The CMMC Level 1 self-assessment checklist
All 15 safeguarding requirements from FAR 52.204-21, the rule behind CMMC Level 1, broken out into the 17 practice items CMMC Level 1 assesses and written in plain English. Walk through it with a pen, your IT person, or both. If you can honestly tick every box, you can record your self-assessment in SPRS, post the annual affirmation, and stay bid-ready.

- 15 requirements (17 checklist items)
- 6 control families
- 1 page: the annual SPRS affirmation

- 1. Read the "In plain English" explanation under each item.
- 2. Answer the "Quick test" question. If the honest answer is yes, tick the box.
- 3. Anything you can't tick is your punch list. Fix it, then come back.
- 4. When all 17 are ticked, log in to PIEE / SPRS and post your annual affirmation.
Access Control
Only let the right people in. To your systems, and to the data.
- 01 Limit access to authorized users (AC.L1-3.1.1)
  In plain English: Every person who can sign into a company computer or cloud account is a named, authorized employee or contractor. No shared logins. No 'admin / admin'.
  Quick test: Can you produce a list of every active user account and tie each one to a real person?
  FAR 52.204-21(b)(1)(i) · 3.1.1
- 02 Limit access to authorized functions (AC.L1-3.1.2)
  In plain English: People only get the permissions they need to do their job. The intern doesn't have admin. The bookkeeper doesn't have access to engineering files.
  Quick test: Are admin rights restricted to the people who actually need them?
  FAR 52.204-21(b)(1)(ii) · 3.1.2
- 03 Control external system connections (AC.L1-3.1.20)
  In plain English: You know which third-party services (Dropbox, personal Gmail, a vendor's portal) your team uses with company data, and you've approved them. Anything not on the list is off limits for contract data.
  Quick test: Do you have a written list of approved cloud apps and vendors?
  FAR 52.204-21(b)(1)(iii) · 3.1.20
- 04 Control public posting of information (AC.L1-3.1.22)
  In plain English: Before someone posts anything from a federal contract to the company website, LinkedIn, a conference talk, or a press release, somebody approves it.
  Quick test: Does a named person review and approve public posts that might touch federal contract info?
  FAR 52.204-21(b)(1)(iv) · 3.1.22
Identification & Authentication
Prove who you are before you get in.
- 05 Identify users and devices (IA.L1-3.5.1)
  In plain English: Every user has a unique username. Every company device is on a list. Nothing logs in anonymously.
  Quick test: Can you list every user and every device that has access to company systems?
  FAR 52.204-21(b)(1)(v) · 3.5.1
- 06 Authenticate users and devices (IA.L1-3.5.2)
  In plain English: Real passwords (not 'password123'), and ideally multi-factor authentication, before anyone gets in. Same for devices joining the network.
  Quick test: Is MFA on email, cloud apps, and remote access? Is there a real password policy?
  FAR 52.204-21(b)(1)(vi) · 3.5.2
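A quick way to get the evidence items 01, 02 and 05 ask for on a Windows machine, as an added example that is not part of the original checklist: the script below uses only the built-in local-account cmdlets, assumes Windows 10/11 and an elevated PowerShell session, and the list of "generic-looking" account names and the CSV path are assumptions you should adjust. If your accounts live in Active Directory or Entra ID, run the equivalent report there instead; a local listing only covers the machine it runs on.

```powershell
# Added example for checklist items 01, 02 and 05; not part of the original page.
# Assumes Windows 10/11 and an elevated PowerShell session. Uses only the built-in
# Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember).

# Assumption: names that suggest a shared or role login rather than a named person. Tune for your org.
$GenericNames = @('admin', 'administrator', 'guest', 'user', 'shared', 'reception', 'frontdesk', 'test', 'temp')

# Items 01 and 05: every enabled local account, with the fields you need to tie it to a person.
$Users = @(Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        Name            = $_.Name
        FullName        = $_.FullName              # should name a real person
        LastLogon       = $_.LastLogon
        PasswordExpires = $_.PasswordExpires       # empty means the password never expires
        LooksGeneric    = $GenericNames -contains $_.Name.ToLower()
    }
})

# Item 02: who actually holds admin rights on this machine (local, domain, Entra ID and Microsoft accounts).
$Admins = @(Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource)

# Build the punch list: anything listed here blocks ticking items 01 or 02.
$Findings = @()
$Findings += @($Users | Where-Object { $_.LooksGeneric } |
    ForEach-Object { "Generic or shared account is enabled: $($_.Name)" })
$Findings += @($Users | Where-Object { -not $_.FullName } |
    ForEach-Object { "Enabled account with no owner recorded in FullName: $($_.Name)" })
if ($Admins.Count -gt 2) {   # assumption: one break-glass admin plus one IT admin is the usual ceiling
    $Findings += "Local Administrators has $($Admins.Count) members; confirm each one needs it"
}

"== Enabled local accounts on $env:COMPUTERNAME =="
$Users  | Format-Table -AutoSize
"== Members of local Administrators =="
$Admins | Format-Table -AutoSize

# Keep the listing as evidence for the self-assessment (assumed path; change to suit).
$Users | Export-Csv -Path "$env:USERPROFILE\cmmc-l1-accounts.csv" -NoTypeInformation

if ($Findings.Count) { "== Punch list =="; $Findings }
else { "No local-account findings for items 01, 02 and 05 on $env:COMPUTERNAME." }
```

Run it on each workstation and keep the CSVs with your self-assessment notes. It does not answer item 06: whether MFA is enforced on email, cloud apps and remote access is a setting in those services, not on the laptop, so check it in each service's admin console.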
Media Protection
Wipe drives before you throw them out. Same with phones.
- 07 Sanitize media before disposal or reuse (MP.L1-3.8.3)
  In plain English: Old laptops, drives, USB sticks, phones, and even paper get wiped or shredded before they leave the building or are handed to someone else. You keep a log.
  Quick test: Do you have a record of what was destroyed or wiped, when, and by whom?
  FAR 52.204-21(b)(1)(vii) · 3.8.3
Physical Protection
Lock the office. Walk visitors. Watch the door.
- 08 Limit physical access (PE.L1-3.10.1)
  In plain English: Strangers can't walk into the area where federal contract work happens. Doors lock. Badges or keys are required.
  Quick test: Would a random person be stopped (locked door, badge, receptionist) before reaching your work area today?
  FAR 52.204-21(b)(1)(viii) · 3.10.1
- 09 Escort visitors (PE.L1-3.10.3)
  In plain English: When a visitor (vendor, family member, delivery driver, prospective client) comes into the work area, an employee is with them the whole time.
  Quick test: Are visitors escorted by an employee while in work areas?
  FAR 52.204-21(b)(1)(ix) · 3.10.3
- 10 Maintain audit logs of physical access (PE.L1-3.10.4)
  In plain English: You keep a visitor log: name, date, who they were here to see, time in, time out. A clipboard at the front desk counts.
  Quick test: Could you show 60 days of visitor entries on demand?
  FAR 52.204-21(b)(1)(ix) · 3.10.4
- 11 Control physical access devices (PE.L1-3.10.5)
  In plain English: Keys, badges, fobs, alarm codes: you know who has each one, and you collect them back (or change the code) when someone leaves the company.
  Quick test: When the last employee quit, did you get their keys and fobs back?
  FAR 52.204-21(b)(1)(ix) · 3.10.5
System & Communications Protection
Put a wall between you and the open internet.
- 12 Monitor and control the network boundary (SC.L1-3.13.1)
  In plain English: A firewall stands between your network and the public internet. Inbound traffic is blocked by default. You know what's coming in and going out.
  Quick test: Is there a firewall, on the router, in the cloud, or both, and is it actually turned on?
  FAR 52.204-21(b)(1)(x) · 3.13.1
- 13 Separate public-facing systems (SC.L1-3.13.5)
  In plain English: Your public website (or a guest Wi-Fi) is not on the same network as the laptop where you handle federal contract work.
  Quick test: Is the guest Wi-Fi separate from the work Wi-Fi? Is the marketing site on a different host than internal files?
  FAR 52.204-21(b)(1)(xi) · 3.13.5
System & Information Integrity
Patch known holes. Run antivirus. Pay attention to alerts.
- 14 Fix flaws in a timely manner (SI.L1-3.14.1)
  In plain English: Windows, macOS, your apps, and your firewall get updates installed in a reasonable timeframe. The clause says "timely" and sets no number; a common rule of thumb is within 30 days for most things, faster for critical security patches.
  Quick test: Are operating systems and apps set to auto-update? Are you actually rebooting when prompted?
  FAR 52.204-21(b)(1)(xii) · 3.14.1
- 15 Use malicious code protection (SI.L1-3.14.2)
  In plain English: Antivirus is installed and turned on, on every computer. Windows Defender counts. So does the built-in protection on a Mac.
  Quick test: If you opened every laptop right now, would each one show active antivirus protection?
  FAR 52.204-21(b)(1)(xiii) · 3.14.2
- 16 Update malicious code protection (SI.L1-3.14.4)
  In plain English: The antivirus updates its definitions automatically. Same for your firewall's threat lists. Nobody's running a 2018 signature file.
  Quick test: Are antivirus signatures updated within the last 7 days on every device?
  FAR 52.204-21(b)(1)(xiv) · 3.14.4
- 17 Run periodic scans (SI.L1-3.14.5)
  In plain English: A full-system antivirus scan runs on a schedule (weekly is fine for most). Real-time scanning is on by default for files you open or download.
  Quick test: Is there a recurring full scan scheduled, and does real-time protection say 'on'?
  FAR 52.204-21(b)(1)(xv) · 3.14.5
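For the items that can be checked on the machine itself (12, 14, 15, 16 and 17), here is an added PowerShell example, not from the original page, that turns each quick test into a pass/fail row and writes it to a CSV you can keep as self-assessment evidence. It assumes Windows 10/11 with Microsoft Defender Antivirus and Windows Defender Firewall, an elevated session, and the thresholds the checklist itself uses (7 days for signatures and full scans, 30 days for patches); the CSV path is an assumption.

```powershell
# Added example for checklist items 12, 14, 15, 16 and 17; not part of the original page.
# Assumes Windows 10/11 with Microsoft Defender Antivirus and Windows Defender Firewall,
# run in an elevated PowerShell session. macOS and third-party AV need their own checks.

$MaxSignatureAgeDays = 7    # item 16 threshold from the checklist
$MaxPatchGapDays     = 30   # item 14 rule of thumb from the checklist (not a number in the FAR clause)
$MaxFullScanAgeDays  = 7    # item 17: "weekly is fine for most"

$Results = [ordered]@{}

# Item 12: firewall on for the Domain, Private and Public profiles, and nobody has flipped inbound to Allow.
# DefaultInboundAction is NotConfigured, Allow or Block; NotConfigured means the built-in default (Block).
$Profiles = Get-NetFirewallProfile
$Results['12 Firewall enabled on every profile']   = @($Profiles | Where-Object { -not $_.Enabled }).Count -eq 0
$Results['12 No profile allows inbound by default'] = @($Profiles | Where-Object { $_.DefaultInboundAction -eq 'Allow' }).Count -eq 0

# Item 14: most recent Windows update within the window. Get-HotFix only reports Windows
# updates, so browsers, Office and firewall firmware still need a manual look.
$LastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$Results['14 Windows update installed in last 30 days'] =
    [bool]$LastPatch -and ((Get-Date) - $LastPatch.InstalledOn).TotalDays -le $MaxPatchGapDays

# Items 15-17: Defender enabled, signatures fresh, real-time protection on, full scan scheduled and actually run.
$Mp   = Get-MpComputerStatus
$Pref = Get-MpPreference
$Results['15 Antivirus enabled']                 = $Mp.AntivirusEnabled
$Results['16 Signatures updated in last 7 days'] = $Mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
$Results['17 Real-time protection on']           = $Mp.RealTimeProtectionEnabled
# ScanScheduleDay: 0 = every day, 1..7 = Sunday..Saturday, 8 = never.
$Results['17 Full scan is scheduled']            = $Pref.ScanScheduleDay -ne 8
$Results['17 Full scan ran in last 7 days']      =
    [bool]$Mp.FullScanEndTime -and ((Get-Date) - $Mp.FullScanEndTime).TotalDays -le $MaxFullScanAgeDays

# Turn the checks into evidence rows and a punch list.
$Report = foreach ($Entry in $Results.GetEnumerator()) {
    [pscustomobject]@{
        Host  = $env:COMPUTERNAME
        Check = $Entry.Key
        Pass  = [bool]$Entry.Value
        Date  = Get-Date -Format 'yyyy-MM-dd'
    }
}
$Report | Format-Table -AutoSize
# Assumed path: keep the CSV with your self-assessment notes for the annual affirmation.
$Report | Export-Csv -Path "$env:USERPROFILE\cmmc-l1-tech-checks.csv" -NoTypeInformation -Append

$Failed = @($Report | Where-Object { -not $_.Pass })
if ($Failed.Count) { "Punch list: $($Failed.Count) check(s) failed. Fix every row with Pass = False, then re-run." }
else { "All technical checks for items 12 and 14-17 pass on $env:COMPUTERNAME." }
```

A passing run covers only the machine it ran on and only the Windows side: the router or cloud firewall in item 12, non-Microsoft applications in item 14, and Macs in items 15-17 still need to be checked where they live. Item 13 (network separation) is a question about your network layout, not something a single endpoint can verify.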
When every box is ticked
You're ready to record your self-assessment and post the annual affirmation in SPRS. The affirmation is a one-page statement, filed through the Procurement Integrated Enterprise Environment (PIEE), that your business meets all 15 safeguarding requirements in FAR 52.204-21. That single act is what makes you bid-eligible on contracts that carry a CMMC Level 1 requirement.
- Log in to PIEE (piee.eb.mil)
- Open the SPRS module
- Enter your Level 1 self-assessment results and submit the annual affirmation
- Re-assess and re-affirm every 12 months thereafter