Prepare for CMMC certification with our self-assessment tool covering the 17 foundational practices required to protect Federal Contract Information (FCI).
Why This Matters
CMMC Level 1 isn't optional for DoD contractors handling FCI. The contracts โ and the liability โ are real.
CMMC Level 1 compliance is a prerequisite for all DoD contracts involving Federal Contract Information. Without it, you cannot bid โ regardless of price or qualifications.
Source: DFARS 252.204-7012; DoD CMMC 2.0
of defense contractors are not yet CMMC-certified as the phased rollout accelerates. Early movers gain a direct competitive advantage in contract awards.
Source: OUSD(A&S) estimates1
Annual self-attestation in SPRS is required under FAR 52.204-21. A false attestation carries civil and criminal liability under the False Claims Act โ the same statute used to prosecute federal fraud.
Source: DoD CMMC Program Rule; False Claims Act, 31 U.S.C. ยง 3729
A CMMC L1 assessment typically costs $30kโ$80k. The contracts at risk average $500kโ$5M+ annually. The assessment costs a fraction of a single lost award.
Industry assessment market rates 2026
The Cybersecurity Maturity Model Certification (CMMC) Level 1 represents the foundational tier of cybersecurity practices required for organizations handling Federal Contract Information (FCI) in Department of Defense contracts.
A focused set of basic cyber hygiene practices that form the foundation of cybersecurity for DoD contractors.
Level 1 requires annual self-assessment — no third-party certification needed. Results must be entered into SPRS.
Designed to protect Federal Contract Information — information not intended for public release provided by or generated for the government.
CMMC Level 1 practices are organized into 6 security domains, each addressing a specific area of cybersecurity protection.
Limit system access to authorized users, processes, and devices. Control what information users can access and what they can do with it.
Verify the identity of users, processes, and devices before granting access to organizational systems.
Protect information system media containing FCI, both paper and digital, and limit access to authorized personnel.
Limit physical access to systems, equipment, and operating environments to authorized individuals.
Monitor, control, and protect communications at external and key internal boundaries of information systems.
Identify, report, and correct system flaws in a timely manner. Provide protection from malicious code.
Any organization that handles Federal Contract Information (FCI) as part of a DoD contract.
Companies in the defense supply chain that receive FCI from prime contractors.
Organizations preparing to bid on DoD contracts that will require CMMC certification.
Organizations using Level 1 as a stepping stone toward CMMC Level 2 certification.
Our assessment tool guides you through all 17 practices with clear explanations and helps you document your compliance status for SPRS submission.
Navigate through the 6 security domains, reviewing practices in each area.
For each practice, assess your current implementation: Met, Partially Met, or Not Met.
Add notes describing how you implement each practice and any supporting evidence.
Download your assessment report for internal review and SPRS documentation.
A complete Level 1 assessment typically takes 30-60 minutes for organizations with basic documentation already in place.
Generate comprehensive reports to document your CMMC Level 1 compliance status and support your SPRS submission requirements.
Complete assessment results showing compliance status for each practice, organized by domain with summary statistics.
Supporting documentation formatted to help with your Supplier Performance Risk System (SPRS) score submission.
A password-protected JSON file containing all your assessment data. Use it to restore your assessment or transfer between devices.
The right CMMC level depends on the type of information you handle in your DoD contracts.
Sources
Try our CMMC Level 1 assessment tool with a free trial. Document your compliance status and prepare for your SPRS submission.