Ten Steps to CMMC Level 1 Compliance
A practical guide for defense contractors navigating Phase 1 of the Cybersecurity Maturity Model Certification program, focusing on Federal Contract Information (FCI). This article is geared toward small defense contractors and SaaS vendors that handle FCI.
Published 5/5/2026. 7 min read.
Level 1 is often underestimated. It is not a technical exercise—it is the first enforceable governance layer in the DoD cybersecurity model.
CMMC Phase 1 implementation began on November 10, 2025. For the twelve months that follow, select DoD solicitations will begin including Level 1 or Level 2 self-assessments where applicable. If your company holds — or is pursuing — DoD contracts involving Federal Contract Information, CMMC Level 1 is a condition of a contract award when required in a solicitation.
Level 1 is the foundation: fifteen security requirements drawn from FAR clause 52.204-21, an annual self-assessment, and an annual affirmation entered in the Supplier Performance Risk System (SPRS). No third-party assessor is required. The key requirements include access control, identification and authentication, media sanitization, physical security and system maintenance.
It sounds straightforward. In practice, the companies that struggle are the ones that treat it as a checkbox exercise rather than a governance process.
The ten steps below are designed to close that gap — building a compliance posture that holds up not just for this year's assessment, but for the transition to Level 2 when Phase 2 is expected to begin in November 2026.
| Step | Title | Core Action |
|---|---|---|
| 1 | Know What You're Protecting | Identify all FCI in scope |
| 2 | Map Your Assessment Boundary | Define systems, users, assets in scope |
| 3 | Gap-Assess Against the 15 Requirements | Measure current state vs FAR 52.204-21 |
| 4 | Remediate — Close the Gaps | Fix what's missing before assessment |
| 5 | Document Your Controls | Evidence policies, configs, procedures |
| 6 | Score Yourself in SPRS | Enter your score in the DoD system |
| 7 | Conduct the Annual Self-Assessment | Formal review, every 12 months |
| 8 | Affirm Compliance Annually | Senior official signs off in SPRS |
| 9 | Manage the Plan of Action and Milestones (POA&M) Rule | No POA&Ms permitted at Level 1 (Level 1 requires all 15 controls to be fully implemented at the time of assessment; POA&Ms are not used to defer requirements) |
| 10 | Document and Evidence the Process | Note: contracting officers are expected to review SPRS |
STEP 1 Know What You're Protecting
Level 1 applies when your company processes, stores, or transmits Federal Contract Information (FCI) — information provided by or generated for the government under a contract, not intended for public release. Before you assess anything, you need to know exactly what FCI you hold and where it lives.
This is a data flow question, not a document inventory exercise. Where does FCI enter your environment? Where is it stored? Where does it leave — to subcontractors, cloud systems, email? Know the answers and map them. Your assessment boundary is determined by those answers. If you don't know what you're protecting, you cannot assess whether you're protecting it adequately. A continually updated data map serves as the road map for everything that follows.
STEP 2 Map Your Assessment Boundary
Your CMMC assessment scope covers the assets, systems, people, and facilities that process, store, or transmit FCI — or that provide security protection to those assets. Mapping it precisely matters for two reasons: it defines the scope of your self-assessment, and it determines what must be included in your SPRS score.
Common boundary mistakes: including shared IT infrastructure that doesn't touch FCI (makes the assessment harder than necessary), or excluding cloud services that do (creates a compliance gap). Map it carefully, document it, and keep it current as your environment changes. Better yet, establish a change control board and a change process that documents and approves every change, with a step that updates the data map.
STEP 3 Gap-Assess Against the 15 Requirements
Federal Acquisition Regulation (FAR) clause 52.204-21 specifies fifteen basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. For more detail, NIST SP 800-171 Revision 2 provides a further breakdown.
For each requirement, you need an honest review of the current state, with a clear answer:
- Met,
- Partially Met, or
- Not Met.
This is an evidence question, not a documentation exercise. Do you have the control in place, operating as intended, with evidence that it works? The gap assessment is the most important step in the process — everything downstream depends on its accuracy.
The fifteen requirements of FAR 52.204-21 are foundational controls: access management, password policy, media handling, physical access, patch management, malware protection. Most are implementable without large capital investment. The constraint is usually process discipline, not technology.
STEP 4 Remediate — Close the Gaps Before You Assess
If you are at the beginning of this process, you are still in the implementation phase, working up to the self-assessment. The self-assessment is therefore not the moment to discover your gaps. It is the moment to confirm you have closed them. Any Not Met or Partially Met requirements identified in Step 3 must be remediated before you conduct the formal annual assessment, because at Level 1 POA&Ms are not permitted (see Step 9 in the chart above).
Document every remediation action: date it, record who did it, and retain the evidence. Then retest the control to confirm the change was effective. That documentation becomes your assessment evidence package and the foundation of your Level 2 System Security Plan when Phase 2 arrives.
STEP 5 Document Your Controls
A control that exists but is not documented is a control that cannot be assessed, defended, or repeated. Level 1 does not require the formal System Security Plan that Level 2 demands, but you need sufficient documentation to support your self-assessment and annual affirmation.
At minimum, document what each requirement means in your specific environment, how you have implemented the corresponding control, what evidence demonstrates it is operating, and who is responsible for maintaining it. Ensure you have policies, standards, guidelines, and procedures that document the key processes across the organization. Build this documentation properly at Level 1 and it significantly reduces the effort required to transition to Level 2. Keeping the documentation current also ensures everyone is working from the same understanding.
STEP 6 Score Yourself in SPRS
The Supplier Performance Risk System (SPRS) is the DoD system of record for CMMC self-assessment scores. Your SPRS score is visible to contracting officers and used in source selection decisions. For Level 1, assessment is binary for each of the fifteen requirements: Met or Not Met. Enter your results accurately.
STEP 7 Conduct the Annual Self-Assessment
The formal annual self-assessment is the structured evaluation of your compliance with the fifteen requirements, conducted by your organization, with results entered into SPRS. It is not a one-person desk review. It should involve the people responsible for operating the controls being assessed, with documented evidence reviewed for each requirement. If you have a three-lines-of-defense model in place, this is where you rely heavily on that third line and work together for the benefit of the organization.
Structure the assessment around your boundary from Step 2. For each in-scope requirement, review the evidence from Step 5, confirm the control is still operating as documented, and record the outcome. The assessment must be completed annually — a lapsed SPRS entry creates a contract award risk that contracting officers will flag. It is helpful to document the assessment with a formal scoping exercise in which all parties agree on the start and end dates and on what a good assessment process will look like. This makes the following years easier to review and amend for deletions and updates.
STEP 8 Affirm Compliance Annually
The annual affirmation is a separate requirement from the self-assessment. After completing the assessment and entering results in SPRS, a senior official — this could be the CEO, President, or equivalent — must formally affirm compliance with Level 1 requirements. This affirmation is a legal attestation entered into SPRS.
Do not treat this as a signature formality. The affirming official should understand what they are affirming, have reviewed the self-assessment results, and have confidence in the evidence base that supports them. False Claims Act liability attaches to materially inaccurate affirmations — which is precisely why the affirming official needs to be genuinely informed, not simply available to sign.
STEP 9 Manage the POA&M Rule — Level 1 Has No Flexibility Here
At Level 1, Plans of Action and Milestones (POA&Ms) are not permitted. This is a strict requirement: all controls must be fully implemented at the time of assessment. This requirement reinforces a strong foundational control environment.
At Level 2 and Level 3, POA&Ms allow conditional compliance with a 180-day closeout window. At Level 1, a requirement that is Not Met at assessment time represents an unresolved gap — not a documented remediation plan. Remediate before you assess, not after.
The practical implication: build a remediation calendar that gives you sufficient time to close all gaps before your formal assessment window. Discovering a Not Met requirement on assessment day is not a POA&M opportunity at Level 1 — it is a failed assessment.
This also reinforces the importance of Steps 3 and 4. The gap assessment and remediation sequence is not administrative overhead. It is the mechanism that makes a clean Level 1 self-assessment possible.
STEP 10 Prepare the Paper Trail for Contract Award
A completed self-assessment and annual affirmation in SPRS is a necessary condition for contract award on DoD solicitations requiring CMMC Level 1. Contracting officers are expected to check SPRS. For higher-value contracts or those involving more sensitive FCI, they may ask for supporting documentation confirming your SPRS score reflects a real, operating compliance posture.
Your paper trail should include: the documented assessment boundary, the evidence package for each of the fifteen requirements, records of the self-assessment process, the date and identity of the affirming official, and a version-controlled record of any changes to your compliance posture since the last assessment. It does not need to be elaborate. It needs to be accurate, current, and retrievable on short notice.
Looking Ahead: Phase 2 is Expected to Begin November 2026
Level 1 compliance built properly is not just a Phase 1 deliverable. The assessment boundary you define, the controls you document, and the SPRS discipline you establish all carry forward into Level 2 readiness.
When Phase 2 begins, expected in November 2026, solicitations will require Level 2 certification assessments conducted by an authorized CMMC Third-Party Assessor Organization (C3PAO) against the 110 requirements of NIST SP 800-171 Revision 2. The companies that will be ready are the ones that treated Level 1 as a governance foundation — not a compliance minimum.
If your company is navigating Phase 1 implementation or planning the transition to Level 2 certification, the governance architecture questions are worth getting ahead of now.
This article is for informational purposes only and does not constitute legal advice. CMMC requirements should be verified against current DoD guidance at dodcio.defense.gov/CMMC. Published May 2026.
Sturnella's Role
Sturnella advises mining, energy, infrastructure, and defense companies on IPO cybersecurity readiness, SEC Regulation S-K Item 106 compliance, cyber diligence in M&A transactions, and board-level cybersecurity governance — before and during capital markets events.
We operate at the deal table, not inside the IT department. Our work is focused on governance precision, disclosure defensibility, and transaction protection.
Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.
Sturnella LLC © 2026 All rights reserved.