CMMC Level 1 Self-Assessment and Affirmation Requirements
Effective: December 16, 2024
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
Who must comply
Any contractor or subcontractor whose covered information systems process, store, or transmit only FCI and not CUI.
What it requires
1. Conduct a self-assessment of the contractor's compliance with the 15 safeguarding requirements in FAR 52.204-21(b)(1) at least annually.
2. Score every assessment objective as MET or NOT MET — no partial credit, no numerical score, no Plan of Action and Milestones permitted.
3. Achieve MET on every objective to be considered CMMC Level 1 compliant.
4. Have a senior official with authority to bind the company affirm continued compliance in SPRS at least annually after the initial self-assessment.
Key points
- Level 1 is exclusively self-assessed — there is no C3PAO involvement at Level 1.
- Because POA&Ms are not allowed, every requirement must be fully implemented before the affirmation is posted.
Related clauses
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
FAR 52.204-21 requires every federal contractor that has Federal Contract Information (FCI) on its systems to implement 15 basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. It is the entire substantive content of CMMC Level 1.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
Read more in the Library
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- CMMC Level 1 Is Binary. There Is No Score. Here's What That Means.
Level 1 isn't graded on a curve. Every one of the 15 requirements has to be MET — or the whole assessment fails. Here's how the rule actually works, and why that's good news for small contractors.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026
CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.