CMMC LEVEL 1 SELF-ASSESSMENT QUICK ENTRY GUIDE VERSION 4.0

The Defense Industrial Base (DIB), compliance with the Cybersecurity Maturity Model Certification (CMMC) is no longer optional, it’s a prerequisite for doing business with the Department of Defense (DoD). While CMMC Level 1 is the foundational tier, it still requires contractors to demonstrate compliance with FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and to report their status in the Supplier Performance Risk System (SPRS).

To simplify this process, the CMMC Level 1 Self-Assessment Quick Entry Guide (SPRS V4.0)provides a step-by-step walkthrough for entering your self-assessment results into the Procurement Integrated Enterprise Environment (PIEE). Here’s what DIB contractors need to know.

Step 1: Secure PIEE Access

Before entering any assessment information, contractors must have the correct access in PIEE. Specifically, you’ll need the “SPRS Cyber Vendor User” role. Without this, you cannot add, edit, or delete CMMC assessment data.

Step 2: Navigate to SPRS and Cyber Reports

Once logged into PIEE, contractors select the SPRS application and then the Cyber Reports module. From here, the appropriate Hierarchy Level Organization (HLO) can be chosen from the dropdown menu. A helpful indicator: an asterisk (*) shows users with Cyber Vendor privileges.

Step 3: Add and Complete Your Self-Assessment

Within the Cyber Reports module, you’ll select “Add New Level 1 CMMC Self-Assessment.” The required data includes evidence of compliance with FAR 52.204-21’s 15 security requirements, which form the foundation for Level 1 certification. After entering details, you can proceed to the affirmation stage.

If you are not the Affirming Official (AO), the assessment can be transferred via email to the designated AO for certification and submission.

Step 4: Affirmation and Finalization

The affirmation step is critical. Here, the AO must review all assessment details, certify compliance, and formally affirm the results in SPRS. Once affirmed, the status becomes visible to DoD personnel as “Final Level 1 Self-Assessment.”

Keep in mind:

• Assessments expire after one year and automatically change to “No CMMC Status (Expired Assessment).”
• Only Final Level 1 Self-Assessments are visible to the government.

What This Means for the DIB

For many small and mid-sized contractors, CMMC Level 1 is the entry point into DoD contracting. But even at this level, it’s not just a “check the box” exercise. The government expects contractors to both implement the 15 safeguarding requirements and affirm them annually in SPRS.

Failing to complete or update this affirmation could mean the loss of eligibility for new contract awards. On the other hand, properly entering and maintaining your CMMC Level 1 self-assessment demonstrates a baseline commitment to protecting Federal Contract Information (FCI), a fundamental responsibility for every DIB organization.

Key Takeaway: If you’re a DIB contractor, don’t delay. Ensure your PIEE access is in place.

Luis G. Batista C.P.M., CPSM
luis@cybercomply.us
Office: (305) 306-1800 Ext. 800
Website LinkedIn Schedule Appointment
CAGE: 9QG33 UEI: K6UZHLE1WUA7
CyberComply CMMC GRC
A Product of Armada Cyber Defense