CMMC Level 1 self-assessment guide for contractors

Written by

Kendall Jones

Published on March 15, 2025

Contractors and subcontractors who work on construction projects for the Department of Defense (DoD) need to be aware of two new rules regarding their Cybersecurity Maturity Model Certification (CMMC) program. The new rules are intended to help the DoD better protect the Defense Industrial Base (DIB) from cyberattacks that have been growing in frequency and complexity.


These new rules are intended to ensure that contractors and subcontractors are meeting requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that they process, store, or transmit from cyberattacks. CUI is unclassified government information that should only be shared with those performing work for the government. FCI is a subset of CUI that is used for contracting purposes and not intended for release to the public.


Completion of Level 1 and Level 2 Self-Assessments will need to be recorded and affirmed by a senior company official in the Procurement Integrated Enterprise Environment’s Supplier Performance Risk System (SPRS) Cyber Reports. At this time, only Level 1 Self-Assessments can be recorded and affirmed in SPRS, with Level 2 Self-Assessments coming later in 2025.


This step-by-step guide is intended to help you conduct and report your CMMC Level 1 Self-Assessment.

1. Obtain UEI and CAGE code

To be awarded contracts with the federal government you will need to register with its System for Award Management (SAM) and obtain a Unique Entity ID (UEI) and a Commercial and Government Entity (CAGE) code.


Skip to Step 2 if you are already registered with SAM and have a UEI and CAGE code.



Register new entity




  1.1. Go to SAM.gov and click “Get Started” under Register Your Entity or Get a Unique Entity ID.

  1.2. Read the Terms of Use and click “Agree” on the pop-up.

  1.3. Click on “Create an account” and enter your email address and language preference, click the checkbox to accept the Rules of Use, and click “Submit”.

  1.4. Click the link in the email you receive to confirm your email address, create and confirm your password, and click “Submit”.

  1.5. Select your multi-factor authentication method(s) and follow the steps depending on which method(s) you choose.

  1.6. Read and agree to the Terms of Use by clicking the checkbox and then “Submit”.

  1.7. Enter the one-time password from the email you receive and click “Submit”.

  1.8. Enter your personal info and click “Submit” and skip the step for requesting a role.

  1.9. Choose and assign roles. You will be listed as your SAM Point of Contact (POC) unless you assign it to someone else. You also need to assign an Electronic Business POC since it’s required to use the Procurement Integrated Enterprise Environment.

  1.10. Click “Get Started” under Register Your Entity or Get a Unique Entity ID and then click “Create New Entity” on the next screen.

  1.11. Select your goals and intentions and click “Next”. This will vary depending on whether you are planning to bid as a prime contractor or subcontractor.

  1.12. Click “Select” under All Awards so you can get your UEI and CAGE code. You may need to click “See other options” if the only option showing is Unique Entity ID Only.

  1.13. Select “No” since you aren’t registering a government entity, select whether your entity is physically located in the US, and click “Next”.

  1.14. Select whether or not you already have a CAGE code and click “Next”.

  1.15. Review your selections and click “Next”.

  1.16. Review the info you will need to complete your registration and click “Next”. You can download an Entity Registration Checklist to help you prepare.

  1.17. Enter the legal name and physical address of your business and click “Next”.

  1.18. SAM will validate and display a matched entity. If your entity info is correct, click “Next”. If no matches are found, or the info is incorrect, click “Create Incident” to submit a ticket with the Federal Service Desk (FSD) for assistance.

  1.19. Choose whether or not you want your entity record to be publicly displayed in SAM.gov.

  1.20. Confirm you are authorized to conduct transactions for your entity and click “Receive Unique Entity ID”.

  1.21. Your UEI will be displayed. Click “Continue Registration”.

  1.22. Enter the required entity information in the next few steps. Once all the info is entered, review it and click “Submit”. You will receive a message confirming your registration has been submitted.

2. Register with the PIEE and assign SPRS Cyber Vendor Role

Once you’ve registered with SAM and obtained your UEI and CAGE code you need to register with the Procurement Integrated Enterprise Environment (PIEE) and assign a Supplier Performance Risk System (SPRS) Cyber Vendor.


If you’re already registered with PIEE and have assigned a SPRS Cyber Vendor, skip to Step 3.



  2.1. Set up a Vendor Group with your CAGE code by calling the PIEE Help Desk at 866-618-5988 or sending an email to disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil.

  2.2. Navigate to the PIEE website and click “New User”. On the next page scroll down and click “Register”.

  2.3. Click “Agree” to confirm you’ve read and understand the terms and conditions.

  2.4. Select “Vendor” and then use the dropdown to pick how you will access PIEE. If you choose “User ID / Password” you will create those, complete the CAPTCHA, and click “Next”.

  2.5. Select your three security questions, fill in and confirm your answers to each one, and click “Next”.

  2.6. On the next two screens fill in your user profile and supervisor information.

  2.7. Use the first dropdown to select “PIEE” and the second to select “Contract Administrator” and then click “Add Roles”. Adding a Contract Administrator (CAM) must be done by the Electronic Business POC, and the easiest way to do that is to have them self-register as the CAM.

  2.8. Repeat the process but select “SPRS” from the first dropdown and “SPRS Cyber Vendor User” from the second and click “Add Roles”. Enter your CAGE code and click “Next”.

  2.9. Type in the justification for requesting access, upload any necessary documents, and click “Next”.

  2.10. Review and verify the registration summary by clicking “Next”.

  2.11. Review the user agreement, click the checkbox to accept, and then click “Signature” to complete your registration.

3. Conduct CMMC Level 1 Self-Assessment

CMMC Level 1 is the lowest level in the program and applies to contractors who have access to FCI only. For construction, FCI would cover assets like plans and specifications, requests for information (RFIs) and their responses, as-builts, submittals, addenda, and emails and recordings of communication with the DoD.


Level 1 requirements cover the controls and measures needed to protect FCI that your company processes, stores, or transmits from cyberattacks. The requirements and procedures are specified in FAR 52.204-21, which includes 15 security controls that need to be met or deemed not applicable.


The 15 security controls correlate with the 17 practices that are grouped into the following six domains as laid out in NIST SP 800-171A:


  • Access Control

  • Identification and Authentication

  • Media Protection

  • Physical Protection

  • System and Communications Protection

  • System and Information Protection



  3.1. Identify Level 1 Self-Assessment Scope
    To identify and document your scope you need to determine what FCI Assets are being used to process, store, or transmit FCI. FCI Assets include people, technology, facilities, and external service providers (ESPs). For more information on scope, refer to CMMC Level 1 Self-Assessment Scope.

  3.2. Conduct and Document Level 1 Self-Assessment
    To conduct the assessment and create a report you need to confirm and validate that your company has met all of the objectives of NIST SP 800-171A for the FCI Assets identified in your scope. These objectives can be met through different methods depending on what is being assessed, including examination, interviewing, and testing. The DoD has put together a CMMC Level 1 Self-Assessment Guide to help you through the process.

4. Submit CMMC Level 1 self-assessment

To submit your CMMC Level 1 self-assessment you need to fill out some basic information attesting that you’ve conducted your self-assessment and met all applicable practices. No reports or documents will need to be uploaded but you should keep all records of your self-assessment.



  4.1. Navigate to the PIEE website and log in to your account.

  4.2. Click the SPRS icon and select “Cyber Reports”.

  4.3. Use the dropdown to find and select the Hierarchy, which can be identified by the HLO and should have an asterisk indicating that you have the necessary SPRS Cyber Vendor User role to add, edit, and delete reports.

  4.4. Click on the “CMMC Assessment” tab and click on “Add New Level 1 CMMC Self-Assessment”.

  4.5. Enter assessment details and continue.

  4.6. Add any additional emails and continue.

  4.7. Click “Continue” if you are the Affirming Officer. If not, enter the email address for the Affirming Officer and click “Transfer to AO” for them to complete.

  4.8. Review the assessment details, click the checkbox to certify you’ve reviewed the affirmation statement, and click “Affirm”.



The exact timeline for when the DoD will begin requiring CMMC Level 1 Self-Assessments for contract awards is still up in the air, but it will happen later in 2025. To get your company ready for the changes, it’s recommended that you start conducting, recording, and affirming your self-assessment now.