CMMC Self-Assessment Guide Level 1

If you’re working toward CMMC Level 1, you’re likely trying to answer a straightforward question:

What does a compliant self-assessment actually look like in practice?

Level 1 is often described as “basic cyber hygiene,” but that description undersells what the Department of Defense expects. Even at Level 1, your organization must demonstrate that required practices are implemented, consistently followed, and supported by evidence.

This guide walks through how to perform a disciplined, defensible self-assessment — not just a checklist exercise.


What Is a CMMC Level 1 Self-Assessment?

A CMMC Level 1 self-assessment is an internal evaluation of whether your organization meets the 17 required practices aligned with FAR 52.204-21.

Unlike Level 2, there is no third-party certification requirement. However, that does not mean the expectations are informal.

You are still required to:

  • Implement all 17 practices

  • Maintain objective evidence of implementation

  • Document your assessment results

  • Enter your score into SPRS (the Supplier Performance Risk System)

  • Be prepared for potential government review or audit

Organizations pursuing structured alignment often leverage CMMC 2.0 Compliance Consulting to ensure their assessment holds up under scrutiny.

Understanding the Scope: What Systems Are Included?

Before you assess anything, you need to define scope.

At Level 1, scope includes systems that process, store, or transmit Federal Contract Information (FCI).

This is where many organizations make early mistakes.

Your scope should clearly define:

  • Systems that directly handle FCI

  • Users who access those systems

  • Supporting infrastructure (networks, endpoints, cloud services)

  • External providers involved in FCI processing

If your scope is unclear, your assessment results are unreliable — and auditors will identify that immediately.

Organizations that already maintain structured governance through Enterprise Risk Management frameworks tend to handle scoping more effectively.

The 17 CMMC Level 1 Practices (What You’re Actually Assessing)

Level 1 practices are grouped into six control families. The bullets below summarize what each family requires; they are not a substitute for the individual practice identifiers in the official assessment guide.

You are not simply confirming existence — you are confirming implementation and consistency.

Access Control

  • Limit system access to authorized users only

  • Restrict access to authorized processes acting on behalf of users

  • Control access to systems processing FCI

Identification and Authentication

  • Identify system users and processes

  • Authenticate users before granting access

Media Protection

  • Sanitize or destroy media containing FCI before disposal or reuse

  • Limit physical access to media

Physical Protection

  • Limit physical access to systems and facilities

  • Escort visitors and monitor physical access

System and Communications Protection

  • Monitor and control communications at system boundaries

  • Implement basic network protections

System and Information Integrity

  • Identify and correct system flaws

  • Provide protection against malicious code

  • Update systems and software regularly

These are foundational controls, but they must be demonstrably operational — not assumed.

What “Compliant” Actually Means at Level 1

This is where most organizations get tripped up.

Compliance is not:

  • Having a written policy alone

  • Saying “we do this informally”

  • Assuming IT handles everything correctly

Compliance means you can show evidence that each practice is:

  • Implemented

  • Used consistently

  • Understood by relevant personnel

Examples of acceptable evidence include:

  • System configuration screenshots

  • Access control lists

  • Antivirus logs and update records

  • Patch management reports

  • Physical security procedures

  • Training acknowledgments

Organizations with mature documentation practices — often developed through ISO 27001 Consultant engagements — tend to perform significantly better during assessment validation.

How to Conduct a Structured Self-Assessment

A defensible self-assessment follows a clear, repeatable methodology.

Step 1 – Define Scope and Boundaries

You must explicitly document:

  • Systems in scope

  • Data types (FCI)

  • Users and roles

  • External dependencies

This is not optional — it is foundational.

Step 2 – Map Practices to Systems

For each of the 17 practices, identify:

  • Where the control is implemented

  • Who is responsible

  • What system enforces it

Avoid generic statements like “IT manages this.”

Step 3 – Collect Objective Evidence

Each practice must have supporting evidence.

  • Screenshots of configurations

  • Logs demonstrating activity

  • Policies tied to implementation

  • Records of system updates

If evidence cannot be produced, the control is not considered implemented.

Step 4 – Evaluate Implementation Consistency

Ask:

  • Is this control applied everywhere it should be?

  • Is it enforced consistently?

  • Are there exceptions or gaps?

This is where internal discipline matters most.

Organizations often bring in support for Conducting an Audit to ensure objectivity at this stage.

Step 5 – Score and Document Results

You will assign:

  • Met

  • Not Met

There is no partial credit at Level 1.

Documentation should clearly explain:

  • Why a control is met

  • What evidence supports that conclusion

Step 6 – Submit SPRS Score

Your final score must be entered into the Supplier Performance Risk System (SPRS).

Inaccurate or unsupported scoring creates downstream risk — especially during contract reviews.

Common CMMC Level 1 Self-Assessment Mistakes

Most failures are not technical — they are structural.

Common issues include:

  • Undefined or overly broad scope

  • Missing or weak evidence for controls

  • Inconsistent implementation across systems

  • Treating policies as proof of compliance

  • Lack of documented assessment methodology

  • Overreliance on IT without operational ownership

Organizations with structured implementation discipline — often guided by an Implementing a System methodology — avoid these pitfalls.

Documentation Expectations (What You Actually Need)

Level 1 does not require extensive documentation frameworks like Level 2, but it still requires clarity.

You should maintain:

  • Defined scope statement

  • Control implementation descriptions

  • Evidence repository for each practice

  • Assessment results summary

  • SPRS submission record

If documentation is fragmented or inconsistent, your assessment credibility drops quickly.

Many organizations formalize this through a Maintaining a System approach to ensure sustainability beyond the initial assessment.

How Long Does a Level 1 Self-Assessment Take?

Timelines vary depending on maturity.

Typical ranges:

  • Small organizations with existing controls: 2–4 weeks

  • Organizations starting from scratch: 4–8 weeks

  • Complex environments: 8+ weeks

The biggest factor is not technical complexity — it is clarity of ownership and documentation.

Organizations that treat this as a structured initiative, rather than a quick checklist, move faster and with fewer issues.

Is a CMMC Level 1 Self-Assessment Enough?

Technically, yes — for Level 1 contracts.

Strategically, not always.

Many organizations use Level 1 as a foundation for:

  • Future Level 2 certification

  • Broader cybersecurity maturity improvements

  • Alignment with NIST-based frameworks

  • Integration into enterprise risk governance

Organizations already working within Cybersecurity Risk Framework models often use Level 1 as an entry point into more advanced controls.

Aligning CMMC Level 1 with Broader Governance

CMMC Level 1 should not operate in isolation.

It connects directly to:

  • Risk identification and mitigation

  • Operational accountability

  • Vendor and supply chain expectations

  • Contractual compliance posture

Organizations with structured governance programs — especially those aligned with CMMC Compliance Service models — tend to integrate Level 1 more effectively into long-term strategy.

When to Bring in External Support

Not every organization needs external help — but many benefit from it.

Consider advisory support if:

  • You are unsure how to define scope

  • Evidence collection is inconsistent

  • Controls are partially implemented

  • You anticipate contract-driven scrutiny

  • You plan to progress to Level 2

A structured readiness effort, such as CMMC Gap Analysis, often provides the clarity needed to move forward confidently.

Why CMMC Level 1 Still Matters

Level 1 is often underestimated.

In reality, it establishes:

  • Foundational cybersecurity discipline

  • Contract eligibility for DoD work

  • Organizational accountability for FCI protection

  • A baseline for future compliance maturity

It also signals to customers and partners that your organization operates with defined, verifiable controls — not informal practices.

If You’re Also Evaluating…

The most effective path forward is a structured, evidence-driven self-assessment — followed by targeted remediation where gaps exist.

Contact us.

info@wintersmithadvisory.com
(801) 477-6329