Breaking Down the CMMC Level 1 and Level 2 Self-Assessment Process

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to strengthen the cybersecurity posture of the defense industrial base (DIB). For many contractors, the first step toward compliance is a self-assessment—a structured review of your organization’s cybersecurity practices to verify they meet CMMC’s required controls.

In this guide, we’ll explain how the CMMC Level 1 and CMMC Level 2 self-assessments work, the controls you must comply with, and best practices for preparing your organization for success.

Can You Self-Assess for Both CMMC Level 1 and Level 2?

Let’s start off with the basics. Yes, you can self-assess for both CMMC Level 1 and Level 2, but only under certain conditions.

• CMMC Level 1
  • CMMC Level 1 is always self-assessed. The DoD requires contractors handling only Federal Contract Information (FCI) to conduct an annual self-assessment.
  • No Certified Third-Party Assessor Organization (C3PAO) involvement is needed.
  • Results must be entered into the Supplier Performance Risk System (SPRS) and evidence must be maintained for DoD review.
• CMMC Level 2
  • Sometimes CMMC Level 2 is self-assessed, sometimes it’s third-party assessed.
  • If you handle Controlled Unclassified Information (CUI) that’s critical to national security for “prioritized” contracts, the DoD requires a third-party assessment by an Authorized C3PAO every three years.
  • If you handle CUI for “non-prioritized” contracts that’s not critical to national security, you may be allowed to complete an annual self-assessment instead.
  • Whether you qualify for self-assessment depends on contract requirements and DoD determinations.
  • Some Level 2 requirements may be addressed via a Plan of Action & Milestones (POA&M) with agreed remediation dates, but certain high-priority practices must be met before award.

Why CMMC Self-Assessments Matter

Whether you’re working toward Level 1 or Level 2 compliance, the self-assessment serves two critical purposes:

• Gap Identification: Pinpointing where your current security practices fall short.
• Evidence Collection: Documenting proof of compliance so you can report accurate results to the SPRS.

The DoD relies on your self-assessment scores to determine whether you can be awarded or maintain a contract, so accuracy and thoroughness are essential.

How the CMMC Self-Assessment Process Works

The CMMC self-assessment process follows a clear methodology outlined in the official DoD assessment guides for Level 1 and Level 2:

1. Define the Scope
   • Identify the information system (people, processes, technologies, and facilities) that handle FCI for Level 1 or CUI for Level 2.
   • Include cloud environments, remote work setups, and third-party systems if they process relevant data.
2. Review the Required Practices
   • Compare your organization’s cybersecurity policies, procedures, and technical configurations against CMMC requirements.
   • Understand the intent of each practice—compliance isn’t just about “checking the box.”
3. Gather Evidence
   • Use the three DoD-approved assessment methods: Examine (review documentation), Interview (speak with responsible personnel), and Test (validate technical configurations).
   • Collect system logs, screenshots, network diagrams, and written policies as proof.
4. Score Your Organization
   • For Level 1, practices are either met or not met—there’s no partial credit.
   • For Level 2, follow 32 CFR 170.24, starting at 110 points and subtracting for unmet requirements.
5. Report Results to SPRS
   • Submit your score, assessment date, and any applicable POA&M to the SPRS database.
   • Keep your records on file in case of a DoD review or third-party audit.

CMMC Level 1 Requirements

CMMC Level 1 is the foundational tier. It covers 15 basic cybersecurity practices from FAR 52.204-21, which are organized into six key domains:

1. Domain 1: Access Control (AC)
   • Limit information system access to authorized users, processes, or devices.
   • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
   • Verify and control/limit connections to and use of external information systems.
   • Control information posted or processed on publicly accessible information systems.
2. Domain 2: Identification and Authentication (IA)
   • Identify information system users, processes acting on behalf of users, or devices.
   • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access.
3. Domain 3: Media Protection (MP)
   • Sanitize or destroy information system media containing FCI before disposal or reuse.
4. Domain 4: Physical Protection (PE)
   • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
   • Protect and monitor the physical facility and support infrastructure for organizational systems.
   • Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
5. Domain 5: System and Communications Protection (SC)
   • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries.
   • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
6. Domain 6: System and Information Integrity (SI)
   • Identify, report, and correct information system flaws in a timely manner.
   • Provide protection from malicious code at appropriate locations within organizational information systems.
   • Update malicious code protection mechanisms when new releases are available.
   • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

CMMC Level 2 Requirements

CMMC Level 2 is the intermediate tier. It covers 110 practices that are mapped directly to NIST SP 800-171 and spread across 14 domains:

1. Domain 1: Access Control (AC)
   • Limit system access to authorized users, devices, and processes.
   • Implement least privilege and separation of duties.
   • Control external system connections.
   • Manage remote access and wireless access.
2. Domain 2: Awareness and Training (AT)
   • Provide cybersecurity awareness training for all users.
   • Train personnel on recognizing and reporting security threats.
   • Provide role-based training for individuals with significant security responsibilities.
3. Domain 3: Audit and Accountability (AU)
   • Generate, review, and retain system audit logs.
   • Protect audit information from unauthorized access.
   • Alert on audit log failures.
4. Domain 4: Configuration Management (CM)
   • Establish and maintain baseline configurations.
   • Enforce security configuration settings.
   • Track and approve changes to systems.
   • Restrict the use of nonessential programs and services.
5. Domain 5: Identification and Authentication (IA)
   • Assign unique IDs to all users.
   • Require multifactor authentication.
   • Enforce password complexity and expiration policies.
   • Authenticate devices before establishing connections.
6. Domain 6: Incident Response (IR)
   • Establish an incident response plan.
   • Detect and report incidents promptly.
   • Analyze, contain, and eradicate threats.
   • Document and track incident response activities.
7. Domain 7: Maintenance (MA)
   • Perform and record maintenance activities.
   • Control and monitor maintenance tools.
   • Sanitize equipment before removal for off-site repair.
8. Domain 8: Media Protection (MP)
   • Mark and label media containing CUI.
   • Control access to CUI media.
   • Encrypt CUI stored on removable media.
   • Sanitize or destroy media before disposal or reuse.
9. Domain 9: Personnel Security (PS)
   • Screen personnel prior to granting access to CUI.
   • Ensure access to CUI is revoked when employment ends or roles change.
10. Domain 10: Physical Protection (PE)
    • Limit access to facilities containing CUI systems.
    • Escort and monitor visitors.
    • Maintain visitor access logs.
    • Control physical access devices.
11. Domain 11: Risk Assessment (RA)
    • Conduct regular security risk assessments.
    • Scan for vulnerabilities periodically and after significant changes.
    • Remediate vulnerabilities promptly.
12. Domain 12: Security Assessment (CA)
    • Develop and maintain a system security plan (SSP).
    • Conduct periodic self-assessments of controls.
    • Implement plans of action to correct deficiencies.
    • Monitor and update security plans.
13. Domain 13: System and Communications Protection (SC)
    • Protect the confidentiality of CUI in transit using encryption.
    • Separate public and internal network zones.
    • Monitor and control communications at network boundaries.
14. Domain 14: System and Information Integrity (SI)
    • Identify and correct system flaws in a timely manner.
    • Provide protection from malicious code.
    • Update malware protection mechanisms.
    • Perform periodic and real-time system scans.

Best Practices for a Successful CMMC Self-Assessment

• Start Early: Give yourself months, not weeks, to identify gaps and implement fixes.
• Document Everything: Keep clear, organized evidence for every practice.
• Train Your Team: Make sure staff understand their role in meeting requirements.
• Use the DoD Guides: Follow the official CMMC assessment guides step-by-step.
• Consider a Readiness Review: Even if you’re self-assessing, a C3PAO pre-assessment can help you avoid costly surprises.

A CMMC Level 1 self-assessment is all about proving you have the basic cybersecurity hygiene needed to protect FCI, while CMMC Level 2 self-assessments demand a much deeper dive into policies, technical safeguards, and documented processes to protect CUI. In both cases, the key to success is preparation—define your scope, understand the requirements, gather detailed evidence, and report accurate results to SPRS. The better prepared you are, the smoother your path to compliance and contract eligibility will be.

IS Partners can help. With more than 20 years of experience in cross-industry compliance, we make it easy to navigate the CMMC audit readiness and compliance process. Our team of experts provides personalized support across the full CMMC lifecycle, from the initial gap assessment through readiness preparation and straight into the compliance audit. We’re also an Authorized C3PAO, certified to conduct CMMC Level 2 cybersecurity assessments and ensure your organization meets the necessary security standards. Whether you’re self-assessing or seeking third-party certification, IS Partners can help ensure you meet your CMMC requirements.

Ready to start your journey toward CMMC audit readiness and compliance? Check out our full suite of CMMC compliance services.

FAQs

About The Author

Ian Terry

Ian Terry is a highly respected thought leader and subject matter expert in the field of cybersecurity.

As the Director of Cybersecurity Services for IS Partners, Ian leverages his extensive knowledge and experience to provide valuable insights and guidance to clients across various industries.

Ian has performed numerous risk assessments and audits related to NIST, HIPAA, HITRUST, FISMA, PCI, and CMSR. He is also an expert in third-party risk management having built a SaaS security platform for streamlining third-party risk assessments. Ian's cybersecurity writings have been published in Hackernoon, Security Boulevard and CISO Mag.

He holds a B.S. in Cybersecurity from a national center of academic excellence in cybersecurity as recognized by the NSA and DHS and has CSM, HCISPP, and SSCP certifications.