5 CMMC Level 1 Self-Assessment Myths That Are Tripping Up Small Contractors
Published by Cygile
The CMMC Level 1 self-assessment process is not complicated. Fifteen practices, an annual cycle, a submission to SPRS. On paper, it’s the most straightforward compliance requirement in the Defense Industrial Base.
In practice, the misinformation circulating about how it actually works is creating real compliance gaps — gaps that a contracting officer or prime can see the moment they pull your SPRS record.
We went through this process ourselves. What follows is what we learned, stated plainly.
Myth 1: You need to submit a numerical score in SPRS for Level 1.
Reality: There is no score for CMMC Level 1.
This is one of the most common points of confusion, and it’s understandable — CMMC Level 2 does require a numerical score in SPRS (ranging from 88 to 110). Level 1 does not. The reason is straightforward: Level 1 is binary. Either all 15 practices are fully implemented or they aren’t. There is no partial credit and no Plan of Action and Milestones (POA&M) allowed at this level.
If you’re in SPRS looking for a score field on your Level 1 record and can’t find one, you’re not missing something. It doesn’t exist.
Myth 2: Completing the assessment is the same as being compliant.
Reality: The assessment is step one. SPRS submission is step two. Both are required.
A lot of contractors complete the internal self-assessment — reviewing the 15 practices, documenting findings, confirming implementation — and stop there. That’s not compliance. Until your results and executive affirmation are entered in SPRS and your record reflects a status of “Final Level 1 (Self),” you have no verifiable CMMC status. A contracting officer checking SPRS will see nothing.
The SPRS submission is not a formality. It is the requirement.
Myth 3: The affirmation alone is sufficient.
Reality: The affirmation without a complete SPRS entry is insufficient.
Related to Myth 2 but worth separating: some contractors enter partial information in SPRS — an affirmation date, a CAGE code — and assume the record is complete. It isn’t. The record needs to show both the assessment date and the affirmation, with a resulting status of “Final Level 1 (Self).” Log into SPRS and confirm that status explicitly. If the status field doesn’t reflect that, your submission is incomplete regardless of what else is in the record.
Myth 4: CMMC Level 1 covers Controlled Unclassified Information (CUI).
Reality: Level 1 covers Federal Contract Information (FCI) only.
This distinction matters. CMMC Level 1 is built on FAR 52.204-21, which governs the basic safeguarding of FCI — information provided by or generated for the government under a contract that is not intended for public release. If your contract involves CUI, Level 1 is not sufficient. You are operating under CMMC Level 2 requirements, which involve 110 controls, a NIST SP 800-171 assessment, and a separate SPRS submission process.
If you’re unsure which data types your contract involves, that is a question that needs a definitive answer before your next proposal goes out — not after.
Myth 5: Once you’re done, you’re done.
Reality: CMMC Level 1 self-assessments are valid for one year and must be renewed annually.
Your assessment date starts the clock. If you assessed on April 1, 2026, your status expires April 1, 2027. Miss that renewal and your SPRS record lapses. An expired record looks exactly like no record to a contracting officer — you become ineligible for award or renewal until it’s corrected.
Set the calendar reminder now. Not in March. Now.
What You Actually Need to Walk Away With
A complete, defensible CMMC Level 1 posture requires four things:
- A completed self-assessment against all 15 practices and 59 assessment objectives
- A SPRS record showing status of “Final Level 1 (Self)”
- An executive affirmation on record in SPRS
- Documentation — even basic documentation — that supports what you affirmed
That last point doesn’t appear anywhere in the formal submission process, which is exactly why it gets skipped. But if a contracting officer or prime asks you to demonstrate compliance, the SPRS record tells them you affirmed it. Documentation is what lets you actually prove it.
Need a Starting Point?
Cygile has built a CMMC Level 1 compliance repository based on our own self-assessment process — including evidence frameworks, practice documentation templates, and an SPRS submission checklist. We’re making it available at no cost to small contractors and subcontractors navigating this for the first time.
If your situation is more complex — multiple CAGEs, subcontractor flow-downs, or uncertainty about whether your contract involves CUI — contact us for a direct conversation.
Cygile is a boutique cybersecurity GRC advisory firm specializing in M&A cyber risk and federal compliance advisory. This post reflects our direct experience with the CMMC Level 1 self-assessment process as of April 2026. It is not legal advice.