CMMC Level 1 Self-Assessment Guide: Step by Step

Exactly how to run a CMMC Level 1 self-assessment — scope your FCI, assess each of the 15 requirements, gather evidence, affirm, and post in SPRS. No third-party assessor required. Written for the small contractor doing this themselves.

Last updated May 29, 2026 · 8 minute read · Primary sources cited

The answer in 50 words

A CMMC Level 1 self-assessment is your own annual review confirming you meet the 15 FAR 52.204-21 safeguarding requirements for FCI. Scope your systems, assess each requirement MET or NOT MET against the NIST 800-171A objectives, collect evidence, document an SSP, have a senior official affirm, and post in SPRS. No third-party assessor required.

What a CMMC Level 1 self-assessment is

CMMC Level 1 is self-attested. Unlike Level 2 — which requires a third-party C3PAO assessment for most contracts — at Level 1 you assess your own organization against the 15 FAR 52.204-21 safeguarding requirements, a senior official affirms the result, and that affirmation is posted in the Supplier Performance Risk System (SPRS). The standard is binary: every requirement is MET or NOT MET, and all 15 must be MET to affirm.

This guide is the procedure. For the bigger picture — what CMMC Level 1 is, who needs it, and what it costs — start with the complete CMMC Level 1 guide.

The CMMC Level 1 self-assessment in 8 steps

  1. Step 1: Define your assessment scope (your FCI boundary)

     Identify every asset that processes, stores, or transmits Federal Contract Information (FCI): cloud tenants, endpoints, servers, accounts, and physical locations. Everything in scope must meet the 15 requirements. For most small contractors the scope is one Microsoft 365 or Google Workspace tenant, a handful of laptops, and one office.

  2. Step 2: Assess each of the 15 requirements against the NIST 800-171A objectives

     Work through FAR 52.204-21(b)(1)(i)–(xv). For each requirement, the CMMC Assessment Guide lists the NIST SP 800-171A assessment objectives [a]–[f] you must satisfy, using three methods: Examine (review documents and configurations), Interview (ask the people who do the work), and Test (observe the control working).

  3. Step 3: Mark each requirement MET or NOT MET

     CMMC Level 1 is binary. Every objective inside a requirement must be satisfied for the requirement to be MET. There is no partial credit, no numeric score, and — unlike Level 2 — no POA&M (Plan of Action & Milestones) is allowed. Any NOT MET requirement means you are not yet ready to affirm.

  4. Step 4: Collect and retain evidence for every requirement

     Save the proof that each control is implemented: MFA configuration screenshots, account/access lists, anti-malware status, patch reports, media-disposal logs, visitor logs. A written policy alone is not sufficient — evidence must show the control actually operating. Retain assessment records for at least six years.

  5. Step 5: Document results in a System Security Plan (SSP)

     Record, requirement by requirement, how your environment satisfies each safeguard. The SSP is the single artifact a prime, contracting officer, or DIBCAC reviewer will ask to see. It does not need to be long, but it must be specific to your environment.

  6. Step 6: Have a senior official affirm the result

     A senior company official (owner, CEO, or equivalent) signs the affirmation, attesting under 32 CFR § 170.22 that all 15 requirements are MET. This person is personally responsible for the accuracy of the affirmation — a false affirmation carries False Claims Act exposure.

  7. Step 7: Post the affirmation in SPRS

     Log into PIEE (piee.eb.mil), open the SPRS module, select the CMMC Level 1 self-assessment, enter your assessment date and CAGE code, and submit the affirmation. There is no government fee. Save the confirmation for your records.

  8. Step 8: Re-assess and re-affirm every 12 months

     The CMMC Level 1 self-assessment and senior-official affirmation must be renewed annually. Maintain your safeguards continuously, refresh evidence as systems change, and repeat the cycle before the prior affirmation expires.

Common self-assessment mistakes

  • Writing a policy but keeping no evidence. A policy document alone does not prove a control operates — save configuration screenshots, logs, and reports.
  • Treating Level 1 like it allows a POA&M. It does not. Every requirement must be fully MET before you affirm.
  • Scoping too broadly. Only systems that handle FCI are in scope. A clean boundary makes the assessment far simpler.
  • Letting the wrong person affirm. The affirmation must be signed by a senior official who accepts personal responsibility under 32 CFR § 170.22.
  • Forgetting it is annual. The self-assessment and affirmation must be renewed every 12 months.

CMMC Level 1 Self-Assessment: FAQ

What is a CMMC Level 1 self-assessment?

A CMMC Level 1 self-assessment is the contractor's own annual review confirming that it meets the 15 basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI). Unlike CMMC Level 2, Level 1 does not require a third-party (C3PAO) assessor — the contractor assesses itself, a senior official affirms the result, and the affirmation is posted in SPRS.

How do I do a CMMC self-assessment?

Define your FCI scope, assess each of the 15 requirements against the NIST SP 800-171A objectives using Examine/Interview/Test, mark each MET or NOT MET, collect evidence, document everything in a System Security Plan, have a senior official affirm the result, and post the affirmation in SPRS. The cycle repeats every 12 months.

Is a CMMC Level 1 self-assessment scored?

No. CMMC Level 1 is binary — every requirement is either MET or NOT MET, and all 15 must be MET to affirm. The numeric SPRS score from −203 to 110 applies only to CMMC Level 2 (the NIST SP 800-171 assessment). At Level 1 there is no score and no POA&M.

Can I use a POA&M for CMMC Level 1?

No. Plans of Action & Milestones are not permitted at CMMC Level 1. Every one of the 15 requirements must be fully implemented before a senior official can affirm. If any requirement is NOT MET, you are not eligible to affirm until it is remediated.

Who can sign the CMMC Level 1 affirmation?

A senior official of the company — typically the owner, CEO, or an equivalent executive — affirms the self-assessment in SPRS. Under 32 CFR § 170.22 that official is personally responsible for the accuracy of the affirmation.

How long must I keep CMMC self-assessment records?

Retain the records of each self-assessment and affirmation for at least six years from the date of submission. Keep your System Security Plan, evidence, and SPRS confirmation together so you can produce them if a prime or contracting officer asks.

How often is the CMMC Level 1 self-assessment required?

Annually. The self-assessment must be performed and the senior-official affirmation renewed in SPRS every 12 months. Each affirmation covers the most recent assessment cycle.

Don't want to self-assess alone?

Custodia runs the whole self-assessment with you — walks each of the 15 requirements, checks your evidence, drafts your SSP and affirmation memo, and gets you ready to post in SPRS. 7-day free trial, no credit card.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)