How to Perform a CMMC Level 1 Self-Assessment

Learn how to perform a CMMC Level 1 Self-Assessment


What is CMMC Level 1?

The Cybersecurity Maturity Model Certification consists of three levels, with Level 1 requiring the fewest security controls. CMMC Level 1 consists of 15 security controls. The controls are derived from Federal Acquisition Regulation 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). The controls in FAR 52.204-21 are selected from NIST SP 800-171. The controls selected for CMMC Level 1 are designed to protect federal contract information (FCI). FCI is not as sensitive as controlled unclassified information (CUI), hence it is only protected by 15 security controls instead of the 110 used to protect CUI.


What is the Difference between CMMC Level 1 and FAR 52.204-21?

As far as security requirements are concerned, there isn’t any difference between FAR 52.204-21 and CMMC Level 1. CMMC Level 1 does, however, involve performing an annual self-assessment and affirmation of control implementation.

How Do You Perform a CMMC Level 1 Self-Assessment?

The CMMC level 1 self-assessment should be performed in accordance with the CMMC Assessment Guide for Level 1. This is easier said than done. The Federal Government estimates the cost of performing a CMMC level 1 self-assessment to be $4,042. This is only the assessment cost, not the preparation and security control implementation cost.


The easiest method for performing a CMMC level 1 self-assessment is by using Lake Ridge’s Compliance Accelerator application. Simply answer yes or no questions related to each of the 15 requirements and the solution will determine whether you are meeting the requirements. If you are not, it will automatically create tasks for you to complete to meet those requirements. The solution also provides the documentation templates required to meet CMMC level 1 requirements.

How Do You Meet CMMC Level 1 Requirements?

CMMC level 1 requirements are met by implementing each of the 15 CMMC level 1 security controls. This involves implementing technical, administrative, and physical security controls. The Lake Ridge Compliance Accelerator solution describes in detail how to implement each CMMC level 1 requirement.

Do You Need a System Security Plan for CMMC Level 1?

None of the CMMC level 1 requirements specifically mandate the creation of a system security plan. It is, however, wise for organizations to create one, as it will help document how they implemented each of the 15 CMMC level 1 requirements.

Do You Need a Plan of Action and Milestones for CMMC Level 1?


No. For CMMC level 1, an organization cannot operate under a plan of action and milestones and still be compliant. An organization can, however, use a plan of action and milestones for its own project planning purposes.

 
