CMMC Level 1 Self-Check

WHY THIS MATTERS

Know your Level 1 standing before you self-attest.

If you handle Federal Contract Information (FCI), CMMC 2.0 Level 1 asks you to affirm — every year — that all 17 Foundational practices are in place. There is no partial credit at Level 1: a practice is met or it isn’t. This free self-check walks all 17 (straight from FAR 52.204-21), so you can see exactly where you stand before you sign. No signup, nothing stored.

Get a readiness roadmap → What is CMMC?

THE SELF-CHECK

Walk all 17 practices

Mark each practice Met, Not sure, or Not yet. Your readiness updates live.

0 / 17 met

START THE CHECK

Not yet

0

Not sure

0

CMMC 2.0 Level 1 (Foundational) covers the 17 practices that protect Federal Contract Information (FCI), drawn from FAR 52.204-21. Level 1 requires an annual self-assessment affirming all 17 are met and an annual senior-official affirmation in SPRS — there is no partial credit at Level 1. This is an unofficial readiness aid, not an assessment of record. Handling Controlled Unclassified Information (CUI) instead of FCI moves you up to Level 2 and the full 110 NIST 800-171 controls.

Email me my CMMC L1 readiness summary + a remediation roadmap

We'll send a copy and, if you want, help you take the next step. No spam.

HOW TO READ YOUR RESULT

All 17, or it’s a gap

Level 1 is pass/fail by design. Here’s the honest read.

17 / 17

Ready to self-attest

Every Foundational practice met. You can complete the annual self-assessment and the senior-official affirmation in SPRS with a clear conscience — and keep the evidence.

CLOSE

A few gaps

Most Level 1 gaps are quick wins — boundary protection, malware defense, access limits, physical controls. They’re rarely expensive; they just need to actually be done and documented.

NOT SURE

Unknowns are gaps too

“Not sure” is not “met.” If you can’t point to how a practice is implemented and who owns it, treat it as open. That’s exactly where a short readiness engagement pays for itself.

COMMON QUESTIONS

CMMC Level 1, answered

How many practices are in CMMC Level 1?

17. CMMC 2.0 Level 1 (Foundational) consists of 17 practices across six domains, drawn directly from the basic safeguarding requirements in FAR clause 52.204-21. They protect Federal Contract Information (FCI).

Do I need a third-party assessment for Level 1?

No. Level 1 is met through an annual self-assessment plus an annual affirmation by a senior company official, recorded in SPRS. Third-party C3PAO assessments come into play at Level 2 for most contracts that involve Controlled Unclassified Information (CUI). Always confirm the level a specific solicitation requires.

What is the difference between FCI and CUI?

FCI is information provided by or generated for the government under a contract that is not intended for public release — Level 1 protects it. CUI is a defined category of sensitive (but unclassified) government information requiring stronger safeguards; handling CUI moves you to CMMC Level 2 and the full 110 NIST 800-171 controls.

Is “Not sure” good enough to self-attest?

No. The annual affirmation is a senior official’s statement that the practices are met. If you can’t demonstrate how a practice is implemented, treat it as a gap and close it before you attest — a false affirmation carries real risk.

Does this tool submit anything to the government?

No. It runs entirely in your browser, stores nothing, and submits nothing. Your official self-assessment and affirmation still have to be recorded in SPRS. This is an unofficial readiness aid to help you get there.