CMMC Level 1 Self-Assessment Guide
A CMMC Level 1 self-assessment is an annual, self-performed evaluation that verifies your company meets the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). Unlike Level 2, no third-party assessor is required: you assess your own environment, record the result in SPRS, and a senior official affirms compliance each year. This guide walks through every requirement, the exact steps, and the mistakes that put contracts at risk.
What a CMMC Level 1 Self-Assessment Actually Requires
Last Updated: July 3, 2026
Under the 48 CFR CMMC final rule, any defense contractor or subcontractor that handles Federal Contract Information, but not Controlled Unclassified Information, must complete a Level 1 self-assessment against the 15 security requirements of FAR 52.204-21, enter the result in the Supplier Performance Risk System (SPRS), and have a senior company official affirm continuing compliance annually. It is the entry tier of the CMMC program, and for many small subcontractors it is the only tier they will ever need.
Key Takeaways
- CMMC 2.0 Level 1 covers 15 security requirements drawn directly from FAR 52.204-21, organized across six domains. It applies to contractors that handle FCI only, not CUI.
- Level 1 is a self-assessment: no C3PAO audit is required. But the result must be entered in SPRS, and a senior official must submit an annual affirmation of compliance, which carries real legal weight under the False Claims Act. Petronella Technology Group has been through this process on its own systems: read how we scored 110 on our own CMMC self-assessment.
- Every one of the 15 requirements must be fully MET. Level 1 has no scoring curve and no Plan of Action and Milestones (POA&M) allowance: one unmet requirement means you cannot self-assess as compliant.
- Petronella Technology Group, a CyberAB Registered Provider Organization (RPO #1449) based in Raleigh, North Carolina, has guided defense contractors through CMMC and NIST-based compliance since the program's earliest days, backed by 24+ years securing regulated businesses.
Who Must Complete a Level 1 Self-Assessment, and Why It Matters Now
If your company holds, or wants to hold, a Department of Defense contract or subcontract that involves Federal Contract Information, CMMC Level 1 applies to you. FCI is information provided by or generated for the government under contract that is not intended for public release. That definition is broader than most contractors expect. Delivery schedules, technical drawings marked for limited distribution, performance reports, contract correspondence, and pricing details all typically qualify. If the only government data touching your systems is information the government has already published publicly, you may fall outside the requirement, but very few active contractors are in that position.
The obligation flows down the supply chain. Prime contractors are required to verify that their subcontractors meet the appropriate CMMC level before awarding work, which means a machine shop three tiers down from a prime can lose an order because it has no current Level 1 self-assessment in SPRS. As the 48 CFR acquisition rule phases CMMC requirements into new solicitations, contracting officers will be unable to award covered contracts to companies without a valid assessment and affirmation on file. In practical terms, the self-assessment is becoming a condition of doing business with the defense industrial base, not a nice-to-have.
It is worth being precise about what Level 1 is not. It is not an audit, it is not a certification issued by a third party, and it does not cover Controlled Unclassified Information. If your contracts involve CUI, such as export-controlled technical data or information marked under a CUI category, you are in Level 2 territory, which means all 110 NIST SP 800-171 requirements and, for most contractors, a triennial third-party assessment by a C3PAO. Our CMMC Level 2 compliance guide covers that path in detail. Getting the level determination right at the start is the single most consequential scoping decision you will make, because assessing at Level 1 when your data actually requires Level 2 leaves you noncompliant no matter how carefully you complete the self-assessment.
Why You See "17 Practices" and "15 Requirements" for the Same Level
Both numbers describe the same set of safeguards. The difference is bookkeeping between CMMC versions.
FAR 52.204-21, the Federal Acquisition Regulation clause on basic safeguarding of covered contractor information systems, lists 15 security requirements. The original CMMC 1.0 model restated those same obligations as 17 practices, because it split two of the physical protection requirements into separate line items for clarity. When CMMC 2.0 arrived and the program was codified in the 32 CFR and 48 CFR final rules, the count returned to the FAR's original 15 requirements. Nothing was added or removed in substance; older checklists simply counted the same protections differently.
This matters when you build your CMMC Level 1 checklist. If you are working from a resource that lists 17 practices, it is describing the legacy CMMC 1.0 numbering, and you should map it back to the current 15 requirements before you record anything in SPRS. The identifiers used today follow the pattern AC.L1-b.1.i through SI.L1-b.1.xv, matching the lettered paragraphs of the FAR clause. The table of requirements below uses the current structure.
Not Sure Whether You Handle FCI or CUI?
The level determination decides everything downstream. Petronella Technology Group's CMMC-RP certified team will review your contracts and data flows and tell you plainly which level applies, at no cost and with no obligation.
The 15 CMMC Level 1 Requirements, by Domain
The 15 requirements of FAR 52.204-21 fall into six domains. Every one must be fully implemented and verifiable for your self-assessment to come back compliant.
Access Control (AC): 4 requirements
- AC.L1-b.1.i Limit system access to authorized users, processes, and devices.
- AC.L1-b.1.ii Limit access to the types of transactions and functions authorized users are permitted to execute.
- AC.L1-b.1.iii Verify and control connections to and use of external information systems.
- AC.L1-b.1.iv Control information posted or processed on publicly accessible systems, such as your website.
Identification and Authentication (IA): 2 requirements
- IA.L1-b.1.v Identify system users, processes acting on behalf of users, and devices.
- IA.L1-b.1.vi Authenticate or verify the identities of those users, processes, and devices before allowing access.
In practice this means unique accounts for every person, no shared logins, and enforced passwords or stronger authentication.
Media Protection (MP): 1 requirement
- MP.L1-b.1.vii Sanitize or destroy information system media containing FCI before disposal or release for reuse.
Old laptops, decommissioned servers, USB drives, and copier hard drives must be wiped or physically destroyed, and you should be able to show how.
Physical Protection (PE): 2 requirements
- PE.L1-b.1.viii Limit physical access to systems, equipment, and operating environments to authorized individuals.
- PE.L1-b.1.ix Escort visitors, monitor visitor activity, maintain audit logs of physical access, and control physical access devices such as keys and badges.
This is the area the old 17-practice model split into multiple line items.
System and Communications Protection (SC): 2 requirements
- SC.L1-b.1.x Monitor, control, and protect communications at the external boundaries and key internal boundaries of your systems, typically with a properly configured firewall.
- SC.L1-b.1.xi Implement subnetworks for publicly accessible system components that are separated from internal networks, so a public web server never sits on the same network segment as the systems holding FCI.
System and Information Integrity (SI): 4 requirements
- SI.L1-b.1.xii Identify, report, and correct information and system flaws in a timely manner, which means patching.
- SI.L1-b.1.xiii Provide protection from malicious code at appropriate locations.
- SI.L1-b.1.xiv Update malicious code protection mechanisms when new releases are available.
- SI.L1-b.1.xv Perform periodic scans of systems and real-time scans of files from external sources as they are downloaded, opened, or executed.
None of these requirements is exotic. They are the baseline hygiene any competent IT provider should already maintain. The gap for most small contractors is not capability but proof: knowing exactly which systems are in scope, being able to demonstrate each safeguard is actually working, and documenting the result well enough to defend an affirmation. That is where a structured self-assessment, or a guided one through our CMMC consulting services, earns its keep.
Level 1 Self-Assessment vs. Level 2 C3PAO Certification
The two lower tiers of CMMC differ in scope, evidence burden, and who performs the assessment. Here is the side-by-side view.
How to Complete Your CMMC Level 1 Self-Assessment, Step by Step
The process is straightforward when done in order. Most failures come from skipping the scoping and evidence steps, not from the safeguards themselves.
1. Identify your FCI: map which contracts, documents, and data flows involve Federal Contract Information.
2. Scope your assessment: list every asset that processes, stores, or transmits FCI, including cloud services.
3. Assess each of the 15 requirements as MET or NOT MET using the DoD Level 1 assessment guide objectives.
4. Remediate every gap: fix, verify, and re-assess until all 15 requirements are fully MET.
5. Enter the result in SPRS via PIEE, at the appropriate CAGE code scope.
6. Affirm annually: a senior official submits the affirmation of continuing compliance, and you repeat every year.
Step one deserves more attention than it usually gets. You cannot assess what you have not scoped, and scoping mistakes cut both ways. Scope too narrowly, by forgetting the accounting workstation where invoices with contract data live, or the personal phone that receives contract email, and your assessment misses systems the requirements actually cover. Scope too broadly and you take on remediation work for systems that never touch FCI. Draw the boundary deliberately, write it down, and be able to explain why each asset is in or out. Contractors who want a hard separation often stand up a dedicated enclave for government work so the rest of the business stays out of scope entirely.
Step three is where honesty pays. For each of the 15 requirements, the Department of Defense publishes assessment objectives that break the requirement into specific things that must be true. Take AC.L1-b.1.i as an example: it is not enough that you have user accounts; access must be limited to authorized users, authorized processes, and authorized devices, and you should be able to point to the mechanism doing the limiting. Walk the objectives one at a time, record what you observed, and resist the temptation to mark something MET because it is "mostly there." An affirmation built on generous self-grading is exactly the kind of statement the Department of Justice has pursued under the False Claims Act.
Steps five and six are administrative but unforgiving. The SPRS entry is made through the Procurement Integrated Enterprise Environment (PIEE), which means someone in your company needs a PIEE account with the SPRS "cyber vendor" role before the deadline pressure hits. The affirmation must come from a senior official with the authority to bind the company, not from your IT vendor. Put both the assessment anniversary and the affirmation renewal on the corporate calendar the day you first submit, because a lapsed affirmation makes you ineligible for covered awards just as surely as a failed assessment. If you also need to understand where you stand numerically for other contract requirements, our CMMC self-scoring guide explains how the related SPRS scoring works.
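The roll-up logic behind steps three through six, as an added example that is not part of this guide, the DoD assessment guide, or Petronella's tooling. It keeps the 15 requirement identifiers from the table above and applies the two rules the text states: a requirement is MET only when every objective is MET and backed by recorded evidence, and a company can affirm only when all 15 are MET, with no POA&M credit. The objective wording, evidence file names, and the one-year affirmation cadence are constructed placeholders (the three objectives for AC.L1-b.1.i follow the text; the rest are illustrative).

```python
"""Hypothetical CMMC Level 1 assessment record with MET / NOT MET roll-up.

Added example. Requirement IDs are the 15 from FAR 52.204-21; objective text
and evidence paths are constructed placeholders, not the DoD objectives.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

REQUIREMENT_IDS = [
    "AC.L1-b.1.i", "AC.L1-b.1.ii", "AC.L1-b.1.iii", "AC.L1-b.1.iv",
    "IA.L1-b.1.v", "IA.L1-b.1.vi",
    "MP.L1-b.1.vii",
    "PE.L1-b.1.viii", "PE.L1-b.1.ix",
    "SC.L1-b.1.x", "SC.L1-b.1.xi",
    "SI.L1-b.1.xii", "SI.L1-b.1.xiii", "SI.L1-b.1.xiv", "SI.L1-b.1.xv",
]


@dataclass
class Objective:
    text: str
    met: bool
    evidence: list[str] = field(default_factory=list)  # files kept in the assessment folder


def requirement_status(objectives: list[Objective]) -> str:
    """MET only if every objective is MET and each has evidence; no partial credit."""
    if not objectives:
        return "NOT MET"
    for obj in objectives:
        if not obj.met or not obj.evidence:
            return "NOT MET"
    return "MET"


def roll_up(record: dict[str, list[Objective]]) -> dict:
    """Status per requirement, the list of gaps, and whether an affirmation is defensible."""
    statuses = {rid: requirement_status(record.get(rid, [])) for rid in REQUIREMENT_IDS}
    gaps = sorted(rid for rid, status in statuses.items() if status == "NOT MET")
    return {"statuses": statuses, "gaps": gaps, "can_affirm": not gaps}


def affirmation_due(assessment_iso: str) -> str:
    """Assumed cadence: the next affirmation is due one year after the assessment date."""
    assessed = date.fromisoformat(assessment_iso)
    try:
        due = assessed.replace(year=assessed.year + 1)
    except ValueError:  # 29 February assessed, next year is not a leap year
        due = assessed.replace(year=assessed.year + 1, day=28)
    return due.isoformat()


def affirmation_lapsed(assessment_iso: str, today_iso: str) -> bool:
    return date.fromisoformat(today_iso) > date.fromisoformat(affirmation_due(assessment_iso))


def sample_record() -> dict[str, list[Objective]]:
    """Constructed record: one open gap (flat network) and one unproven checkmark."""
    record = {
        "AC.L1-b.1.i": [  # the three objectives the guide names for this requirement
            Objective("access limited to authorized users", True, ["ac-i/user-list-2026-06.csv"]),
            Objective("access limited to authorized processes", True, ["ac-i/service-accounts.png"]),
            Objective("access limited to authorized devices", True, ["ac-i/device-inventory.xlsx"]),
        ],
        "SC.L1-b.1.xi": [
            Objective("public components on a separated subnetwork", False, []),
        ],
        "SI.L1-b.1.xii": [
            Objective("flaws identified and corrected in a timely manner", True, []),  # MET, no proof
        ],
    }
    for rid in REQUIREMENT_IDS:  # placeholder objectives for the remaining requirements
        record.setdefault(rid, [Objective(f"{rid} placeholder objective", True, [f"{rid}/evidence.pdf"])])
    return record


if __name__ == "__main__":
    result = roll_up(sample_record())
    print("gaps:", result["gaps"], "can affirm:", result["can_affirm"])
    print("affirmation due:", affirmation_due("2026-07-03"))
```

Note that SI.L1-b.1.xii comes back NOT MET even though it was marked met: a checkmark with no evidence behind it is treated as a gap, which is the standard the affirmation implies.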
Want a Second Set of Eyes Before You Affirm?
A senior official's signature goes on that affirmation. Petronella Technology Group runs a guided Level 1 gap review so the answers you record in SPRS are answers you can defend.
Where Level 1 Self-Assessments Go Wrong
After decades of assessing small-business security programs, the same handful of failure points show up again and again.
Assuming the wrong level
The most expensive mistake happens before the assessment starts. Contractors handling export-controlled drawings or other CUI complete a tidy Level 1 self-assessment that was never the right exercise. Read your contracts, look for DFARS 252.204-7012 and CUI markings, and confirm the level before you invest a single hour. When in doubt, ask; our team performs this determination as part of any CMMC assessment engagement.
Shared accounts and stale users
The "shop floor" login that six people share, the ex-employee whose account still works, the vendor account with no owner: all of these fail IA.L1-b.1.v and AC.L1-b.1.i instantly. Unique accounts, prompt deprovisioning, and a quarterly access review are cheap fixes that close the most commonly failed requirements.
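A quarterly access review of the kind described above, written as an added example rather than anything from this guide or from Petronella. It assumes an account export with the columns shown (username, a named owner, enabled flag, last logon, employment status); the rows are constructed, and the 90-day staleness threshold is an assumption. Accounts with no named owner are flagged against IA.L1-b.1.v, and enabled accounts of terminated staff or accounts with no recent logon are flagged against AC.L1-b.1.i.

```python
"""Hypothetical access-review check for AC.L1-b.1.i and IA.L1-b.1.v.

Added example. The CSV layout and the sample rows are constructed; export
the real list from your directory or identity provider in the same shape.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample export (not real accounts). Assumed columns:
# username, owner (the one accountable person), enabled, last_logon, employment_status
SAMPLE_EXPORT = """username,owner,enabled,last_logon,employment_status
jsmith,Jane Smith,true,2026-06-28,active
shopfloor,,true,2026-07-01,active
rlee,Ray Lee,true,2026-01-15,terminated
vendor-cnc,,true,2025-11-02,vendor
mgarcia,Maria Garcia,true,2026-03-01,active
tbrown,Tom Brown,false,2025-09-10,terminated
"""

STALE_DAYS = 90  # assumed review threshold


@dataclass(frozen=True)
class Finding:
    username: str
    requirement: str
    reason: str


def review_accounts(export_csv: str, today_iso: str, stale_days: int = STALE_DAYS) -> list[Finding]:
    """Return one finding per problem on an enabled account."""
    today = date.fromisoformat(today_iso)
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"].strip()
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts are already deprovisioned
        if not row["owner"].strip():
            findings.append(Finding(user, "IA.L1-b.1.v", "no named owner: shared or generic account"))
        if row["employment_status"].strip().lower() == "terminated":
            findings.append(Finding(user, "AC.L1-b.1.i", "account still enabled after termination"))
        last = row["last_logon"].strip()
        if not last:
            findings.append(Finding(user, "AC.L1-b.1.i", "account has never logged on"))
        elif (today - date.fromisoformat(last)).days > stale_days:
            findings.append(Finding(user, "AC.L1-b.1.i", f"no logon in more than {stale_days} days"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per requirement, for the assessment file."""
    return dict(Counter(f.requirement for f in findings))


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT, "2026-07-03"):
        print(f"{f.requirement:14} {f.username:12} {f.reason}")
    print(summarize(review_accounts(SAMPLE_EXPORT, "2026-07-03")))
```

Keep the dated output with the assessment file: it is the evidence that the access review actually happened, not just the policy saying it should.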
Forgotten scope: email, cloud, and phones
FCI lives wherever contract work happens, which today means Microsoft 365 or Google Workspace, file-sharing services, and mobile devices. Self-assessments that only examine office desktops miss the systems where most FCI actually flows. Include every cloud service and endpoint that touches contract data, and confirm those services are configured to enforce your access and authentication controls.
No proof behind the checkmarks
Level 1 does not require you to submit evidence, but the affirmation implies you have it. If a prime, a contracting officer, or an investigator asks how you verified requirement SI.L1-b.1.xii, "we're pretty sure everything is patched" is not an answer. Keep screenshots, configuration exports, visitor logs, and disposal records with the assessment file, dated and organized by requirement.
Flat networks with public services
SC.L1-b.1.xi requires publicly accessible components to sit on separated subnetworks. Small offices frequently run a web server, guest Wi-Fi, security cameras, and business systems on one flat network. A basic VLAN design or firewall segmentation resolves it, and it is the requirement most likely to need actual network work rather than a policy change.
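A segmentation check for SC.L1-b.1.xi over an asset inventory, added here as an example and not taken from this guide or from Petronella. It assumes each asset is recorded with an address, whether it is publicly accessible, and whether it holds FCI; the inventory and subnet values are constructed. Any subnet that contains both a publicly accessible component and an FCI system is reported as a finding, and the relocate helper shows the same inventory after the public components are moved to their own segment.

```python
"""Hypothetical SC.L1-b.1.xi check: do public components share a segment with FCI systems?

Added example. Inventory, addresses and subnets are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    publicly_accessible: bool
    holds_fci: bool


# Constructed: a small office with a flat 192.168.1.0/24 and a separate DMZ subnet.
SUBNETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.10.0.0/24")]

INVENTORY = [
    Asset("www-public", "192.168.1.10", True, False),
    Asset("guest-wifi-ap", "192.168.1.20", True, False),
    Asset("camera-nvr", "192.168.1.30", False, False),
    Asset("fileserver", "192.168.1.40", False, True),
    Asset("accounting-pc", "192.168.1.41", False, True),
    Asset("dmz-web", "10.10.0.10", True, False),
]


def subnet_of(ip: str, subnets) -> ipaddress.IPv4Network | None:
    addr = ipaddress.ip_address(ip)
    for net in subnets:
        if addr in net:
            return net
    return None  # address not covered by the documented subnets


def segmentation_findings(inventory: list[Asset], subnets) -> list[str]:
    """One finding per subnet mixing public and FCI assets, plus any unmapped addresses."""
    by_subnet: dict = {}
    for asset in inventory:
        by_subnet.setdefault(subnet_of(asset.ip, subnets), []).append(asset)
    findings = []
    for net, assets in by_subnet.items():
        if net is None:
            findings.append("unmapped addresses: " + ", ".join(a.name for a in assets))
            continue
        public = [a.name for a in assets if a.publicly_accessible]
        fci = [a.name for a in assets if a.holds_fci]
        if public and fci:
            findings.append(f"{net}: public {public} share a segment with FCI systems {fci}")
    return findings


def relocate(inventory: list[Asset], moves: dict[str, str]) -> list[Asset]:
    """Return a copy of the inventory with the named assets re-addressed (the remediation)."""
    return [replace(a, ip=moves[a.name]) if a.name in moves else a for a in inventory]


if __name__ == "__main__":
    print("before:", segmentation_findings(INVENTORY, SUBNETS))
    fixed = relocate(INVENTORY, {"www-public": "10.10.0.11", "guest-wifi-ap": "10.10.0.12"})
    print("after: ", segmentation_findings(fixed, SUBNETS))
```

The before and after output is exactly the evidence pair worth keeping for this requirement: the inventory showing the flat network, and the inventory plus VLAN or firewall configuration showing the separation.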
Treating it as one-and-done
The self-assessment is annual and the affirmation is continuing. Companies that scramble through the first submission and then let patching, visitor logs, and account reviews decay are affirming compliance with a program that no longer exists. Build the 15 requirements into routine operations, with owners and recurring checks, so year two is an update instead of a rebuild.
Doing It Yourself vs. a Guided Self-Assessment
Level 1 was designed to be self-performed, and plenty of contractors handle it internally. The honest comparison looks like this.
If your company has a capable IT provider and only a handful of systems in scope, DIY is realistic; this guide plus the DoD's Level 1 assessment guide will get you there. The guided path earns its cost when scope is murky, when a prime is asking for your SPRS status this quarter, or when nobody internally wants their name on an affirmation they cannot personally verify.
ComplianceArmor and the Petronella Level 1 Engagement
Petronella Technology Group approaches Level 1 the way it approaches every framework: build the real security program first, and let the paperwork fall out of it. The engagement starts with the FCI-versus-CUI determination and a scoping workshop, then walks all 15 requirements against the DoD assessment objectives in your actual environment. Gaps get fixed hands-on, whether that means segmenting a flat network, rolling out unique accounts with multi-factor authentication, or standing up a documented media disposal process. Nothing is marked MET until it is observably true.
The documentation layer runs on ComplianceArmor, the firm's proprietary compliance platform. Its CMMC module generates the policies and procedures behind each requirement, organizes evidence by control, and monitors the recurring obligations, patching cadence, access reviews, and log retention, so the annual re-assessment is a review rather than a rebuild. When the assessment is complete, the team walks your senior official through the SPRS submission in PIEE and the affirmation itself, so the mechanics never block a contract award. And because roughly the same team handles the full CMMC program up through Level 2 readiness, a contractor whose pipeline later adds CUI work extends the same program instead of starting over.
The credentials behind that work are verifiable. Petronella Technology Group has operated since April 2002, has held a BBB A+ rating since 2003, and is a CyberAB Registered Provider Organization (RPO #1449) with a CMMC-RP certified team. Founder Craig Petronella, a CMMC Registered Practitioner and author of the CMMC 2.0 Certification Guide, has spent 30+ years in IT and cybersecurity and holds CCNA and CWNE certifications, an NC Digital Forensics Examiner license (#604180-DFE), and MIT certifications in cybersecurity and AI. The firm is headquartered in Raleigh, North Carolina and serves defense contractors across the Research Triangle and nationwide, with the broader practice covering everything from compliance consulting across frameworks to full managed cybersecurity.
"Petronella Cybersecurity provides outstanding service! Their team is extremely knowledgeable, responsive, and truly cares about protecting their clients. They take the time to explain complex issues in simple terms and deliver real solutions, not just promises."
GB Entraînement, TrustIndex verified review
Rated 4.7 across 92 verified TrustIndex reviews.
Related CMMC Resources
Level 1 is one piece of the CMMC picture. These guides cover the rest of the program.
CMMC Level 1 Self-Assessment Questions
What is a CMMC Level 1 self-assessment?
Does CMMC Level 1 have 15 requirements or 17 practices?
Who is required to complete a CMMC Level 1 self-assessment?
Can I use a POA&M for requirements I have not finished at Level 1?
How much does a CMMC Level 1 self-assessment cost?
What happens if I affirm compliance but am not actually compliant?
How do I know if I handle FCI or CUI?
How often do I have to repeat the Level 1 self-assessment?
Get Your Level 1 Self-Assessment Done Right the First Time
From the FCI determination to the SPRS entry and affirmation, Petronella Technology Group's CMMC-RP certified team will get you compliant and keep you that way. Talk to a compliance advisor today.
Petronella Technology Group, Inc. · 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 · 919-348-4912 · CMMC readiness for defense contractors nationwide