CMMC Level 1 compliance is the foundation of cybersecurity readiness for any organization handling Federal Contract Information (FCI) under a Department of Defense (DoD) contract. With enforcement required as of November 10, 2025, contractors must be able to show they have implemented and documented the 17 required practices and completed an annual self-assessment.
This walkthrough explains how to move from a blank checklist to a complete, verifiable Level 1 self-assessment using only official DoD guidance.
Start by verifying that your organization handles FCI but not Controlled Unclassified Information (CUI). If you process or store CUI, you’ll need to meet Level 2. If you only work with FCI, Level 1 is your target. Review the data you handle and the requirements in your contract to confirm.
To help you through this process, we’ve created a simple checklist with each of the 17 required practices listed, as well as their associated Evidence Location, Owner, and Status.
Use this document as your self-assessment tracker and living record of compliance. Every practice must have a clear owner, proof of implementation, and supporting evidence.
For each practice, identify the systems, devices, and processes that apply. Collect screenshots, logs, or policy documents that prove controls exist.
For example, when documenting Access Control, capture user permissions or authentication settings from your directory service. For Physical Protection, keep access logs or badge-system records. The goal is to have tangible proof for every “MET” marking in your checklist.
Work through each practice one by one. Mark it as MET or NOT MET, or as N/A if it doesn’t apply. Be honest. A self-assessment loses credibility if everything is marked “MET” without documentation. If a control doesn’t exist or hasn’t been consistently applied, mark it “NOT MET” and move on: you’ll handle it in remediation.
Once you complete the initial pass, review all “NOT MET” items and plan corrective actions. For example:
When all 17 practices have been addressed, perform your formal self-assessment. Review every checklist line, verify evidence, and confirm that remediation actions are complete. Have department heads or control owners sign off where applicable. The designated senior official must affirm that your organization meets Level 1 practices and that evidence supports each claim.
Save your completed checklist, all related evidence, and the signed affirmation in a secure repository. DoD guidance requires Level 1 organizations to perform self-assessments annually, so you’ll revisit this process each year. Keeping records from prior years makes each assessment faster and demonstrates consistency.
CMMC compliance is not a one-time project. Keep your documentation current as systems or personnel change. Review access lists quarterly, ensure antivirus tools stay updated, and test backup and restoration procedures. By treating the checklist as an active document rather than a static form, you stay prepared for contract reviews or spot checks.
If you’re unsure whether your self-assessment is accurate or if a contracting officer requests independent validation, engage a Certified Third-Party Assessor Organization (C3PAO). A C3PAO can verify your results and identify issues before they impact contract eligibility.
Completing your CMMC Level 1 self-assessment is not complicated, but it demands structure, documentation, and discipline. Following this walkthrough helps ensure every required practice is accounted for, every gap is closed, and your evidence stands up to review. With CMMC enforcement beginning this November, organizations that build these habits now will be ready to meet the DoD’s expectations and maintain eligibility for future defense contracts.
It's important to be proactive now to ensure you can support CMMC Level 1; companies that aren’t proactive risk losing federal contracts and facing potential fines. See firsthand how a proactive approach to CMMC compliance helps win deals and amaze clients: read this case study to learn more.