CMMC Level 1

CMMC Level 1 Self-Assessment Guide

A CMMC Level 1 self-assessment is an annual, self-performed evaluation that verifies your company meets the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). Unlike Level 2, no third-party assessor is required: you assess your own environment, record the result in SPRS, and a senior official affirms compliance each year. This guide walks through every requirement, the exact steps, and the mistakes that put contracts at risk.

CyberAB RPO #1449 | BBB A+ Since 2003 | 24+ Years Experience
The Basics

What a CMMC Level 1 Self-Assessment Actually Requires

Last Updated: July 3, 2026

Under the 48 CFR CMMC final rule, any defense contractor or subcontractor that handles Federal Contract Information, but not Controlled Unclassified Information, must complete a Level 1 self-assessment against the 15 security requirements of FAR 52.204-21, enter the result in the Supplier Performance Risk System (SPRS), and have a senior company official affirm continuing compliance annually. It is the entry tier of the CMMC program, and for many small subcontractors it is the only tier they will ever need.

Key Takeaways

  • CMMC 2.0 Level 1 covers 15 security requirements drawn directly from FAR 52.204-21, organized across six domains. It applies to contractors that handle FCI only, not CUI.
  • Level 1 is a self-assessment: no C3PAO audit is required. But the result must be entered in SPRS, and a senior official must submit an annual affirmation of compliance, which carries real legal weight under the False Claims Act. Petronella Technology Group has been through this process on its own systems: read how we scored 110 on our own CMMC self-assessment.
  • Every one of the 15 requirements must be fully MET. Level 1 has no scoring curve and no Plan of Action and Milestones (POA&M) allowance: one unmet requirement means you cannot self-assess as compliant.
  • Petronella Technology Group, a CyberAB Registered Provider Organization (RPO #1449) based in Raleigh, North Carolina, has guided defense contractors through CMMC and NIST-based compliance since the program's earliest days, backed by 24+ years securing regulated businesses.

Who Needs It

Who Must Complete a Level 1 Self-Assessment, and Why It Matters Now

If your company holds, or wants to hold, a Department of Defense contract or subcontract that involves Federal Contract Information, CMMC Level 1 applies to you. FCI is information provided by or generated for the government under contract that is not intended for public release. That definition is broader than most contractors expect. Delivery schedules, technical drawings marked for limited distribution, performance reports, contract correspondence, and pricing details all typically qualify. If the only government data touching your systems is information the government has already published publicly, you may fall outside the requirement, but very few active contractors are in that position.

The obligation flows down the supply chain. Prime contractors are required to verify that their subcontractors meet the appropriate CMMC level before awarding work, which means a machine shop three tiers down from a prime can lose an order because it has no current Level 1 self-assessment in SPRS. As the 48 CFR acquisition rule phases CMMC requirements into new solicitations, contracting officers will be unable to award covered contracts to companies without a valid assessment and affirmation on file. In practical terms, the self-assessment is becoming a condition of doing business with the defense industrial base, not a nice-to-have.

It is worth being precise about what Level 1 is not. It is not an audit, it is not a certification issued by a third party, and it does not cover Controlled Unclassified Information. If your contracts involve CUI, such as export-controlled technical data or information marked under a CUI category, you are in Level 2 territory, which means all 110 NIST SP 800-171 requirements and, for most contractors, a triennial third-party assessment by a C3PAO. Our CMMC Level 2 compliance guide covers that path in detail. Getting the level determination right at the start is the single most consequential scoping decision you will make, because assessing at Level 1 when your data actually requires Level 2 leaves you noncompliant no matter how carefully you complete the self-assessment.

17 vs 15

Why You See "17 Practices" and "15 Requirements" for the Same Level

Both numbers describe the same set of safeguards. The difference is bookkeeping between CMMC versions.

FAR 52.204-21, the Federal Acquisition Regulation clause on basic safeguarding of covered contractor information systems, lists 15 security requirements. The original CMMC 1.0 model restated those same obligations as 17 practices, because it split two of the physical protection requirements into separate line items for clarity. When CMMC 2.0 arrived and the program was codified in the 32 CFR and 48 CFR final rules, the count returned to the FAR's original 15 requirements. Nothing was added or removed in substance; older checklists simply counted the same protections differently.

This matters when you build your CMMC Level 1 checklist. If you are working from a resource that lists 17 practices, it is describing the legacy CMMC 1.0 numbering, and you should map it back to the current 15 requirements before you record anything in SPRS. The identifiers used today follow the pattern AC.L1-b.1.i through SI.L1-b.1.xv, matching the lettered paragraphs of the FAR clause. The table of requirements below uses the current structure.

Not Sure Whether You Handle FCI or CUI?

The level determination decides everything downstream. Petronella Technology Group's CMMC-RP certified team will review your contracts and data flows and tell you plainly which level applies, at no cost and with no obligation.


The Requirements

The 15 CMMC Level 1 Requirements, by Domain

The 15 requirements of FAR 52.204-21 fall into six domains. Every one must be fully implemented and verifiable for your self-assessment to come back compliant.

Access Control (AC): 4 requirements

  • AC.L1-b.1.i Limit system access to authorized users, processes, and devices.
  • AC.L1-b.1.ii Limit access to the types of transactions and functions authorized users are permitted to execute.
  • AC.L1-b.1.iii Verify and control connections to and use of external information systems.
  • AC.L1-b.1.iv Control information posted or processed on publicly accessible systems, such as your website.

Identification and Authentication (IA): 2 requirements

  • IA.L1-b.1.v Identify system users, processes acting on behalf of users, and devices.
  • IA.L1-b.1.vi Authenticate or verify the identities of those users, processes, and devices before allowing access.

In practice this means unique accounts for every person, no shared logins, and enforced passwords or stronger authentication.

Media Protection (MP): 1 requirement

  • MP.L1-b.1.vii Sanitize or destroy information system media containing FCI before disposal or release for reuse.

Old laptops, decommissioned servers, USB drives, and copier hard drives must be wiped or physically destroyed, and you should be able to show how.

Physical Protection (PE): 2 requirements

  • PE.L1-b.1.viii Limit physical access to systems, equipment, and operating environments to authorized individuals.
  • PE.L1-b.1.ix Escort visitors, monitor visitor activity, maintain audit logs of physical access, and control physical access devices such as keys and badges.

This is the area the old 17-practice model split into multiple line items.

System and Communications Protection (SC): 2 requirements

  • SC.L1-b.1.x Monitor, control, and protect communications at the external boundaries and key internal boundaries of your systems, typically with a properly configured firewall.
  • SC.L1-b.1.xi Implement subnetworks for publicly accessible system components that are separated from internal networks, so a public web server never sits on the same network segment as the systems holding FCI.

System and Information Integrity (SI): 4 requirements

  • SI.L1-b.1.xii Identify, report, and correct information and system flaws in a timely manner, which means patching.
  • SI.L1-b.1.xiii Provide protection from malicious code at appropriate locations.
  • SI.L1-b.1.xiv Update malicious code protection mechanisms when new releases are available.
  • SI.L1-b.1.xv Perform periodic scans of systems and real-time scans of files from external sources as they are downloaded, opened, or executed.

None of these requirements is exotic. They are the baseline hygiene any competent IT provider should already maintain. The gap for most small contractors is not capability but proof: knowing exactly which systems are in scope, being able to demonstrate each safeguard is actually working, and documenting the result well enough to defend an affirmation. That is where a structured self-assessment, or a guided one through our CMMC consulting services, earns its keep.

Level 1 vs Level 2

Level 1 Self-Assessment vs. Level 2 C3PAO Certification

The two lower tiers of CMMC differ in scope, evidence burden, and who performs the assessment. Here is the side-by-side view.

Factor | Level 1 Self-Assessment | Level 2 C3PAO Certification
Data covered | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI)
Requirements | 15 requirements from FAR 52.204-21 | 110 requirements from NIST SP 800-171
Who assesses | Your own organization, annually | Certified Third-Party Assessment Organization (C3PAO), every 3 years, for most contracts
Scoring | All 15 must be MET; no partial credit | 110-point SPRS scoring methodology with weighted deductions
POA&M allowed | No | Limited, for select requirements, closed within 180 days
SPRS entry + affirmation | Required, annually | Required, with annual affirmations between assessments
Typical cost driver | Internal time plus any remediation | Assessment fees plus substantial implementation work; see our CMMC cost breakdown

How To Do It

How to Complete Your CMMC Level 1 Self-Assessment, Step by Step

The process is straightforward when done in order. Most failures come from skipping the scoping and evidence steps, not from the safeguards themselves.

1. Identify your FCI: map which contracts, documents, and data flows involve Federal Contract Information
2. Scope your assessment: list every asset that processes, stores, or transmits FCI, including cloud services
3. Assess each of the 15 requirements as MET or NOT MET using the DoD Level 1 assessment guide objectives
4. Remediate every gap: fix, verify, and re-assess until all 15 requirements are fully MET
5. Enter the result in SPRS via PIEE, at the appropriate CAGE code scope
6. Affirm annually: a senior official submits the affirmation of continuing compliance, and you repeat every year

Step one deserves more attention than it usually gets. You cannot assess what you have not scoped, and scoping mistakes cut both ways. Scope too narrowly, by forgetting the accounting workstation where invoices with contract data live, or the personal phone that receives contract email, and your assessment misses systems the requirements actually cover. Scope too broadly and you take on remediation work for systems that never touch FCI. Draw the boundary deliberately, write it down, and be able to explain why each asset is in or out. Contractors who want a hard separation often stand up a dedicated enclave for government work so the rest of the business stays out of scope entirely.

Step three is where honesty pays. For each of the 15 requirements, the Department of Defense publishes assessment objectives that break the requirement into specific things that must be true. Take AC.L1-b.1.i as an example: it is not enough that you have user accounts; access must be limited to authorized users, authorized processes, and authorized devices, and you should be able to point to the mechanism doing the limiting. Walk the objectives one at a time, record what you observed, and resist the temptation to mark something MET because it is "mostly there." An affirmation built on generous self-grading is exactly the kind of statement the Department of Justice has pursued under the False Claims Act.

Steps five and six are administrative but unforgiving. The SPRS entry is made through the Procurement Integrated Enterprise Environment (PIEE), which means someone in your company needs a PIEE account with the SPRS "cyber vendor" role before the deadline pressure hits. The affirmation must come from a senior official with the authority to bind the company, not from your IT vendor. Put both the assessment anniversary and the affirmation renewal on the corporate calendar the day you first submit, because a lapsed affirmation makes you ineligible for covered awards just as surely as a failed assessment. If you also need to understand where you stand numerically for other contract requirements, our CMMC self-scoring guide explains how the related SPRS scoring works.
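The roll-up logic behind steps three and four, as an added example that is not part of this guide or the DoD assessment guide: each requirement is assessed against its objectives, a requirement counts as MET only when every objective was actually observed and points at dated evidence in the assessment file, and the assessment as a whole is compliant only when all 15 requirements are MET, with no POA&M credit for gaps. The objective wording, the evidence paths and the sample scenario are constructed placeholders, not DoD text.

```python
"""
Added example: roll up a CMMC Level 1 self-assessment from objective-level
observations to the yes/no answer that goes into SPRS. Not from the guide;
objective text and evidence references are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The 15 current requirement identifiers, by domain (as listed in the guide).
LEVEL1_REQUIREMENTS = {
    "AC": ["AC.L1-b.1.i", "AC.L1-b.1.ii", "AC.L1-b.1.iii", "AC.L1-b.1.iv"],
    "IA": ["IA.L1-b.1.v", "IA.L1-b.1.vi"],
    "MP": ["MP.L1-b.1.vii"],
    "PE": ["PE.L1-b.1.viii", "PE.L1-b.1.ix"],
    "SC": ["SC.L1-b.1.x", "SC.L1-b.1.xi"],
    "SI": ["SI.L1-b.1.xii", "SI.L1-b.1.xiii", "SI.L1-b.1.xiv", "SI.L1-b.1.xv"],
}
ALL_IDS = [rid for ids in LEVEL1_REQUIREMENTS.values() for rid in ids]


@dataclass
class Objective:
    text: str                            # what must be true (constructed wording)
    observed: bool                       # did the assessor actually see it working?
    evidence: str = ""                   # artifact kept with the assessment file
    evidence_date: Optional[date] = None # when that artifact was captured


def assess_requirement(objectives):
    """Return ("MET" or "NOT MET", [reasons]) for one requirement.

    "Mostly there" is NOT MET: every objective must be observed and must
    point at dated evidence, so the affirmation can be defended later.
    """
    reasons = []
    for obj in objectives:
        if not obj.observed:
            reasons.append(f"objective not observed: {obj.text}")
        elif not obj.evidence or obj.evidence_date is None:
            reasons.append(f"no dated evidence for: {obj.text}")
    return ("MET" if not reasons else "NOT MET"), reasons


def next_affirmation(assessed_on):
    """Affirmation renewal is one year after the assessment date (annual cycle)."""
    try:
        return assessed_on.replace(year=assessed_on.year + 1)
    except ValueError:               # assessed on 29 February
        return assessed_on.replace(year=assessed_on.year + 1, month=3, day=1)


def rollup(assessment, assessed_on):
    """Roll per-requirement results up to the SPRS-level answer.

    `assessment` maps requirement id -> list[Objective]. An id missing from
    it was never assessed and is therefore NOT MET. Level 1 has no POA&M:
    a single gap makes the whole assessment non-compliant.
    """
    results, gaps = {}, {}
    for rid in ALL_IDS:
        objectives = assessment.get(rid)
        if objectives is None:
            results[rid], gaps[rid] = "NOT MET", ["requirement not assessed"]
            continue
        status, reasons = assess_requirement(objectives)
        results[rid] = status
        if reasons:
            gaps[rid] = reasons
    return {
        "compliant": not gaps,
        "met_count": sum(1 for s in results.values() if s == "MET"),
        "results": results,
        "gaps": gaps,
        "affirmation_due": next_affirmation(assessed_on),
    }


def sample_assessment():
    """Constructed scenario: 14 requirements fully evidenced, AC.L1-b.1.i
    'mostly there' because device access is not actually limited."""
    stamped = date(2026, 7, 1)
    assessment = {rid: [Objective(f"{rid} objective", True, f"evidence/{rid}.pdf", stamped)]
                  for rid in ALL_IDS}
    assessment["AC.L1-b.1.i"] = [
        Objective("access limited to authorized users", True, "evidence/ac-users.png", stamped),
        Objective("access limited to authorized processes", True, "evidence/ac-procs.png", stamped),
        Objective("access limited to authorized devices", False),  # unmanaged laptops still join the LAN
    ]
    return assessment


def run_sample():
    return rollup(sample_assessment(), date(2026, 7, 3))


if __name__ == "__main__":
    r = run_sample()
    print(f"compliant: {r['compliant']}  MET: {r['met_count']} of {len(ALL_IDS)}")
    for rid, reasons in r["gaps"].items():
        print(f"  {rid}: " + "; ".join(reasons))
```

Two of three objectives met on AC.L1-b.1.i leaves the count at 14 of 15 and the overall answer at "not compliant", which is the Level 1 rule: there is no partial credit, so the fix goes in before anything is recorded in SPRS.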

Want a Second Set of Eyes Before You Affirm?

A senior official's signature goes on that affirmation. Petronella Technology Group runs a guided Level 1 gap review so the answers you record in SPRS are answers you can defend.


Common Failures

Where Level 1 Self-Assessments Go Wrong

After decades of assessing small-business security programs, we see the same handful of failure points show up again and again.

Assuming the wrong level

The most expensive mistake happens before the assessment starts. Contractors handling export-controlled drawings or other CUI complete a tidy Level 1 self-assessment that was never the right exercise. Read your contracts, look for DFARS 252.204-7012 and CUI markings, and confirm the level before you invest a single hour. When in doubt, ask; our team performs this determination as part of any CMMC assessment engagement.

Shared accounts and stale users

The "shop floor" login that six people share, the ex-employee whose account still works, the vendor account with no owner: all of these fail IA.L1-b.1.v and AC.L1-b.1.i instantly. Unique accounts, prompt deprovisioning, and a quarterly access review are cheap fixes that close the most commonly failed requirements.

Forgotten scope: email, cloud, and phones

FCI lives wherever contract work happens, which today means Microsoft 365 or Google Workspace, file-sharing services, and mobile devices. Self-assessments that only examine office desktops miss the systems where most FCI actually flows. Include every cloud service and endpoint that touches contract data, and confirm those services are configured to enforce your access and authentication controls.

No proof behind the checkmarks

Level 1 does not require you to submit evidence, but the affirmation implies you have it. If a prime, a contracting officer, or an investigator asks how you verified requirement SI.L1-b.1.xii, "we're pretty sure everything is patched" is not an answer. Keep screenshots, configuration exports, visitor logs, and disposal records with the assessment file, dated and organized by requirement.

Flat networks with public services

SC.L1-b.1.xi requires publicly accessible components to sit on separated subnetworks. Small offices frequently run a web server, guest Wi-Fi, security cameras, and business systems on one flat network. A basic VLAN design or firewall segmentation resolves it, and it is the requirement most likely to need actual network work rather than a policy change.

Treating it as one-and-done

The self-assessment is annual and the affirmation is continuing. Companies that scramble through the first submission and then let patching, visitor logs, and account reviews decay are affirming compliance with a program that no longer exists. Build the 15 requirements into routine operations, with owners and recurring checks, so year two is an update instead of a rebuild.

DIY vs Guided

Doing It Yourself vs. a Guided Self-Assessment

Level 1 was designed to be self-performed, and plenty of contractors handle it internally. The honest comparison looks like this.

Consideration | Fully DIY | Guided by Petronella Technology Group
Scoping accuracy | Depends on internal familiarity with FCI definitions; cloud and mobile scope frequently missed | Scope set by a CMMC-RP certified team that does this across the defense supply chain
Interpretation of requirements | Assessment objectives read cold; ambiguous cases guessed | Each objective mapped to your actual environment with a defensible rationale
Remediation | You find and fix gaps yourself | Hands-on remediation: segmentation, authentication, patching, and disposal processes implemented with you
Documentation and evidence | Ad hoc; often thin when a prime asks questions | ComplianceArmor-generated policies and organized evidence, requirement by requirement
SPRS and affirmation mechanics | PIEE account setup and submission learned by trial and error | Walked through PIEE, SPRS entry, and the affirmation workflow the first time, documented for every year after
Cost | Lowest cash outlay; highest risk of a false affirmation or a lost award | Scoped engagement priced after a short discovery call, sized to your environment

If your company has a capable IT provider and only a handful of systems in scope, DIY is realistic; this guide plus the DoD's Level 1 assessment guide will get you there. The guided path earns its cost when scope is murky, when a prime is asking for your SPRS status this quarter, or when nobody internally wants their name on an affirmation they cannot personally verify.

How We Help

ComplianceArmor and the Petronella Level 1 Engagement

Petronella Technology Group approaches Level 1 the way it approaches every framework: build the real security program first, and let the paperwork fall out of it. The engagement starts with the FCI-versus-CUI determination and a scoping workshop, then walks all 15 requirements against the DoD assessment objectives in your actual environment. Gaps get fixed hands-on, whether that means segmenting a flat network, rolling out unique accounts with multi-factor authentication, or standing up a documented media disposal process. Nothing is marked MET until it is observably true.

The documentation layer runs on ComplianceArmor, the firm's proprietary compliance platform. Its CMMC module generates the policies and procedures behind each requirement, organizes evidence by control, and monitors the recurring obligations (patching cadence, access reviews, and log retention), so the annual re-assessment is a review rather than a rebuild. When the assessment is complete, the team walks your senior official through the SPRS submission in PIEE and the affirmation itself, so the mechanics never block a contract award. And because roughly the same team handles the full CMMC program up through Level 2 readiness, a contractor whose pipeline later adds CUI work extends the same program instead of starting over.

The credentials behind that work are verifiable. Petronella Technology Group has operated since April 2002, has held a BBB A+ rating since 2003, and is a CyberAB Registered Provider Organization (RPO #1449) with a CMMC-RP certified team. Founder Craig Petronella, a CMMC Registered Practitioner and author of the CMMC 2.0 Certification Guide, has spent 30+ years in IT and cybersecurity and holds CCNA and CWNE certifications, an NC Digital Forensics Examiner license (#604180-DFE), and MIT certifications in cybersecurity and AI. The firm is headquartered in Raleigh, North Carolina and serves defense contractors across the Research Triangle and nationwide, with the broader practice covering everything from compliance consulting across frameworks to full managed cybersecurity.

"Petronella Cybersecurity provides outstanding service! Their team is extremely knowledgeable, responsive, and truly cares about protecting their clients. They take the time to explain complex issues in simple terms and deliver real solutions, not just promises."

GB Entraînement, TrustIndex verified review

Rated 4.7 across 92 verified TrustIndex reviews.

FAQ

CMMC Level 1 Self-Assessment Questions

What is a CMMC Level 1 self-assessment?
It is an annual evaluation, performed by your own organization, that verifies your systems handling Federal Contract Information meet the 15 basic safeguarding requirements of FAR 52.204-21. The result is entered in the Supplier Performance Risk System (SPRS), and a senior company official submits an annual affirmation of continuing compliance. No third-party assessor is involved at Level 1.

Does CMMC Level 1 have 15 requirements or 17 practices?
Fifteen, under the current CMMC final rule. The original CMMC 1.0 model counted the same obligations as 17 practices because it split two physical protection items into separate lines. CMMC 2.0 returned to the FAR clause's original count of 15 security requirements across six domains. If a checklist you are using lists 17, it is legacy numbering for the same protections.

Who is required to complete a CMMC Level 1 self-assessment?
Any DoD contractor or subcontractor whose contract involves Federal Contract Information but not Controlled Unclassified Information, once the CMMC clause appears in the solicitation or contract. The requirement flows down from primes to subcontractors, so even small suppliers several tiers down the chain need a current self-assessment and affirmation in SPRS to remain eligible for covered work.

Can I use a POA&M for requirements I have not finished at Level 1?
No. Level 1 does not permit Plans of Action and Milestones. All 15 requirements must be fully MET before you can record a compliant self-assessment in SPRS. If any requirement is not met, remediate first, then assess. This is a key difference from Level 2, where a limited, time-boxed POA&M is allowed for certain requirements.

How much does a CMMC Level 1 self-assessment cost?
The assessment itself is self-performed, so the direct cost is internal time plus whatever remediation your gaps require, such as network segmentation or account cleanup. A guided engagement adds professional fees, which Petronella Technology Group scopes after a short discovery call so the price reflects your actual environment. For the wider program economics, including Level 2, see the CMMC cost breakdown.

What happens if I affirm compliance but am not actually compliant?
The affirmation is a formal statement to the government by a senior company official, and false affirmations expose the company to liability under the False Claims Act, in addition to the contractual consequences of losing eligibility. The Department of Justice has pursued cybersecurity misrepresentation cases under its Civil Cyber-Fraud Initiative. Assess honestly, keep evidence, and fix gaps before you affirm.

How do I know if I handle FCI or CUI?
Read your contracts. FCI is non-public information provided by or generated for the government under contract, which covers most contract deliverables and correspondence. CUI is information requiring safeguarding under law or government-wide policy, such as export-controlled technical data, and usually arrives marked, often alongside DFARS 252.204-7012. CUI means Level 2, not Level 1. If your contracts are ambiguous, get a professional determination before assessing; it is the decision everything else depends on.

How often do I have to repeat the Level 1 self-assessment?
Annually. The self-assessment must be current in SPRS, and the senior official's affirmation must be renewed each year. Treat both dates as hard deadlines on the corporate calendar, because a lapsed entry can make you ineligible for new covered awards. Building the 15 requirements into routine operations, with owners and recurring checks, turns the annual cycle into a light refresh rather than a scramble.

Get Your Level 1 Self-Assessment Done Right the First Time

From the FCI determination to the SPRS entry and affirmation, Petronella Technology Group's CMMC-RP certified team will get you compliant and keep you that way. Talk to a compliance advisor today.

Petronella Technology Group, Inc. · 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 · 919-348-4912 · CMMC readiness for defense contractors nationwide