How to perform and report a CMMC Level 1 self-assessment


As we’ve stated previously, all federal government contractors, including subcontractors, suppliers, and vendors, handle Federal Contract Information (FCI) and must implement the FAR 52.204-21 clause to protect it.  The only exceptions are providers of Commercial Off The Shelf (COTS) items and micro-purchase providers.  Those of us in the Defense Industrial Base (DIB) must now also abide by the Cybersecurity Maturity Model Certification (CMMC) regulation, which requires us to self-assess our implementation of FAR 52.204-21 and report the results to the DoD through the Supplier Performance Risk System (SPRS).   In this post we explain how to perform the CMMC Level 1 self-assessment, how to get access to SPRS, and how to report the results of the assessment through SPRS.  Note that we cover this topic much more in depth in our quarterly CMMC Level 1 Readiness Workshops.  For government contracting assistance professionals, we also offer our CMMC Level 1 Facilitator certification, which ensures a strong working knowledge of CMMC Level 1 and equips the Facilitator with tools to assist with self-assessments.  

Overview of the CMMC Level 1 self-assessment requirement

Although the FAR 52.204-21 clause is included in all federal government contracts and contractual flowdowns (except for COTS), the DoD is the first executive branch agency to hold its supply chain accountable for meeting that contractual mandate.  The CMMC is the DoD’s accountability method. 

We explain the CMMC in depth here, but in a nutshell, all DIB members — which are considered “Organizations Seeking Assessment (OSA)” in CMMC parlance — must implement the fifteen (15) basic cybersecurity safeguards outlined in the FAR 52.204-21 clause, and then self-assess that implementation against the fifty-nine (59) associated “Assessment Objectives” for those safeguards as published in the National Institute of Standards and Technology (NIST) SP 800-171A (revision 2).  NIST 800-171A maps the fifteen (15) FAR 52.204-21 safeguards onto seventeen (17) “controls”, and the fifty-nine (59) assessment objectives are distributed across those seventeen (17) controls.   Note that, even though NIST has released revision 3 of the 800-171A standard, CMMC is coupled to revision 2 for the time being.  You can learn more about what sort of cybersecurity safeguards are required by the CMMC Level 1 controls here.

To comply with FAR 52.204-21, an OSA must meet all fifty-nine (59) assessment objectives across what’s called the “assessment scope”.  The scope consists of the components of its system that are used to handle — store, process, or transmit — FCI.  System components include facilities, IT hardware, software, networking equipment, cloud and other external services, and the human users of those components.  The results of the self-assessment of that scope must then be reported to the DoD through SPRS.   We’ll talk about CMMC Level 1 self-assessment reporting a bit further below, but first let’s explore the self-assessment methodology.  

Executing the CMMC Level 1 self-assessment methodology

To get some exposure to the FAR 52.204-21 controls as published in NIST 800-171, you can download our CMMC Level 1 checklist from the form below.  But note that this checklist is for preliminary use only.  The full self-assessment methodology requires assessment of all fifty-nine (59) assessment objectives as listed in NIST 800-171A rev 2.

The table below shows the fifteen (15) FAR 52.204-21 safeguards, how they map to the seventeen (17) NIST 800-171A rev 2 FAR controls, and how many assessment objectives are associated with each control. 

A table showing the FAR 52.204-21 safeguards, their corresponding NIST 800-171A rev 2 identifier, and the number of assessment objectives

To perform a self-assessment, the OSA assessment team analyzes the organization’s implementation of each safeguard / control using the NIST 800-171A assessment objectives.  To take credit for fully implementing a control, the OSA must ensure:

  1. That it has a documented policy for that control, detailing expectations for the control’s outcome, and,
  2. That it describes the processes, procedures and / or technologies the organization has implemented to enforce that policy. 

NIST has established the control assessment objectives as sort of “mileposts” to indicate where we need to develop policies and where we need to describe processes, procedures, and technology implementation. 

In the assessment methodology, if a single assessment objective for a given control is Not Met, then the entire control is Not Met.  In other words, every assessment objective for a control must be Met for the control to be Met, and every control must be Met for the self-assessment to be reported as fully Met.  How this looks in practice is shown in the next two images, which are screenshots from our Totem™ Cybersecurity Compliance Management (CCM) tool.  The Totem™ tool incorporates the entire assessment methodology for all CMMC Levels, and we offer subscriptions to this tool.   Contact us if you’re interested.  

A screenshot of the Totem CCM tool, illustrating the fact that a single Not Met assessment objective "rolls up" to make the entire control Not Met
A screenshot of the Totem CCM tool, illustrating the fact that when all assessment objectives are Met, the entire control is Met
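The roll-up rule above is easy to get wrong in a spreadsheet, where a blank cell or a stray "Partially" silently counts as a pass. The script below is an added example (not the Totem™ tool’s code, and not an official methodology artifact) that applies the rule to a worksheet: a control is Met only when every one of its objectives is Met, the assessment is Met only when every control is Met, and anything other than an explicit Met / Not Met is rejected. It also checks that the worksheet actually covers the seventeen controls and fifty-nine objectives the methodology requires. The control numbers use NIST SP 800-171 numbering and the objective counts for the three sample controls follow 800-171A rev 2; the Met / Not Met values are constructed, and the sample deliberately covers only three controls so the coverage check has something to report.

```python
"""Roll-up logic for a CMMC Level 1 self-assessment worksheet.

Added example, not the Totem tool's code. Control IDs use NIST SP 800-171
numbering; the objective counts for the three sample controls follow
NIST SP 800-171A rev 2, and the Met / Not Met values are constructed.
"""
from dataclasses import dataclass

MET = "Met"
NOT_MET = "Not Met"

# Totals for CMMC Level 1 under NIST SP 800-171A rev 2.
EXPECTED_CONTROLS = 17
EXPECTED_OBJECTIVES = 59


@dataclass
class Control:
    control_id: str
    objectives: dict  # objective label (e.g. "a") -> MET or NOT_MET


def control_status(control: Control) -> str:
    """A control is Met only if every one of its objectives is Met.

    A blank or unexpected value is an error, not a pass: an objective that
    was never assessed cannot be counted as Met.
    """
    if not control.objectives:
        raise ValueError(f"{control.control_id}: no objectives recorded")
    for label, value in control.objectives.items():
        if value not in (MET, NOT_MET):
            raise ValueError(f"{control.control_id}[{label}]: unknown status {value!r}")
    if all(v == MET for v in control.objectives.values()):
        return MET
    return NOT_MET


def roll_up(controls) -> dict:
    """Map each control ID to its rolled-up status."""
    return {c.control_id: control_status(c) for c in controls}


def findings(controls) -> list:
    """(control_id, objective) pairs that are Not Met: the gaps to close
    before the assessment can be reported as fully Met."""
    return [(c.control_id, label)
            for c in controls
            for label, value in c.objectives.items()
            if value == NOT_MET]


def assessment_status(controls) -> str:
    """The whole assessment is Met only when every control is Met."""
    statuses = roll_up(controls)
    if statuses and all(s == MET for s in statuses.values()):
        return MET
    return NOT_MET


def coverage_gaps(controls, expected_controls=EXPECTED_CONTROLS,
                  expected_objectives=EXPECTED_OBJECTIVES) -> list:
    """Check that the worksheet covers every control and every objective.

    Returns human-readable problems; an empty list means the worksheet
    covers the full objective set and has no duplicated control rows.
    """
    problems = []
    ids = [c.control_id for c in controls]
    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    if duplicates:
        problems.append(f"duplicate control IDs: {duplicates}")
    if len(set(ids)) != expected_controls:
        problems.append(f"{len(set(ids))} controls assessed, expected {expected_controls}")
    n_obj = sum(len(c.objectives) for c in controls)
    if n_obj != expected_objectives:
        problems.append(f"{n_obj} objectives assessed, expected {expected_objectives}")
    return problems


# Constructed sample worksheet: only three of the seventeen controls.
SAMPLE = [
    Control("3.1.1", {k: MET for k in "abcdef"}),
    Control("3.1.2", {"a": MET, "b": NOT_MET}),   # one objective missed
    Control("3.8.3", {"a": MET, "b": MET}),
]

if __name__ == "__main__":
    for cid, status in roll_up(SAMPLE).items():
        print(f"{cid}: {status}")
    print("Not Met objectives:", findings(SAMPLE))
    print("Assessment:", assessment_status(SAMPLE))
    for problem in coverage_gaps(SAMPLE):
        print("Coverage gap:", problem)
```

Run as-is, control 3.1.2 rolls up to Not Met because of its single missed objective, the assessment as a whole is Not Met, and the coverage check reports that only 3 of 17 controls and 10 of 59 objectives were assessed. Closing the one finding and filling in the remaining controls is what has to happen before the results can honestly be entered into SPRS as all Met.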

If you need help with the self-assessment, we coach on this process in our CMMC Level 1 Readiness Workshops.  Note that all DIB members must complete and report the CMMC Level 1 self-assessment annually.

Once you complete the CMMC Level 1 self-assessment, you’ll need to report the results to the DoD through SPRS.  So let’s explore how to get access to SPRS, and then how to do the reporting. 

How to get access to SPRS

Once you’ve completed the CMMC Level 1 self-assessment, you need to report the results (hopefully all “Met”) to the DoD through SPRS. To get access to the SPRS website, your organization unfortunately must jump through some hoops. Your organization will need to:

  • Get registered on the DoD’s Procurement Integrated Enterprise Environment (PIEE) site.  You can find guidance on how to register a new account here.  Alternatively, if you have a Common Access Card (CAC) or an ECA certificate, you may be able to log in to the site using those credentials. We have instructions on how to obtain an ECA certificate in this blog.
  • Set up a workstation according to these instructions for accessing the PIEE site: https://piee.eb.mil/xhtml/unauth/web/homepage/machineSetup.xhtml
  • Browse to https://piee.eb.mil using an approved browser and click Register from top right, then follow the instructions here: https://www.sprs.csd.disa.mil//pdf/PIEE-NonGovInstructions.pdf. NOTE: you’ll need your organization’s CAGE code to register.  Call the DISA Help Desk early in the process if you run into delays: 866-618-5988  or email.
  • If the person at your organization who will be doing the reporting is not the Electronic Business Point of Contact (EB POC) listed in SAM.gov, that person will need the role of Contractor Administrator (CAM) in PIEE in order to request the proper role in SPRS.   The following are instructions from DISA for obtaining a CAM role:
    • Your role of Contractor Administrator (CAM) must be authorized by your Electronic Business Point of Contact (EB POC) as listed in SAM.gov.
    • If your EB POC has not yet submitted your appointment letter, they will need to complete and return this letter before you can be activated.
    • The latest version of the CAM Appointment Letter may be downloaded here:   https://piee.eb.mil/documentation/CAM-VendorAppointmentLetter.pdf
    • The CAM letter should be filled out as follows:
      • CAM Full Name, Email and Phone number should be the information of PIEE user being appointed as the CAM.
      • The Cage Code should be listed in part #1 where it states “Commercial and Government Entity (CAGE) codes”.
      • The user must sign on the Signature of CAM Appointee.
      • The Electronic Business POC must print and sign.
    • Your Electronic Business POC is listed on the System for Award Management (SAM) website (http://www.sam.gov) per your cage code.
    • Please email us the letter [email address is included on the form] and don’t forget to include the WAWF Username.
    • If you need further assistance, feel free to call us 1-866-618-5988.
  • Also note that the PIEE instructions appear to be incorrect: make sure you request the “SPRS Cyber Vendor User” role and not the “Contractor/Vendor (Support Role)” indicated in those instructions.  Submit your application and wait for an email with your account approval.
  • Once you have access to SPRS, you’ll need to follow the instructions described here to report a CMMC Level 1 self-assessment: https://www.sprs.csd.disa.mil/pdf/CMMCQuickEntryGuide.pdf.  We’ll also show you the reporting steps in the section below.

Reporting your CMMC Level 1 self-assessment results via SPRS

Once you’re in SPRS, reporting is relatively straightforward.  You will need to submit the following information:

  • Your organization’s CAGE code, as well as CAGE codes for any Higher Level Organizations (HLO) if your organization is owned by another
  • The date the CMMC Level 1 self-assessment was completed
  • The assessment “scope”:
    • Enclave: if your organization limits the handling of FCI to a small portion of its system, such as a single office, cloud service, or workstation
    • Enterprise: if the entirety of your organization’s system is used to handle FCI
  • The number of employees in scope for the assessment
  • The Affirming Official’s email, if that is not you.  The Affirming Official is a senior official at your organization who is responsible for ensuring the FCI assessment at the given scope is accurate and who takes responsibility for ensuring the organization complies with CMMC.  Affirmation is a critical part of the annual CMMC Level 1 self-assessment report.  

Note that there is nothing to upload; the reporting process is simply data entry.  The following screenshots take you through the CMMC Level 1 self-assessment reporting process. 

1) Click the SPRS button
2) Click the Cyber Reports button
3) Select your CAGE code from the drop-down and click the Run Cyber Reports button
4) Make sure the CMMC Assessments tab is selected, and click the Add New CMMC Level 1 Self-Assessment button
5) Input the information in the self-assessment results interface
6) If you are the Affirming Official for your organization, click the Continue to Affirmation button. Otherwise, enter the email address of the Affirming Official, who presumably will be sent an email with instructions to affirm
7) If you are the Affirming Official, confirm your information by clicking the Continue to Affirmation button. You can also add additional emails here.
8) Confirm the self-assessment details, check the certification box, and click the Affirm button. Now you've submitted your CMMC Level 1 self-assessment report!

Completed and in-work CMMC Level 1 self-assessment reports are displayed in the “CMMC Level 1 (Self)” table in the Cyber Reports page:

Completed and in-work CMMC Level 1 self-assessment reports will show up in the table.

Wrapping up

So there you have it: how to conduct a CMMC Level 1 self-assessment, and how to report the results of that assessment to the DoD through SPRS.  If you feel like you need help, or you’re just starting your CMMC compliance journey, consider participating in one of our CMMC Level 1 Readiness Workshops.  We spend the majority of the Workshop discussing how to implement and self-assess these controls, and during the Workshop you get access to our Totem™ CCM tool to facilitate the assessment.

To get started on exploring the FAR 52.204-21 controls associated with CMMC Level 1, you can download a simple CMMC Level 1 checklist by submitting the form below.   

Good Hunting!

Adam

Download our CMMC Level 1 Checklist
