Phase 1 of the CMMC Program is the point where cybersecurity stops being a clause you scroll past and becomes a gate on the award itself.

Under 32 CFR part 170, the Department of Defense rolls CMMC out in four phases, each starting a year after the last. Phase 1 is the first one, and its entire job is to put a required CMMC level into applicable DoD solicitations and contracts as a condition of contract award.

If your organization processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on your own systems, the question is no longer "should we do a self-assessment." It's "is our self-assessment, our SPRS score, and our affirmation strong enough to survive a source-selection review and a possible DIBCAC look."

This is an operator's walkthrough of what Phase 1 actually changes, which self-assessment you owe, how the score works, and how to stop treating it as a once-a-year fire drill.

What Is CMMC Phase 1, and What Actually Changed in DoD Solicitations?

CMMC is DoD's mechanism for verifying that defense contractors implement the cybersecurity requirements already expected of them, at the volume of the defense industrial base. The program itself does not invent new controls. It verifies implementation of the requirements in 48 CFR 52.204-21 and NIST SP 800-171 R2 that many contractors have technically owed for years.

What changed with Phase 1 is verification-as-a-gate.

The rule implements CMMC over four phases. Each phase begins one calendar year after the start of the previous one, and Phase 4 is full implementation across all applicable solicitations and contracts including option periods. Phase 1 is the leading edge: DoD intends to include the requirement for a CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable solicitations and contracts as a condition of award.

Practically, that means a solicitation you bid now can name a required CMMC Status. No status in the Supplier Performance Risk System (SPRS), no eligibility. The scoping work you used to do after winning is now pre-award work.

One thing to keep straight: this applies to contracts above the micro-purchase threshold where FCI or CUI will touch your systems, and it excludes acquisitions exclusively for commercial off-the-shelf (COTS) items. Your DoD Program Manager or requiring activity selects which level applies based on whether the contract involves FCI or CUI.

Which DFARS Clause Now Makes a CMMC Level Condition of Award?

Here is where two rules meet, and where a lot of teams get confused.

32 CFR part 170 is the CMMC Program rule. It defines the levels, the assessments, the scoring, and the affirmation. It is the "what."

The companion 48 CFR part 204 CMMC acquisition rule is the "how it shows up in your contract." The program rule explicitly ties Phase 1 to the effective date of that complementary acquisition rule. The DFARS clause that carries the requirement into a solicitation and makes a specific CMMC level a condition of award is generally understood in the acquisition community as DFARS 252.204-7021, the contractor-compliance-with-CMMC-level clause. When that clause appears in a solicitation, the named level is not aspirational. It is a bid prerequisite.

Do not confuse it with the clauses you already live under. The program rule still references 48 CFR 252.204-7012 for safeguarding covered defense information, and DoD retains the right under 48 CFR 252.204-7020 to send DCMA DIBCAC to assess you directly. CMMC layers verification on top of those. It does not replace them.

The operator takeaway: when a solicitation carries the CMMC clause, treat the required level as a go/no-go item in your capture checklist, next to your CAGE code and your SAM registration.

Do You Need a Level 1 Self-Assessment or a Level 2 Certification for Your Contracts?

The level is driven by the type of information on your systems, and the requiring activity sets it.

Level 1 covers FCI. Its security requirements are the 15 basic safeguarding requirements in 48 CFR 52.204-21(b)(1)(i) through (xv). A CMMC Level 1 self-assessment is what you owe here, performed against the assessment objectives in NIST SP 800-171A that map to those 15 requirements. There is no third party. You assess, you score, you affirm.

Level 2 covers CUI. Its security requirements are identical to the 110 requirements in NIST SP 800-171 R2. Level 2 comes in two flavors:

  • Level 2 (Self) is a self-assessment, valid in Phase 1 for many contracts, redone every three years.
  • Level 2 (C3PAO) is a certification assessment performed by an authorized CMMC Third-Party Assessment Organization. In Phase 1, DoD may, at its discretion, require Level 2 (C3PAO) in place of Level 2 (Self) on a given procurement.

That discretion is the trap. A Level 2 (Self) posture you built for one contract does not guarantee eligibility for the next one if that solicitation names Level 2 (C3PAO). And achieving a higher status satisfies the lower one for the same scope: a Level 2 (C3PAO) certification also satisfies Level 1 (Self) and Level 2 (Self) for that assessment scope, not the other way around.

Read the clause on every solicitation. The level is per-procurement, not per-company.

How Is a NIST SP 800-171 Self-Assessment Scored and Affirmed in SPRS?

Whether Level 1 or Level 2 (Self), the mechanics run through the CMMC Scoring Methodology and end in SPRS.

For a NIST SP 800-171 self-assessment at Level 2, each of the 110 requirements is assessed as MET or NOT MET against the NIST SP 800-171A objectives. Under the scoring methodology, a NOT MET requirement subtracts points from the maximum: 5 points where non-implementation could lead to significant exploitation or exfiltration of CUI, 3 points for a specific and confined effect, and 1 point for a limited or indirect effect. Multi-factor authentication is the notable partial-credit case: 3 points off if MFA covers only remote and privileged users, 5 points off if it covers none. That produces your SPRS score.

Level 1 is simpler and harsher. All 15 requirements must be MET. There is no partial credit and no POA&M at Level 1. You either meet all fifteen or you do not have a Final Level 1 (Self) status.

Here is the numbered workflow for a defensible self-assessment cycle:

  1. Lock your CMMC Assessment Scope. Identify every information system that processes, stores, or transmits FCI or CUI, plus anything providing security protection for those systems or not isolated from them. Scope errors invalidate everything downstream.
  2. Assess each requirement against the NIST SP 800-171A objectives. For Level 1, substitute FCI for CUI in the objectives where they reference CUI. Record MET or NOT MET per objective, not per requirement headline.
  3. Score it. Apply the CMMC Scoring Methodology. Confirm your System Security Plan (SSP) exists at the time of assessment. Its absence (control CA.L2-3.12.4) means the assessment cannot even be completed.
  4. Build POA&Ms where allowed. At Level 2, a NOT MET requirement can carry a Plan of Action and Milestones only if your score divided by total requirements is at least 0.8 and the requirement is not one of the excluded high-weight controls.
  5. Submit results into SPRS. Include your CMMC level, status date, assessment scope, associated CAGE codes, and the compliance result.
  6. Affirm. Your Affirming Official submits a CMMC affirmation of continuing compliance into SPRS.

The affirmation is not a footnote. It is a senior official attesting to compliance, and it is required after every assessment and annually thereafter. Get the wrong signature on it and you have a governance gap on top of a technical one.

What Evidence Makes Your Self-Assessment Defensible if DIBCAC Reviews It?

A self-assessment is a self-attestation, and DoD knows it. That is exactly why the rule preserves DoD's right to send DCMA DIBCAC to assess you under 48 CFR 252.204-7020. If a subsequent DIBCAC assessment finds you did not achieve or maintain the required posture, those results take precedence over whatever status sits in SPRS, and standard contractual remedies apply.

So the real question is not "did we click MET." It is "can we defend MET."

Two corpus requirements set the evidence bar directly:

  • Artifact retention. The artifacts you used as evidence must be retained for six years from the CMMC Status Date. That is a records-management obligation, not a nice-to-have. Six years of traceable evidence per assessment cycle.
  • A current SSP. The System Security Plan must describe every system in scope and must exist at assessment time. No SSP, no completable assessment.

What breaks: Teams score MET from tribal knowledge and a spreadsheet, submit to SPRS, and move on. Twelve months later the person who "knew" the firewall config is gone, the screenshot is stale, and the artifact does not exist. When DIBCAC or a POA&M closeout arrives, the score cannot be reconstructed. A NOT MET reassessment can make you ineligible for additional awards at that level until you achieve a new status. The failure is never the control. It is that the evidence for the control was never captured as evidence at the moment it was true.

Defensible means every MET maps to a named artifact, the artifact is dated, and the mapping survives staff turnover. Answer once, and keep the answer.

How Do You Move From a Point-in-Time Score to Continuous Contract-Eligibility?

An SPRS score is a snapshot. DoD contract eligibility is a running state.

The rule makes the running-state expectation explicit. Level 1 self-assessments are conducted annually. Level 2 self-assessments are redone every three years. Affirmations of continuing compliance are submitted after every assessment and annually. A Level 2 POA&M must be closed out within 180 days of the Conditional CMMC Status Date, or the Conditional status expires, and if it expires mid-contract, standard remedies apply and you can lose eligibility for further awards at that level.

Point-in-time tooling cannot carry that. If your controls drift in month four and your next affirmation is in month eleven, you are affirming continuing compliance you can no longer prove.

The structural fix is to stop treating each cycle as a fresh project:

  • Map your NIST SP 800-171 R2 controls to your evidence sources once, so re-scoring is a refresh, not a rebuild.
  • Bind every requirement to a live artifact reference, so the six-year retention obligation is a byproduct of normal operation, not a scramble.
  • Track affirmation and reassessment dates as monitored obligations, so the annual affirmation and the 180-day POA&M clock surface before they lapse.

When the mapping is done once and maintained, the SPRS evidence pack becomes a query against your current state instead of a quarter of re-collection. The audit pack is a query, not a project.

That is precisely the posture Aegis GRC is built to hold. Map your NIST SP 800-171 controls once and generate an audit-ready, continuously maintained SPRS evidence pack at aegis-grc.com. See how control mapping turns 110 requirements into a maintained baseline and how audit readiness keeps your affirmation defensible between assessments.

FAQ: CMMC Phase 1 Contract Eligibility

Does CMMC Phase 1 mean every DoD contractor needs a third-party certification now? No. Phase 1 makes a CMMC Status a condition of award, but for many contracts that status is Level 1 (Self) or Level 2 (Self), which are self-assessments. DoD may, at its discretion, require Level 2 (C3PAO) on specific procurements, so read the clause on each solicitation.

What is the difference between DFARS 252.204-7021 and 252.204-7012? 252.204-7012 is the long-standing safeguarding and incident-reporting clause. The CMMC acquisition clause (generally understood as 252.204-7021) is what makes a specific CMMC level a condition of award and points at your SPRS status. CMMC verifies implementation on top of the existing safeguarding requirement rather than replacing it.

Can I win an award with an open POA&M? Only within limits. At Level 2 a POA&M is permitted for select NOT MET requirements when your score divided by total requirements is at least 0.8 and the requirement is not one of the excluded high-weight controls. It must be closed out within 180 days of the Conditional CMMC Status Date or the Conditional status expires. Level 1 permits no POA&Ms at all.

How long do I keep the evidence from a self-assessment? Six years from the CMMC Status Date. The artifacts used as evidence must be retained across that window, which is why capturing evidence at the moment a control is true beats reconstructing it before a DIBCAC review.

Who signs the affirmation? An Affirming Official, the senior representative responsible for your organization's CMMC compliance, submits the affirmation electronically in SPRS after every assessment and annually thereafter.