32 C.F.R. § 170.15
(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).
(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.
(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:
(c) Procedures—(1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:
(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.
| CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800-171A Jun2018 |
|---|---|
| AC.L1-b.1.i | 3.1.1 |
| AC.L1-b.1.ii | 3.1.2 |
| AC.L1-b.1.iii | 3.1.20 |
| AC.L1-b.1.iv | 3.1.22 |
| IA.L1-b.1.v | 3.5.1 |
| IA.L1-b.1.vi | 3.5.2 |
| MP.L1-b.1.vii | 3.8.3 |
| PE.L1-b.1.viii | 3.10.1 |
| First phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.3 |
| Second phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.4 |
| Third phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.5 |
| SC.L1-b.1.x | 3.13.1 |
| SC.L1-b.1.xi | 3.13.5 |
| SI.L1-b.1.xii | 3.14.1 |
| SI.L1-b.1.xiii | 3.14.2 |
| SI.L1-b.1.xiv | 3.14.4 |
| SI.L1-b.1.xv | 3.14.5 |
| * Three of the 48 CFR 52.204-21 requirements were broken apart by “phrase” when NIST SP 800-171 R2 was developed. |