This guide explains how to conduct and report a CMMC Level 1 self-assessment. Experts explain each step and give tips on how to succeed with your controls and evidence. Also, get a free gap analysis template and a free self-assessment tool.

Preparing for CMMC Level 1 self-assessment

To prepare for a CMMC Level 1 self-assessment, seek clarity. Locate where Federal Contract Information (FCI) resides, spell out your scope, and gather the policies and records that show how those systems are protected or not protected. 

Preparation can uncover where documentation, controls, or responsibilities fall short. It gives you time to get things in order.

Too often, though, companies leap before they look.

William McBorough, a CMMC Lead Assessor, says it’s a common mistake to dig in without seeing where FCI actually resides.  

“Contractors often jump directly into answering the 15 control questions without first mapping where FCI is stored, transmitted, or accessed across their environment,” says McBorough, who is also Co-Founder of MCGlobalTech. “This leads to misapplied controls, overlooked systems, and gaps.”

He adds: “I’ve worked with organizations that believed FCI was only on their primary server. Further analysis revealed it was also stored in shared email systems, cloud collaboration tools, and even individual laptops.”

The lesson? Be methodical. 

How to conduct a CMMC Level 1 self-assessment

A CMMC Level 1 self-assessment is a pass/fail process to verify you’ve met all 15 security requirements. To complete it, lay out your scope, run a gap analysis (readiness check), collect final-form evidence, repair any gaps, and attest the results in the Supplier Performance Risk System (SPRS).

These five steps keep you on track to pass your self-assessment:

1. Determine your scope:

Find every person, system, facility, and service provider that handles Federal Contract Information (FCI). Keep boundaries tight and remember that Controlled Unclassified Information (CUI) belongs under CMMC Level 2. Document specialized assets, such as IoT or lab devices, to be outside of scope if they don’t handle FCI. A precise scope avoids wasting effort on things that don’t apply.

McBorough advises starting with an accurate system inventory and FCI data flow analysis. Contractors should ask:

• Where does FCI enter the organization (RFPs, portals, emails)?
• Where is it stored (servers, laptops, cloud applications)?
• Who has access to it (employees, contractors, MSPs)?
• How does it leave the organization (deliverables, subcontractors, reporting platforms)?
  
  

“Once these flows are documented, the compliance boundary becomes much clearer,” McBorough says. “Contractors who complete this step before their self-assessment consistently produce more accurate — and defensible — results.”

2. Run a gap analysis (readiness check):

Conduct a CMMC gap analysis by comparing your current cybersecurity practices against the 15 Level 1 requirements. Try Strike Graph’s free CMMC gap analysis template, which helps you log each requirement, record current practices, and note any deficiencies for follow-up.

Use the template to apply the DoD’s assessment methodology, which includes three assessment methods — examine documents, interview staff, and test configurations. You’ll reveal where controls are missing or only partially effective so you can close those gaps.

3. Gather and map evidence:

Compile final-form artifacts that demonstrate you’ve satisfied each requirement — approved policies, logs, training records, configuration files, and screenshots. Map every item to its related requirement so auditors can trace compliance. Drafts and incomplete documents don’t count; only finalized, approved evidence confirms implementation.

“In general, objective, system-generated evidence provides the strongest artifacts,” McBorough advises. “Unlike static documents or manually created spreadsheets, automated logs are difficult to dispute and clearly demonstrate that controls are active in real time.”

He spotlights these examples:

• Evidence from EDR (endpoint detection and response) systems to show endpoint protection is active on all workstations.
• Screens from MDM (mobile device management) tools verifying that disk encryption is enforced on every company laptop.
• Logs from MFA (multi-factor authentication) systems to show login attempts, either successful or failed.

Each snapshot tells a story of controls in motion.

“I advise clients to establish a routine process for capturing and archiving these reports,” McBorough says. “For example, schedule a monthly export from your MDM tool or keep a quarterly record of MFA logs.” 

4. Resolve your gaps:
   

Address every deficiency before moving forward. Unlike Level 2, Level 1 allows no Plans of Action and Milestones (POA&Ms) at submission. If a safeguard is genuinely Not Applicable (N/A), document why — N/A is considered MET only when justified. Use an internal action plan to manage remediation, but close all items before affirmation. Note any deficiencies or variances for follow-up.

5. Affirm your results:
   

Your internal affirmer, called the Affirming Official (AO), usually a senior executive, reviews the findings during internal affirmer verification and submits the self-affirmation statement electronically in SPRS. That affirmation is valid for one year and must be renewed annually. Retain all supporting evidence for six years from the Status Date in case of a future review or spot check by the Department of Defense.

Strike Graph CEO Justin Beals emphasizes that companies shouldn’t take this process lightly. 

“The biggest misconception I see is contractors treating Level 1 as a checkbox exercise — something they can knock out in an afternoon with their IT person. They think because it's ‘only’ 15 practices and self-assessed, it doesn't require real rigor.”

He cautions that the self-assessment is a legal attestation that goes into the SPRS system: “If you attest to controls you don't actually have in place, you're creating compliance exposure that can come back in audits or incident investigations. Organizations have already been fined millions of dollars for misrepresenting their CMMC compliance.”

How to submit a CMMC Level 1 self-assessment

Submitting a CMMC Level 1 self-assessment means confirming compliance, entering results accurately in the Supplier Performance Risk System (SPRS), and keeping records that prove every requirement was met. Accuracy matters. Mistakes can slow down compliance and weaken your credibility with the DoD.

These four steps will help you submit successfully:

1. Check your records:
   Make sure all 15 security requirements are fully implemented and that your evidence backs up each one. Level 1 is pass/fail, so if any safeguard isn’t met, the assessment cannot be affirmed.
   
   
2. Complete your SPRS entry:
   Through the Procurement Integrated Enterprise Environment (PIEE) portal, open SPRS and fill in the required fields: CMMC Level, Status Date, Assessment Scope, associated CAGE codes, and Compliance Result. The Affirming Official (AO) will later submit the electronic affirmation through the same system.
   
   
3. Review before submission:
   Double-check all data for accuracy before your AO submits. Errors may prompt questions from the DoD and delay your renewal next year.
   
   
4. Keep a record:
   Retain copies of your submission details and all supporting evidence for six years from the Status Date. If the DoD requests validation, you’ll be ready.
   
   

“CMMC self-assessments don’t need to feel like busy work,” says Micah Spieler, Head of Product at Strike Graph. “If you consider the SPRS score as another measurement of your compliance posture, and add it to your compliance dashboard for continuous monitoring (like we’ve done in Strike Graph), then your self-assessment is no longer a one-time vanity metric, but a true demonstration of your commitment to data security and privacy.” 

Free tools to help with a CMMC Level 1 self-assessment

Free tools can simplify CMMC Level 1 self-assessments by helping small teams document, organize, and track compliance without hiring consultants. The right resources reduce administrative work and make the process more consistent.

Here are a few ways they can help:

• Templates: Simple, repeatable documents help teams log each requirement, attach proof, and flag remediation needs. Templates add structure and make final reporting easier. For this approach, try Strike Graph’s free CMMC gap analysis template to see where you stand.
  
  
• Strike Graph’s CMMC self-assessment tool: This guided experience includes a built-in CMMC self-assessment checklist that walks users through every requirement, organizes evidence, and generates a ready-to-share self-assessment report. It transforms what could be a one-time task into a repeatable compliance process.
  

“Completing a standalone self-assessment, in a spreadsheet or some other bespoke tool, can be cumbersome,” says Strike Graph’s Spieler. “You have to reference control or other security compliance activities that might be spread out across many different systems with many different owners.”

That’s where Strike Graph’s free tool comes in. “With our built-in tool,” Spieler says, “we wanted to bring the best of both worlds to the CMMC self-assessments: an easy-to-use interface that streamlines and brings clarity to the complex self-assessment rubric, while also building it right into a GRC platform that monitors your compliance activities. This way, when you are applying scores for the various CMMC requirements, you have all the data you need to accurately reflect your compliance activities in your SPRS score.” 

Challenges in CMMC Level 1 self-assessments

CMMC Level 1 self-assessments often reveal operational and cyber hygiene weaknesses that go beyond technology. Common obstacles include putting requirements into practice, defining scope accurately, maintaining strong evidence, and keeping documentation current—all of which can delay affirmation.

Contractors need to overcome these recurring challenges:

• Operationalizing CMMC:
  Many small contractors underestimate how much day-to-day effort it takes to make CMMC controls part of normal operations. Paper policies aren’t enough.
  
  “Level 1 might be 15 requirements,” Beals notes, “but those practices cover fundamental security hygiene that most small contractors have never systematically implemented. Access control, awareness training, media protection — these aren't trivial when you actually operationalize them across your organization.”
  
  
• Preparing for what’s next:
  Level 1 isn’t the finish line. Contractors that treat it as a routine annual task risk being unprepared for Level 2’s third-party certification requirements. Building good security habits now makes your next steps, including a CMMC audit or a System Security Plan, far less painful.
  
  “From a business perspective, taking Level 1 seriously sets you up for what's coming,” Beals says. “CMMC 2.0 is rolling out, and the majority of DoD contracts will eventually require Level 2. If you treat Level 1 as a joke, you're building no institutional muscle for compliance. You're not establishing evidence collection practices, you're not training your team to think about security systematically, and you're going to get destroyed when Level 2 certification becomes mandatory.”
  
  
• Over-scoping or under-scoping: 
  Organizations often have trouble drawing accurate boundaries around Federal Contract Information. Over-scoping brings unnecessary systems into the process, while under-scoping leaves exposure points unprotected. A thorough inventory and data-flow map prevent both extremes.
  
  
• Incomplete or missing evidence
  Stating that controls exist isn’t enough. Screenshots, logs, and training records must show active policies.
  
  “When a C3PAO eventually shows up for Level 2, or when a prime does vendor diligence, ‘we said we do it’ isn’t going to cut it,” cautions Beals.
  
  
• Disorganized documentation:
  Teams often store artifacts in scattered folders or personal drives. Centralizing policies and artifacts in a structured compliance platform or shared repository is far more efficient and defensible.
  
  
• Outdated materials:
  Security policies and procedures quickly lose relevance as systems or vendors change. Regular review cycles keep documents accurate and aligned with current practice.
  
  

Easiest way to streamline your CMMC compliance roadmap

For many small to medium contractors, the hardest part of CMMC Level 1 isn’t understanding the requirements. It’s managing them with effective controls, policies, evidence, and reviews.

Strike Graph helps you organize and focus your self-assessment materials in one convenient platform. Try our free self-assessment and complete CMMC toolkit today.

With Strike Graph, policies update automatically when requirements change, evidence maps itself, and reviews stay on schedule instead of falling into crisis. The result: less guesswork, less stress, and a compliance process that finally keeps up with the work you’re already doing.

Beals notes the business value that CMMC brings: “Companies that build compliance into their operational DNA early — even at Level 1 — will have sustainable competitive advantages over those scrambling to bolt on compliance at the last minute.”

Schedule your Strike Graph demo today.