
CMMC Level 1 Self Assessment Guide

The following article walks you through a step-by-step process for becoming CMMC Level 1 ready.

1. Define Your Assessment Scope

  • Identify where FCI resides (systems, devices, applications, cloud services).

  • Only systems that process, store, or transmit FCI are in scope.

  • Document this scoping decision clearly.

2. Understand the 15 Required Practices

Level 1 controls map to six cybersecurity domains: Access Control, Identification & Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.

Familiarize yourself with each requirement and what it means in practice.

3. Gather & Organize Documentation

You’ll need to collect evidence that can support your compliance claims. Examples include:

  • Policies and procedures

  • System configurations and network diagrams

  • Logs and screenshots

  • Training materials

  • Records of physical security controls

Documentation must be final and current (drafts do not count).

4. During the Self-Assessment

CMMC Level 1 uses three official assessment methods adapted from NIST SP 800-171A:

  • Examine - Review documents and other artifacts to confirm the requirement is implemented.

  • Interview - Talk with responsible employees to understand how security practices are actually followed.

  • Test - Where applicable, demonstrate that a control works (e.g., user account permissions, malware protection, boundary configurations).

For each requirement, determine whether the evidence meets all of the associated assessment objectives.

5. Determining Compliance

For each control, you must make one of these findings:

  • MET - All objectives satisfied with supporting evidence.

  • NOT MET - One or more objectives unable to be demonstrated as implemented.

  • NOT APPLICABLE - The control truly doesn’t apply (e.g., no public-facing systems).

To achieve Level 1 compliance, ALL applicable requirements must be MET or NOT APPLICABLE.

6. After the Assessment

Submit to SPRS

Your final step is submitting your Level 1 self-assessment results into the Supplier Performance Risk System (SPRS).

This submission includes:

  • Assessment date

  • Self-attestation of compliance

  • Any evidentiary statements necessary (if applicable)

7. Maintain Evidence & Records

Keep documentation in case of audits or DoD reviews. Records include:

  • Your self-assessment report

  • Supportive artifacts used in the assessment

  • Scope documentation

8. Recurring Requirements

Level 1 compliance involves an annual self-assessment and reaffirmation by a senior official. Stay proactive to avoid gaps.

Quick Preparation Checklist Recap:

☐ Scope defined and documented

☐ Controls mapped to requirements

☐ Evidence collected and organized

☐ Internal walkthrough completed (examine, interview, test)

☐ Draft self-assessment reviewed

☐ Final self-assessment submitted to SPRS
