
Module 7: Level 1 and Level 2 Self-Assessments and Scoring

Explore how to conduct CMMC self-assessments, calculate scores aligned with NIST 800-171, and report results as required under DFARS and CMMC rules.

15 min read

Step 1 – Where Self-Assessments Fit in Today’s CMMC/DFARS Landscape

Before you can score anything, you need to know which rules apply right now and how they interact.

1.1 Regulatory anchors (as of December 2025)

  • DFARS 252.204-7012 (Safeguarding Covered Defense Information)
    • Requires implementation of NIST SP 800-171 for systems handling CUI.
    • Still in force; applies to most CUI-handling DoD contractors.
  • DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
    • Requires contractors to have a NIST SP 800-171 Assessment (Basic/Medium/High) and to post the score in SPRS.
    • The Basic assessment is effectively a self-assessment.
  • DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
    • Governs how DoD conducts Medium and High assessments and how results are shared.
  • DFARS 252.204-7021 (CMMC Requirements)
    • Establishes CMMC as a condition of contract award.
    • DoD has been phasing in CMMC (Phase 1, etc.). In the early deployment, Level 1 and some Level 2 are self-assessments with annual affirmation.

> Key idea: For Level 1, you are essentially doing a CMMC self-assessment of basic cyber hygiene. For Level 2, you are doing a NIST SP 800-171–aligned self-assessment (Basic Assessment methodology) that feeds into SPRS scoring and CMMC expectations.

1.2 What this module focuses on

  • CMMC Level 1 self-assessment (protecting FCI)
  • CMMC Level 2 self-assessment mapped to NIST SP 800-171 and the DoD Assessment Methodology
  • How to:
    • Plan and scope the self-assessment (building on Modules 5 and 6)
    • Collect evidence for each practice/requirement
    • Calculate and interpret scores (esp. NIST 800-171 scoring for Level 2)
    • Report scores in SPRS and maintain documentation
    • Understand annual affirmation and executive accountability

Keep in mind: CMMC = maturity model + assurance mechanism, but its technical core for Level 2 is NIST SP 800-171 Rev. 2. Your self-assessment must be defensible under both CMMC and DFARS.

Step 2 – Clarifying Level 1 vs. Level 2 Self-Assessments

2.1 CMMC Level 1 – Focus on FCI

  • Scope: Systems handling Federal Contract Information (FCI) but not CUI.
  • Practices: 17 basic cyber hygiene practices (largely from FAR 52.204-21).
  • Assessment type in early CMMC rollout: Annual self-assessment + annual affirmation by senior official.
  • No NIST 800-171 scoring; instead, you check implementation of each practice.

2.2 CMMC Level 2 – Focus on CUI (NIST SP 800-171)

  • Scope: Systems handling Controlled Unclassified Information (CUI).
  • Practices: 110 security requirements from NIST SP 800-171 Rev. 2.
  • Early-phase CMMC:
    • Some contracts: self-assessment (especially for less critical CUI programs).
    • Other contracts: require third-party certification (C3PAO) or government-led assessment.
  • Scoring: Uses the NIST SP 800-171 DoD Assessment Methodology (maximum score 110).
    • DFARS 252.204-7019 links this score to SPRS.

2.3 Conceptual differences

| Aspect | Level 1 | Level 2 |
|---------------------------|------------------------------------|---------------------------------------------|
| Data type | FCI only | CUI (and often FCI too) |
| Framework | 17 practices (FAR-based) | NIST SP 800-171 (110 requirements) |
| Scoring model | Pass/Fail per practice | Weighted scoring (0 to 110, often negative) |
| Reporting destination | Contract file / internal records | SPRS (via DFARS 7019) |
| Assessment complexity | Low | High (technical & documentation-heavy) |

> Critical insight: Level 2 self-assessments are not just checklists; they are risk-informed, evidence-backed evaluations that must stand up to Medium/High DoD assessments later.

Step 3 – Planning and Scoping Your Self-Assessment

This step connects Module 6 (Scoping and Boundaries) to concrete self-assessment tasks.

3.1 Confirm your assessment boundary

From Module 6, you should already have:

  • A documented CMMC assessment boundary (systems, networks, locations).
  • An asset inventory categorized as:
    • CUI assets (for Level 2)
    • Security protection assets (e.g., firewalls, SIEM, identity providers)
    • Specialized assets (OT, IoT, test equipment) and how they’re handled
    • Out-of-scope assets and justification

For Level 1, your boundary is where FCI is stored, processed, or transmitted.

3.2 Build an assessment plan

At minimum, your plan should specify:

  1. Objectives
    • Level 1: Demonstrate full implementation of 17 practices.
    • Level 2: Produce a defensible NIST 800-171 score and POA&M.
  2. Team and roles
    • Technical leads (sysadmins, network engineers)
    • Compliance lead (e.g., security manager, ISSO)
    • Business owner / program manager
    • Legal/Contracts (for DFARS, SPRS submission)
  3. Schedule
    • Time-box each domain (e.g., Access Control, Incident Response).
    • Reserve time for evidence collection and internal challenge/peer review.
  4. Methodology
    • Use the CMMC Assessment Guides (Level 1 & Level 2) + NIST 800-171A.
    • Decide on tools: GRC platform, spreadsheets, ticketing system for POA&Ms.

3.3 Evidence strategy (high-level)

For each practice/requirement, pre-plan:

  • Policy evidence (e.g., written access control policy)
  • Process evidence (e.g., onboarding checklist, incident playbooks)
  • Technical evidence (e.g., screenshots, config exports, logs)
  • Records evidence (e.g., training logs, audit logs, change tickets)

> Edge case: Cloud environments (e.g., Microsoft 365 GCC High, AWS GovCloud) require mapping shared responsibility: what controls the cloud provider implements vs. what you must demonstrate (e.g., identity management, configuration baselines).

Step 4 – Worked Example: Level 1 Self-Assessment for a Small Contractor

Consider a small engineering firm with ~40 employees doing unclassified design work for DoD, handling only FCI (no CUI).

4.1 Identify applicable practices (Level 1)

Level 1 includes 17 practices across domains such as:

  • Access Control (AC) – limit information access to authorized users.
  • Identification and Authentication (IA) – require unique user IDs.
  • Media Protection (MP) – control physical access to systems.
  • System and Information Integrity (SI) – update antivirus, patch systems.

4.2 Assess one practice end-to-end

Take the practice analogous to FAR 52.204-21(b)(1): limit information system access to authorized users.

  1. Define the practice in your own words:
    • Only authorized employees should be able to access systems holding FCI.
  2. Gather evidence:
    • Policy: Written access control policy specifying account approval and revocation.
    • Process: HR onboarding/offboarding checklist with IT steps.
    • Technical: Screenshot of Active Directory OU structure, sample user access review report.
  3. Evaluate implementation:
    • Are there any shared accounts? If yes, the practice is not fully met.
    • Are terminated employees promptly disabled? Check the last 3 terminations.
  4. Record result:
    • Status: MET / NOT MET.
    • Rationale: Short narrative (2–4 sentences) referencing evidence.
    • Reviewer: Name, date.

4.3 Edge case: Partial implementation

Suppose all corporate laptops are well-controlled, but an older file server with FCI is accessible via a generic local account used by a small team.

  • Under CMMC guidance, partial implementation is treated as NOT MET.
  • You must:
    • Mark the practice as NOT MET.
    • Create a remediation task (e.g., eliminate the shared account, migrate data).
    • Document the target date and responsible owner.

> Takeaway: Even for Level 1, the self-assessment must be evidence-based and binary per practice. There is no scoring weight; a single critical NOT MET can be a contract risk if it contradicts your annual affirmation.

Step 5 – NIST SP 800-171 Scoring for Level 2: Mechanics and Nuances

For Level 2, you must understand the NIST SP 800-171 DoD Assessment Methodology, which converts your implementation status into a numeric score.

5.1 Scoring overview

  • Maximum score: 110 (all 110 requirements fully implemented).
  • Each requirement has a point value (typically 1, 3, or 5 points).
  • You start at 110, then subtract points for each requirement that is not fully implemented.
  • Some high-value requirements (e.g., multi-factor authentication, incident response) subtract more points.
  • The score can be negative (down to –203 in the original methodology, depending on weighting).

5.2 Implementation status categories

For each NIST 800-171 requirement (e.g., 3.1.1, 3.1.2, …):

  • Implemented: No points subtracted.
  • Not Implemented: Full point value subtracted.
  • Alternative but equivalent implementation: Allowed if it meets the security objective; should be documented and justified.
  • Planned (POA&M): Still treated as Not Implemented for scoring until complete.

There is no partial credit in the official DoD scoring methodology.

5.3 Example: MFA requirement (IA domain)

Suppose requirement 3.5.3 (implement multi-factor authentication) is worth 5 points.

  • If MFA is enforced for all remote and privileged access to CUI systems → no subtraction.
  • If MFA is only enforced for VPN but not for cloud email containing CUI → requirement is Not Implemented; subtract 5 points.

5.4 Scoring vs. CMMC expectations

  • CMMC Level 2 expects substantive alignment with all 110 requirements.
  • In early Phase 1 rollout, DoD may allow POA&Ms for a limited number of requirements, with constraints (e.g., you must meet all high-weight controls, and all POA&Ms must be closed within a defined period).
  • Your NIST 800-171 score in SPRS must match your documented reality; overstatement is a False Claims Act risk.

> Key nuance: The score is not a maturity rating; it is a snapshot of implementation gaps. A score of 88 can be acceptable if gaps are well-documented and actively remediated, but lying about a 110 is far worse than honestly reporting 88.

Step 6 – Thought Exercise: Calculating a Mini NIST 800-171 Score

Imagine your organization is assessing only 5 NIST 800-171 requirements (for simplicity). Their point values and implementation status are:

| Requirement | Description (simplified) | Points | Status |
|------------|--------------------------------------------------|--------|------------------|
| 3.1.1 | Limit system access to authorized users | 5 | Implemented |
| 3.1.12 | Monitor and control remote access sessions | 3 | Not Implemented |
| 3.3.1 | Create and retain system audit logs | 5 | Implemented |
| 3.5.3 | Multi-factor authentication | 5 | Partially done |
| 3.13.8 | Implement boundary protection (firewalls, etc.) | 3 | Implemented |

Assume partial implementation = Not Implemented for scoring purposes.

Your task

  1. Start from 21 points (sum of all points: 5 + 3 + 5 + 5 + 3).
  2. For each Not Implemented requirement, subtract its full point value.

Questions (answer mentally or in notes):

  1. What is your final score?
  2. Which two requirements caused point deductions?
  3. If you remediate only one of the two gaps, what would the new score be?

---

Check your reasoning

  • Missing 3.1.12 (3 points) and 3.5.3 (5 points) → total subtraction = 8 points.
  • Final score = 21 – 8 = 13.
  • If you remediate MFA (3.5.3) but still lack remote session control (3.1.12):
    • New score = 21 – 3 = 18.

> Reflection: Which gap is more critical for your environment? The scoring model is weighted, but your risk analysis should also consider threat landscape, not just points.
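As an added example (not part of this course module and not DoD's official scoring tool), the following Python scorer applies the rule described in Steps 5 and 6: start from the sum of point values (110 for the full requirement set), subtract the full value of every requirement that is not fully implemented, and give no credit for partial or planned (POA&M) work; a documented alternative implementation earns full credit only when a justification is recorded. The five requirements are the constructed sample from the Step 6 table; the names `Requirement`, `score`, `poam` and `score_after_fixing` are chosen here.

```python
"""Mini NIST SP 800-171 DoD Assessment Methodology scorer (added example)."""
from dataclasses import dataclass, replace

# Statuses that earn full credit. "Alternative" = alternative but equivalent
# implementation, which the methodology accepts only when documented/justified.
FULL_CREDIT = {"Implemented", "Alternative"}
# "Partial" and "Planned" are scored exactly like "Not Implemented".


@dataclass(frozen=True)
class Requirement:
    req_id: str
    description: str
    points: int          # 1, 3 or 5 in the DoD methodology
    status: str          # Implemented / Alternative / Partial / Planned / Not Implemented
    justification: str = ""  # must be non-empty when status == "Alternative"


# Constructed sample: the five requirements from the Step 6 exercise.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "Implemented"),
    Requirement("3.1.12", "Monitor and control remote access sessions", 3, "Not Implemented"),
    Requirement("3.3.1", "Create and retain system audit logs", 5, "Implemented"),
    Requirement("3.5.3", "Multi-factor authentication", 5, "Partial"),
    Requirement("3.13.8", "Implement boundary protection", 3, "Implemented"),
]


def max_score(reqs):
    """Sum of all point values: 21 for the sample, 110 for the real set."""
    return sum(r.points for r in reqs)


def deductions(reqs):
    """Map req_id -> points subtracted for every requirement that earns no credit."""
    gaps = {}
    for r in reqs:
        if r.status == "Alternative" and not r.justification:
            raise ValueError(f"{r.req_id}: alternative implementation needs a justification")
        if r.status not in FULL_CREDIT:
            gaps[r.req_id] = r.points   # no partial credit: full value comes off
    return gaps


def score(reqs):
    """The number that would be reported to SPRS for this requirement set."""
    return max_score(reqs) - sum(deductions(reqs).values())


def poam(reqs):
    """POA&M rows (req_id, points, status, description), highest weight first."""
    gaps = deductions(reqs)
    rows = [(r.req_id, r.points, r.status, r.description) for r in reqs if r.req_id in gaps]
    return sorted(rows, key=lambda row: -row[1])


def score_after_fixing(reqs, req_id):
    """What-if: the score once one gap is fully remediated and its POA&M closed."""
    fixed = [replace(r, status="Implemented") if r.req_id == req_id else r for r in reqs]
    return score(fixed)


if __name__ == "__main__":
    print(f"score {score(SAMPLE)} of {max_score(SAMPLE)}")
    for row in poam(SAMPLE):
        print("POA&M:", row)
    print("after fixing 3.5.3:", score_after_fixing(SAMPLE, "3.5.3"))
```

Running it prints 13 of 21, two POA&M rows with the 5-point MFA gap first, and 18 after remediating 3.5.3, matching the check above.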

Step 7 – Quiz: Mapping NIST 800-171 Scoring to CMMC Expectations

Test your understanding of how NIST SP 800-171 scoring aligns with CMMC Level 2.

Which statement best describes the relationship between NIST SP 800-171 scoring and CMMC Level 2 expectations?

  1. A high NIST 800-171 score automatically guarantees a CMMC Level 2 certification.
  2. NIST 800-171 scoring provides a weighted view of implementation gaps, which CMMC Level 2 uses as part of evaluating whether all required practices are effectively implemented.
  3. CMMC Level 2 ignores NIST 800-171 scores and relies only on qualitative interviews with staff.

Answer: 2) NIST 800-171 scoring provides a weighted view of implementation gaps, which CMMC Level 2 uses as part of evaluating whether all required practices are effectively implemented.

Option 2 is correct. CMMC Level 2 is built on NIST SP 800-171 requirements. The DoD Assessment Methodology score reflects how many of those requirements are fully implemented and where gaps remain. A high score supports a positive CMMC outcome but does not automatically guarantee certification; assessors still check evidence, effectiveness, and any POA&Ms. Option 1 is too strong, and option 3 is incorrect because NIST 800-171 scoring is central to Level 2.

Step 8 – Documenting Results: SPRS, POA&Ms, and Evidence Packages

8.1 SPRS reporting (DFARS 252.204-7019)

For Level 2 self-assessments, you must submit your NIST SP 800-171 Assessment score to the Supplier Performance Risk System (SPRS).

Typical data elements include:

  • Assessment score (e.g., 88)
  • Assessment type (Basic for self-assessment)
  • Date of assessment
  • CAGE code and system identifier
  • Expected date to achieve full implementation (if not at 110)

> Important: The score you submit must be traceable to your internal assessment records and evidence.

8.2 POA&Ms (Plans of Action and Milestones)

For each Not Implemented requirement:

  • Define the gap (what is missing and in which systems).
  • Specify the corrective action (technical, process, or policy change).
  • Assign a responsible owner and target completion date.
  • Track status (open, in progress, closed).

CMMC allows limited use of POA&Ms under specific conditions; high-priority controls often cannot be left on POA&M at the time of certification.

8.3 Evidence packages

Create a structured evidence package so that if DoD or a C3PAO conducts a Medium/High or certification assessment later, you can demonstrate consistency:

  • Assessment report summarizing methodology, scope, and overall findings.
  • Control-by-control workbook (or GRC export) with:
    • Status (Implemented / Not Implemented)
    • Evidence references (file paths, ticket IDs, URLs)
    • Notes on alternative implementations or risk-based decisions.
  • Supporting artifacts:
    • Policies, procedures, training records
    • System diagrams, network topology
    • Configuration baselines, screenshots, log excerpts

> Edge case: If you rely on a managed security service provider (MSSP) or cloud provider for some controls, ensure contracts and SLAs are part of your evidence package to show those controls are actually in force.

Step 9 – Annual Affirmation and Senior Leadership Accountability

CMMC’s early-phase rules emphasize annual affirmation by a senior official—this is not a rubber stamp.

9.1 What is annual affirmation?

  • A formal statement, typically submitted electronically to DoD, where a senior company official (e.g., CEO, COO, CIO, CISO) attests that:
    • The organization has conducted the required self-assessment (Level 1 and/or Level 2 Basic).
    • The SPRS score (for Level 2) is accurate and current.
    • Any POA&Ms are legitimate, actively managed, and within allowed parameters.

9.2 Legal and ethical implications

  • The affirmation is a representation to the U.S. government.
  • If it is knowingly false or recklessly indifferent to the truth, it can trigger:
    • False Claims Act liability (treble damages, penalties).
    • Suspension or debarment from federal contracting.
    • Personal liability for executives in extreme cases.

9.3 Best practices for executives before signing

Senior leadership should demand at least:

  1. Executive-level summary of the self-assessment, including:
    • Current NIST 800-171 score (if applicable)
    • Major residual risks and open POA&Ms
    • Any known non-compliance with DFARS 7012, 7019, 7020, 7021.
  2. Evidence sampling:
    • Ask to see evidence for a few high-impact controls (e.g., MFA, incident response, backups).
  3. Independent challenge:
    • Encourage internal audit, security committees, or external advisors to critically review the self-assessment before affirmation.

> Key insight: The annual affirmation turns your technical assessment into a governance and accountability artifact; it forces alignment between security reality and what leadership tells DoD.

Step 10 – Flashcard Review: Core Terms and Concepts

Use these flashcards to reinforce key terminology related to CMMC self-assessments and scoring.

CMMC Level 1 Self-Assessment
An annual, evidence-based review of the 17 basic cyber hygiene practices applicable to systems handling Federal Contract Information (FCI), typically performed internally and affirmed by a senior official.
CMMC Level 2 Self-Assessment
A NIST SP 800-171–aligned Basic Assessment covering 110 security requirements for systems handling CUI, resulting in a scored outcome that must be reported to SPRS under DFARS 252.204-7019.
NIST SP 800-171 DoD Assessment Methodology
The scoring approach used by DoD to evaluate implementation of NIST SP 800-171 requirements, starting at 110 points and subtracting weighted values for each requirement not fully implemented.
SPRS (Supplier Performance Risk System)
The DoD system of record where contractors must submit their NIST SP 800-171 assessment scores and related data, used by acquisition officials to evaluate cyber risk.
POA&M (Plan of Action and Milestones)
A documented plan describing how an organization will remediate a specific security gap, including required tasks, responsible parties, and target completion dates.
Annual Affirmation
A yearly attestation by a senior company official that required CMMC/DFARS self-assessments have been completed and that reported scores and implementation statuses are accurate.
Basic / Medium / High Assessment (DFARS 7019/7020)
Tiers of NIST SP 800-171 assessments: Basic is contractor self-assessment; Medium and High are conducted by the government with increasing rigor and evidence review.
Assessment Boundary
The defined set of systems, networks, locations, and assets within which FCI or CUI is processed, stored, or transmitted, and to which CMMC/NIST 800-171 requirements apply.

Step 11 – Capstone Exercise: Designing Your Own Self-Assessment Checklist

Apply what you’ve learned by sketching a mini self-assessment plan.

Your task (do this in writing or a notes app)

  1. Choose a level:
    • If your hypothetical organization handles only FCI, choose Level 1.
    • If it handles CUI, choose Level 2.
  2. Define your scope in 3–5 bullet points:
    • Which systems are in scope?
    • Which users/roles are in scope?
    • Any cloud services or MSSPs involved?
  3. List 5 practices/requirements you will assess first (e.g., MFA, logging, access control, backups, incident response).
  4. For each of the 5, answer:
    • Evidence: What concrete artifacts will you collect?
    • Status scale: How will you label them (e.g., Implemented / Not Implemented)?
    • Scoring: If Level 2, what is the point value and how will it affect your score?
  5. Executive briefing: Write two sentences you would say to your CEO summarizing:
    • Your current implementation status (qualitative).
    • Why their annual affirmation must align with your findings.

---

If you can complete this exercise with realistic, defensible answers, you are ready to participate in (or lead) a real-world CMMC self-assessment conversation.

Key Terms

CUI
Controlled Unclassified Information; unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy.
FCI
Federal Contract Information; information provided by or generated for the government under a contract not intended for public release.
CMMC
Cybersecurity Maturity Model Certification, the DoD program that defines cybersecurity requirements and assurance mechanisms for defense contractors.
SPRS
Supplier Performance Risk System, the DoD database where contractors submit NIST SP 800-171 assessment scores and related information.
POA&M
Plan of Action and Milestones, a formal document that identifies security weaknesses and describes planned remediation steps, responsible parties, and completion dates.
NIST SP 800-171
National Institute of Standards and Technology Special Publication 800-171, which defines security requirements for protecting CUI in nonfederal systems and organizations.
NIST SP 800-171A
Companion publication to NIST SP 800-171 that provides assessment procedures for evaluating the effectiveness of implemented security requirements.
Annual Affirmation
Yearly attestation by a senior company official that required CMMC/DFARS self-assessments have been completed and that reported scores and statuses are accurate.
DFARS 252.204-7012
Defense Federal Acquisition Regulation Supplement clause requiring contractors to safeguard covered defense information and report cyber incidents, including implementation of NIST SP 800-171.
DFARS 252.204-7019
DFARS clause that requires contractors to have a current NIST SP 800-171 assessment and to report their score to the Supplier Performance Risk System (SPRS).
DFARS 252.204-7020
DFARS clause outlining how DoD conducts and uses Medium and High NIST SP 800-171 assessments and how results are shared with contractors.
DFARS 252.204-7021
DFARS clause establishing CMMC requirements as a condition for contract award, including the required CMMC level and assessment type.
Assessment Boundary
The defined set of systems, networks, locations, and assets within which FCI or CUI is processed, stored, or transmitted, and that are subject to CMMC/NIST 800-171 controls.