If your contract requires Cybersecurity Maturity Model Certification (CMMC) Level 1, you do not need a third-party assessor. You can self-attest. But self-attestation is not just checking a box. A senior official at your company signs a legal affirmation, that affirmation gets posted to a federal database, and contracting officers can see it. If the affirmation is wrong, the exposure is real.
This post walks through exactly how CMMC Level 1 self-attestation works: what you are attesting to, who signs it, where it goes, how often you have to do it, and what you should have on file in case anyone ever questions it. It is aimed at small DoD subcontractors who handle Federal Contract Information (FCI) and are figuring out what Level 1 actually demands before they commit.
APT Security Management, based in North Charleston, South Carolina, works with defense contractors at both Level 1 and Level 2. The questions below come from real conversations with subcontractors who discovered the process was more involved than they expected.
What Level 1 Self-Attestation Is
CMMC Level 1 is designed for contractors and subcontractors that handle FCI but do not handle Controlled Unclassified Information (CUI). FCI is any information provided by or generated for the government under a contract that is not intended for public release. It is a broad category that covers a lot of basic contract documentation, order information, pricing schedules, and similar operational data.
Level 1 requires compliance with 15 security practices. These practices come directly from Federal Acquisition Regulation (FAR) clause 52.204-21, referenced in the CMMC model as AC.L1-b.1.i through AC.L1-b.1.xv. They cover basic access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Nothing exotic, but nothing optional either. If you want to look up what any specific practice requires, APT's CMMC Practice Lookup has plain-English explanations for all of them.
Unlike Level 2, which requires either a self-assessment or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) depending on the contract, Level 1 always uses self-attestation. You assess yourself, and a senior official affirms the result in writing.
One common misconception worth clearing up: the correct practice count for Level 1 is 15, not 17. The figure "17" comes from the original CMMC 1.0 framework and no longer applies. If you see that number in older guidance or a vendor's materials, it is out of date.
Who Signs the Affirmation and What They Are Signing
The affirmation must be signed by a senior company official. Under 32 CFR Part 170, this means someone with the authority to legally commit the company. In practice, that is typically a Chief Executive Officer, a President, a Chief Information Officer, or a similar officer-level role. It is not something an IT manager or a compliance coordinator signs on their own.
By signing, that official is affirming that the company has implemented all 15 Level 1 practices at the time of attestation. The statement is made to the federal government. That matters.
This is not a judgment call about whether you are "mostly compliant" or whether you have plans to address gaps. The affirmation covers whether the controls are in place now. If they are not, the affirmation should not be submitted until they are.
Where the Affirmation Gets Filed
The affirmation is submitted through the Supplier Performance Risk System (SPRS), which is the federal database at piee.eb.mil. SPRS is where DoD maintains contractor performance and compliance data, and contracting officers access it as part of both pre-award evaluation and ongoing contract management.
When you post your Level 1 affirmation, it is not a private filing. Your contracting officer can see it. Your prime contractor can see it if the contract requires flow-down and they check. DFARS 252.204-7021, the implementing clause that places CMMC status requirements on solicitations effective November 10, 2025, ties your SPRS affirmation directly to your eligibility for covered contracts.
The SPRS record includes the date of the affirmation and the name of the official who signed it. This is the record that shows you were compliant at the time of contract award or renewal.
The Annual Requirement
Level 1 self-attestation is not a one-time event. Under 32 CFR Part 170, you are required to affirm compliance annually. That means every year, a senior official has to review your current state, confirm that all 15 practices are still in place, and resubmit the affirmation in SPRS.
This is one of the most common planning oversights we see. A company completes its initial Level 1 work, submits the affirmation, and moves on. Twelve months later the affirmation lapses, or staff changes mean a control that was in place is no longer being followed the same way, and no one has done a fresh check before resubmitting.
Treat the annual affirmation as a renewal process, not just a paperwork step. Before each submission, verify that every practice is still implemented and that evidence is still being collected.
What the False Claims Act Has to Do With It
The False Claims Act (FCA) is a federal law that creates civil liability for knowingly submitting false claims to the government. Submitting an inaccurate CMMC affirmation, where you attest that controls are in place when they are not, can constitute a false claim.
The Department of Justice has actively pursued FCA cases against defense contractors over cybersecurity compliance misrepresentations. These are not hypothetical. Settlements in these cases have involved millions of dollars, and individuals as well as companies can be named.
This is why the person who signs the affirmation matters. They are not just approving an administrative filing. They are making a legal representation to the federal government. If the underlying compliance does not support that representation, the exposure falls on them and on the company.
The FCA risk does not go away because you are a small subcontractor. The statute applies regardless of contract value. If your contract flows down CMMC requirements from a prime, the obligation and the liability flow down too.
What "Compliant" Actually Means
Meeting the 15 Level 1 practices is not just a documentation exercise. Each practice has to be technically implemented in the environment where FCI lives.
For example, AC.L1-b.1.i requires that you limit system access to authorized users, and AC.L1-b.1.ii requires that you limit system access to the types of transactions and functions those users are authorized to execute. Having an access control policy written down does not satisfy these practices. The access controls have to be configured and enforced in your actual systems.
Similarly, IA.L1-b.1.v requires that you authenticate users, devices, or processes before allowing access to your systems. This requires a working authentication mechanism, not just a policy stating that passwords are required.
The same applies across all six domains covered by Level 1. SI.L1-b.1.xiv requires that you identify, report, and correct information system flaws. SC.L1-b.1.xiii requires that you monitor, control, and protect communications at the external boundaries of your systems. These are operational controls, not paper statements.
When a senior official signs the affirmation, they are attesting that these controls are working, not that the company intends to implement them.
What to Keep on File
Even though Level 1 does not require you to submit evidence to the government at the time of attestation, you need to have it. If a contracting officer questions your compliance, if a prime contractor asks for documentation, or if you end up in a dispute or investigation, the evidence is what protects you.
For each of the 15 practices, keep documentation that shows:
That the control is configured and in place (screenshots, system configuration exports, tool logs)
Who is responsible for it and how it is maintained
When it was last reviewed or tested
Any changes made since the last review
Policy documents alone do not constitute evidence of implementation. A screenshot showing that accounts inactive for 30 days are disabled is evidence. A policy that says inactive accounts will be disabled is not.
An internal gap assessment before each annual attestation is the cleanest way to build and refresh this file. It gives the signing official a documented basis for the affirmation and gives the company a record of due diligence in case questions arise later.
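As an added example (not code from this post or from APT Security Management), here is a small Python script that turns a constructed account export into the kind of implementation-evidence record described above. It runs the "accounts inactive for 30 days are disabled" check the post uses as its illustration, records who reviewed it and when, and ties the record to a SHA-256 digest of the exact data reviewed, so the evidence file shows what was checked rather than what a policy says should happen. The account data, the reviewer name, and the mapping of this check to AC.L1-b.1.i are assumptions made for the example.

```python
"""Added example: turning an account export into an implementation-evidence record.

Example code written for this post, not APT Security Management's tooling. It assumes
a constructed account export (username, last logon date, enabled flag) of the kind a
directory service can produce, and maps the inactive-account check to AC.L1-b.1.i as
an illustrative assumption.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date

INACTIVITY_THRESHOLD_DAYS = 30  # the 30-day figure used in the post

# Constructed sample export (not real accounts). Dates are ISO strings;
# last_logon None means the account has never logged on.
SAMPLE_EXPORT = [
    {"username": "alice", "last_logon": "2025-06-28", "enabled": True},
    {"username": "bob", "last_logon": "2025-04-01", "enabled": False},
    {"username": "carol", "last_logon": "2025-05-15", "enabled": True},
    {"username": "svc_backup", "last_logon": "2025-06-02", "enabled": True},
    {"username": "temp_contractor", "last_logon": None, "enabled": True},
]


@dataclass
class Finding:
    username: str
    days_inactive: int | None  # None when the account has never logged on
    enabled: bool


def days_inactive(last_logon: str | None, as_of: date) -> int | None:
    """Days since last logon, or None if the account has never logged on."""
    if last_logon is None:
        return None
    return (as_of - date.fromisoformat(last_logon)).days


def is_inactive(last_logon: str | None, as_of: date,
                threshold: int = INACTIVITY_THRESHOLD_DAYS) -> bool:
    """Never-logged-on accounts count as inactive (a conservative choice for this example)."""
    d = days_inactive(last_logon, as_of)
    return d is None or d >= threshold


def find_enabled_inactive_accounts(export: list[dict], as_of: date,
                                   threshold: int = INACTIVITY_THRESHOLD_DAYS) -> list[Finding]:
    """Every account that is still enabled despite being inactive is a finding."""
    return [
        Finding(acct["username"], days_inactive(acct["last_logon"], as_of), True)
        for acct in export
        if acct["enabled"] and is_inactive(acct["last_logon"], as_of, threshold)
    ]


def export_digest(export: list[dict]) -> str:
    """SHA-256 over a canonical JSON form, so the record is bound to the exact data reviewed."""
    canonical = json.dumps(export, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence_record(export: list[dict], as_of_iso: str, reviewer: str,
                          threshold: int = INACTIVITY_THRESHOLD_DAYS) -> dict:
    """Produce one dated, attributable evidence record for the evidence file."""
    as_of = date.fromisoformat(as_of_iso)
    findings = find_enabled_inactive_accounts(export, as_of, threshold)
    return {
        "practice": "AC.L1-b.1.i",  # assumed mapping for this example
        "check": f"accounts inactive for {threshold}+ days are disabled",
        "as_of": as_of.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(export),
        "source_sha256": export_digest(export),
        "result": "PASS" if not findings else "FAIL",
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_EXPORT, "2025-06-30", reviewer="J. Doe (IT lead)")
    print(json.dumps(record, indent=2))
```

Run it and the printed JSON is the evidence record: for the sample data it reports FAIL with two findings (carol, inactive 46 days but enabled; temp_contractor, never logged on but enabled), which is exactly the gap a pre-attestation check should surface before anyone signs. Treating never-logged-on accounts as inactive is a deliberate design choice here; if your directory export carries a creation date you may prefer to measure from that instead.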
If you want a walkthrough of what the 15 practices actually require at the implementation level, see CMMC Level 1 Practices: What They Actually Require.
Why a Third-Party Gap Check Matters Before You Attest
A pre-attestation gap check is not required. But it protects the executive who signs.
Here is the practical reason: most small subcontractors do not have a full-time security person. The IT function is often handled by a generalist, an outside managed service provider, or the owner. They may believe the controls are in place. They may even be right. But "we think it is covered" is not the same as "we have verified it against the actual practice requirements."
A gap check before attestation does a few things. It gives you an independent confirmation that each of the 15 practices is actually implemented. It surfaces any gaps before they become compliance failures. It builds the evidence file that supports the affirmation. And it gives the signing official a documented basis for their signature rather than relying on a verbal assurance from the IT lead.
At APT Security Management, our Level 1 gap check is scoped specifically for this: we verify each practice against your actual environment, document what we find, and help you close anything that is not fully in place before you submit. Our registered practitioner works directly with your team, not a distant checklist reviewer.
For more on how Level 1 fits your specific situation, see When You Can Stop at Level 1: Handling FCI Without Touching CUI.
What to Do Before Your Next Attestation
Whether you are preparing your first Level 1 affirmation or coming up on your annual renewal, here is where to start.
If you do not have the internal capacity to work through those steps confidently, a gap assessment scoped to your environment is the most direct path to an affirmation you can actually stand behind. If you want a quick read on where you stand before booking anything, APT's CMMC Readiness Quickcheck takes about five minutes and will show you where your biggest gaps are.
Get a Quote for Your Environment
If you are preparing for your first CMMC Level 1 attestation or coming up on your annual renewal, APT Security Management can help you verify each practice, build your evidence file, and get to a submission you can stand behind. Contact us to request token-based pricing scoped to your situation.