CMMC Level 1 Compliance for DoD Contractors
Companies that handle Federal Contract Information (FCI) under a Department of Defense (DoD) prime or subcontract must meet Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements. Phase 1 began on November 10, 2025. From that date, DoD can require a current Supplier Performance Risk System (SPRS) self-assessment score as a condition of award. Many in-scope companies are still in the early stages of readiness.
Supporting a DoD Contract Puts You in Scope
Level 1 covers any organization processing, storing, or transmitting FCI under a DoD prime or subcontract. Company size and supply chain position carry equal obligation. Subcontractors at every tier of the defense supply chain fall within scope.

The Cost of Delayed Action
CMMC Level 1 is now a contract eligibility threshold. A current SPRS score preserves your bidding eligibility on covered contracts, limits legal exposure for your affirming official, and keeps remediation costs from compounding.
A current and accurate CMMC status in SPRS preserves your eligibility to bid on, renew, and exercise option periods on applicable DoD contracts.
Your affirming official signs by name. That signature carries personal False Claims Act liability, separate from any corporate consequence.
Assessor capacity tightens as the deadline approaches. An engagement started now finishes with time and budget to spare. One started under deadline pressure delivers neither advantage.
How DivIHN Runs Every Engagement
DivIHN is a CMMC Level 2 certified organization. Level 2-experienced practitioners lead every Level 1 engagement, from initial scoping through SPRS submission.
Two Paths to the Same Outcome
We walk your team through all 15 requirements, reviews evidence, and prepares you to complete the self-assessment and SPRS submission in-house.
We manage the engagement end-to-end, from scoping and gap assessment through remediation support, documentation, and SPRS submission.
DoD requires Level 1 affirmation every year. DivIHN tracks your renewal cycle and supports the annual reassessment, so every deadline stays on schedule.
What Every Engagement Delivers to You
A full evaluation of your posture against all 15 FAR 52.204-21 requirements. Our team identifies every gap and prioritizes by remediation urgency.
Complete self-assessment scoring documentation and submission support for your affirming official. Our team covers every step of the SPRS process, from login access through the formal affirmation.
Ongoing support for the annual reaffirmation requirement. We rescope when your environment changes mid-year and tracks renewal dates, so every affirmation stays current.
How We Stay Involved
Contract scope shifts as systems expand and CUI enters the picture. We reassess your compliance posture and update your documentation accordingly.
Annual affirmation runs on a fixed cycle. Our team tracks your renewal date and initiates the process with enough lead time to close cleanly before the deadline.
Compliance questions surface after every engagement, especially when a new solicitation appears or a prime requests proof of SPRS status. Our team stays accessible for follow-up at every stage.
Resources from DivIHN
Everything here helps you make a more informed decision about your next penetration test.
Learn what CMMC is, who needs it, and how to determine if your business requires Level 1 compliance for DoD contracts.
Learn the key differences between CMMC Level 1 and Level 2, understand FCI vs. CUI, and determine which CMMC level your DoD contract requires to avoid unnecessary costs or compliance risks.
Understand what CMMC means for DoD subcontractors, how compliance requirements flow down from prime contractors, who must comply, and the steps to determine your CMMC obligations.
Evidence Your Auditor Accepts
CMMC Level 1 sits within a broader set of federal compliance requirements. Understanding how it connects to your existing contract frameworks clarifies your self-assessment scope, where new obligations begin, and which requirements apply as your scope grows.
US Department of Defense requirement. Defense suppliers handling Federal Contract Information (FCI) self-assess annually against FAR 52.204-21 and submit results to SPRS.
US Department of Defense requirement. Defense suppliers handling Federal Contract Information (FCI) self-assess annually against FAR 52.204-21 and submit results to SPRS.
The Defense Federal Acquisition Regulation Supplement clause that triggers flow-down requirements from prime to subcontractor. Finding this clause in any contract confirms CMMC applicability.
The 15 basic safeguarding requirements that define Level 1. DoD requires full implementation of every requirement before SPRS submission.
The 110-requirement framework underlying CMMC Level 2. Contracts involving CUI or an expanding scope bring these requirements into play.
The Supplier Performance Risk System where contractors submit self-assessment scores and senior official affirmations for DoD visibility and record.
Compliance Achieved Breached in Practice
Note: DivIHN anonymizes client details across all engagements shown. All outcomes reflect actual work.
A 22-person freight subcontractor with no dedicated IT staff completed their self-assessment and submitted their SPRS score in 6 weeks. We built the compliance documentation from scratch.
A workforce solutions firm placing personnel on a DoD base engagement confirmed their CMMC obligation following a prime contractor audit. Our team completed the Full-Service engagement in 8 weeks, including affirming official designation and annual affirmation.
A federal consulting firm operating under three separate prime contracts completed a multi-entity Level 1 engagement covering all three scopes simultaneously, qualifying for volume pricing and a single consolidated SPRS submission.
Get Actionable Guidance Straight from CMMC Compliance Practitioners
Deadline reminders, compliance updates, and plain-language guides matched to your contract type and company size, direct from CMMC compliance practitioners.