CMMC and Scoping Level 1 Self-Assessments

lock and USB drive on keyboard

One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance. 

Here, we’re covering the CIO’s guidance for organizations performing self-assessments, specifically how to scope their self-assessments for Level 1 maturity. 


What Is Level 1 Maturity for CMMC Compliance?

Under the CMMC framework, Level 1 maturity is designed for contractors within the DiB that handle Federal Contract Information (FCI) but do not process, store, or transmit Controlled Unclassified Information (CUI). CMMC 2.0 simplifies the original CMMC framework into three levels instead of five, with Level 1 being the entry-level tier focusing on basic cyber hygiene practices.

  • Practices and Requirements: Level 1 consists of 15 basic cybersecurity practices that align with the requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. These practices cover fundamental aspects of cybersecurity, such as using antivirus software, performing regular backups, and ensuring that employees can identify phishing attempts.
  • Self-Assessment: Organizations at Level 1 are allowed to conduct annual self-assessments. This approach reduces the burden on small to medium-sized businesses (SMBs) by not requiring third-party assessment certification for Level 1, as opposed to the more stringent requirements for handling CUI at Levels 2 and 3.
  • Focus: At Level 1, the focus is on protecting FCI from unauthorized access and disclosure. The practices aim to establish a cybersecurity foundation to protect sensitive information related to government contracts.
  • Documentation and Reporting: While the self-assessment process allows organizations to certify themselves against Level 1 requirements, they are encouraged to maintain proper documentation of their cybersecurity practices and may be required to submit their self-assessment scores to the Department of Defense through the Supplier Performance Risk System (SPRS).

CMMC Level 1 ensures all contractors, especially smaller firms, have basic cybersecurity measures to protect information vital to national defense, albeit not classified as CUI–primarily FCI. It’s part of a broader effort to raise the cybersecurity posture of the entire defense supply chain, recognizing that even foundational cybersecurity practices can significantly mitigate the risk of cyber threats.

Under the CMMC framework, organizations that meet Level 1 standards can conduct self-assessments. 


What Is Federal Contract Information?

FCI, or Federal Contract Information, refers to information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. However, it does not include information the Government provides to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

FCI is protected by various laws, regulations, and policies to prevent unauthorized disclosure. This protection is crucial because FCI can include sensitive information about government contracts, proprietary or technical data, and other details that, if disclosed improperly, could potentially harm the interests of the United States or give an unfair advantage to other contractors or foreign entities.

Contractors or subcontractors’ handling, processing, storing, and transmitting FCI are subject to specific cybersecurity requirements to safeguard this information from cyber threats and vulnerabilities. For example, the CMMC framework includes practices and processes that contractors must implement to protect FCI and more sensitive CUI within their information systems.


How Can These Organizations Scope Their Self-Assessment?

Organizations scoping their Level 1 CMMC self-assessment should follow a structured approach to accurately determine which parts of their environment are included in the assessment. Here’s a summary of how organizations are advised to scope their self-assessment:

  • Identify FCI Assets: Organizations must first identify assets that process, store, or transmit FCI. These activities include accessing, editing, generating, storing, printing, or transmitting. These FCI assets are within the CMMC self-assessment’s scope and evaluated against applicable CMMC practices.
  • Out-of-Scope Assets: Assets that do not process, store, or transmit FCI are considered out-of-scope. They should not be included in the self-assessment as they are not evaluated against CMMC practices. Organizations must delineate which assets are out-of-scope to focus their assessment efforts appropriately.
  • Specialized Assets: The document also specifies certain specialized assets considered out of scope for a Level 1 self-assessment, provided they are properly documented. This includes Internet of Things (IoT) devices, government property, operational technology, restricted information systems, and test equipment. These specialized assets are not assessed against CMMC practices at Level 1.
  • Comprehensive Scope Consideration: Organizations are advised to consider all aspects of their environment that could process, store, or transmit FCI. This includes people (employees, contractors, etc.), technology (servers, mobile devices, applications, etc.), facilities (offices, data centers, etc.), and external service providers (cloud services, managed security service providers, etc.). This broad approach ensures that the self-assessment accounts for all potential vectors for handling FCI handling.
  • Iterative Process: An asset types approach allows organizations to determine how to meet CMMC Level 1 practices iteratively. This means that organizations must revisit and adjust which assets are included in the scope during the scoping process based on a deeper understanding of how FCI is processed, stored, and transmitted within their environment.


What Are Out-of-Scope Assets?

In the CMMC self-assessment process context, out-of-scope assets refer to those components of an organization’s information system environment that do not process, store, or transmit FCI or CUI. These assets are deemed outside the boundary of what needs to be assessed against the CMMC practices for a specific certification level. 

Identifying out-of-scope assets is a critical part of the scoping process for a CMMC assessment because it helps organizations focus their cybersecurity efforts and resources on the parts of their systems that directly impact the protection of sensitive government information.

Characteristics of Out-of-Scope Assets:

  • Non-involvement with Sensitive Information: These assets do not handle or have access to FCI or CUI, meaning they are not used to process, store, or transmit this information in any capacity.
  • Exclusion from Assessment: Out-of-scope assets are not included in CMMC assessments since they do not impact the security of FCI or CUI. This exclusion helps streamline the assessment process and allows organizations to concentrate on securing assets critical to protecting sensitive information.
  • No Documentation Requirements: For CMMC compliance, out-of-scope assets typically do not have documentation requirements regarding their adherence to CMMC practices, given their non-involvement with FCI or CUI.


Line Up Your Self-Assessment Capabilities with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve. If you are starting your CMMC journey and scoping out your Level 1 self-assessment, our cloud tools can help. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.

Download our company brochure.

Continuum GRC