The primary sources behind CMMC Level 1 and SPRS

The DoD's program rule. Defines the three CMMC levels, what each requires, how assessments work, and how affirmations are posted in SPRS. Effective December 16, 2024.

Applies to: Everyone subject to CMMC. The substantive 'what does each level mean' rule.

The contract-clause rule that puts CMMC into DoD solicitations. Adds DFARS 252.204-7021 in its final form. Begins landing in new solicitations November 10, 2025, on a phased rollout through November 10, 2028.

Applies to: Any DoD prime or subcontractor receiving a new solicitation in or after phase 1.

The 15 safeguarding requirements every CMMC Level 1 contractor must implement. These are not new — they have been in federal contracts since 2016. CMMC Level 1 is structurally the same controls plus an annual SPRS affirmation.

Applies to: Any federal contractor (DoD or civilian) handling Federal Contract Information (FCI) above the micro-purchase threshold.

Requires contractors handling Controlled Unclassified Information (CUI) to meet NIST SP 800-171 and report cyber incidents within 72 hours. This is the Level 2 trigger; if your contract has 7012, you are not a Level 1 contractor.

Applies to: DoD contractors handling CUI ('Covered Defense Information').

Requires contractors subject to 7012 to have a current Basic Assessment score (–203 to +110) posted in SPRS at award. This is the 0–110 'SPRS score' that primes ask about — it does not apply to Level 1 contractors.

Applies to: DoD contractors handling CUI.

The CMMC contract clause itself. Once present in a solicitation, the contractor must have the required CMMC level (1, 2, or 3) at award and maintain it throughout performance.

Applies to: Any DoD solicitation that includes the clause once Phase 1 rolls onto the contract type.

The DoD's official guide for determining what's in scope for a Level 1 self-assessment. Confirms the 15 safeguarding requirements count and explains how to draw the boundary around the systems that handle FCI. Mirrored on this site under DoD Distribution Statement A.

Applies to: Every CMMC Level 1 contractor.

The official walkthrough of every Level 1 practice with assessment objectives, examine/interview/test methods, and example evidence. This is the guide that splits some FAR requirements into multiple sub-practice IDs (hence the '17' you see in older articles — the regulatory count remains 15). Mirrored on this site under DoD Distribution Statement A.

Applies to: Every CMMC Level 1 contractor and assessor.

The DoD's top-level explainer of the CMMC model: the three levels, the 14 domains, and the full matrix of every practice across Levels 1, 2, and 3 with FAR / NIST source mappings. Useful for understanding where Level 1 sits in the larger model. Mirrored on this site under DoD Distribution Statement A.

Applies to: Every CMMC contractor — Level 1 contractors use the Level 1 column.

The 320 assessment objectives that map to the 110 NIST SP 800-171 controls. Defines what evidence satisfies each control. Anchor reference for any L2 assessment; L1 contractors only encounter the 59 objectives that map to the 15 FAR safeguarding requirements.

Applies to: Primarily Level 2. Referenced by Level 1 only where FAR-NIST overlap exists.

Federal criminal statute for false statements made to a federal agency. A SPRS affirmation is a statement to the federal government, signed by a senior official.

Applies to: The senior official who signs the SPRS affirmation, personally.

The civil statute the DOJ's Civil Cyber-Fraud Initiative uses to bring cybersecurity fraud cases. Treble damages plus per-claim penalties. Settlements 2022–2025 range from $1M to $9M+.

Applies to: Any federal contractor — including Level 1 self-attesters — who knowingly files a materially false SPRS affirmation.