← Custodia

CMMC Level 1 Self-Assessment Guide: Step by Step

Exactly how to run a CMMC Level 1 self-assessment, scope your FCI, assess each of the 15 requirements, gather evidence, affirm, and post in SPRS. No third-party assessor required. Written for the small contractor doing this themselves.

Last updated May 29, 2026~8 minute readPrimary sources cited

The answer in 50 words

A CMMC Level 1 self-assessment is your own annual review confirming you meet the 15 FAR 52.204-21 safeguarding requirements for FCI. Scope your systems, assess each requirement MET or NOT MET against the NIST 800-171A objectives, collect evidence, document an SSP, have a senior official affirm, and post in SPRS. No third-party assessor required.

What a CMMC Level 1 self-assessment is

CMMC Level 1 is self-attested. Unlike Level 2, which requires a third-party C3PAO assessment for most contracts, at Level 1 you assess your own organization against the 15 FAR 52.204-21 safeguarding requirements, a senior official affirms the result, and that affirmation is posted in the Supplier Performance Risk System (SPRS). The standard is binary: every requirement is MET or NOT MET, and all 15 must be MET to affirm.

This guide is the procedure. For the bigger picture, what CMMC Level 1 is, who needs it, and what it costs, start with the complete CMMC Level 1 guide.

The CMMC Level 1 self-assessment in 8 steps

  1. Step 1
    Define your assessment scope (your FCI boundary)

    Identify every asset that processes, stores, or transmits Federal Contract Information (FCI): cloud tenants, endpoints, servers, accounts, and physical locations. Everything in scope must meet the 15 requirements. For most small contractors the scope is one Microsoft 365 or Google Workspace tenant, a handful of laptops, and one office.

    Deep dive →
  2. Step 2
    Assess each of the 15 requirements against the NIST 800-171A objectives

    Work through FAR 52.204-21(b)(1)(i)-(xv). For each requirement, the CMMC Assessment Guide lists the lettered NIST SP 800-171A assessment objectives you must satisfy, [a] through as many as the requirement defines (up to [h] for boundary protection), using three methods: Examine (review documents/configs), Interview (ask the people who do the work), and Test (observe the control working).

    Deep dive →
  3. Step 3
    Mark each requirement MET or NOT MET

    CMMC Level 1 is binary. Every objective inside a requirement must be satisfied for the requirement to be MET. There is no partial credit, no numeric score, and, unlike Level 2, no POA&M (Plan of Action & Milestones) is allowed. Any NOT MET requirement means you are not yet ready to affirm.

    Deep dive →
  4. Step 4
    Collect and retain evidence for every requirement

    Save the proof that each control is implemented: MFA configuration screenshots, account/access lists, anti-malware status, patch reports, media-disposal logs, visitor logs. A written policy alone is not sufficient, evidence must show the control actually operating. 32 CFR 170.15(c)(2) requires you to retain the artifacts used as evidence for six (6) years from your CMMC Status Date.

    Deep dive →
  5. Step 5
    Document results in a System Security Plan (SSP)

    Record, requirement by requirement, how your environment satisfies each safeguard. The SSP is the single artifact a prime, contracting officer, or DIBCAC reviewer will ask to see. It does not need to be long, but it must be specific to your environment.

    Deep dive →
  6. Step 6
    Have a senior official affirm the result

    A senior company official (owner, CEO, or equivalent) signs the affirmation, attesting under 32 CFR § 170.22 that all 15 requirements are MET. This person is personally responsible for the accuracy of the affirmation, a false affirmation carries False Claims Act exposure.

    Deep dive →
  7. Step 7
    Post the affirmation in SPRS

    Log into PIEE (piee.eb.mil), open the SPRS module, select the CMMC Level 1 self-assessment, enter your assessment date and CAGE code, and submit the affirmation. There is no government fee. Save the confirmation for your records.

    Deep dive →
  8. Step 8
    Re-assess and re-affirm every 12 months

    The CMMC Level 1 self-assessment and senior-official affirmation must be renewed annually. Maintain your safeguards continuously, refresh evidence as systems change, and repeat the cycle before the prior affirmation expires.

    Deep dive →

Common self-assessment mistakes

  • Writing a policy but keeping no evidence. A policy document alone does not prove a control operates, save configuration screenshots, logs, and reports.
  • Treating Level 1 like it allows a POA&M. It does not. Every requirement must be fully MET before you affirm.
  • Scoping too broadly. Only systems that handle FCI are in scope. A clean boundary makes the assessment far simpler.
  • Letting the wrong person affirm. The affirmation must be signed by a senior official who accepts personal responsibility under 32 CFR § 170.22.
  • Forgetting it is annual. The self-assessment and affirmation must be renewed every 12 months.

CMMC Level 1 Self-Assessment: FAQ

What is a CMMC Level 1 self-assessment?

A CMMC Level 1 self-assessment is the contractor's own annual review confirming that it meets the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). Unlike CMMC Level 2, Level 1 does not require a third-party (C3PAO) assessor, the contractor assesses itself, a senior official affirms the result, and the affirmation is posted in SPRS.

How do I do a CMMC self-assessment?

Define your FCI scope, assess each of the 15 requirements against the NIST SP 800-171A objectives using Examine/Interview/Test, mark each MET or NOT MET, collect evidence, document everything in a System Security Plan, have a senior official affirm the result, and post the affirmation in SPRS. The cycle repeats every 12 months.

Is a CMMC Level 1 self-assessment scored?

No. CMMC Level 1 is binary, every requirement is either MET or NOT MET, and all 15 must be MET to affirm. The numeric SPRS score from −203 to 110 applies only to CMMC Level 2 (the NIST SP 800-171 assessment). At Level 1 there is no score and no POA&M.

Can I use a POA&M for CMMC Level 1?

No. Plans of Action & Milestones are not permitted at CMMC Level 1. Every one of the 15 requirements must be fully implemented before a senior official can affirm. If any requirement is NOT MET, you are not eligible to affirm until it is remediated.

Who can sign the CMMC Level 1 affirmation?

A senior official of the company, typically the owner, CEO, or an equivalent executive, affirms the self-assessment in SPRS. Under 32 CFR § 170.22 that official is personally responsible for the accuracy of the affirmation.

How long must I keep CMMC self-assessment records?

Six (6) years. 32 CFR 170.15(c)(2) says the artifacts used as evidence for the assessment must be retained for six (6) years from your CMMC Status Date, which is the date your results are submitted to SPRS. Keep your System Security Plan, evidence, and SPRS confirmation together so you can produce them if a prime or contracting officer asks.

How often is the CMMC Level 1 self-assessment required?

Annually. The self-assessment must be performed and the senior-official affirmation renewed in SPRS every 12 months. Each affirmation covers the most recent assessment cycle.

Don't want to self-assess alone?

Custodia runs the whole self-assessment with you, walks each of the 15 requirements, checks your evidence, drafts your SSP and affirmation memo, and gets you ready to post in SPRS. 7-day free trial, no credit card.

Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)