Your CMMC Level 1 package, from one honest interview.
A free CMMC Level 1 self-assessment that interviews you against all 59 official objectives in plain language. Meet every requirement and it generates your complete document package — four PDFs and two workbooks — then walks you through recording the result in SPRS. Fall short anywhere and you get a prioritized gap plan instead, because a package you can’t stand behind is worse than none.
Runs in your browser — your answers never leave it. Save with an email + password and resume any time.
Your CMMC Level 1 package, from one honest interview.
We walk you through all 59 official assessment objectives in plain language. Meet every one and the builder generates your complete Level 1 document package. Fall short anywhere and you get a prioritized gap plan instead — because a package you can’t stand behind is worse than none.
🔒 Runs entirely in your browser — nothing you type leaves this page.
15 requirements · 59 objectives · about 25 minutes
The 15 CMMC Level 1 requirements you’ll assess
CMMC Level 1 is the 15 basic safeguarding requirements of FAR 52.204-21(b)(1), assessed against 59 objectives from NIST SP 800-171A as reproduced in the CMMC Assessment Guide – Level 1 (v2.13). Six domains, no partial credit: one failed objective fails its requirement, and one failed requirement means no package.
AC · Access Control
- AC.L1-b.1.iAuthorized Access ControlNIST SP 800-171 Rev 2 · 3.1.1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.L1-b.1.iiTransaction & Function ControlNIST SP 800-171 Rev 2 · 3.1.2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L1-b.1.iiiExternal ConnectionsNIST SP 800-171 Rev 2 · 3.1.20
Verify and control/limit connections to and use of external information systems.
- AC.L1-b.1.ivControl Public InformationNIST SP 800-171 Rev 2 · 3.1.22
Control information posted or processed on publicly accessible information systems.
IA · Identification & Authentication
- IA.L1-b.1.vIdentificationNIST SP 800-171 Rev 2 · 3.5.1
Identify information system users, processes acting on behalf of users, or devices.
- IA.L1-b.1.viAuthenticationNIST SP 800-171 Rev 2 · 3.5.2
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
MP · Media Protection
- MP.L1-b.1.viiMedia DisposalNIST SP 800-171 Rev 2 · 3.8.3
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
PE · Physical Protection
- PE.L1-b.1.viiiLimit Physical AccessNIST SP 800-171 Rev 2 · 3.10.1
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PE.L1-b.1.ixManage Visitors & Physical AccessNIST SP 800-171 Rev 2 · 3.10.3 / .4 / .5
Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
SC · System and Communications Protection
- SC.L1-b.1.xBoundary ProtectionNIST SP 800-171 Rev 2 · 3.13.1
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- SC.L1-b.1.xiPublic-Access System SeparationNIST SP 800-171 Rev 2 · 3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SI · System and Information Integrity
- SI.L1-b.1.xiiFlaw RemediationNIST SP 800-171 Rev 2 · 3.14.1
Identify, report, and correct information and information system flaws in a timely manner.
- SI.L1-b.1.xiiiMalicious Code ProtectionNIST SP 800-171 Rev 2 · 3.14.2
Provide protection from malicious code at appropriate locations within organizational information systems.
- SI.L1-b.1.xivUpdate Malicious Code ProtectionNIST SP 800-171 Rev 2 · 3.14.4
Update malicious code protection mechanisms when new releases are available.
- SI.L1-b.1.xvSystem & File ScanningNIST SP 800-171 Rev 2 · 3.14.5
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
How the self-assessment works
- 01Set save-and-resume accessAn email and password lock your draft on this device, so you can leave and pick the assessment back up. Your answers are saved in your browser and never leave it.
- 02Profile, applicability, and scopeCompany details for the documents, a three-question FCI check that tells you whether Level 1 even applies, and your assessment scope — whole company or a defined enclave — per 32 CFR § 170.19(b).
- 03Answer the 59 objectives honestlyEach objective is a plain-language question with the verbatim official text one line below. Met, Not met, or N/A — and N/A counts as met only with a written justification.
- 04The honesty gate decidesEvery requirement met (or justified N/A) → your six-document package, generated locally. Anything open → a prioritized gap plan with a concrete fix and the evidence to gather for each gap. There is no override.
- 05Record it in SPRSThe builder ends with a step-by-step SPRS walkthrough pre-filled with your scope, CAGE, and employee count, plus a calendar reminder so the annual re-assessment never lapses.
The document package you get
More than a CMMC Level 1 checklist: a populated, brandable document set — every file generated in your browser from your actual answers, with any field you left blank highlighted for completion. Add your logo and it rides the letterhead. The whole set downloads as one zip.
Assessment Scope
Your CMMC Assessment Scope per 32 CFR § 170.19(b) — Enterprise or enclave, asset inventory (technology, facilities, ESPs, people), out-of-scope assets, and review triggers, seeded from your answers.
Information Security Policy
One policy section per requirement, tagged to its FAR 52.204-21(b)(1) clause, with your organization-defined values (patch timeframes, scan frequency, review cadence, MFA, endpoint protection) written in.
Self-Assessment Workbook
The working self-assessment template: all 59 objectives with your findings pre-filled, dropdowns, a requirement-summary rollup, an SPRS worksheet, and an evidence register.
Self-Assessment Report
The determination record — methodology per 32 CFR § 170.15(c)(1), the 15-row findings table from your actual results, N/A justifications, and the SPRS submission record.
AO Designation Memo
Designates your Affirming Official per 32 CFR § 170.22, with the responsibilities that come with the annual affirmation.
Operational Logs
Seven evidence registers — authorized users, device inventory, visitor log, key & badge register, media disposal, flaw & patch log, public content approvals — each mapped to the requirements it supports.
Submit your score in SPRS
A passing self-assessment only counts once it’s recorded. In the Supplier Performance Risk System (SPRS, via PIEE) you enter the assessment with the Add New CMMC Level 1 Self-Assessment button — you’ll need the SPRS Cyber Vendor User role — and your Affirming Official affirms it. SPRS then showsFinal Level 1 Self-Assessment (the rule calls the status “Final Level 1 (Self)”), which expires toNo CMMC Status (Expired Assessment) after one year: Level 1 self-assessments are annual (32 CFR § 170.15(a)(1)), a contracting officer needs both the status and a current affirmation on file before award (§ 170.15(b)), and your evidence must be retained for six years (§ 170.15(c)(2)). The builder’s results screen walks the whole flow with your own values filled in.
Do you need certification? (No — Level 1 is self-attested)
No assessor visits, no certificate, no C3PAO. CMMC Level 1 is a self-assessment: your own honest determination, entered in SPRS and affirmed annually by a senior official who takes responsibility for it — affirmations are subject to the False Claims Act, which is exactly why this builder refuses to generate a package you can’t stand behind. Since the Department of War suspended CMMC Phase II third-party assessments on July 13, 2026, self-assessment is the primary trust artifact: Level 1 (Self) and Level 2 (Self) are the only CMMC levels a contracting officer may currently designate.
CMMC Level 1, answered
What's the difference between CMMC Level 1 and Level 2?
CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 and protects Federal Contract Information (FCI). It is verified by an annual self-assessment entered in SPRS and affirmed by your Affirming Official — no third-party assessor. CMMC Level 2 covers all 110 NIST SP 800-171 Rev 2 requirements and applies when you handle Controlled Unclassified Information (CUI); it is verified by a Level 2 self-assessment or a C3PAO assessment, and the C3PAO track is currently suspended (July 13, 2026). Level 1 is the foundation either way.
What is FCI (Federal Contract Information)?
FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service (FAR 4.1901). It excludes information the Government provides to the public and simple transactional information like payment processing. Think contracting-officer emails, statements of work, drawings, and delivery schedules. If FCI touches your systems, CMMC Level 1 applies.
What does CMMC Level 1 cost?
There is no assessor or certification fee at Level 1 — it is a self-assessment, so the cost is your own time: implementing the 15 requirements, documenting them, and entering the result in SPRS. This builder is free and generates the full document package (scope, policy, workbook, report, AO memo, and operational logs) from your answers, in your browser.
Do I need a C3PAO for CMMC Level 1?
No. Level 1 is self-attested: you assess your own environment against the 59 assessment objectives, record the result in SPRS, and your Affirming Official affirms it annually. C3PAOs (third-party assessment organizations) only come into play for Level 2 (C3PAO) and above — and those third-party assessments were suspended by the Department of War on July 13, 2026 pending review.
How long does a CMMC Level 1 self-assessment take?
The interview itself takes about 25 minutes — 15 requirements, 59 objectives, asked in plain language — if you know your environment. If the honesty gate finds gaps, closing them is the real work: the builder gives you a prioritized gap plan with a concrete fix and the evidence to gather for each open requirement.
Is my assessment data private?
Yes — by architecture, not policy. Your answers, company details, and generated documents never leave your browser: the interview runs entirely client-side and the documents are generated locally. Your draft is saved on your own device, locked with the password you set. The only thing ever sent to Truvisory is the optional follow-up form — your email and company name, never your answers.
This tool generates draft compliance documents and an informational readiness check based on FAR 52.204-21, 32 CFR Part 170, and the CMMC Assessment Guide – Level 1 (v2.13). It is not legal advice, does not certify compliance, and is not affiliated with or endorsed by the U.S. Department of Defense or the Cyber AB. Your organization is solely responsible for implementing the requirements, for the accuracy of its SPRS entries, and for its Affirming Official's affirmation. Documents are generated in your browser; Truvisory does not receive or store your answers.