CMMC Level 1 Readiness

Preparing defense contractors for the annual self-assessment and SPRS affirmation required under FAR 52.204-21.

Overview

CMMC Level 1 applies to any defense contractor or subcontractor that handles Federal Contract Information (FCI). It requires annual self-assessment against 17 basic safeguarding practices drawn from FAR clause 52.204-21, followed by an affirmation submitted to the Supplier Performance Risk System (SPRS) signed by a senior company official. The affirmation carries False Claims Act exposure, which means accuracy matters as much as completion.

The 17 practices cover foundational security: who can access your systems, how users are identified, how media is handled, how your facilities are protected, how your network perimeter is managed, and how malicious code is detected and addressed. Most contractors believe they satisfy these requirements. Fewer have documentation that would survive scrutiny. We audit your actual implementation against each practice, identify genuine gaps, and prepare you to affirm with confidence.

A small defense subcontractor came to us ahead of their first SPRS affirmation. Their IT provider had assured them they were compliant. When we walked through the 17 practices, three were partially implemented and one was not in place at all. We closed the gaps and documented the implementation before the affirmation was submitted. The False Claims Act exposure made the engagement worthwhile.

17-Practice Gap Assessment

We assess your implementation of each of the 17 CMMC Level 1 practices across all six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Each practice is evaluated against what is actually in place, not what policy documents say should be.

Evidence Documentation

We collect and organize the evidence that supports each implemented practice: configuration settings, access control lists, asset inventory, physical access logs, network diagrams, and malicious code protection records. Documented evidence is what separates a defensible affirmation from a liability.

Remediation Support

For any practices not fully implemented, we provide specific, actionable remediation guidance. The 17 Level 1 practices are not technically demanding — the gaps are almost always in documentation, configuration consistency, or a process that exists informally but has never been formalized.

SPRS Affirmation Preparation

We prepare the self-assessment documentation package and walk your designated senior official through what the SPRS affirmation covers. The affirmation is a legal statement. We make sure it is grounded in verified implementation before it is submitted.

The False Claims Act applies to CMMC affirmations. A senior official who signs an SPRS affirmation without a genuine assessment of each practice is personally exposed, not just the company. Getting this right is not optional.

What You Can Expect

  • Assessment of all 17 CMMC Level 1 practices against actual implementation
  • Gap report with findings categorized by practice domain
  • Evidence collection and documentation for each implemented practice
  • Remediation guidance for any open findings
  • Self-assessment documentation package for SPRS submission
  • Briefing for the senior official signing the annual affirmation

Handling CUI? If your contracts involve Controlled Unclassified Information, Level 1 is not sufficient. See our CMMC Level 2 Readiness service, which covers all 110 NIST SP 800-171 requirements and prepares you for C3PAO assessment.

Engagement Fee

Level 1 engagements are scoped to the size of your organization and the number of systems in scope. Contact us for a specific quote.

Who This Is For

  • Defense contractors and subcontractors that handle FCI but not CUI and are required to complete an annual CMMC Level 1 self-assessment
  • Organizations submitting their first SPRS affirmation and wanting verification that their self-assessment is accurate before a senior official signs
  • Contractors whose IT provider has attested to compliance but who want an independent review before signing the affirmation
  • Prime contractors verifying that subcontractors in their supply chain have completed accurate Level 1 self-assessments

Common Questions

What is CMMC Level 1 and who does it apply to?

CMMC Level 1 applies to defense contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires annual self-assessment against 17 basic safeguarding practices from FAR 52.204-21, covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. The contractor self-assesses and submits an affirmation to SPRS signed by a senior company official.

What are the 17 CMMC Level 1 practices?

The 17 practices come from FAR 52.204-21 across six domains:

  • Access Control (2): Limit system access to authorized users; limit access to authorized transaction types.
  • Identification and Authentication (2): Identify and authenticate users before granting access; use multifactor authentication for privileged accounts.
  • Media Protection (2): Sanitize or destroy media before disposal or reuse; protect removable media containing FCI.
  • Physical Protection (3): Limit physical access to authorized individuals; escort and monitor visitors; maintain physical access logs.
  • System and Communications Protection (2): Monitor and control external boundary communications; implement subnetworks for publicly accessible components.
  • System and Information Integrity (6): Identify and correct system flaws in a timely manner; provide malicious code protection; perform periodic and real-time scans; update malicious code protection mechanisms.

What is SPRS and why does the annual affirmation matter?

The Supplier Performance Risk System (SPRS) is the DoD system where contractors submit their CMMC self-assessment scores and affirmations. A senior company official must annually affirm that all 17 Level 1 practices are implemented. A false affirmation is subject to the False Claims Act, which carries civil penalties and potential treble damages. Contractors that submit affirmations without genuinely implementing the practices are exposed to significant liability.

What is the difference between CMMC Level 1 and Level 2?

Level 1 covers organizations handling FCI and requires self-assessment against 17 basic practices. Level 2 covers organizations handling CUI and requires assessment against all 110 practices in NIST SP 800-171, with many contracts requiring a third-party C3PAO assessment. If your contracts involve CUI, Level 1 is not sufficient. The key question is whether DoD-designated CUI flows to your systems under any of your contracts.