The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Level 1 Self-Assessment Checklist: All 15 Requirements, Step by Step

By the Defense Compliance Report Editorial Team (independent CMMC and DIB compliance research)
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

This article is educational and is not legal, contractual, or compliance advice. CMMC requirements vary by contract, scope, and CUI handling specifics. Consult a CMMC Registered Practitioner (RP/RPO) or qualified attorney before making compliance decisions.

If a Department of Defense (DoD) solicitation — or a prime contractor’s compliance email — just told you to complete a CMMC Level 1 self-assessment, and you came looking for a straight checklist, here’s the bottom line before you read another word.

CMMC Level 1 is an annual, pass/fail self-assessment for companies that handle Federal Contract Information (FCI), meaning information generated for or provided under a federal contract that isn’t meant for public release, but that do not handle Controlled Unclassified Information (CUI). The checklist is 15 basic safeguarding requirements, pulled verbatim from Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). You assess yourself: no CMMC Third-Party Assessment Organization (C3PAO) required, no government fee, no numeric score.

Once every applicable requirement is Met, your organization records a CMMC Status of Final Level 1 (Self) in the Supplier Performance Risk System (SPRS), and a senior official affirms — with their name and a signed electronic statement — that your organization is compliant. That affirmation is the step that trips most companies up.

Below: the full 15-requirement checklist with the evidence that proves each one, how to scope and submit it, what it actually costs (using DoD’s own numbers), and a clear read on whether you can do this yourself or should bring in help.

Verified against 32 CFR §170.15, FAR 52.204-21, the DoD CIO CMMC program, and the SPRS CMMC entry tutorial.

Start here: which version of “you” is this?

If this describes you | The correct path | Your next move
You handle FCI only, no CUI | CMMC Level 1 self-assessment | Work the 15-requirement checklist below, then prep your SPRS affirmation.
You handle CUI (marked CUI, controlled technical data, drawings, export-controlled info) | Almost certainly CMMC Level 2, not Level 1 | Stop. Don’t use Level 1 as your finish line. Rescope first.
You saw Level 1 named in a solicitation | You need a current Level 1 status in SPRS before award | Complete and affirm the self-assessment in SPRS now; eligibility can hinge on it.
You’re not sure what data you actually handle | Scope first, assess second | Map where FCI (and possibly CUI) lives before you check a single box.

First step, free: work the checklist on this page top to bottom; it doubles as your evidence worksheet. The single most expensive question is whether you’re really Level 1 or actually Level 2. If you’re not certain, settle that before you touch SPRS. Tell us your data type, scope, and timeline and we’ll match you with source-checked CMMC provider options for your actual level →


Does CMMC Level 1 actually apply to you — or is your contract really Level 2?

The deciding factor is your data, not your size. Level 1 is for organizations whose covered systems process, store, or transmit FCI only; the moment CUI enters the picture, your requirement jumps to at least Level 2, which maps to the 110 requirements in NIST SP 800-171 Revision 2 (32 CFR §170.14). Getting this wrong is the most expensive mistake at this stage, because Level 1 is a self-assessment and it’s easy to talk yourself into it — and then realize months later that CUI was in play the whole time.

FCI is information not intended for public release that the government provides to you, or that you generate for the government, to deliver a product or service: contract line items, delivery schedules, statements of work, purchase orders, RFI responses. It excludes information the government already publishes and simple transactional data such as payment processing (FAR 52.204-21). The full distinction is covered in our FCI vs. CUI guide.

CUI is a higher-impact category: the protected information types listed in the National Archives CUI Registry. On a DoD contract, CUI usually shows up as marked documents, controlled technical information, drawings and specifications from a prime, or anything tied to DFARS clause 252.204-7012 or NIST SP 800-171. Level 1 is not a lighter way to handle CUI. If you have CUI, Level 1 is the wrong level.

Level 1 rarely shows up out of nowhere — here’s how to read the signals:

What just landed in your inbox or solicitation | Where it shows up | Likely level | Verify before you act
FAR 52.204-21 (basic safeguarding) | Solicitation clause, prime flow-down | Level 1 (FCI only) | Confirm no CUI is in play
DFARS 252.204-7021 / 252.204-7025 | Solicitation provision and contract clause | The required level is stated in the solicitation | Read the level the contracting officer entered
DFARS 252.204-7012; “NIST SP 800-171” | Existing contract, prime requirement | Level 2 (CUI) | Don’t self-affirm Level 1
“CUI,” marked documents, controlled technical data | Drawings, specs, data deliverables | Level 2 (or higher) | Confirm CUI handling and scope
“Provide your SPRS status / CMMC UID” from a prime | Teaming or subcontract request | Whatever the prime’s flow-down requires | Ask the prime which level applies to your scope

Under DFARS clause 252.204-7021, a prime must flow CMMC requirements down to subcontractors and suppliers whose systems process, store, or transmit FCI or CUI, with commercially available off-the-shelf (COTS) items excepted.

A wrong-level guess costs months and real money. If there’s any chance CUI is in your environment, confirm your level before you touch SPRS. Tell us your data type, scope, and timeline and we’ll point you to the right level — including Level 2 readiness if that’s where you actually land → Or compare the tiers yourself on our CMMC Level 2 checklist.


What’s on the CMMC Level 1 self-assessment checklist?

The CMMC Level 1 self-assessment checklist is 15 basic safeguarding requirements from FAR 52.204-21, spread across six security domains: Access Control (4), Identification & Authentication (2), Media Protection (1), Physical Protection (2), System & Communications Protection (2), and System & Information Integrity (4). All 15 applicable requirements must be Met to claim a CMMC Status of Final Level 1 (Self). If you’ve seen the number “17” elsewhere, that’s an older count — see the reconciliation table below.

We pulled the requirement language directly from the eCFR text of FAR 52.204-21 and matched each one to its current CMMC practice identifier from the CMMC Assessment Guide – Level 1. The “evidence,” “common gap,” and “owner” columns are our editorial implementation guidance — practical examples, not a legal standard.

Each row lists the CMMC ID (and the NIST SP 800-171 control it maps to), the domain, what it requires in FAR 52.204-21 language, the evidence that proves it, the most common gap, and the likely owner.

  1. AC.L1-b.1.i / 3.1.1 (Access Control)
     Requires: Limit system access to authorized users, processes, and devices.
     Evidence: User roster, access-review records, onboarding/offboarding log, account export.
     Common gap: Former employees or shared “generic” logins still active.
     Owner: IT + HR

  2. AC.L1-b.1.ii / 3.1.2 (Access Control)
     Requires: Limit access to the transactions and functions users are permitted to perform.
     Evidence: Role/permission matrix, group memberships, local-admin list.
     Common gap: Everyone has admin “because it’s easier.”
     Owner: IT + app owners

  3. AC.L1-b.1.iii / 3.1.20 (Access Control)
     Requires: Verify and control/limit connections to and use of external systems.
     Evidence: VPN list, vendor remote-access records, firewall rules, sanctioned-SaaS/OAuth app list.
     Common gap: Forgotten vendor tools or unmanaged cloud apps.
     Owner: IT / security

  4. AC.L1-b.1.iv / 3.1.22 (Access Control)
     Requires: Control information posted or processed on publicly accessible systems.
     Evidence: Website review, public-repo check (e.g., GitHub), content-approval workflow.
     Common gap: Contract or customer info posted publicly or in a public repo.
     Owner: Contracts + marketing + IT

  5. IA.L1-b.1.v / 3.5.1 (Identification & Authentication)
     Requires: Identify users, processes, and devices.
     Evidence: Asset inventory, user-account list, service-account list, device list.
     Common gap: Unknown devices or anonymous shared accounts.
     Owner: IT

  6. IA.L1-b.1.vi / 3.5.2 (Identification & Authentication)
     Requires: Authenticate (verify) those identities before granting access.
     Evidence: Authentication/password policy, MFA or SSO settings, device-auth records.
     Common gap: Shared passwords; no MFA; unmanaged admin access.
     Owner: IT

  7. MP.L1-b.1.vii / 3.8.3 (Media Protection)
     Requires: Sanitize or destroy media containing FCI before disposal or reuse.
     Evidence: Wipe logs, destruction certificates, disposal SOP, device-retirement records.
     Common gap: Old drives/laptops tossed with no sanitization proof.
     Owner: IT + facilities

  8. PE.L1-b.1.viii / 3.10.1 (Physical Protection)
     Requires: Limit physical access to systems, equipment, and operating environments.
     Evidence: Badge/key list, server/network-closet access list, office lock procedure.
     Common gap: Network closet unlocked or open to all staff/visitors.
     Owner: Facilities + IT

  9. PE.L1-b.1.ix / 3.10.3, 3.10.4, 3.10.5 (Physical Protection)
     Requires: Escort visitors and monitor activity; keep physical-access logs; manage physical-access devices.
     Evidence: Visitor log, escort process, badge/key issuance log, access-device inventory.
     Common gap: Visitor log exists but isn’t used; old keys/badges never recovered.
     Owner: Facilities / front desk

  10. SC.L1-b.1.x / 3.13.1 (System & Communications Protection)
     Requires: Monitor, control, and protect communications at external and key internal boundaries.
     Evidence: Firewall config, router/AP inventory, network diagram, boundary rules.
     Common gap: Consumer-grade router with no maintained config or owner.
     Owner: IT / network

  11. SC.L1-b.1.xi / 3.13.5 (System & Communications Protection)
     Requires: Separate publicly accessible system components from internal networks.
     Evidence: Hosting diagram, DMZ/cloud architecture, website-hosting records.
     Common gap: Public website/server sits on the same flat internal network.
     Owner: IT / web

  12. SI.L1-b.1.xii / 3.14.1 (System & Information Integrity)
     Requires: Identify, report, and correct system flaws in a timely manner.
     Evidence: Patch policy, update logs, vulnerability tickets, remediation records.
     Common gap: Updates disabled; no patch owner; no proof patching happens.
     Owner: IT / security

  13. SI.L1-b.1.xiii / 3.14.2 (System & Information Integrity)
     Requires: Provide malicious-code protection at appropriate locations.
     Evidence: Antivirus/EDR console report, endpoint-coverage report, installed-agent inventory.
     Common gap: Some endpoints or servers have no malware protection.
     Owner: IT / security

  14. SI.L1-b.1.xiv / 3.14.4 (System & Information Integrity)
     Requires: Update malicious-code protection when new releases are available.
     Evidence: Signature/version update logs, console policy screenshots, last-update report.
     Common gap: Offline or neglected machines running stale signatures.
     Owner: IT / security

  15. SI.L1-b.1.xv / 3.14.5 (System & Information Integrity)
     Requires: Perform periodic scans, and real-time scans of files from external sources.
     Evidence: Scheduled-scan config, real-time protection setting, sample scan reports.
     Common gap: Protection installed but no scheduled or real-time scanning.
     Owner: IT / security

Print that, assign the owner column, and you have a working assessment plan. Work it top to bottom; the rows you can’t honestly check yet are your punch list. The honest read on this list: for most small contractors, the gaps aren’t exotic. They’re almost always the same handful: no multi-factor authentication on email, a former employee’s account nobody disabled, a network closet anyone can walk into, or antivirus that’s installed but never actually scanning.
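As an added example (not code from this page or from any CMMC or DoD source), here is the kind of cross-check a practitioner runs while filling in rows 1, 2, 5 and 6: it joins a constructed account export against a constructed HR roster and lists every finding that would keep a row from being marked Met. The field names, the account “kind” labels and the 90-day inactivity threshold are assumptions chosen for the example; Level 1 sets no such number, and a real export from your identity provider would need mapping onto these fields.

```python
"""Account-hygiene check for Level 1 rows AC.L1-b.1.i, AC.L1-b.1.ii,
IA.L1-b.1.v and IA.L1-b.1.vi.

Added example. Field names, the account "kind" labels and the 90-day
inactivity threshold are assumptions, not an IdP schema or a CMMC number.
All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    kind: str                     # "user", "shared", or "service" (assumed labels)
    owner: Optional[str]          # HR employee ID; None for shared/service accounts
    mfa_enrolled: bool
    is_admin: bool
    last_sign_in: Optional[date]  # None if the account never signed in interactively


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                   # "active" or "terminated"


def check_accounts(accounts, roster, as_of, stale_days=90):
    """Return (requirement_id, username, finding) for each enabled account
    condition that would stop its requirement from being marked Met."""
    people = {e.employee_id: e for e in roster}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is offboarding proof, not a gap
        interactive = a.kind in ("user", "shared")
        if a.kind == "shared":
            findings.append(("AC.L1-b.1.i", a.username, "shared/generic login still enabled"))
        if a.owner is not None:
            person = people.get(a.owner)
            if person is None:
                findings.append(("IA.L1-b.1.v", a.username, "no matching person in HR roster"))
            elif person.status == "terminated":
                findings.append(("AC.L1-b.1.i", a.username, "enabled account of a terminated employee"))
        if interactive and not a.mfa_enrolled:
            findings.append(("IA.L1-b.1.vi", a.username, "no MFA on an interactive account"))
        if interactive and (a.last_sign_in is None or (as_of - a.last_sign_in).days > stale_days):
            findings.append(("AC.L1-b.1.i", a.username, f"no sign-in within {stale_days} days"))
        if a.is_admin and a.kind != "user":
            findings.append(("AC.L1-b.1.ii", a.username, "admin rights on a shared/service account"))
    return findings


def requirements_blocked(findings):
    """Requirement IDs that cannot be marked Met until their findings are closed."""
    return sorted({req for req, _, _ in findings})


# Constructed sample export and roster (not real data).
AS_OF = date(2026, 3, 2)
ROSTER = [Employee("E100", "active"), Employee("E101", "terminated"), Employee("E102", "active")]
ACCOUNTS = [
    Account("jsmith", True, "user", "E100", True, False, AS_OF - timedelta(days=3)),
    Account("bjones", True, "user", "E101", False, False, AS_OF - timedelta(days=2)),
    Account("mlee", False, "user", "E101", True, False, AS_OF - timedelta(days=40)),
    Account("frontdesk", True, "shared", None, False, False, AS_OF - timedelta(days=1)),
    Account("svc-backup", True, "service", None, False, True, None),
    Account("contractor9", True, "user", "E999", True, False, AS_OF - timedelta(days=120)),
]

if __name__ == "__main__":
    results = check_accounts(ACCOUNTS, ROSTER, AS_OF)
    for req, user, why in results:
        print(f"{req:14} {user:12} {why}")
    print("rows blocked:", requirements_blocked(results))
```

The output is the punch list for those four rows: the terminated employee’s live account and the shared front-desk login block row 1, the admin service account blocks row 2, the account with no matching person blocks row 5, and every interactive account without MFA blocks row 6. Run it against the real export on the assessment date and keep the output with the export as evidence; re-run it after remediation and keep that too.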

Why some pages say “17 practices” (and which number to use)

Use 15 as your checklist count. Here’s the reconciliation we wish more pages spelled out:

What you’ll see online | What’s actually true
“CMMC Level 1 has 17 practices” | Current CMMC Level 1 is 15 requirements, mapped one-to-one to FAR 52.204-21(b)(1), items (i) through (xv).
“The DoD mapping shows 17” | Under NIST SP 800-171, the 15 FAR requirements expand to 17 controls, because the single physical-access requirement (item ix) splits into three NIST controls (escort visitors, access logs, manage access devices). The current Level 1 Assessment Guide (v2.13, September 2024) consolidated those into one requirement, PE.L1-b.1.ix, which is how 17 became 15.
“How many things am I tested against?” | 59 assessment objectives. Each requirement breaks into smaller, testable statements; to mark a requirement Met, every one of its objectives must be satisfied.

So the full picture is 15 requirements → 17 NIST controls → 59 assessment objectives. The checklist headline is 15.

A precision point worth getting right: Level 1’s requirements come from FAR 52.204-21, not from NIST SP 800-171. The self-assessment is conducted using the assessment objectives in NIST SP 800-171A (June 2018), mapped to those FAR requirements and applied to FCI. It’s Level 2 whose requirement set maps to NIST SP 800-171 Revision 2. NIST has since published Revision 3, but Revision 3 does not govern CMMC unless and until DoD amends the rule.

What “Met,” “Not Met,” and “N/A” mean

Level 1 findings come in three flavors. Met: the requirement is implemented and you can show evidence. Not Met: it isn’t implemented, or your evidence doesn’t hold up. Not Applicable (N/A): the requirement genuinely doesn’t apply to your scoped environment, and you’ve documented why. To reach Final Level 1 (Self), every applicable requirement must be Met or N/A, with no POA&M to carry an unfinished item. N/A is not a polite way to say “we didn’t get to it.”


What counts as real evidence before you mark a requirement “Met”?

Treat Level 1 as an evidence exercise, not a memory test. Acceptable proof includes policies, configuration exports, logs, inventories, screenshots, interview notes, and test results — but the evidence should be final, current, and tied to your scope before a senior official affirms compliance.

A standard to hold any Level 1 packet to — evidence should be:

The DoD assessment guide allows three methods for gathering proof: examine (review documents and configs), interview (talk to the people who do the work), and test (watch the control actually function). Most Level 1 requirements are satisfied by examine plus a quick interview.

Requirement area | Stronger evidence | Weak evidence
Access control | User export + access review + offboarding proof | “We only let employees in.”
Physical access | Badge/key list + visitor log + closet access list | “The office is locked.”
Malware protection | Console coverage report + update status | “We use antivirus.”
Flaw remediation | Patch policy + patch logs + tickets | “Windows updates are on.”
Public posting control | Documented website/public-repo review | “We don’t think anything’s public.”

One rule that catches people later: under the CMMC rule, you must retain your assessment records for six years following each assessment (32 CFR Part 170). If a contracting officer, a prime, or an authorized DoD reviewer ever asks you to back up your status, that packet is your defense. Build it to be found later.
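An added example, not from this page or any CMMC source: a hash-indexed manifest for the evidence packet, so that the packet can be found and checked for tampering years later and so that rows with no current evidence show up before anyone affirms. It assumes a naming convention chosen for the example (each evidence file name starts with the requirement ID followed by “__”), takes the file’s modification time as the collection date, and layers a 365-day freshness window and a six-year retention date on top of the rule; those windows are assumptions, not rule text. The sample files are constructed in a temporary folder.

```python
"""Hash-indexed evidence manifest for a Level 1 packet.

Added example, not from the page. Assumptions: evidence files are named
"<CMMC requirement ID>__<description>", a file's modification time is the
date the evidence was collected, evidence older than 365 days (or dated
after the status date) is stale, and records are kept six years.
"""
import hashlib
import json
import os
import tempfile
import time
from datetime import date
from pathlib import Path

LEVEL1_IDS = [
    "AC.L1-b.1.i", "AC.L1-b.1.ii", "AC.L1-b.1.iii", "AC.L1-b.1.iv",
    "IA.L1-b.1.v", "IA.L1-b.1.vi", "MP.L1-b.1.vii",
    "PE.L1-b.1.viii", "PE.L1-b.1.ix", "SC.L1-b.1.x", "SC.L1-b.1.xi",
    "SI.L1-b.1.xii", "SI.L1-b.1.xiii", "SI.L1-b.1.xiv", "SI.L1-b.1.xv",
]


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large exports and screenshots do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def retain_until(status_date: date, years: int = 6) -> date:
    """Retention end date; 29 February rolls to 28 February in a non-leap year."""
    try:
        return status_date.replace(year=status_date.year + years)
    except ValueError:
        return status_date.replace(year=status_date.year + years, day=28)


def build_manifest(evidence_dir: Path, status_date: date, max_age_days: int = 365) -> dict:
    """Index every file under evidence_dir with its hash, requirement and staleness."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        req_id, sep, _ = path.name.partition("__")
        collected = date.fromtimestamp(path.stat().st_mtime)
        age = (status_date - collected).days
        entries.append({
            "requirement": req_id if sep and req_id in LEVEL1_IDS else None,
            "file": path.relative_to(evidence_dir).as_posix(),
            "sha256": sha256_file(path),
            "collected": collected.isoformat(),
            # too old to show current state, or produced after the status date
            "stale": age > max_age_days or age < 0,
        })
    return {"status_date": status_date.isoformat(),
            "retain_until": retain_until(status_date).isoformat(),
            "entries": entries}


def coverage_gaps(manifest: dict, not_applicable=()) -> list:
    """Requirement IDs with no current, labelled evidence and no N/A justification."""
    covered = {e["requirement"] for e in manifest["entries"]
               if e["requirement"] and not e["stale"]}
    return [r for r in LEVEL1_IDS if r not in covered and r not in not_applicable]


def demo():
    """Build a constructed packet in a temp folder and report its gaps."""
    root = Path(tempfile.mkdtemp())
    (root / "AC.L1-b.1.i__user-export.csv").write_text("username,enabled\njsmith,true\n")
    (root / "IA.L1-b.1.vi__mfa-policy.txt").write_text("MFA required for all users\n")
    old = root / "SI.L1-b.1.xiii__av-coverage.txt"
    old.write_text("12 of 12 endpoints protected\n")
    os.utime(old, (time.time() - 400 * 86400,) * 2)   # collected 400 days ago
    (root / "notes.txt").write_text("unlabelled, so it proves nothing\n")
    manifest = build_manifest(root, date.today())
    return manifest, coverage_gaps(manifest)


if __name__ == "__main__":
    manifest, gaps = demo()
    print(json.dumps(manifest, indent=2))
    print("rows without current evidence:", gaps)
```

In the constructed packet only rows 1 and 6 are covered: the antivirus report is a year stale, and the unlabelled note counts for nothing, so the gap list is the punch list of thirteen rows still to evidence. Store the manifest alongside the packet; re-hashing the files against it later shows whether anything changed after the affirmation.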

You don’t need a vendor to start — you need a structured place to put the proof. Use the 15-requirement checklist above as your evidence worksheet: assign each row an owner, attach the evidence, and flag every gap before anyone signs in SPRS. If a row stays blank after a real look, that’s your signal to get a second set of eyes — and we’ll point you to the right kind, not a sales pitch →


How do you scope a Level 1 self-assessment without making it harder than it is?

Scope is where companies accidentally make Level 1 bigger, slower, and riskier than it needs to be. For Level 1, in scope means the people, technology, facilities, and External Service Providers (ESPs) that process, store, or transmit FCI (32 CFR §170.19). Everything that never touches FCI is out of scope — and keeping that boundary tight is the single biggest lever on your effort.

Where FCI lives | In scope for Level 1? | Who owns the evidence
Email and shared mailboxes | Yes, if FCI is sent/received there | IT
Cloud drives and collaboration tools | Yes, if FCI is stored/shared there | IT
Laptops and desktops | Yes, if used for FCI work | IT
Supplier/customer portals | Yes, if FCI moves through them | IT + contracts
Paper files | Yes, if they contain FCI | Facilities + records owner
Public website | Only the control that keeps FCI off it | Web + marketing
Your MSP’s remote access / hosting | Yes; ESPs touching the environment are in scope | IT + vendor manager
Specialized assets (IoT, OT, GFE, test equipment) | No; excluded from Level 1 scope | Documented, not assessed

Enterprise scope vs. enclave scope. You can assess your whole relevant environment (enterprise), or you can draw a smaller boundary around FCI (an enclave) and assess that. For many small shops, isolating FCI into a defined enclave shrinks the assessment dramatically. SPRS even asks you to record which approach you used.

Specialized assets are excluded. The Level 1 scoping rules carve out specialized assets: Internet of Things (IoT) and Industrial IoT devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Don’t burn time documenting your shop-floor machine controller as if it were an FCI workstation.

When you’ll need a fresh assessment. Routine operational changes are handled through your annual affirmation. But a significant architectural or boundary change, such as a major network expansion, a merger, or moving FCI into a new platform, can require a new assessment. Plan around that before you redesign your environment. See our full CMMC scoping guide for the asset-category framework.


How do you complete and submit your Level 1 self-assessment in SPRS?

You record Level 1 results in SPRS through the Procurement Integrated Enterprise Environment (PIEE), and then your Affirming Official files an electronic affirmation. The Level 1 entry includes your CMMC Level, the CMMC Status Date, your CMMC Assessment Scope, the associated Commercial and Government Entity (CAGE) code(s), and the compliance result (32 CFR §170.15(c)). Unlike Level 2, Level 1 has no numeric score— it’s a straight pass/fail compliance result.

SPRS field / step | What to enter
Add New CMMC Level 1 Self-Assessment | Start the record (requires the Cyber Vendor User role)
Assessment Date | Your CMMC Status Date
Scope | Enterprise or Enclave
Number of employees | For the scope this assessment covers
Compliant with FAR 52.204-21? | Yes or No
Included CAGE codes | Select from your CAGE hierarchy or paste a list
Affirmation | The Affirming Official reviews the statement, certifies, and affirms

Two things worth knowing. First, your record isn’t assigned a CMMC Unique Identifier (UID), the code you’ll later list in proposals under DFARS 252.204-7025, until the assessment is affirmed. Second, the status you end up with matters: answering “Yes” and completing affirmation gives the assessment the CMMC Status Type “Final Level 1 Self-Assessment,” while answering “No” records “No CMMC Status” (shown in red). The only status type visible to government personnel is “Final Level 1 Self-Assessment.”

Your SPRS pre-submit checklist

Who enters vs. who affirms. Your IT or security lead can do the data entry, then transfer the record to the Affirming Official by email. The affirmation is a separate, senior act; exactly what it commits the official to is covered next.


Who is the Affirming Official — and what are they actually signing?

The Affirming Official is not just clicking a box for the IT department. Under 32 CFR §170.22, the Affirming Official is a senior company representative responsible for ensuring the organization’s compliance with CMMC Program requirements, with the authority to affirm its continuing compliance, at the initial assessment and annually thereafter. It’s an executive accountability moment, not an administrative one.

An affirmation is a signed, dated compliance representation to the federal government. A knowingly inaccurate affirmation can expose the company — and, where individuals are implicated, the official personally — to civil liability under the False Claims Act (31 U.S.C. §§3729–3733) and criminal liability for false statements under 18 U.S.C. §1001. That’s the express purpose of the enforcement program described in the next section.

This page is information, not legal advice. Before your Affirming Official signs, have counsel review anything you’re unsure about.

Build an internal sign-off packet before affirming. Before your Affirming Official puts their name down, hand them: the scope statement, the asset list, the completed 15-row checklist, the evidence links, any N/A justifications, a list of remediated gaps, the assessment date, and a clear “all applicable requirements are Met or N/A” confirmation. If any of that is missing, the affirmation isn’t ready.


Can you use a POA&M or “pass with gaps” at Level 1?

No. CMMC Level 1 does not allow POA&Ms — to reach Final Level 1 (Self), every applicable requirement must be Met (32 CFR §170.21). A Plan of Action and Milestones is a documented “we’ll fix it by this date” plan; Level 2 permits limited ones with a 180-day closeout, but Level 1 permits none. If a safeguard isn’t met, you remediate first and affirm second.

Level 1 is the simplest and cheapest path in all of CMMC. You can legitimately do it yourself, often for little to no out-of-pocket cost, and we’re not going to pretend you need to buy something to pass. But that simplicity hides a sharp edge: because there’s no POA&M and no partial credit, the checklist matters most before you affirm, not after. There’s no safety net to catch a “mostly compliant” submission, and the affirmation carries the legal weight you just read about.

What to do with a Not Met item:

  1. Do not submit or affirm Final Level 1.
  2. Assign an owner and a remediation task.
  3. Implement the fix, then collect the evidence (after, not before).
  4. Re-check your scope — sometimes the cleanest fix is removing an asset from scope legitimately.
  5. Affirm only when every applicable requirement is Met or N/A.

The risk most checklists skip: false affirmations and the False Claims Act

A knowingly inaccurate SPRS affirmation can create liability under the False Claims Act (31 U.S.C. §§3729–3733), which carries treble (triple) damages and per-claim penalties. Because the affirmation is an explicit, signed compliance representation, it is a point contractors should treat with real care before submission. An explicit affirmation is a more direct False Claims Act predicate than the older “implied certification” theory.

The Department of Justice’s Civil Cyber-Fraud Initiative, launched in 2021, exists specifically to pursue contractors that misrepresent cybersecurity compliance or inflate their SPRS posture. DOJ’s FY2025 False Claims Act results included more than $52 million across nine cybersecurity-related settlements. The named cases are instructive:

Settlement | Amount | What it was about
Raytheon / RTX / Nightwing Group | $8.4 million | Alleged failure to implement required cybersecurity controls across 29 DoD contracts and subcontracts (2015–2021), including failure to develop a system security plan
Aerojet Rocketdyne | $9 million | Alleged misrepresentation of compliance with DoD cybersecurity requirements
MORSECORP | $4.6 million | Alleged failure to meet NIST SP 800-171 cybersecurity requirements on DoD contracts

Sources: DOJ Office of Public Affairs settlement releases and DOJ’s FY2025 False Claims Act report.

To be precise about scope: most publicized enforcement so far has involved Level 2 / NIST SP 800-171 controls, not Level 1. But the mechanism is identical. When your Affirming Official attests that all 15 Level 1 requirements are Met, that’s an explicit certification with the same legal architecture behind it. The exposure isn’t about which level you’re at; it’s about whether the statement is true.

This is context, not legal advice.

Because the SPRS affirmation is a signed compliance representation, some contractors choose an independent gap review before their Affirming Official submits. If that fits where you are, tell us your level, scope, and timeline and we’ll match you with readiness-focused provider categories — RPOs and managed providers that perform Level 1 reviews, separate from any formal assessment →


What does a CMMC Level 1 self-assessment cost, and how long does it take?

The self-assessment itself has no government fee and no third-party assessor bill — done internally, your only hard cost is staff time. DoD’s own rulemaking estimates the annual cost of a Level 1 self-assessment and affirmation at about $4,042 for an other-than-small entity and about $5,977 for a small entity (CMMC rulemaking cost analysis, 32 CFR Part 170). Those are burden estimates, not market quotes.

Cost component | What it is | Typical figure | The honest caveat
Government / assessor fee | Fee to self-assess | $0 | Level 1 is self-assessed: no C3PAO, no DoD fee.
DoD-estimated effort (other-than-small) | Annual assessment + affirmation burden | ~$4,042/yr | A burden estimate, not your remediation budget.
DoD-estimated effort (small entity) | Annual assessment + affirmation burden | ~$5,977/yr | DoD’s model estimates a higher burden for small entities.
Optional readiness/gap review | Outside eyes before you sign | Varies; get a scoped quote | Value is reducing the affirmation risk above.
Remediation | Closing gaps (MFA, antivirus, docs, network) | Near $0 to several thousand | Near $0 on Microsoft 365 Business Premium or Google Workspace with MFA; higher if starting from scratch.

Here’s what the DoD number deliberately leaves out, and why it matters. For Levels 1 and 2, DoD’s estimate covers only the assessment and affirmation effort. The rule assumes contractors have been meeting these basic safeguards since 2017, so it does not include the cost of closing gaps, buying tools, or replacing an under-equipped IT provider. Treat the DoD figure as a floor for how seriously to take the time involved, not as your budget. Your real number depends almost entirely on how far your current setup is from the 15 requirements. See our full CMMC Level 1 cost guide for the detailed breakdown.

Timeline, realistically:

For most FCI-only contractors, the right answer is do it yourself and keep your budget. If you’d rather have an RPO or a CMMC-focused managed provider review your evidence before your Affirming Official signs, tell us your scope and timeline and we’ll match you with source-checked readiness options →


Do you need a C3PAO, RPO, MSP, or consultant for Level 1?

You do not need a C3PAO for Level 1, and bringing in help does not turn Level 1 into a certification. A readiness consultant, RPO, MSP, MSSP, or virtual CISO can help you scope FCI, close gaps, and organize evidence — but the result stays your organization’s self-assessment and affirmation. A C3PAO is for formal Level 2 third-party assessments, not Level 1.

When doing it yourself is reasonable:

When outside help makes sense:

Provider category | What it does | Best fit for Level 1 when… | Not the right call when… | Ask before you hire
RPO / CMMC-focused MSP or MSSP | Scoping, gap remediation, evidence, ongoing management | You want hands-on help getting to a clean, defensible Met-on-all-15 | You only need a one-time sanity check and can self-serve | “Who on staff is a Registered Practitioner, and will you document our scope and evidence?”
CUI enclave / secure collaboration | Controlled environments for email/file sharing | You’ve discovered CUI and are heading to Level 2 | You’re truly FCI-only and your environment is simple | “Does this actually reduce my scope, and what does it inherit?”
GRC / compliance software | Evidence tracking, policy and control mapping | You want to organize and maintain proof over time | You think software alone equals compliance (it doesn’t) | “What’s automated vs. what still needs my people?”
C3PAO / assessment org | Formal third-party assessments | You’re pursuing Level 2 certification (not Level 1) | You only need Level 1 readiness; this is the wrong first call | “Are you keeping readiness and assessment appropriately separate?”

One independence point worth stating plainly: readiness/remediation help and formal assessment should stay separate. Cyber AB’s accreditation rules restrict a C3PAO from assessing an organization it recently provided consulting or implementation services to. For Level 1 that’s moot — there’s no third-party assessment — but it’s the habit to build before Level 2. For the full provider-category comparison, see CMMC provider categories and our who to hire first guide.


“CMMC Level 1 is in my solicitation” — what to do this week

If a DoD solicitation names a required CMMC level, you generally need a current CMMC status and affirmation in SPRS before award. Under DFARS 252.204-7025, the solicitation states the required level, and an offeror is not eligible for awardunless it has, for each in-scope system, a current CMMC status entered in SPRS at the required level and a current affirmation of continuous compliance. DoD contracting activities, including the Defense Logistics Agency (DLA), have begun building Level 1 SPRS requirements into procurement guidance.

Why now is real (not manufactured urgency): the phased rollout began with Phase 1, focused primarily on Level 1 and Level 2 self-assessments. DoD’s rulemaking estimates that roughly 63% of the Defense Industrial Base will fall under Level 1. For Level 1 specifically, the assessment type doesn’t change across phases; it’s a self-assessment the whole way. What changes is that more solicitations carry the clause.

Your this-week list:

  1. Confirm the contract is FCI-only (if CUI, you’re Level 2 — rescope).
  2. Identify every place FCI lives.
  3. Work the 15-requirement checklist above and capture evidence.
  4. Remediate any Not Met items.
  5. Record your status and affirmation in SPRS — before you’re counting on eligibility.

If you’re a subcontractor: a prime can require you to be Level 1 if you only handle FCI, and must require at least Level 2 if you handle CUI (32 CFR §170.23). If a prime just asked for your “SPRS status,” the checklist above is your fastest path to a clean answer, and if the deadline is tight, we can match you with readiness help that works on your timeline.


What we actually verified for this guide

We don’t expect you to take a checklist on faith — especially one where a wrong number could end up in a federal attestation. Here’s what we read and when.

On , we confirmed against primary sources:

Source | What it supports here
32 CFR Part 170 (§§170.14, 170.15, 170.19, 170.21, 170.22, 170.23) | The level model, Level 1 self-assessment and affirmation rules, no-POA&M rule, SPRS inputs, scoping, six-year record retention, and flow-down
FAR 52.204-21 (eCFR, verified June 2026) | The verbatim 15 basic safeguarding requirements
CMMC Assessment Guide – Level 1 | Self-assessment method, Met/Not Met/N/A, examine-interview-test, current practice IDs
SPRS CMMC entry tutorial | SPRS fields, scope choices, affirmation flow, status types, and government visibility
DFARS 252.204-7025 / 252.204-7021 | Required-level notice, before-award eligibility, CMMC UIDs, and flow-down
CMMC rulemaking cost analysis | The DoD per-entity cost estimates and what they exclude
DoD CIO CMMC program | The Level 1 structure summary and phase timing
DOJ Office of Public Affairs settlement releases | The named False Claims Act cybersecurity settlements

What this page does not claim. It’s information, not legal or contractual advice; talk to counsel before your Affirming Official signs. It is not a guarantee of award eligibility, and it does not certify or validate any contractor’s status. We are not affiliated with the DoD, the Cyber AB, or any U.S. government agency.

Next scheduled review: September 2026, or sooner if DoD, eCFR, or Acquisition.gov materially updates Level 1 rules, FAR clause language, or SPRS submission procedures.


CMMC Level 1 self-assessment FAQ

Is CMMC Level 1 self-assessed?

Yes. Level 1 is a self-assessment your organization performs and records in SPRS — no C3PAO is involved. You can use outside help, but the result is still your self-assessment (32 CFR §170.15).

How many requirements are in CMMC Level 1 — 15 or 17?

Use 15. The 15 come from FAR 52.204-21(b)(1), items (i)–(xv). The “17” you may see is the NIST control count (the physical-access requirement splits into three NIST controls); the current Level 1 Assessment Guide consolidated it back to 15.

Do I need a C3PAO for CMMC Level 1?

No. A C3PAO is for Level 2 third-party assessments. Level 1 is self-assessed (32 CFR §170.15). For the full certification process overview, see CMMC certification process.

Can I use a POA&M for CMMC Level 1?

No. Level 1 permits no Plan of Action and Milestones — every applicable requirement must be Met to reach Final Level 1 (Self) (32 CFR §170.21).

Do I need a System Security Plan (SSP) for CMMC Level 1?

An SSP is not required at Level 1 — that obligation begins at Level 2. An SSP is still smart practice for documenting your environment, but it is not one of the 15 Level 1 requirements.

What information goes into SPRS for Level 1?

At minimum: your CMMC Level, the CMMC Status Date, the CMMC Assessment Scope, the associated CAGE code(s), and the compliance result — followed by the Affirming Official’s affirmation (32 CFR §170.15(c)). Level 1 has no numeric score.

How long is a CMMC Level 1 status current?

One year. The self-assessment and affirmation must be renewed annually to keep your status current (32 CFR §170.15).

Does FAR 52.204-21 flow down to subcontractors?

Yes — when a subcontractor may have FCI residing in or transiting through its systems, the clause’s substance flows down, except for commercially available off-the-shelf (COTS) items (FAR 52.204-21).

What if I discover I have CUI while doing the checklist?

Stop and rescope before affirming. CUI puts you at CMMC Level 2, which maps to NIST SP 800-171 Rev. 2 — a Level 1 affirmation won’t cover it (32 CFR §170.16).

Is CMMC Level 1 a “certification”?

Not in the third-party sense. Level 1 produces a CMMC Status of Final Level 1 (Self) based on your own assessment and affirmation. Only Level 2 (via C3PAO) and Level 3 produce a third-party-issued Certificate of CMMC Status. See CMMC Level 1 vs. Level 2 for the full comparison.

When did Level 1 requirements start appearing in contracts?

Phase 1 began , when DFARS clause 252.204-7021 took effect and DoD began inserting Level 1 and Level 2 self-assessment requirements into new solicitations.


Keep going from here

► Need help deciding what type of CMMC provider you need?

If the checklist shows your Level 1 scope is simple and your gaps are minor, you can likely finish the self-assessment yourself — and you should. If it instead surfaced unclear FCI/CUI boundaries, unmanaged systems, missing evidence, or a solicitation deadline bearing down, your next step isn’t automatically a C3PAO. It’s identifying the right provider category for your level, scope, and timeline.

“Source-checked” means we verify provider-category fit and, where applicable, current Cyber AB Marketplace status. Compensation does not control our editorial analysis. See our editorial review process.

Find your CMMC path →

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or sponsored by the U.S. Department of Defense, the Cyber AB, CAICO, DCMA DIBCAC, NIST, SPRS, FedRAMP, or any U.S. Government agency. This article is editorial research and does not constitute legal, procurement, cybersecurity, or compliance advice. Verify all regulatory citations against the primary sources listed above before relying on them in a contract context. Last verified: . Editorial corrections policy: corrections.