The answer in 50 words
There is no third-party CMMC Level 1 certificate. Level 1 is satisfied by an annual self-assessment of the 15 FAR 52.204-21 requirements and a senior-official affirmation posted in SPRS. That affirmation — not a paper certificate — is your proof. Formal C3PAO certificates apply only to most CMMC Level 2 work.
Why people search for “CMMC Level 1 certification”
It is a reasonable thing to search — primes and contracting officers often ask contractors to “be CMMC certified.” But at Level 1 the word certification is misleading. There is no exam, no assessor visit, and no certificate issued by an outside body. Level 1 is self-assessed and self-affirmed. Your authoritative record of compliance is the senior-official affirmation posted in the Supplier Performance Risk System (SPRS).
That distinction matters: it means you can achieve Level 1 status on your own timeline, without paying a C3PAO assessment fee — the cost and gatekeeping that come with Level 2.
How to get “certified” at Level 1
- Step 1: Confirm Level 1 applies to you
Verify your contract includes FAR 52.204-21 and that you handle Federal Contract Information (FCI) but not CUI. If you handle CUI, you need Level 2, which does involve a third-party certificate.
- Step 2: Implement the 15 safeguarding requirements
Meet all 15 FAR 52.204-21 requirements. Most are configuration of tools you already use — MFA, anti-malware, access control, patching, media disposal, physical access.
- Step 3: Complete the annual self-assessment
Assess each requirement MET or NOT MET against the NIST 800-171A objectives, collect evidence, and document a System Security Plan. All 15 must be MET — no POA&M is allowed at Level 1.
- Step 4: Have a senior official affirm and post in SPRS
A senior official signs the affirmation, accepting personal responsibility under 32 CFR § 170.22, and posts it in SPRS through PIEE. That posted affirmation is your proof of Level 1 status — the closest thing to a 'certificate.'
- Step 5: Renew every 12 months
Re-assess and re-affirm annually. There is no certificate that sits on the wall for three years — Level 1 status is the current affirmation in SPRS, kept up to date each year.
CMMC Level 1 Certification: FAQ
Is there a CMMC Level 1 certificate?
No. CMMC Level 1 does not produce a third-party certificate. Level 1 is satisfied by an annual self-assessment and a senior-official affirmation posted in the Supplier Performance Risk System (SPRS). The posted affirmation — not a paper certificate — is your proof of compliance. A formal certificate from a C3PAO applies only to most CMMC Level 2 assessments.
How do I get CMMC Level 1 certified?
Implement the 15 FAR 52.204-21 safeguarding requirements, complete an annual self-assessment marking each requirement MET, document a System Security Plan, have a senior official affirm the result, and post that affirmation in SPRS. There is no exam and no outside assessor at Level 1 — you certify yourself.
Who issues CMMC Level 1 certification?
No one issues it — you self-affirm. Unlike Level 2, where a CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment, Level 1 is entirely self-assessed. Your senior official's affirmation in SPRS is the authoritative record that you meet the requirements.
How much does CMMC Level 1 certification cost?
There is no government fee to post the affirmation. Real costs are time and tooling: doing it yourself is $0 cash plus 20–40 hours; a consultant runs $6,000–$18,000; guided software like Custodia is $249/month with a 7-day free trial. Because Level 1 is self-assessed, you do not pay a C3PAO assessment fee.
How long is CMMC Level 1 certification valid?
The self-assessment and affirmation must be renewed every 12 months. There is no multi-year certificate at Level 1 — your status is the current annual affirmation in SPRS, which you refresh each year.
What's the difference between Level 1 and Level 2 certification?
Level 1 is self-assessed and self-affirmed annually for Federal Contract Information (FCI) — no certificate, no outside assessor. Level 2 covers Controlled Unclassified Information (CUI), requires meeting 110 NIST SP 800-171 controls, and for most contracts requires a C3PAO assessment that produces a formal certification valid for three years.
Get to a posted SPRS affirmation in a week
Custodia walks you through the 15 requirements, drafts your SSP and affirmation, and gets you ready to post in SPRS — the real proof of CMMC Level 1 status. 7-day free trial, no credit card.