Performing Level 1 Self-Assessments Under CMMC Requirements

red keyboard key with a padlock on it.

Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system. 

Here, we take the next step and cover CIO guidelines for performing your self-assessment


Assessment Criteria and Methodology Guidelines

The CIO document outlines specific criteria and methodology for conducting a Level 1 self-assessment. This structured approach ensures contractors can accurately assess compliance with CMMC requirements. 

The general assessment criteria are:

  • Objectives for Each Practice: The guide provides self-assessment objectives based on existing criteria, adapted from NIST SP 800-171, for each Level 1 practice, modified to focus on Federal Contract Information (FCI) instead of Controlled Unclassified Information (CUI). These objectives offer contractors a clear benchmark for evaluating their compliance with CMMC Level 1 practices.
  • Authoritative Basis: The criteria serve as an authoritative basis for conducting self-assessments, providing a foundation to assess a practice’s fulfillment.

The methodology outlined in this document is as follows:

  • Self-Assessment Report: The primary result of a self-assessment is a detailed report containing the assessment’s findings. This report is crucial for documenting compliance with CMMC Level 1 practices.
  • Evidence Collection: Contractors need to collect evidence demonstrating that they fulfill the objectives of Level 1 practices. The evidence might come from documentation, computer configurations, network configurations, or training materials.
  • Assessment Methods: The guide adopts three main methods from NIST SP 800-171A for assessing compliance: examination, interview, and test. Each technique plays a critical role in evaluating different aspects of the cybersecurity practices:
  • Examine: Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., specifications, mechanisms, activities). This method aims to achieve understanding, clarification, or evidence collection.
  • Interview: Discussions with individuals or groups to facilitate understanding, clarify, or obtain evidence. Interviews can cover personnel with various responsibilities, from account management to information security.
  • Test: Exercising mechanisms or activities under specific conditions to compare actual with expected behavior. Testing helps verify that practices are implemented correctly and effectively.
  • Assessment Objects: These include specifications (document-based artifacts), mechanisms (hardware, software, firmware safeguards), activities (actions supporting a system), and individuals involved in applying the practices.
  • Determination Statements: Each assessment objective includes a determination statement linked to the CMMC practice, ensuring traceability of the assessment results to the requirements.
  • Flexibility and Discretion: Organizations can determine the level of effort and assurance required for the assessment. This includes choosing which assessment methods and objects are most helpful in obtaining the desired results.

This structured methodology ensures contractors can systematically assess their cybersecurity practices against CMMC Level 1 requirements, facilitating a comprehensive evaluation of their readiness and compliance.


Practice Categories for Self-Assessment

CMMC organizes the cybersecurity practices that need to be assessed into specific categories or domains. Each domain focuses on a different aspect of cybersecurity and includes practices tailored to protect FCI. Here are the categories for the practices defined in the document:

Access Control (AC) practices are designed to limit information system access to authorized users, processes, or devices and manage the types of transactions and functions that authorized individuals are permitted to execute:

  • AC.L1-3.1.1 – Authorized Access Control: Limit information system access to authorized users, processes acting for authorized users, or devices (including other information systems).
  • AC.L1-3.1.2 – Transaction and Function Control: Limit information system access to the types of transactions and functions authorized users can execute.
  • AC.L1-3.1.20 – External Connections: Verify and control/limit connections to and use of external information systems.


Identification and Authentication (IA) includes practices related to identifying and authenticating users’ identities, processes, or devices before allowing access to the organization’s information systems.

  • IA.L1-3.5.1 – Identification: Identify information system users, processes acting on behalf of users, or devices.
  • IA.L1-3.5.2—Authentication: Before allowing access to organizational information systems, authenticate (or verify) the identities of users, processes, or devices.


Media Protection (MP) focuses on safeguarding digital and non-digital media containing FCI, including procedures for sanitizing and disposing of media to prevent unauthorized access and data leakage.

  • MP.L1-3.8.3 – Media Disposal: Before disposal or release for reuse, sanitize or destroy information system media containing Federal Contract Information.


Physical Protection (PE) covers practices that limit authorized individuals’ physical access to organizational information systems, equipment, and operating environments, protecting them from physical threats.

  • PE.L1-3.10.1 – Limit Physical Access: Authorized individuals must have physical access to organizational information systems, equipment, and the respective operating environments.
  • PE.L1-3.10.3 – Escort Visitors: Escort visitors and monitor visitor activity.
  • PE.L1-3.10.4 – Physical Access Logs: Maintain audit logs of physical access.


System and Communications Protection (SC) aims to monitor, control, and protect organizational communications at the external and critical internal boundaries of information systems to prevent unauthorized access and data exfiltration.

  • SC.L1-3.13.1 – Boundary Protection: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the information systems’ external and vital internal boundaries.
  • SC.L1-3.13.5 – Public-Access System Separation: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.


System and Information Integrity (SI) includes practices that focus on promptly identifying, reporting, and correcting information and information system flaws and providing protection from malicious code at designated locations within organizational information systems.

  • SI.L1-3.14.1 – Flaw Remediation: Identify, report, and correct information and information system flaws promptly.
  • SI.L1-3.14.2 – Malicious Code Protection: Protect malicious code at appropriate locations within organizational information systems.
  • SI.L1-3.14.4 – Update Malicious Code Protection: Update malicious code protection mechanisms when new releases are available.
  • SI.L1-3.14.5 – System & File Scanning: Periodically scan the information system and real-time scan files from external sources as they are downloaded, opened, or executed.

Each domain encompasses specific practices that organizations must implement and assess as part of their CMMC Level 1 self-assessment. The practices within these domains are designed to establish a foundation of cybersecurity measures that protect the confidentiality, integrity, and availability of FCI handled by the contractor.


Track Your CMMC Systems for Assessment with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for CMMC certification (along with our sister company and C3PAO, Lazarus Alliance). We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.

Continuum GRC