CMMC LEVEL 1 COMPLIANCE SERVICES

CMMC Level 1 Compliance for DoD Contractors

Companies that handle Federal Contract Information (FCI) under a Department of Defense (DoD) prime or subcontract must meet Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements. Phase 1 began on November 10, 2025. From that date, DoD can require a current Supplier Performance Risk System (SPRS) self-assessment score as a condition of award. Many in-scope companies are still in the early stages of readiness.

63%+
Share of the Defense Industrial Base subject to CMMC Level 1 requirements, per DoD.
15
basic safeguarding requirements set by FAR 52.204-21. All 15 must be met before SPRS submission.
30%
Competitive rates. Volume discounts available for multi-entity engagements.
$0
Third-party assessors required at Level 1. The self-assessment is yours to complete and submit.
--- WHO THIS APPLIES TO

Supporting a DoD Contract Puts You in Scope

Level 1 covers any organization processing, storing, or transmitting FCI under a DoD prime or subcontract. Company size and supply chain position carry equal obligation. Subcontractors at every tier of the defense supply chain fall within scope.

CMMC Diagram
THE EXPOSURE

The Cost of Delayed Action

CMMC Level 1 is now a contract eligibility threshold. A current SPRS score preserves your bidding eligibility on covered contracts, limits legal exposure for your affirming official, and keeps remediation costs from compounding. 

contract-risk
SPRS Status Determines Award Eligibility

A current and accurate CMMC status in SPRS preserves your eligibility to bid on, renew, and exercise option periods on applicable DoD contracts.

Legal risk
False Attestations Carry Personal Liability

Your affirming official signs by name. That signature carries personal False Claims Act liability, separate from any corporate consequence. 

time-risk
Earlier Engagements Cost Less

Assessor capacity tightens as the deadline approaches. An engagement started now finishes with time and budget to spare. One started under deadline pressure delivers neither advantage.

THE METHODOLOGY

How DivIHN Runs Every Engagement

DivIHN is a CMMC Level 2 certified organization. Level 2-experienced practitioners lead every Level 1 engagement, from initial scoping through SPRS submission.

See the full process

SERVICE PATHS

Two Paths to the Same Outcome

guided-self-assessment
Guided Self-Assessment

We walk your team through all 15 requirements, reviews evidence, and prepares you to complete the self-assessment and SPRS submission in-house.

full-service
Full-Service

We manage the engagement end-to-end, from scoping and gap assessment through remediation support, documentation, and SPRS submission.

annual-renewal-support
Annual Renewal Support

DoD requires Level 1 affirmation every year. DivIHN tracks your renewal cycle and supports the annual reassessment, so every deadline stays on schedule. 

DELIVERABLES

What Every Engagement Delivers to You

gap-assessment-report
Gap Assessment Report

A full evaluation of your posture against all 15 FAR 52.204-21 requirements. Our team identifies every gap and prioritizes by remediation urgency. 

sprs-submission-package
SPRS Submission Package

Complete self-assessment scoring documentation and submission support for your affirming official. Our team covers every step of the SPRS process, from login access through the formal affirmation.

annual-affirmation-support
Annual Affirmation Support

Ongoing support for the annual reaffirmation requirement. We rescope when your environment changes mid-year and tracks renewal dates, so every affirmation stays current. 

BEYOND THE ENGAGEMENT

How We Stay Involved

scope-change-support
Scope Change Support

Contract scope shifts as systems expand and CUI enters the picture. We reassess your compliance posture and update your documentation accordingly.

affirmation-reminders
Affirmation Reminders

Annual affirmation runs on a fixed cycle. Our team tracks your renewal date and initiates the process with enough lead time to close cleanly before the deadline. 

advisory-access
Advisory Access

Compliance questions surface after every engagement, especially when a new solicitation appears or a prime requests proof of SPRS status. Our team stays accessible for follow-up at every stage.

Insights

Resources from DivIHN

Everything here helps you make a more informed decision about your next penetration test.

what-is-cmmc-do-you-need-it
Insights
What Is CMMC and Do You Need It?

Learn what CMMC is, who needs it, and how to determine if your business requires Level 1 compliance for DoD contracts.

mmc-level-selection-guide
Insights
CMMC Level 1 vs Level 2, Which Applies to You?

Learn the key differences between CMMC Level 1 and Level 2, understand FCI vs. CUI, and determine which CMMC level your DoD contract requires to avoid unnecessary costs or compliance risks.

cmmc-dod-subcontractors
Insights
What CMMC Means for DoD Subcontractors

Understand what CMMC means for DoD subcontractors, how compliance requirements flow down from prime contractors, who must comply, and the steps to determine your CMMC obligations.

COMPLIANCE

Evidence Your Auditor Accepts

CMMC Level 1 sits within a broader set of federal compliance requirements. Understanding how it connects to your existing contract frameworks clarifies your self-assessment scope, where new obligations begin, and which requirements apply as your scope grows.

Learn more about CMMC requirements 
 

CMMC Level 1

US Department of Defense requirement. Defense suppliers handling Federal Contract Information (FCI) self-assess annually against FAR 52.204-21 and submit results to SPRS. 

DFARS 252.204-7012

US Department of Defense requirement. Defense suppliers handling Federal Contract Information (FCI) self-assess annually against FAR 52.204-21 and submit results to SPRS. 

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement clause that triggers flow-down requirements from prime to subcontractor. Finding this clause in any contract confirms CMMC applicability.

FAR 52.204-21

The 15 basic safeguarding requirements that define Level 1. DoD requires full implementation of every requirement before SPRS submission.

NIST SP 800-171

The 110-requirement framework underlying CMMC Level 2. Contracts involving CUI or an expanding scope bring these requirements into play.

SPRS

The Supplier Performance Risk System where contractors submit self-assessment scores and senior official affirmations for DoD visibility and record. 

Case studies

Compliance Achieved Breached in Practice

Note: DivIHN anonymizes client details across all engagements shown. All outcomes reflect actual work.

LOGISTICS level_1
logistics-case-study
Freight Subcontractor, No IT Staff, 6 Weeks to Submission

A 22-person freight subcontractor with no dedicated IT staff completed their self-assessment and submitted their SPRS score in 6 weeks. We built the compliance documentation from scratch.

Started from zero. Submitted on time.
STAFFING level_1
staffing-case-study
Prime-Triggered Obligation, Resolved Before Recompete

A workforce solutions firm placing personnel on a DoD base engagement confirmed their CMMC obligation following a prime contractor audit. Our team completed the Full-Service engagement in 8 weeks, including affirming official designation and annual affirmation.

Prime-triggered. Fully resolved before recompeting.
PROFESSIONAL SERVICES level_1
professional-services-case-study
Three Prime Contracts, One Consolidated Engagement

A federal consulting firm operating under three separate prime contracts completed a multi-entity Level 1 engagement covering all three scopes simultaneously, qualifying for volume pricing and a single consolidated SPRS submission.

Three contracts. One engagement. One submission.
STAY COMPLIANT

Get Actionable Guidance Straight from CMMC Compliance Practitioners

Deadline reminders, compliance updates, and plain-language guides matched to your contract type and company size, direct from CMMC compliance practitioners.

I have read and agree to the Privacy Policy and Terms of Use.
Back
to Top