Complete a CMMC Level 1 Self-Assessment in SPRS

Purpose: Submit a CMMC Level 1 (Self) attestation for your company.

✅ Must have before you start

  • SSP that accurately describes the environment you’ll attest to [enclave or enterprise].
  • Implemented L1 practices (15 total). 
  • No POA&Ms are allowed for CMMC L1 attestation; all 15 basic safeguarding practices must be implemented.
  • Identified Attestation Official (CISO/CIO/CEO) with name, title, and email.

📔 Steps:

  1. From PIEE, launch SPRS. In the left nav, open Compliance Reports → Cyber Reports (CMMC & NIST).
  2. At top left, set Company Hierarchy to your CAGE (e.g., 86V74*). Click Run Cyber Reports.
  3. Open the CMMC Assessments tab. Click Add New CMMC Level 1 Self‑Assessment.
  4. Fill assessment details:
    • Assessment Type: CMMC Level 1 (Self).
    • Assessment Date: Today (or the date practices were fully implemented).
    • Scope Type: choose Enclave or Enterprise (see guidance below).
    • Attestation Official: Enter Name, Title (CISO/CIO/CEO), Email.
    • Objective Evidence / Notes: Reference your SSP name/version and where records are kept. Do not include CUI.
  5. Review & Submit: Confirm the attestation statement and submit. The record appears under your CMMC Assessments list.

🕵️‍♀️ Choosing Enclave vs Enterprise

| Which one should you choose? | Enclave | Enterprise |
|---|---|---|
| Your CUI is handled inside a bounded subset of the organization (e.g., a tenant, VPC/VNet, or segmented set of systems) that has its own policies, controls, and boundary. | ✅ | ⛔️ |
| Typical for small businesses using Microsoft (GCC/GCCH) or AWS workspaces dedicated to CUI. | ✅ | ⛔️ |
| Select Enclave when the CUI environment is separate from the rest of IT, and you can point to an SSP specific to that enclave. | ✅ | ⛔️ |
| CUI is processed across the entire corporate environment under one security program/boundary. | ⛔️ | ✅ |
| You maintain organization‑wide controls that meet CMMC L1 for all in‑scope systems. | ⛔️ | ✅ |
| Select Enterprise only if your SSP covers the entire company network and all relevant endpoints. | ⛔️ | ✅ |

Tip: If you’re unsure, Enclave is likely the right choice, especially if your CUI lives in a dedicated cloud tenant with restricted users and with identity, logging, and data controls separate from the rest of the business.


👨‍💼 Attestation Official (who should sign?)

  • CISO, CIO, or CEO: whoever is accountable for the security of the attested environment.
  • They are affirming that all CMMC L1 practices are implemented and maintained. Ensure they have reviewed the SSP and any implementation evidence.

🔁 After submission

  • The Level 1 self‑assessment becomes visible in SPRS under your CAGE code.
  • Keep your SSP and evidence current; update the attestation if your scope, controls, or ownership change.

Reminder: You must update and re‑attest annually to stay compliant.