What Is the CMMC Level 1 Self-Assessment?
The CMMC Level 1 self-assessment is an internal evaluation your organization completes to measure how well your basic cybersecurity practices align with DoD requirements. Unlike Level 2 and Level 3, which require a Cyber AB–accredited C3PAO to conduct official assessments, Level 1 is self-conducted by your own personnel. You evaluate 17 basic security controls, document evidence, calculate your Security Posture Rating Score (SPRS), and submit this score to the DoD.
Level 1 is a foundational, self-managed baseline—not an official CMMC certification like Level 2 or 3. However, it's increasingly important as the DoD phases CMMC requirements across contract types. Your SPRS score becomes part of your contractual compliance posture and influences contract awards.
Understanding SPRS (Security Posture Rating Score)
SPRS is a numerical score from 0 to 110 that represents your Level 1 compliance maturity. The scoring methodology is straightforward but requires careful documentation:
SPRS Baseline and Deduction Model
- Baseline: You start with 110 points
- Controls assessed: 17 Level 1 basic security controls
- Deductions: Each unmet or partially met control deducts points
- Final score: 110 minus all deductions = your SPRS
- Contract minimum: Generally 60+ points for contract eligibility (varies by contracting agency)
For example, if you meet 14 of 17 controls and have 3 unmet controls at 5 points each, your score would be: 110 - 15 = 95 SPRS.
The 17 Level 1 Controls: What's Assessed
Level 1 focuses on foundational, "common sense" security practices that any organization should have. Here are the 17 controls organized by function:
| Control Family | Control Title | What It Requires | Evidence Type |
|---|---|---|---|
| Access Control | AC-1: User Access Management | Unique user IDs, password policy, inactive account removal | Active Directory logs, password policy screenshots |
| | AC-2: Privileged Access | Separate admin accounts, restricted elevated access | Group policy, account listing, access logs |
| | AC-3: Account Management | User provisioning/deprovisioning procedures documented | HR policies, access request forms, deprovisioning records |
| Asset Management | AM-1: Hardware Inventory | Document all IT assets with owner, location, type | Asset register, CMDB screenshots, network scans |
| | AM-2: Software Inventory | Track licensed software, versions, and deployment | Software listing, license agreements, endpoint scans |
| Identification & Authentication | IA-1: User Identification | Each user has a unique identifier and knows it | Employee accounts, training records |
| | IA-2: Authentication | Passwords meet complexity requirements (14+ chars, mixed case/number/symbol) | Password policy, test screenshots |
| Configuration Management | CM-1: Configuration Baseline | Document baseline configurations for all system types | Configuration documentation, system specs |
| | CM-2: Configuration Change | Changes are documented and approved before implementation | Change log, approval emails, version control |
| Security Training | AT-1: Security Awareness | All employees receive annual security training | Training records, completion certificates, attendance |
| Incident Management | IR-1: Incident Response | Incident response plan documented and exercises conducted | Policy, test logs, incident records |
| | IR-2: Incident Reporting | Process to identify and report security incidents | Incident tracking log, reporting procedures |
| Maintenance & Patch Management | MA-1: System Maintenance | IT maintenance activities documented and tracked | Maintenance logs, records, approval forms |
| | MA-2: Flaw Remediation | Security patches applied within 30 days of availability | Patch reports, update logs, deployment records |
| | MA-3: Baseline Remediation | Vulnerabilities remediated according to risk level | Vulnerability scans, remediation plans, proof of fix |
| Protection & Detection | PD-1: Protection & Detection | Antivirus/anti-malware deployed and updated on all endpoints | Endpoint inventory, antivirus status, update logs |
Notice these controls are fundamental: password policies, user access management, asset tracking, patching, and antivirus. Level 1 assumes organizations already have basic IT practices in place.
Step-by-Step Self-Assessment Process
Completing your Level 1 self-assessment involves these phases:
Phase 1: Planning and Team Assembly (Week 1)
Assign a compliance coordinator (often IT manager or security officer). Identify which systems and personnel fall in scope (typically all company IT systems). Create a responsibility matrix: who owns evidence gathering for each control? Schedule assessment meetings for the next 2-3 weeks.
Phase 2: Evidence Gathering (Weeks 2-4)
For each of the 17 controls, collect proof that the control is implemented:
- For password policy: collect a screenshot of the domain password policy showing the 14+ character minimum and the complexity requirements
- For asset inventory: export device list from Active Directory, CMDB, or network scanning tool
- For training: compile employee training completion records
- For patch management: export patch deployment logs showing patches applied within required timeframes
Store evidence in a shared folder (Teams, SharePoint, Google Drive) organized by control. Each control should have 2-3 pieces of supporting evidence.
Phase 3: Self-Assessment Evaluation (Week 5)
For each control, rate it as:
- Implemented: Control is documented, configured, and working as intended. Full points awarded (no deduction)
- Partially Implemented: Control exists but has gaps (e.g., password policy exists but not enforced uniformly). Partial deduction
- Not Implemented: Control is missing entirely. Full deduction
For each unmet or partially implemented control, document what's missing and plan remediation. This becomes your Plan of Action and Milestones (POA&M).
Phase 4: SPRS Score Calculation (Week 6)
Using the DoD's CMMC Assessment Tool or your internal template, input your ratings for all 17 controls. The tool calculates deductions automatically, resulting in your final SPRS score (0-110).
Phase 5: Submission (Week 7)
Submit your SPRS score via the CMMC Assessment Management System (CAMS) at https://cams.cmmc.dod.gov. You'll need your CAGE code (Commercial and Government Entity code from SAM.gov) and authorized representative credentials. The submission includes your score and a declaration that the assessment is accurate.
SPRS Score Calculation Methodology Example
Here's a worked example to clarify how SPRS is calculated:
| Control | Your Status | Points Deducted | Notes |
|---|---|---|---|
| AC-1: User Access | Implemented | 0 | AD policy verified, accounts inactive after 90 days |
| AC-2: Privileged Access | Implemented | 0 | Separate admin accounts for IT staff |
| AC-3: Account Management | Implemented | 0 | Documented procedures in IT handbook |
| AM-1: Hardware Inventory | Partially Implemented | -3 | Register exists but 5 devices missing from tracking |
| AM-2: Software Inventory | Implemented | 0 | Endpoint detection tool scans all machines monthly |
| IA-1: User Identification | Implemented | 0 | Every user has unique email and network ID |
| IA-2: Authentication | Not Implemented | -5 | Current password policy is 8 chars; need to upgrade to 14 |
| CM-1: Configuration Baseline | Implemented | 0 | Documented baseline for Windows, Linux, network devices |
| CM-2: Configuration Change | Implemented | 0 | Change control process documented; tickets required |
| AT-1: Security Awareness | Partially Implemented | -3 | 75% of employees completed training; 25% pending |
| IR-1: Incident Response | Implemented | 0 | Incident response plan exists; tabletop exercise conducted |
| IR-2: Incident Reporting | Implemented | 0 | Employees know to report to IT; tracking log maintained |
| MA-1: System Maintenance | Implemented | 0 | Maintenance activities logged in ticketing system |
| MA-2: Flaw Remediation | Implemented | 0 | Patches deployed within 30 days; logs show compliance |
| MA-3: Baseline Remediation | Partially Implemented | -3 | Scanning done quarterly; some vulnerabilities older than 90 days |
| PD-1: Protection & Detection | Implemented | 0 | Antivirus deployed on all 42 endpoints; updated weekly |
| TOTAL DEDUCTIONS | | -14 | |
| SPRS SCORE (110 - 14) | | 96 | Exceeds minimum threshold; contract eligible |
In this example, the organization scored 96 SPRS. Three controls have gaps that require remediation. The organization should document a POA&M targeting completion within 30-60 days, after which they can re-assess and improve their score to 110 (perfect).
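As an added example (not code from the original article), here is a small Python calculator for the baseline-minus-deductions model described in Phases 3 and 4 and applied in the table above. The per-status deductions (Implemented 0, Partially Implemented 3, Not Implemented 5) are assumed from the worked example rather than taken from the DoD tool, and the control IDs are the ones in the article's own control table; it also rejects unrated controls and lists POA&M gaps by point value.

```python
"""SPRS calculator for the Level 1 self-assessment (added example).

Deduction weights are read off the article's worked example (Implemented 0,
Partially Implemented 3, Not Implemented 5); they are assumed for
illustration, not official CMMC scoring values.
"""

BASELINE = 110
CONTRACT_MINIMUM = 60  # "generally 60+ points" per the article
# Points deducted per rating (assumed from the worked example table)
DEDUCTIONS = {"Implemented": 0, "Partially Implemented": 3, "Not Implemented": 5}
# Control IDs as listed in the article's control table
CONTROL_IDS = ["AC-1", "AC-2", "AC-3", "AM-1", "AM-2", "IA-1", "IA-2", "CM-1",
               "CM-2", "AT-1", "IR-1", "IR-2", "MA-1", "MA-2", "MA-3", "PD-1"]

def validate(ratings):
    """Reject unknown statuses and unrated controls: an unrated control must
    not silently count as Implemented."""
    missing = [c for c in CONTROL_IDS if c not in ratings]
    if missing:
        raise ValueError(f"unrated controls: {missing}")
    bad = {c: s for c, s in ratings.items() if s not in DEDUCTIONS}
    if bad:
        raise ValueError(f"unknown statuses: {bad}")

def sprs_score(ratings):
    """Return (score, total_deductions): baseline minus all deductions."""
    validate(ratings)
    total = sum(DEDUCTIONS[ratings[c]] for c in CONTROL_IDS)
    return BASELINE - total, total

def poam_items(ratings):
    """Gaps needing a POA&M entry, largest deduction first so remediation
    can be prioritised by point value as the article suggests."""
    gaps = [(c, ratings[c], DEDUCTIONS[ratings[c]])
            for c in CONTROL_IDS if ratings[c] != "Implemented"]
    return sorted(gaps, key=lambda g: -g[2])

def contract_eligible(score, minimum=CONTRACT_MINIMUM):
    """Check the score against a contract's stated SPRS floor."""
    return score >= minimum

# Ratings transcribed from the article's worked example table
EXAMPLE_RATINGS = dict.fromkeys(CONTROL_IDS, "Implemented")
EXAMPLE_RATINGS.update({"AM-1": "Partially Implemented", "IA-2": "Not Implemented",
                        "AT-1": "Partially Implemented", "MA-3": "Partially Implemented"})

if __name__ == "__main__":
    score, deducted = sprs_score(EXAMPLE_RATINGS)
    print(f"SPRS {score} (110 - {deducted}); eligible: {contract_eligible(score)}")
    for control, status, points in poam_items(EXAMPLE_RATINGS):
        print(f"POA&M: {control} is {status}, -{points} points")
```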
How to Submit Your SPRS Score
Once calculated, submitting your SPRS requires these steps:
Register in CAMS (CMMC Assessment Management System)
Visit https://cams.cmmc.dod.gov and log in using your contractor credentials. You'll need:
- CAGE code (Commercial and Government Entity identifier from SAM.gov)
- Business email address
- Organization name as registered in federal systems
Complete the Self-Assessment Form
CAMS provides an online form asking you to:
- Rate each of the 17 controls (Implemented / Partially / Not Implemented)
- Provide a brief description of evidence for each control
- Document any gaps and planned remediation (POA&M)
- Certify that the assessment is complete, accurate, and performed by authorized company personnel
Submit and Receive Confirmation
Once submitted, you receive a confirmation number and your SPRS score is recorded in the CMMC system. The DoD can view your score when you bid on contracts requiring CMMC compliance.
Important: Submission is not approval. Your SPRS score becomes part of your contracting record, and if you win a contract requiring Level 2+ later, a C3PAO may audit your Level 1 assessment and findings could affect your Level 2 assessment costs.
What SPRS Score Do You Need?
Minimum SPRS thresholds vary by contracting agency and contract type:
- DoD general contracts: Minimum 60 SPRS typically required for contract eligibility
- High-value contracts (>$100M): Some RFPs require 80+ SPRS or mandate immediate Level 2 certification
- Intelligence Community contracts: Often require Level 2 (C3PAO assessment) regardless of SPRS
- Subcontractors to large primes: Prime contractors increasingly require SPRS 80+ from supply-chain vendors
Check your specific contract vehicle (e.g., GSA schedule, IDIQ, task order) for CMMC requirements. Many contracts are still rolling out CMMC mandates; some don't require compliance yet.
Common Mistakes in Self-Assessment
Organizations often make these errors when completing Level 1, leading to inaccurate scores and future C3PAO audit issues:
Over-Reporting Compliance
Claiming a control is "Implemented" when it's actually partial or missing. Example: A policy document exists for password complexity, but it's not enforced across all systems. This is Partial, not Implemented. Being honest upfront avoids C3PAO audit surprises.
Missing or Weak Evidence
Claiming the password policy meets the 14-character requirement without providing screenshot evidence. If a DoD auditor asks, you need proof. Document everything: screenshots, configuration exports, policy documents, training records.
Not Documenting POA&M
Identifying gaps but not documenting how and when you'll fix them. POA&M (Plan of Action and Milestones) is just as important as the assessment. It shows the DoD you have a remediation roadmap.
Forgetting People Outside IT
Assessment scope includes non-IT personnel. If the training control requires 100% of staff to complete security training, but you've only trained IT staff, the control is partial or not implemented for the whole organization.
Not Tracking Control Decay
A control might be implemented today but decay over time if not maintained. Example: patch management. If you apply patches for 6 months and then stop, the control degrades. Annual reassessment should catch this.
Self-Assessment vs. Third-Party Assessment Comparison
Understand how Level 1 self-assessment differs from Level 2/3 C3PAO assessment:
| Aspect | Level 1 Self-Assessment | Level 2/3 C3PAO Assessment |
|---|---|---|
| Who Performs | Your own company personnel | Cyber AB-accredited third-party (C3PAO) |
| Official Authority | None; self-reporting only | Official Authoritative Assessment Report (AAR) |
| Number of Controls | 17 basic controls | 100+ controls across 5 levels |
| Cost | Minimal (staff time only) | $8k-$250k+ depending on scope |
| Independence | No independence requirement | Strict independence from consulting work |
| Contract Validity | Contract-eligible immediately | Valid for 3 years; renewal required |
| Risk of Audit | DoD can audit; no penalty for honest assessment | C3PAO audited by Cyber AB for accuracy |
| On-Site Inspection | No on-site visit required | Multiple on-site visits required |
Key distinction: Level 1 is self-directed and low-cost but provides no official certification. Level 2/3 requires significant investment but delivers official, enforceable certification the DoD trusts.
How to Improve Your SPRS Score
If your initial self-assessment reveals gaps, here's how to improve before re-assessment or contract deadline:
Prioritize by Point Value and Effort
Some controls are easier to fix than others. Password policy (5-point deduction) might be a policy change away. Asset inventory (3-point deduction) requires scanning and reconciliation but is straightforward. Prioritize easy wins first to improve your score quickly.
Leverage Tools and Automation
Deployment of scanning tools (vulnerability scanners, endpoint inventory tools, patch management systems) accelerates control implementation and provides audit-ready evidence.
Set Remediation Timeline and Track Progress
Create a POA&M specifying the control name, current state, target completion date, responsible person, and required resources. Review it monthly and celebrate wins as controls move from partial to implemented.
SPRS Score and Contract Implications
Your SPRS score affects more than just current contract eligibility—it influences future opportunities and pricing:
Contract Bid Eligibility
RFPs increasingly include CMMC clauses stating "Contractor must maintain SPRS 60+" or "Contractor must achieve Level 2 by [date]." Your SPRS becomes part of your contractual standing. A score below threshold disqualifies you from bidding.
Pricing and Competitive Advantage
Some RFPs award preference to contractors with higher SPRS scores (e.g., 80+ vs. minimum 60+). A higher score can be a technical differentiator in proposal evaluation.
Prime Contractor Supply Chain Pressure
Large primes increasingly require subcontractors to maintain minimum CMMC levels. If your SPRS is below their threshold, you lose subcontracting opportunities.
Renewal and Annual Re-Assessment
SPRS is typically valid for one year. Annual re-assessment is prudent to show continuous compliance. Some organizations aim for perfect 110 SPRS by year 2-3 as a competitive advantage.
FAQ: CMMC Self-Assessment and SPRS Scoring
Can I hire someone to do my Level 1 self-assessment?
Technically yes, but the assessment must be performed by "your own company personnel." You can hire a consultant to guide the process, but your employees must conduct the evaluation and sign off on findings. Having someone externally complete the assessment creates compliance risk.
What happens if I submit a false SPRS score?
Knowingly submitting false CMMC data can result in: contract suspension, debarment from DoD contracting, financial penalties, and criminal prosecution for fraud. The DoD takes CMMC misrepresentation seriously. Always be honest about your compliance state.
Can I submit SPRS before fixing all gaps?
Yes. You submit your honest SPRS score even if some controls are partially implemented or missing. That's why POA&M exists—to document what you'll fix and by when. Submitting 85 SPRS with a 30-day remediation plan is better than claiming 110 SPRS falsely.
How often should I re-assess my SPRS score?
At minimum annually, especially if you're tracking a POA&M to completion. Some organizations re-assess quarterly to demonstrate progress closing gaps. More frequent assessment shows the DoD and primes that you maintain continuous compliance.
Does Level 1 SPRS count if I achieve Level 2?
No. Level 2 (C3PAO assessment) supersedes Level 1 SPRS. When you achieve Level 2 certification, that becomes your official compliance status; the old SPRS score is retired. However, your Level 1 evidence may be referenced during the Level 2 assessment as baseline context.
What's the difference between SPRS and CAIQ?
SPRS is your Level 1 self-assessment score (0-110). CAIQ (Capability Assessment and Instrument Questionnaire) is a longer, more detailed self-assessment tool some organizations use for pre-assessment preparation before engaging a C3PAO. CAIQ maps to all 5 CMMC levels; SPRS only covers Level 1 basics.