How to Complete Your CMMC Level 1 Self Assessment
Contributors
If you have confirmed that your business handles FCI and falls under CMMC Level 1, you are past the scope determination stage and ready to execute. This guide walks through the practical steps of completing your self-assessment: identifying what falls in scope, working through the 15 required practices, addressing the gaps you find, and submitting your affirmation to SPRS. Treat this as your working checklist rather than background reading, since each step below maps directly to an action you take before your submission deadline.
Step 1: Define Your Assessment Scope
Before you assess anything, define exactly which systems, networks, and devices fall within scope. Your Level 1 obligation covers only the environment that touches FCI, so start by mapping every system that stores, processes, or transmits that information: email accounts handling contract correspondence, file storage holding contract documents, and any device your staff uses to access those systems.
Exclude systems that never touch FCI from your assessment scope, since expanding scope unnecessarily adds assessment burden without adding protection where it matters. Once you have your system inventory, designate your senior official, the individual who signs the annual affirmation and holds accountability for your compliance status. This person does not need a technical background, but does need authority within your organization and a clear understanding of what the affirmation represents.
Step 2: Work Through the 15 Practices
The 15 Level 1 practices group into six operational domains. Access Control practices require you to limit system access to authorized users and processes, and to restrict connections to external systems unless specifically authorized. Identification and Authentication practices require you to verify the identity of users and devices before granting system access, typically through unique user accounts and passwords.
Media Protection practices require you to sanitize or destroy media containing FCI before disposal or reuse, covering everything from retired hard drives to printed documents. Physical Protection practices require you to limit physical access to your facilities and systems to authorized individuals, and to escort visitors and maintain access logs where FCI-handling equipment is present.
System and Communications Protection practices require you to monitor and control communications at your network boundaries, and to implement subnetworks for publicly accessible components where they exist. System and Information Integrity practices require you to identify, report, and correct system flaws in a timely manner, and to protect systems from malicious code through updated protections.
Work through each domain systematically rather than treating the 15 practices as an unordered list. Most businesses find it efficient to start with Access Control and Identification and Authentication, since these practices touch every other domain and often reveal gaps that affect your remaining assessment.
Step 3: Watch for These Common Gaps
A first-pass assessment against these practices commonly surfaces the same handful of gaps, regardless of industry. Antivirus and endpoint protection coverage frequently exists on some devices but not all, particularly on older machines or personal devices employees use to access company email.
Access control policy often exists informally, in practice, but not in writing, which creates a documentation gap even when the underlying behavior meets the requirement. Auditors and contracting officers expect a documented policy, not just consistent practice.
Removable media, USB drives in particular, often moves in and out of the organization without encryption or a sanitization procedure, creating exposure at the exact point where FCI most commonly leaves a controlled environment. Identifying these patterns early lets you address them before they become blockers in your final assessment pass.
Step 4: Submit Through SPRS
Once you have implemented and documented all 15 practices, you submit your self-assessment results through the Supplier Performance Risk System, or SPRS. Your senior official needs an active SPRS account, which requires a PIEE, Procurement Integrated Enterprise Environment, login tied to your organization's CAGE code.
Within SPRS, you enter your self-assessment score, a summary calculation based on how many of the 15 practices you have fully implemented, and your senior official signs the annual affirmation confirming the accuracy of that score. This affirmation carries legal weight; the official signing it takes on personal accountability for the accuracy of what you report.
Keep your supporting documentation, policies, system inventories, and remediation records, organized and accessible even after submission, since a contracting officer can request it at any point during your contract period.
Step 5: Maintain Your Status
Your SPRS affirmation does not close the process permanently. Level 1 requires annual renewal, so plan your internal review cycle to reassess your practices and refresh your affirmation every twelve months. If your scope changes mid-year, if you add a new system that touches FCI, or if your contract expands to include CUI, trigger a fresh assessment immediately rather than waiting for your annual date. Treating compliance as a continuous process, rather than a once-a-year event, keeps you consistently audit-ready and avoids a scramble when your renewal date arrives.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection