The CMMC Level 1 Self-Assessment Checklist (Free, Printable PDF) — 2026

All 15 FAR 52.204-21 safeguarding requirements in plain English, in a free printable checklist. Walk through it with a pen, your IT person, or both — and post your SPRS affirmation when every box is ticked.

By David Fuentes · Compliance Officer, Custodia · May 13, 2026 · 7 min read

CMMC Level 1 is shorter than people expect. There are 15 safeguarding requirements — not 110, not 320 — and they come from a single regulation: FAR 52.204-21. Every Level 1 contractor in America has to self-attest to the same 15 items, then post a one-page affirmation in SPRS.

We built a free, printable version that turns each requirement into one paragraph of plain English plus a single question you can answer yes or no. If you can honestly tick every box, you're bid-ready.

TL;DR — what's in the checklist

  • All 15 requirements, grouped into the 6 NIST control families (Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity).
  • For each item: the regulation citation, a plain-English explanation, and a quick test question you can answer yes/no.
  • A signature block for your senior official to date and sign when you've completed it.
  • Print-optimized layout — fits on roughly 5 letter-size pages without cutting items in half.
  • Free, no email, no signup.

Download / print the checklist

Print-ready. Hit Cmd/Ctrl + P to save as a PDF. Branded, signed, and ready to keep on file.

How the checklist is built

The structure follows the same six NIST control families the DoD uses internally, but the language is rewritten so an owner of a 12-person shop can read it without a compliance translator. Every item has three layers:

  1. What the regulation says. The official requirement and citation (e.g. FAR 52.204-21(b)(1)(i)).
  2. What it actually means. The same idea, translated into one paragraph of normal English.
  3. A quick test. One question you can answer yes or no without consulting a lawyer. If yes, tick the box. If no, you've found a gap.

How to use it in one afternoon

1. Block off 3 hours and gather the right people

The decision-maker (owner, president, CEO) needs to be in the room. So does whoever runs your IT — an internal admin, an MSP rep, or the office manager if that's honestly who does it. Most items have an “ops” component and a “tech” component; you'll need both lenses.

2. Print it or use it on screen

The printable layout is designed for a pen-and-clipboard pass. If you'd rather, open it on a laptop and check things off digitally with a screenshot tool. Either works.

3. Walk it requirement by requirement

For each of the 15, read the “In plain English” paragraph aloud. Then answer the “Quick test” question. If you can honestly say yes, tick the box. If not, write the gap in the margin.

4. Total the gaps

Anything you couldn't tick is your punch list. Most small contractors finish with 2–5 gaps. Common ones: no formal visitor log, no documented vendor list, MFA missing on one cloud account, antivirus not turned on for one laptop.

5. Fix the gaps

Pick the easy ones first — turning on Windows Defender takes 30 seconds. Then the medium ones (writing down a vendor list, putting a clipboard at the front desk). Most punch lists get cleared in a focused week.

6. Sign and date

The senior official signs and dates the bottom of the checklist. Keep the signed copy on file — this is the evidence you'll show a prime, an auditor, or your future self.

After every box is ticked: file SPRS

The checklist is your internal evidence; the SPRS annual affirmation is the official government-facing artifact. You file it in PIEE (the Procurement Integrated Enterprise Environment) and it makes you bid-eligible.

We wrote a separate walkthrough on the SPRS submission process: SPRS Score Explained: What It Is and How to Post One.

Frequently asked questions

Is there an official CMMC Level 1 self-assessment checklist?

Yes. The 15 safeguarding requirements come directly from FAR 52.204-21(b)(1) and are mirrored in 32 CFR 170.14 Table 1. The DoD does not publish a single 'official' checklist PDF, but the requirements themselves are the checklist — every Level 1 contractor must self-attest to all 15. Custodia's printable version puts each one in plain English on a single page.

How long does a CMMC Level 1 self-assessment take?

For a small contractor (1-20 employees) with normal IT (modern operating systems, cloud email, antivirus, a firewall), the self-assessment itself takes 2-4 hours of walking through the 15 requirements. If you discover gaps, fixing them is what takes the time — usually one to two weeks of focused work.

Do I need to keep the checklist on file?

Yes. While you don't submit the checklist to the government, you do need to retain evidence that you performed the self-assessment. The SPRS affirmation in PIEE is the official artifact, but a completed checklist (signed and dated by a senior official) is the standard internal record auditors and primes ask to see.

Who has to sign the CMMC Level 1 self-assessment?

An 'affirming official' — a senior officer of the company who has the authority to bind it to the affirmation. For most small contractors, this is the CEO, owner, or president. The same person submits the annual affirmation in SPRS.

Is this checklist enough to satisfy a prime contractor?

For Level 1, yes. Primes flow down FAR 52.204-21 and ask their subs to attest that they meet the 15 safeguarding requirements. A completed checklist + a current SPRS affirmation is the standard package they expect. For Level 2 (CUI), the requirements are far broader and a checklist alone is not sufficient.

The CMMC Level 1 checklist on this page is a plain-English summary of FAR 52.204-21(b)(1) and 32 CFR 170.14 Table 1. It is not legal advice. The authoritative requirements live in the regulations themselves.
