32 CFR § 170.15 - CMMC Level 1 self-assessment and affirmation requirements.

---
identifier: "/us/cfr/t32/s170.15"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "32 CFR § 170.15 - CMMC Level 1 self-assessment and affirmation requirements."
title_number: 32
title_name: "National Defense"
section_number: "170.15"
section_name: "CMMC Level 1 self-assessment and affirmation requirements."
chapter_name: "OFFICE OF THE SECRETARY OF DEFENSE"
subchapter_number: "G"
subchapter_name: "DEFENSE CONTRACTING"
part_number: "170"
part_name: "CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198."
regulatory_source: "89 FR 83214, Oct. 15, 2024, unless otherwise noted."
cfr_part: "170"
---

# 170.15 CMMC Level 1 self-assessment and affirmation requirements.

(a) *Level 1 self-assessment.* To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).

(1) *Level 1 self-assessment requirements.* The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.

(i) *Inputs to SPRS.* The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:

(A) CMMC Level.

(B) CMMC Status Date.

(C) CMMC Assessment Scope.

(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.

(E) Compliance result.

(ii) [Reserved]

(2) *Affirmation.* Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.

(b) *Contract eligibility.* Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.

(c) *Procedures*—(1) *Level 1 self-assessment.* The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:

(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.

(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.

Table 2 to § 170.15(c)(1)(ii)—CMMC Level 1 Security Requirements Mapped to NIST SP 800-171A Jun2018

| CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800-171A Jun2018 |
| --- | --- |
| AC.L1-b.1.i | 3.1.1 |
| AC.L1-b.1.ii | 3.1.2 |
| AC.L1-b.1.iii | 3.1.20 |
| AC.L1-b.1.iv | 3.1.22 |
| IA.L1-b.1.v | 3.5.1 |
| IA.L1-b.1.vi | 3.5.2 |
| MP.L1-b.1.vii | 3.8.3 |
| PE.L1-b.1.viii | 3.10.1 |
| First phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.3 |
| Second phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.4 |
| Third phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.5 |
| SC.L1-b.1.x | 3.13.1 |
| SC.L1-b.1.xi | 3.13.5 |
| SI.L1-b.1.xii | 3.14.1 |
| SI.L1-b.1.xiii | 3.14.2 |
| SI.L1-b.1.xiv | 3.14.4 |
| SI.L1-b.1.xv | 3.14.5 |

\* Three of the 48 CFR 52.204-21 requirements were broken apart by “phrase” when NIST SP 800-171 R2 was developed.

(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.

(2) *Artifact retention.* The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.