The answer in 50 words
A CMMC Level 1 self-assessment is your own annual review confirming you meet the 15 FAR 52.204-21 safeguarding requirements for FCI. Scope your systems, assess each requirement MET or NOT MET against the NIST 800-171A objectives, collect evidence, document an SSP, have a senior official affirm, and post in SPRS. No third-party assessor required.
What a CMMC Level 1 self-assessment is
CMMC Level 1 is self-attested. Unlike Level 2, which requires a third-party C3PAO assessment for most contracts, at Level 1 you assess your own organization against the 15 FAR 52.204-21 safeguarding requirements, a senior official affirms the result, and that affirmation is posted in the Supplier Performance Risk System (SPRS). The standard is binary: every requirement is MET or NOT MET, and all 15 must be MET to affirm.
This guide is the procedure. For the bigger picture, what CMMC Level 1 is, who needs it, and what it costs, start with the complete CMMC Level 1 guide.
The CMMC Level 1 self-assessment in 8 steps
- Step 1Define your assessment scope (your FCI boundary)
Identify every asset that processes, stores, or transmits Federal Contract Information (FCI): cloud tenants, endpoints, servers, accounts, and physical locations. Everything in scope must meet the 15 requirements. For most small contractors the scope is one Microsoft 365 or Google Workspace tenant, a handful of laptops, and one office.
Deep dive → - Step 2Assess each of the 15 requirements against the NIST 800-171A objectives
Work through FAR 52.204-21(b)(1)(i)-(xv). For each requirement, the CMMC Assessment Guide lists the lettered NIST SP 800-171A assessment objectives you must satisfy, [a] through as many as the requirement defines (up to [h] for boundary protection), using three methods: Examine (review documents/configs), Interview (ask the people who do the work), and Test (observe the control working).
Deep dive → - Step 3Mark each requirement MET or NOT MET
CMMC Level 1 is binary. Every objective inside a requirement must be satisfied for the requirement to be MET. There is no partial credit, no numeric score, and, unlike Level 2, no POA&M (Plan of Action & Milestones) is allowed. Any NOT MET requirement means you are not yet ready to affirm.
Deep dive → - Step 4Collect and retain evidence for every requirement
Save the proof that each control is implemented: MFA configuration screenshots, account/access lists, anti-malware status, patch reports, media-disposal logs, visitor logs. A written policy alone is not sufficient, evidence must show the control actually operating. 32 CFR 170.15(c)(2) requires you to retain the artifacts used as evidence for six (6) years from your CMMC Status Date.
Deep dive → - Step 5Document results in a System Security Plan (SSP)
Record, requirement by requirement, how your environment satisfies each safeguard. The SSP is the single artifact a prime, contracting officer, or DIBCAC reviewer will ask to see. It does not need to be long, but it must be specific to your environment.
Deep dive → - Step 6Have a senior official affirm the result
A senior company official (owner, CEO, or equivalent) signs the affirmation, attesting under 32 CFR § 170.22 that all 15 requirements are MET. This person is personally responsible for the accuracy of the affirmation, a false affirmation carries False Claims Act exposure.
Deep dive → - Step 7Post the affirmation in SPRS
Log into PIEE (piee.eb.mil), open the SPRS module, select the CMMC Level 1 self-assessment, enter your assessment date and CAGE code, and submit the affirmation. There is no government fee. Save the confirmation for your records.
Deep dive → - Step 8Re-assess and re-affirm every 12 months
The CMMC Level 1 self-assessment and senior-official affirmation must be renewed annually. Maintain your safeguards continuously, refresh evidence as systems change, and repeat the cycle before the prior affirmation expires.
Deep dive →
Common self-assessment mistakes
- Writing a policy but keeping no evidence. A policy document alone does not prove a control operates, save configuration screenshots, logs, and reports.
- Treating Level 1 like it allows a POA&M. It does not. Every requirement must be fully MET before you affirm.
- Scoping too broadly. Only systems that handle FCI are in scope. A clean boundary makes the assessment far simpler.
- Letting the wrong person affirm. The affirmation must be signed by a senior official who accepts personal responsibility under 32 CFR § 170.22.
- Forgetting it is annual. The self-assessment and affirmation must be renewed every 12 months.
CMMC Level 1 Self-Assessment: FAQ
What is a CMMC Level 1 self-assessment?
A CMMC Level 1 self-assessment is the contractor's own annual review confirming that it meets the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). Unlike CMMC Level 2, Level 1 does not require a third-party (C3PAO) assessor, the contractor assesses itself, a senior official affirms the result, and the affirmation is posted in SPRS.
How do I do a CMMC self-assessment?
Define your FCI scope, assess each of the 15 requirements against the NIST SP 800-171A objectives using Examine/Interview/Test, mark each MET or NOT MET, collect evidence, document everything in a System Security Plan, have a senior official affirm the result, and post the affirmation in SPRS. The cycle repeats every 12 months.
Is a CMMC Level 1 self-assessment scored?
No. CMMC Level 1 is binary, every requirement is either MET or NOT MET, and all 15 must be MET to affirm. The numeric SPRS score from −203 to 110 applies only to CMMC Level 2 (the NIST SP 800-171 assessment). At Level 1 there is no score and no POA&M.
Can I use a POA&M for CMMC Level 1?
No. Plans of Action & Milestones are not permitted at CMMC Level 1. Every one of the 15 requirements must be fully implemented before a senior official can affirm. If any requirement is NOT MET, you are not eligible to affirm until it is remediated.
Who can sign the CMMC Level 1 affirmation?
A senior official of the company, typically the owner, CEO, or an equivalent executive, affirms the self-assessment in SPRS. Under 32 CFR § 170.22 that official is personally responsible for the accuracy of the affirmation.
How long must I keep CMMC self-assessment records?
Six (6) years. 32 CFR 170.15(c)(2) says the artifacts used as evidence for the assessment must be retained for six (6) years from your CMMC Status Date, which is the date your results are submitted to SPRS. Keep your System Security Plan, evidence, and SPRS confirmation together so you can produce them if a prime or contracting officer asks.
How often is the CMMC Level 1 self-assessment required?
Annually. The self-assessment must be performed and the senior-official affirmation renewed in SPRS every 12 months. Each affirmation covers the most recent assessment cycle.
Don't want to self-assess alone?
Custodia runs the whole self-assessment with you, walks each of the 15 requirements, checks your evidence, drafts your SSP and affirmation memo, and gets you ready to post in SPRS. 7-day free trial, no credit card.