
Phase 1 Implementation Begins: What You Need Now

With the CMMC final rule effective December 16, 2024, Phase 1 implementation is imminent. During Phase 1, the DoD may include CMMC Level 1 or Level 2 self-assessment requirements in new contracts. This article covers exactly what you need to have ready.

Level 1 Requirements

If your contracts involve only Federal Contract Information (FCI), you need CMMC Level 1. The requirements are straightforward: implement the 17 practices from FAR 52.204-21, complete a self-assessment, enter your results in SPRS, and have a senior company official submit an annual affirmation.

The 17 Level 1 practices cover basic cyber hygiene: limit system access, authenticate users, sanitize media, limit physical access, escort visitors, monitor and control communications at system boundaries, fix flaws in a timely manner, update malicious code protection, and perform periodic scans. Most companies with basic IT practices already meet many of these requirements.

Level 2 Self-Assessment Requirements

If your contracts involve Controlled Unclassified Information (CUI), you need CMMC Level 2. During Phase 1, the assessment type is self-assessment; third-party assessments come in Phase 2. But do not mistake self-assessment for an easy option. A Level 2 self-assessment requires compliance with all 110 NIST SP 800-171 Rev 2 security requirements, a complete and current System Security Plan (SSP), a Plan of Action and Milestones (POA&M) for any unmet requirements, a SPRS score that accurately reflects your implementation status, and an annual affirmation by a senior company official.

The Affirmation Requirement

The affirmation is new under CMMC and carries significant weight. A senior official — typically the CEO, CIO, or CISO — must affirm in SPRS that the organization's self-assessment is accurate and that the company is maintaining its security posture. This is a personal attestation, and a false affirmation exposes both the company and the individual to False Claims Act liability.

This is not a rubber stamp. The affirming official should personally understand the company's security posture, review the SSP and SPRS score, and be confident that the assessment is honest. If there are gaps, they should be documented in the POA&M with credible remediation plans.

What to Do Right Now

Verify your SPRS score. Log into SPRS and confirm your score is current and accurate. If you have never submitted a score, do it immediately. If your score is outdated, update it.

Review your SSP. Ensure every one of the 110 requirements is addressed with a description of your actual implementation. Update any sections that have drifted from reality.

Identify your affirming official. Decide who will submit the annual affirmation. Brief them on what they are attesting to and ensure they are comfortable with the accuracy of your self-assessment.

Start preparing for Phase 2. Self-assessment is the beginning, not the end. Phase 2 brings third-party assessments. Use the Phase 1 period to close gaps, strengthen controls, and build the evidence collection practices you will need for a C3PAO assessment.

Tags: CMMC Phase 1, Self-Assessment, SPRS, Affirmation
