CMMC Level 1 Self-Assessment: A Plain-English Guide for Small Contractors
All 17 CMMC Level 1 practices translated into plain English for small federal contractors — what each one means, what evidence you need, and how to affirm in SPRS.
The clause you probably haven't read
If you hold a DoD contract — or subcontract under someone who does — there's a clause in it called FAR 52.204-21. It lists 15 "basic safeguarding" requirements you agreed to the day you signed. CMMC Level 1 turns those 15 requirements into 17 practices you now have to self-assess against every year, with a company executive affirming the result in the government's SPRS system.
No affirmation, no award. And primes are pushing the same requirement down to every subcontractor that touches Federal Contract Information (FCI).
Here's the part nobody tells you: Level 1 is completely doable for a small shop. There's no auditor, no certification body, no $100k project. You need three things: know what the 17 practices actually mean, honestly check yourself against them, and have written policies and evidence to back your answers.
The 17 practices, translated
Access control (who gets in):
- AC.L1-3.1.1 — Everyone has their own login. No shared accounts. Access removed when someone leaves.
- AC.L1-3.1.2 — People can only reach the systems and data their job requires.
- AC.L1-3.1.20 — You know and control which outside systems (vendor tools, cloud apps, home computers) connect to yours.
- AC.L1-3.1.22 — Someone reviews what gets posted publicly (website, social media) so contract information never leaks out.
Identification & authentication (proving who's who): 5. IA.L1-3.5.1 — You keep track of the users and devices allowed on your systems. 6. IA.L1-3.5.2 — Everyone actually authenticates — passwords at minimum, MFA if you're smart.
Media protection (old drives): 7. MP.L1-3.8.3 — Computers, drives, and USB sticks get wiped or destroyed before disposal or reuse.
Physical protection (the building): 8. PE.L1-3.10.1 — Physical access to equipment is limited to authorized people. 9. PE.L1-3.10.3 — Visitors are escorted. 10. PE.L1-3.10.4 — You keep a log of who came in (paper is fine). 11. PE.L1-3.10.5 — You know who holds keys and badges, and you get them back.
System & communications protection (the network): 12. SC.L1-3.13.1 — A firewall protects the boundary between your network and the internet. 13. SC.L1-3.13.5 — Public-facing systems (like your website) are separated from your internal network.
System & information integrity (keeping systems clean): 14. SI.L1-3.14.1 — Security flaws get identified and patched in a timely way. 15. SI.L1-3.14.2 — Anti-malware runs on your computers. 16. SI.L1-3.14.4 — It updates itself. 17. SI.L1-3.14.5 — It scans regularly and checks files from outside.
Read that list again. A 10-person machine shop with Microsoft 365, a decent firewall, Defender turned on, a locked door, and a visitor log is most of the way there — they just can't prove it, because nothing is written down.
Where small contractors actually fail
Not the technology. The documentation. When a prime's questionnaire or a self-assessment asks "do you limit system access to authorized users?", the honest answer for most small shops is "yes, but it's in the owner's head." That doesn't count. You need:
- Written policies — access control, physical security, media disposal, malware protection. Short is fine; nonexistent is not.
- Simple evidence — a user list, a visitor log, a screenshot of your antivirus console, patch settings.
- A record of the self-assessment itself — what you checked, when, and what you found.
The self-assessment, step by step
- Scope it. Which systems touch FCI? For most small subs it's email, a file share, and a few laptops. Keep the boundary small.
- Answer the 17 honestly. Implemented, partially, or not. (Our free 3-minute check walks you through exactly this, in plain English, no signup.)
- Close the gaps. Most Level 1 gaps are cheap: turn on MFA, start a visitor log, write the missing policies, set automatic updates.
- Write it down. Policies plus evidence, filed where you can find them next year.
- Affirm in SPRS. A senior official logs into the Supplier Performance Risk System via PIEE and affirms compliance. Annually.
Do it before the questionnaire arrives
Primes are sending supplier cybersecurity questionnaires with two-week deadlines. The subs who answer confidently keep the work; the ones who go quiet get replaced by a supplier who's already compliant. Thirty minutes with a free readiness check today beats a panicked weekend when the email lands.
Generate documentation mapped to frameworks
Generate policies, procedures, and gaps you can act on—without consultant-heavy overhead.