Skip to content
SPRS Lab

CMMC Level 1 Self-Assessment

The annual Level 1 self-assessment, done properly: all 17 practices from FAR 52.204-21 with plain-English explanations of what each one takes, strict MET/NOT-MET scoring (no POA&Ms allowed at Level 1, and we enforce that), and a downloadable record you can file before entering results in SPRS. Everything stays in your browser.

0/17 assessed · 0 met

IN PROGRESS

  1. 1. 3.1.1Access Control · FAR 52.204-21(b.1.i)

    Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

    Only people, service accounts, and devices you have explicitly approved can sign in to systems that touch FCI/CUI: no shared logins, no unknown devices.

  2. 2. 3.1.2Access Control · FAR 52.204-21(b.1.ii)

    Limit system access to the types of transactions and functions that authorized users are permitted to execute.

    Users can only do what their role requires: a shop-floor user shouldn't be able to touch payroll or admin consoles.

  3. 3. 3.1.20Access Control · FAR 52.204-21(b.1.iii)

    Verify and control/limit connections to and use of external systems.

    You control which external systems (personal devices, partner networks, public cloud) may connect to yours, and verify their security before allowing use.

  4. 4. 3.1.22Access Control · FAR 52.204-21(b.1.iv)

    Control CUI posted or processed on publicly accessible systems.

    Nothing marked CUI (or FCI) gets posted to public sites: someone reviews/approves what goes on your website or social media.

  5. 5. 3.5.1Identification & Authentication · FAR 52.204-21(b.1.v)

    Identify system users, processes acting on behalf of users, and devices.

    Every user, process, and device has a unique identity: you can tell them apart before granting access.

  6. 6. 3.5.2Identification & Authentication · FAR 52.204-21(b.1.vi)

    Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

    Identities are verified (passwords/keys/certs) before access: device and user authentication actually enforced.

  7. 7. 3.8.3Media Protection · FAR 52.204-21(b.1.vii)

    Sanitize or destroy system media containing CUI before disposal or release for reuse.

    Drives/media with CUI (or FCI) are wiped or destroyed before disposal or reuse: proper sanitization, not just deleting files.

  8. 8. 3.10.1Physical Protection · FAR 52.204-21(b.1.viii)

    Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

    Physical access to systems and workspaces is limited to authorized people (locks, badges, keys, and a list of who's authorized).

  9. 9. 3.10.3Physical Protection · FAR 52.204-21(b.1.ix)

    Escort visitors and monitor visitor activity.

    Visitors are escorted and their activity monitored: no wandering guests.

  10. 10. 3.10.4Physical Protection · FAR 52.204-21(b.1.ix)

    Maintain audit logs of physical access.

    You keep physical access logs (visitor log, badge system records).

  11. 11. 3.10.5Physical Protection · FAR 52.204-21(b.1.ix)

    Control and manage physical access devices.

    Keys, badges, and fobs are inventoried and managed: you know who holds what.

  12. 12. 3.13.1System & Communications Protection · FAR 52.204-21(b.1.x)

    Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

    Communications at your network edge (and key internal boundaries) are monitored, controlled, and protected: a real firewall with rules you own, plus boundary protection for cloud.

  13. 13. 3.13.5System & Communications Protection · FAR 52.204-21(b.1.xi)

    Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

    Public-facing components (web server, mail edge) live in a DMZ/separate subnet: not inside the internal network with CUI.

  14. 14. 3.14.1System & Information Integrity · FAR 52.204-21(b.1.xii)

    Identify, report, and correct system flaws in a timely manner.

    You identify, report, and fix flaws promptly: a real patch cadence with deadlines, covering OS, apps, and firmware.

  15. 15. 3.14.2System & Information Integrity · FAR 52.204-21(b.1.xiii)

    Provide protection from malicious code at designated locations within organizational systems.

    Malware protection at designated points: endpoints, servers, email gateway.

  16. 16. 3.14.4System & Information Integrity · FAR 52.204-21(b.1.xiv)

    Update malicious code protection mechanisms when new releases are available.

    Malware protection updates itself (signatures/engine current everywhere).

  17. 17. 3.14.5System & Information Integrity · FAR 52.204-21(b.1.xv)

    Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

    Periodic full scans of systems and real-time scanning of files from external sources (downloads, USB, email).

Assess all 17 practices to generate your record

Level 1 is binary: every practice must be fully implemented. POA&Ms are not permitted.

How the Level 1 requirement works

Under the CMMC Program rule (32 CFR Part 170), contracts involving FCI carry a Level 1 requirement: an annual self-assessment of the 15 basic safeguarding requirements in FAR 52.204-21 (expressed as 17 CMMC practices), with results entered in SPRS and an annual affirmation of continuing compliance by your Affirming Official. There's no auditor and no certificate at Level 1, but the affirmation has teeth: it's a statement to the government that the False Claims Act reaches.

Level 1 is deliberately binary. A practice that's 90% done is NOT MET, and unlike Level 2 there is no POA&M mechanism. The rule expects these 17 basics to simply be in place. Most small contractors who fail on a first pass fail on the same few: media sanitization records (3.8.3), physical access logs (3.10.4), and flaw remediation cadence (3.14.1).

Scope before you assess

The assessment covers every asset that processes, stores, or transmits FCI. The smaller and cleaner that boundary, the easier every practice becomes: many shops shrink scope dramatically by keeping FCI inside one cloud tenant and off personal devices. Describe your scope in the field above, since it prints into your record, and it's the first thing anyone (customer, prime, or future assessor) will ask.

Frequently asked questions

Who needs CMMC Level 1?

Any contractor or subcontractor whose DoD contracts involve Federal Contract Information (FCI) but not CUI. That covers a huge share of the defense industrial base: machine shops, parts suppliers, services firms. If you handle CUI, you need Level 2 instead.

Is a third-party audit required for Level 1?

No. Level 1 is an annual self-assessment. You assess your implementation of the 17 practices, enter the result in SPRS, and a senior company official (the Affirming Official) affirms continuing compliance annually.

Can I use a POA&M for a practice I haven't finished?

No. POA&Ms are not permitted at CMMC Level 1. If even one of the 17 practices isn't fully implemented, you are NOT MET, so fix it, then re-assess. (This tool enforces that logic.)

What counts as FCI?

Information not intended for public release that is provided by or generated for the government under contract: drawings, specs, emails about the work, delivery schedules. Basically, if it's about the contract and isn't public, treat it as FCI.

What happens if I falsely affirm compliance?

Affirmations are enforceable under the False Claims Act, and DOJ's Civil Cyber-Fraud Initiative has already produced settlements against contractors for misrepresenting cybersecurity compliance. Assess honestly, because an accurate NOT MET with fast remediation beats a false MET every time.

Get the Level 1 evidence pack

A one-page evidence checklist per practice (what to screenshot, what to log, what to file) so next year's self-assessment takes an afternoon, not a week.

Email signup launches soon. Check back shortly.

No spam, unsubscribe anytime. We never see your assessment answers.

Sources: FAR 52.204-21; 32 CFR Part 170 (CMMC Program); DoD CMMC Level 1 Self-Assessment Guide. Not legal advice, and not an official DoD tool.