
CMMC Level 1 Self-Assessment: How the Annual Affirmation Process Works

A woman in a factory reviewing the company's CMMC Level 1 compliance.

The self-assessment requirement for CMMC Level 1 sounds simple on paper. You assess yourself, submit your results, and you’re done. No third-party auditor, no expensive certification process.

That’s mostly accurate, but the part contractors consistently underestimate is what “submit your results” actually involves. There’s a specific system you submit to, a specific person in your organization who has to sign off, a legal statement they’re signing, an annual deadline to maintain your status, and a documentation requirement that carries a six-year retention obligation.

This article walks through the full process from start to finish so you know exactly what you’re committing to before you start.

What the Self-Assessment Actually Is

A CMMC Level 1 self-assessment is a structured review of your organization’s information systems against 15 basic safeguarding requirements drawn from FAR 52.204-21. Under the current regulation (32 CFR 170.15), you’re not just checking a general “are we doing this” box. You’re working through 58 specific assessment objectives that sit underneath those 15 requirements, and determining whether each one is Met, Not Met, or Not Applicable.

The 15 requirements you’re assessing against are the same ones covered by FAR 52.204-21: access control, user identification, authentication, physical access, visitor controls, network boundary protection, patch management, malware protection, scanning, and the rest. If you’ve done a gap assessment against FAR 52.204-21, you’ve already done the preparation work for the self-assessment.

The 58 objectives get more specific. A requirement like “authenticate users before granting access to systems” breaks down into objectives around how authentication is implemented, whether it applies to processes and devices in addition to human users, and whether there are exceptions that undermine the control. The objectives are defined in NIST SP 800-171A (June 2018 edition), which is incorporated by reference in the CMMC regulations. The DoD publishes a mapping table in the regulation that shows which 800-171A objectives correspond to each Level 1 requirement.

You can’t say a control is Met because you have a policy that says it should be done. The assessment objectives look at whether it’s actually implemented.

The All-or-Nothing Rule: No POA&Ms at Level 1

This is the detail that catches contractors off guard most often. At CMMC Level 1, there is no Plan of Action and Milestones (POA&M).

At Level 2, if you have gaps, you can document them in a POA&M, submit a score reflecting partial compliance, and get a conditional status while you fix the outstanding items. Level 1 doesn’t work that way. Every one of the 15 requirements and all 58 assessment objectives must be fully Met before you can submit. There is no conditional Level 1 status. The only valid submission is one where everything is in place.

In practice, this means you need to close all gaps before you submit, not after. If you find a control that isn’t implemented and submit anyway, you’re either submitting a status that doesn’t reflect reality (a false affirmation) or you’re holding up your contract eligibility until the gap is closed.

The upside is that Level 1’s requirements are straightforward enough that most organizations can get there in a reasonable timeframe without major infrastructure changes. The downside is you can’t rush the submission and plan to fix things later. It doesn’t work that way at this level.

Step 1: Define Your Assessment Scope

Before you start working through the 15 requirements, you need to know what you’re assessing. The regulation defines your CMMC Assessment Scope as the information systems that process, store, or transmit Federal Contract Information, plus the people and technology that support those systems.

Getting scope wrong is one of the most common problems in Level 1 assessments. Scope too broadly and you’re creating compliance work for systems that don’t need it. Scope too narrowly and you’re leaving FCI-handling systems out of your assessment, which means you’re not actually compliant even if your submission says you are.

Start by mapping where FCI lives: which email accounts it flows through, which file storage systems hold it, which project management or document platforms your team uses for contract work, and which endpoints (laptops, desktops, mobile devices) access any of those systems. Every system in that map is in scope. Every system that never touches FCI is not.

Your scope also determines which CAGE codes to include in your SPRS submission, since you’re attesting compliance for specific information systems associated with specific entity identifiers.

Step 2: Work Through the Assessment Objectives

With scope defined, you go through each of the 15 requirements and their associated assessment objectives, documenting your findings for each one.

For each objective, you’re collecting evidence. A policy document is a starting point, but it’s not sufficient on its own. Evidence of implementation means logs showing access controls are enforced, records of user account reviews, screenshots or configuration documentation showing authentication is required, physical access logs, patch history, antivirus definition update records, and similar artifacts that show the controls are actually operating.

The regulation requires you to retain the artifacts used as evidence for six years from the date you achieve your CMMC status. Six years. That’s not a documentation preference, it’s a legal requirement under 32 CFR 170.15.

For each objective, your conclusion is Met, Not Met, or Not Applicable. Not Applicable requires justification: you need to document why the objective genuinely doesn’t apply to your environment, not just mark it N/A because it’s inconvenient. A Not Applicable finding is treated as Met for scoring purposes, but only when there’s a legitimate documented reason.

Step 3: Submit Your Results to SPRS

Once every requirement is Met, you submit your assessment results to the Supplier Performance Risk System, which is the DoD web application at sprs.csd.disa.mil. This is where your compliance status becomes visible to contracting officers and prime contractors who look you up before awarding contracts or subcontracts.

To submit, you need a Procurement Integrated Enterprise Environment (PIEE) account with the SPRS Cyber Vendor User role. If you don’t have a PIEE account, getting one takes time: account setup and role approvals are not instant. Set this up well before any contract deadline.

Your Level 1 submission in SPRS includes, at minimum:

  • The date of the self-assessment
  • The CMMC status achieved: Final Level 1 (Self)
  • The CMMC Unique Identifier (UID) assigned to the assessed information system, which SPRS generates when you submit
  • All CAGE codes associated with the information systems in your assessment scope

At Level 1, there’s no numerical score to enter the way there is at Level 2 (where scores range from -203 to 110 based on weighted NIST 800-171 requirements). Level 1 is binary: all requirements are Met or they’re not. What goes into SPRS is your status, not a score.

Step 4: The Affirmation

Submitting assessment results is not enough. You also need an affirmation.

This is a separate, formal step. The Affirming Official, who is the senior-level representative within your organization responsible for ensuring CMMC compliance, submits a statement in SPRS attesting that your organization has implemented and will maintain all applicable CMMC Level 1 security requirements for all information systems within your assessment scope.

The AO must be a company executive or senior official with actual authority to represent the organization. This isn’t a job for a project manager or IT administrator, regardless of who actually ran the technical assessment. The affirmation is an executive act. It requires someone with organizational authority to stand behind it.

The technical process works like this: after the assessment results are entered into SPRS, the submission sits in a Pending Affirmation status. The AO logs into SPRS using their PIEE account with the Cyber Vendor User role, finds the pending record, reviews the information, and completes the affirmation workflow. The system records who affirmed, when, and for which CAGE codes.

Once the AO completes the affirmation, your organization achieves Final Level 1 (Self) status in SPRS.

What the AO Is Actually Signing

This is where the legal weight of the process becomes concrete, and it’s worth reading carefully.

The affirmation statement commits that your organization has implemented and will maintain all applicable CMMC security requirements. It’s submitted under the False Claims Act framework. The DoJ’s Civil Cyber-Fraud Initiative, which launched in 2021, specifically uses the False Claims Act to pursue contractors who misrepresent their cybersecurity compliance. In 2025 alone, the DoJ settled seven cybersecurity-related FCA cases.

False Claims Act violations carry treble damages, meaning three times the government’s losses, plus civil penalties per claim. Willful ignorance is not a defense. The AO signing the SPRS affirmation is personally accountable for the accuracy of what’s being submitted.

An executive who signs an affirmation for a company that hasn’t actually implemented all 15 controls is not just creating a compliance risk, they’re creating a personal legal risk. This is why the all-or-nothing rule matters. Submitting before you’re ready isn’t a shortcut; it’s an exposure.

The Annual Cycle

CMMC Level 1 status doesn’t last indefinitely. Per 32 CFR 170.15 and 170.22, you have to reassess and reaffirm every year.

Specifically: you must conduct a full Level 1 self-assessment on an annual basis, submit the results in SPRS, and have your AO submit a new affirmation. A lapsed affirmation has the same practical effect as no submission at all. Contracting officers checking SPRS before award will see that your affirmation has expired. That can disqualify you from a contract before a conversation even starts.

The 12-month clock runs from the date of your previous affirmation. Track that date. Put a calendar reminder 60 to 90 days out so you have time to run the assessment, close any new gaps that have emerged, and complete the submission before the deadline.

What can cause new gaps between annual assessments? More than you might expect: staff turnover that leaves stale accounts, software updates that change system configurations, new tools adopted by employees that bring FCI into systems that weren’t previously in scope, and physical office changes that affect access controls. An annual assessment is not just a paperwork renewal; it’s a real check on whether your environment still looks the way it did when you last affirmed.
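As an added example (not code from the article, from SPRS or from any DoD tool), a small Python tracker that applies the rules described above: no POA&M at Level 1, N/A only with a written justification, Met only with recorded evidence, a 12-month clock from the last affirmation, and six-year evidence retention. The objective identifiers, artifact names and dates are constructed sample values, and the reminder window defaults to 90 days, the upper end of the 60-to-90-day suggestion.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Hypothetical helper, not part of the article, SPRS or any DoD tool: it applies
# the Level 1 rules described above to a list of self-assessment findings.
MET, NOT_MET, NA = "Met", "Not Met", "Not Applicable"

@dataclass
class Finding:
    objective: str             # 800-171A objective id (sample ids below are constructed)
    status: str                # Met / Not Met / Not Applicable
    justification: str = ""    # mandatory for Not Applicable
    evidence: tuple = ()       # artifact references backing a Met finding

def ready_to_submit(findings):
    """Return (ok, problems). No POA&M at Level 1: every objective must be Met
    with evidence, or N/A with a written justification, before submission."""
    problems = []
    for f in findings:
        if f.status == NOT_MET:
            problems.append(f"{f.objective}: Not Met; close the gap before submitting")
        elif f.status == NA and not f.justification.strip():
            problems.append(f"{f.objective}: N/A without a documented justification")
        elif f.status == MET and not f.evidence:
            problems.append(f"{f.objective}: Met but no implementation evidence recorded")
    return not problems, problems

def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                       # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def affirmation_calendar(affirmed_on, reminder_days=90):
    """Dates (ISO strings) for the annual clock and the six-year evidence retention."""
    affirmed = date.fromisoformat(affirmed_on)
    due = _add_years(affirmed, 1)
    return {
        "next_affirmation_due": due.isoformat(),
        "start_reassessment_by": (due - timedelta(days=reminder_days)).isoformat(),
        "retain_evidence_until": _add_years(affirmed, 6).isoformat(),
    }
# Constructed sample findings: two gaps, so this set is not ready to submit.
SAMPLE_FINDINGS = [
    Finding("3.1.1[a]", MET, evidence=("user-list-export-2025-04.csv",)),
    Finding("3.1.2[a]", MET, evidence=("gpo-auth-required.png",)),
    Finding("3.10.3[a]", NA, justification="No visitors; single-occupant office, see scope memo"),
    Finding("3.14.2[b]", NOT_MET),
    Finding("3.13.5[a]", NA),
]
```

Run ready_to_submit over the real 58-objective list only after every problem it reports has been closed; the calendar output is what the 60-to-90-day reminder should be set from.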

What SPRS Shows and Who Can See It

The DoD uses SPRS to verify compliance before contract awards. Contracting officers check it. Prime contractors are required to verify that their subcontractors have current CMMC status before sharing FCI or awarding subcontracts.

Your specific assessment details are visible only to the DoD, not to the general public or to your primes directly. What primes can see is whether you have a current, valid CMMC status and what level it is. A missing record, an expired affirmation, or no submission at all is visible as a compliance gap.

This has practical implications for subcontractors. Even if your prime hasn’t explicitly asked you about CMMC yet, the expectation is built into the contracting framework. When a prime looks you up in SPRS before subcontracting work that involves FCI, the absence of a current Level 1 status creates a problem for both of you.

Common Mistakes to Avoid

Running the assessment before fixing gaps

You cannot submit a POA&M at Level 1. If you find a gap during the assessment, fix it first and then complete the assessment. Documenting a gap and planning to close it later is not a compliant approach at this level.

Using the wrong person as AO

The Affirming Official must be a senior representative with actual organizational authority. An IT lead or compliance consultant can prepare everything, but the executive AO is the one who has to affirm. If the wrong person submits the affirmation, it’s invalid.

Treating N/A as a workaround

Marking an assessment objective as Not Applicable when it does apply is a false affirmation. Every N/A needs a documented justification. If you can’t explain why an objective genuinely doesn’t apply to your environment in writing, it probably does apply.

Not having a PIEE account ready

Account setup takes time. Get your AO set up with the right PIEE role well in advance, before you’re under deadline pressure.

Letting the affirmation lapse

A gap in your affirmation history, even a short one, puts you in a non-compliant status. Track your renewal date and treat it as a hard deadline.

Not retaining evidence

Six years is a long time, and many small businesses don’t think about documentation retention at this level. Set up a folder structure or document management process that keeps your assessment evidence organized and accessible.

Where to Go from Here

The self-assessment and affirmation process is manageable for most small contractors. What makes it harder than it needs to be is starting without a clear picture of where you stand against the 15 requirements, which is why a readiness assessment before you begin the formal process saves time overall.

Pacific Cloud Cyber works with small and mid-size contractors through the full Level 1 compliance process: gap assessment, remediation, documentation, SPRS submission support, and setting up the annual renewal process so the affirmation doesn’t become a scramble each year. We’ve done this across construction, manufacturing, logistics, IT services, and professional services firms.

If you’re not sure where to start, or you’re not confident your current SPRS submission is accurate, contact Pacific Cloud Cyber to schedule a free consultation.
