CMMC Certification Guidance
Sharee Richardson

- Dec 30, 2025
Below is an overview of what your company may need in order to complete the assessment, along with guidance on the 17 practices contractors will need to adhere to. All of the information can be found on the Department of Defense (DOD) website: https://dodcio.defense.gov/cmmc/Resources-Documentation/

CMMC Certification Level 1
Certification Background
CMMC Level 1 is the basic security control level for the Department of Defense (DOD). It requires a self-assessment for compliance; unlike the higher levels, it does not require a third-party audit.
Organizations must complete a new self-assessment annually to remain compliant.
The self-assessment identifies which assets within the Contractor's and/or Organization Seeking Compliance (OSC) environment will be assessed and the details of the assessment.
The organization performs the Level 1 self-assessment to demonstrate that its security meets all 17 Level 1 security requirements.
Note - The DOD does not have a mandatory standardized template and does not require you to submit any formal documentation as part of the self-assessment itself.
The organization scores itself against the 17 requirements and enters the resulting score into the DOD's Supplier Performance Risk System (SPRS).
Certification requires the implementation of 17 security practices that align with the Basic Safeguarding Requirements found in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
CMMC Phase 1 implementation begins November 10, 2025.
On October 1, 2026, DOD includes the requirements for all OSC applications (Levels 1, 2 and 3).
There are companies that can help with the assessment; however, they charge a nominal fee. My understanding is that the assessment can be completed by the Contractor/OSC if you follow the CMMC Self-Assessment Guide Level 1 guideline provided by the DOD CIO.
Steps for Contractors
- Review current DOD contracts for CMMC requirements.
- Determine whether your organization handles Federal Contract Information (FCI) and which CMMC level applies.
- Begin implementing the basic safeguarding practices outlined in FAR clause 52.204-21.
Self-Assessment
- The self-assessment must follow NIST SP 800-171A as guidance.
- Self-assessment results shall be submitted to the Supplier Performance Risk System (SPRS) at https://piee.eb.mil/
- Submitting your self-assessment score to SPRS is a critical step, since it informs the DOD of your organization's cybersecurity posture.
- Scores are binary for CMMC Level 1. Organizations simply indicate whether they have met each of the 17 security requirements by selecting "Yes" (compliant) or "No" (non-compliant).
- In order to certify at Level 1, organizations must be fully compliant when submitting their SPRS score, selecting "Yes" for all 17 security controls.
- Organizations shall also submit a formal affirmation that declares their compliance status and asserts that the results are accurate.
Each section of the CMMC Self-Assessment Guide Level 1 provides detailed information on how to self-assess one CMMC practice. Each section includes:
- Assessment Objectives - Identifies the specific set of objectives that must be met.
- Assessment Methods and Objects - Defines the nature and extent of the self-assessment. The methods are examine, interview and test.
  - Examine - Reviewing documents, records, system configurations, logs, policies, procedures, or other artifacts for evidence that the control is in place. (Example: looking at an access control list, viewing audit logs, reviewing policies, checking whether media sanitization procedures are documented, etc.)
  - Interview - The person conducting the self-assessment asks an individual (e.g., a system administrator, IT staff member, or security manager) questions about how a security control is applied or enforced. (Example: When was the last time you revoked access for a former employee?)
  - Test - Actively verifying that a control works as intended. (Example: checking whether antivirus software detects known malware, or logging in with a user account to confirm that access is restricted.)
- Discussion - Reproduces the discussion text from the corresponding NIST SP 800-171 security requirement.
The CMMC Level 1 checklist includes 17 practices:
- Access Control (AC) - Limit information system access to authorized users and devices.
  - Authorized Access Control - Limit system access to authorized users, processes, and devices.
  - Transaction and Process Control - Limit users' access to only the information and system functions they need.
  - External Connection - Verify and control connections to external systems.
  - Control Public Information - Control the use of removable media (e.g., USB drives) on system components.
- Identification and Authentication (IA)
  - Identification - Identify system users, processes, and devices before granting access.
  - Authentication - Authenticate users and devices before granting access (e.g., passwords, PINs).
- Media Protection (MP)
  - Media Disposal - Sanitize media (e.g., wipe drives) before disposal or reuse.
- Physical Protection (PE)
  - Limit Physical Access - Limit physical access to systems with FCI to authorized personnel.
  - Escort Visitors - Escort visitors and monitor their activity.
  - Physical Access Logs - Maintain physical access logs (e.g., sign-in sheets or access system logs).
  - Manage Physical Access - Control physical access to devices with FCI (e.g., lock doors, secure laptops).
- System and Communications Protection (SC)
  - Boundary Protection - Monitor, control, and protect communications (e.g., use firewalls, encrypted email).
  - Public-Access System Separation - Protect the integrity of information transmitted over networks.
- System and Information Integrity (SI)
  - Flaw Remediation - Identify, report, and correct system flaws (e.g., install updates/patches).
  - Malicious Code Protection - Protect systems from malicious code (e.g., antivirus software).
  - Update Malicious Code Protection - Update malicious code protection mechanisms when new releases are available.
  - System and File Scanning - Perform periodic scans of the information system, and real-time scans of files from external sources as those files are downloaded, opened, or executed.
