How to Complete Your CMMC Level 1 Self Assessment

Contributors

Shantanoo Govilkar
Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions
Image
cmmc-level-1-self-assessment-guide

If you have confirmed that your business handles FCI and falls under CMMC Level 1, you are past the scope determination stage and ready to execute. This guide walks through the practical steps of completing your self-assessment: identifying what falls in scope, working through the 15 required practices, addressing the gaps you find, and submitting your affirmation to SPRS. Treat this as your working checklist rather than background reading, since each step below maps directly to an action you take before your submission deadline.

cmmc-level-1-scope-boundary

Step 1: Define Your Assessment Scope

Before you assess anything, define exactly which systems, networks, and devices fall within scope. Your Level 1 obligation covers only the environment that touches FCI, so start by mapping every system that stores, processes, or transmits that information: email accounts handling contract correspondence, file storage holding contract documents, and any device your staff uses to access those systems.

Exclude systems that never touch FCI from your assessment scope, since expanding scope unnecessarily adds assessment burden without adding protection where it matters. Once you have your system inventory, designate your senior official, the individual who signs the annual affirmation and holds accountability for your compliance status. This person does not need a technical background, but does need authority within your organization and a clear understanding of what the affirmation represents.

Step 2: Work Through the 15 Practices

The 15 Level 1 practices group into six operational domains. Access Control practices require you to limit system access to authorized users and processes, and to restrict connections to external systems unless specifically authorized. Identification and Authentication practices require you to verify the identity of users and devices before granting system access, typically through unique user accounts and passwords.

Media Protection practices require you to sanitize or destroy media containing FCI before disposal or reuse, covering everything from retired hard drives to printed documents. Physical Protection practices require you to limit physical access to your facilities and systems to authorized individuals, and to escort visitors and maintain access logs where FCI-handling equipment is present.

System and Communications Protection practices require you to monitor and control communications at your network boundaries, and to implement subnetworks for publicly accessible components where they exist. System and Information Integrity practices require you to identify, report, and correct system flaws in a timely manner, and to protect systems from malicious code through updated protections.

Work through each domain systematically rather than treating the 15 practices as an unordered list. Most businesses find it efficient to start with Access Control and Identification and Authentication, since these practices touch every other domain and often reveal gaps that affect your remaining assessment.

Step 3: Watch for These Common Gaps

A first-pass assessment against these practices commonly surfaces the same handful of gaps, regardless of industry. Antivirus and endpoint protection coverage frequently exists on some devices but not all, particularly on older machines or personal devices employees use to access company email.

Access control policy often exists informally, in practice, but not in writing, which creates a documentation gap even when the underlying behavior meets the requirement. Auditors and contracting officers expect a documented policy, not just consistent practice.

Removable media, USB drives in particular, often moves in and out of the organization without encryption or a sanitization procedure, creating exposure at the exact point where FCI most commonly leaves a controlled environment. Identifying these patterns early lets you address them before they become blockers in your final assessment pass.

Step 4: Submit Through SPRS

Once you have implemented and documented all 15 practices, you submit your self-assessment results through the Supplier Performance Risk System, or SPRS. Your senior official needs an active SPRS account, which requires a PIEE, Procurement Integrated Enterprise Environment, login tied to your organization's CAGE code.

Within SPRS, you enter your self-assessment score, a summary calculation based on how many of the 15 practices you have fully implemented, and your senior official signs the annual affirmation confirming the accuracy of that score. This affirmation carries legal weight; the official signing it takes on personal accountability for the accuracy of what you report.

Keep your supporting documentation, policies, system inventories, and remediation records, organized and accessible even after submission, since a contracting officer can request it at any point during your contract period.

Step 5: Maintain Your Status

Your SPRS affirmation does not close the process permanently. Level 1 requires annual renewal, so plan your internal review cycle to reassess your practices and refresh your affirmation every twelve months. If your scope changes mid-year, if you add a new system that touches FCI, or if your contract expands to include CUI, trigger a fresh assessment immediately rather than waiting for your annual date. Treating compliance as a continuous process, rather than a once-a-year event, keeps you consistently audit-ready and avoids a scramble when your renewal date arrives. 

Get the latest insights straight from our desk to your inbox.

Other Featured Articles

Explore More
what-is-cmmc-do-you-need-it

What Is CMMC and Do You Need It?

Learn what CMMC is, who needs it, and how to determine if your business requires Level 1 compliance for DoD contracts.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
mmc-level-selection-guide

CMMC Level 1 vs Level 2, Which Applies to You?

Learn the key differences between CMMC Level 1 and Level 2, understand FCI vs. CUI, and determine which CMMC level your DoD contract requires to avoid unnecessary costs or compliance risks.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-dod-subcontractors

What CMMC Means for DoD Subcontractors

Understand what CMMC means for DoD subcontractors, how compliance requirements flow down from prime contractors, who must comply, and the steps to determine your CMMC obligations.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-level-1-self-assessment-guide

How to Complete Your CMMC Level 1 Self Assessment

Complete CMMC Level 1 self-assessment guide: define scope, work through 15 practices, fix common gaps, and submit your SPRS affirmation.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-october-2026-deadline

The October 2026 CMMC Deadline: What Happens If You Miss It 

Prepare for the October 2026 CMMC deadline. Learn how compliance affects DoD contract eligibility, SPRS affirmations, renewals, and subcontractors.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Entry-Point

Operational Technology (OT) Penetration Testing Guide for Ransomware Defense

Ransomware doesn't need to breach your control room it needs to get close enough that you can't trust it hasn't.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-510K-and-PMA-Cybersecurity-Testing

A Medical Device Maker's Guide to FDA Cybersecurity Testing for 510(k) & PMA

The FDA doesn't publish a pen testing checklist, but its guidance, 524B requirements, and reviewer expectations add up to one.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Pharma-Pen-Testing-FDA-Complianc

Pharma Pen Testing: Why FDA and IP Risk Need Different Scoping

Standard pen test scoping frameworks weren't built for pharma.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-524B-Medical-Device-Cybersecurity-Testing

FDA 524B Is Here: What Medical Device Makers Must Test Now

Section 524B made medical device cybersecurity a legal requirement, not a guideline.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
CMMC-2-0-Pen-Testing-Requirements

Why CHIPS Act Manufacturers Can't Rely on CMMC Pen Testing Alone

Semiconductor manufacturers face dual compliance obligations under CMMC 2.0 and the CHIPS Act and a standard pen test satisfies neither fully.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
C3PAO-Audit-Evidence-Mapping

Why Pen Test Evidence Fails C3PAO Assessments (and How to Fix It)

Completing a pen test isn't enough for CMMC.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
PTaaS-vs-Annual-Pen-Testing

PTaaS vs. Annual Pen Testing: Why Manufacturers Are Switching

Annual penetration testing produces documentation, not security.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Map-OT-Attack-Surface

Map Your OT Attack Surface Before the Next Audit

Don't wait for an auditor to tell you what you missed.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Scope-IT-OT-Penetration-Testing

How to Scope IT-OT Penetration Testing Safely

Learn how to safely scope IT-OT penetration testing engagements.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Manufacturing-Penetration-Testing-Frequency

How Often Should Manufacturers Run OT Penetration Testing?

Annual pen testing fits a budget cycle but it doesn't reflect how fast manufacturing environments actually change.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
21-CFR-Part-11-and-cGMP-Requirements

Pharmaceutical Pen Testing: What 21 CFR Part 11 and cGMP Require

21 CFR Part 11 and cGMP don't mention penetration testing but the controls they require depend on it.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
RD-and-Regulated-Systems-Penetration-Testing-Scopes

Pharmaceutical Pen Testing: Why R&D and GxP Need Different Scopes

R&D and GxP regulated environments have different risk profiles, compliance requirements, and testing constraints.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Nation-State-Cyber-Threats-in-Pharma

Why Pharmaceutical Pen Testing Must Address Nation-State Threats

Nation-state actors treat pharma like critical infrastructure targeting formulation data, synthesis routes, and clinical IP with patience and precision.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Risk

How Ransomware Crosses the IT-OT Boundary (And How to Stop It)

Ransomware operators target the IT-OT boundary deliberately and they know manufacturing economics well.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Where-Industry-4-0-Exposed-OT

Where Industry 4.0 Left Your OT Attack Surface Wide Open

Industry 4.0 connected OT environments were never built for. Learn why traditional IT security tools fall short and what OT penetration testing reveals that audits miss.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
What-AS4-Actually-Solves-Banner-Image

What AS4 Actually Solves: Real Outcomes Companies See After Migration

Discover what AS4 actually solves for modern businesses. Learn the real outcomes companies achieve after migration, from stronger security to better B2B integration performance.

 

EDI Solutions Group
Marketing Group view
AS4-migration-pitfalls-Banner-image

7 Migration Pitfalls That Derail AS4 Upgrades (and How to Avoid Them)

Avoid costly AS4 upgrade mistakes. Discover 7 migration pitfalls that delay projects, create risk, and disrupt B2B messaging, plus practical ways to avoid them.

EDI Solutions Group
Marketing Group view
pen-testing-in-cloud-enviroment-banner-image

How to Perform Penetration Testing in Cloud Environments (AWS, Azure, and GCP) - 2026 Edition

A practical guide to cloud penetration testing across AWS, Azure, and GCP. Learn methods, tools, and best practices to identify vulnerabilities and improve security.

Cybersecurity Solutions Group
Marketing Group view
when-to-switch-legacy-edi-to-as4

5 Signs It's Time to Move Legacy EDI Environment to AS4 Protocol

Partner onboarding delays, compliance gaps, and rising maintenance costs are signals your EDI infrastructure is reaching its limits. Learn the five signs it is time to evaluate a move to AS4.

EDI Solutions Group
Marketing Group view
How-to-Design-Custom-Chatbots-Banner-Image

How to Design Custom Chatbots That Cannot “Make Stuff Up”

Confident AI answers without traceable sources create institutional risk. Learn how Grounded RAG architecture retrieves real documents first and attaches verifiable citations to every response.

Data and AI Solutions Group
Marketing Group view
Conversational-AI-blog-banner

How Citation-Backed Conversational AI Improves Public Access and Internal Decision-Making

AI without source citations creates real liability. Learn how citation-backed AI brings traceable sources, version awareness, and audit-ready outputs to every institutional decision.

Data and AI Solutions Group
Marketing Group view
Network-penetration-testion-blog-banner

How to Perform a Successful Network Penetration Test: Comprehensive Guide for 2025

Learn how to perform a successful network penetration test to identify vulnerabilities, simulate real cyberattacks, and strengthen your organization’s network security.

Cybersecurity Solutions Group
Marketing Group view
Penetration-testing-banner-image

What Is Penetration Testing? A 2026 Expert Guide

A 2026 expert guide to penetration testing for security leaders and IT teams seeking proactive defense, compliance, and stakeholder trust.

Cybersecurity Solutions Group
Marketing Group view
ot-ransomware-prevention-banner-image

OT Ransomware Prevention: Practical Best Practices for Industrial Cybersecurity

Explore enterprise grade OT ransomware prevention strategies, including segmentation, identity control, threat informed detection, and resilient recovery design to protect industrial operations fro

Cybersecurity Solutions Group
Marketing Group view
OT-Ransomware-Risks-and-Response-Banner

10 Myths About OT/ICS Security That Put Your Business at Risk

Think your OT network is secure? Learn the 10 most dangerous myths about OT and ICS cybersecurity that leave industrial operations exposed to attacks.

Cybersecurity Solutions Group
Marketing Group view
OT-ransomeware-risk-and-responses-banner-image

OT Ransomware Risks and Response for Industrial Systems

Learn why OT environments face higher ransomware risk, how attackers gain access, and how effective detection and response reduce operational impact.

Cybersecurity Solutions Group
Marketing Group view
AI-Risk-Assessment-Best-Practices-Banner

AI Risk Assessment: Risk Types, Best Practices & More

Explore AI risk types, essential assessment frameworks, and proven best practices to mitigate threats in AI deployment. Learn actionable strategies for secure AI systems today.

Cybersecurity Solutions Group
Marketing Group view
AI Risk Assessment Banner Image

AI Risk Assessment: Everything You Need to Know

Learn essential processes, methodologies, risk types, regulatory requirements, and practical implementation strategies for safe AI deployment.

Cybersecurity Solutions Group
Marketing Group view
Whitepaper: Ransomware Threat Management

Whitepaper: Ransomware Threat Management

Ransomware continues to be a real threat to business operations across all industries, no organization is safe from this threat.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Cybersecurity Incident Response Preparedness

Cybersecurity Incident Response Preparedness

An incident response framework provides a structure to support incident response operations. A framework typically provides guidance on what needs to be done, but not on how it is done.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Internet of Things

IoT Medical Device Cybersecurity

Healthcare data and medical devices would be aggressively targeted by ransomware attacks since early 2017 has proven to be true

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Back
to Top