Expert Advice

Cybersecurity in Federal Contracting – CMMC Level 1 for Everyone!

All business owners are aware of the term cybersecurity and have a basic understanding of its importance. Most are aware of terms such as Data Breach, Ransomware, Phishing, Trojan Horse, and Malware Attack, and there are many, many more. As you can imagine, the United States Federal Government is in a never-ending battle to prevent cyber-attacks within all its federal agencies. Unfortunately, one of the most vulnerable paths to cyber-attacks for federal agencies is through their suppliers, which include both Prime Contractors and their subcontractors. This article provides an overview of the Federal Government’s cybersecurity measures and how you can begin working towards full cybersecurity compliance through CMMC Level 1 self-certification.


What is Cybersecurity Maturity Model Certification (CMMC)


CMMC Level 1 focuses on the protection of Federal Contract Information (FCI), which is defined as follows:

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. 

CMMC Level 1 encompasses the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and is the first level of cybersecurity certification you will need as a contractor.

Key benefits:

  1. CMMC Level 1 Requirement in many RFPs: Submission of Proposals and Bids to ANY DoD agency now requires a statement of being compliant with Level 1 self-certification requirements, in some cases at the time of submission. Additionally, all firms in the manufacturing sector that need to obtain sensitive unclassified information, such as blueprints and drawings, from the Defense Logistics Agency will have to obtain a Joint Certification Program (JCP). A firm can only obtain a JCP by having the Level 1 self-certification score reported in the Supplier Performance Risk System (SPRS).
  2. Submitting Invoices under Wide Area Work Flow: This is a sub-system of the Procurement Integrated Enterprise Environment (PIEE). It’s the primary enterprise procure-to-pay application used by the Department of Defense and its supporting agencies. PIEE helps automate and streamline the procurement process, reducing manual data entry and administrative tasks from pre-award through contract closeout. Your CMMC Level 1 certification requires a PIEE account to access the Supplier Performance Risk System.

Steps required:

  1. Read Federal Acquisition Regulation (FAR) Clause 52.204-21.
  2. Take the System Security Plan
  3. Take the CMMC Self-Assessment Test
  4. Input your score into the Supplier Performance Risk System (SPRS) website

While it can be challenging, if you are serious about doing business with the Federal Government now or in the near future, becoming CMMC Level 1 self-certified is critical for your success. A great resource for obtaining the latest information is Project Spectrum, a DoD-sponsored resource designed to assist suppliers with the latest cybersecurity news, resources, and training. Norcal APEX Accelerator is collaborating with Project Spectrum to host an informational webinar on October 24, 2024. Register today!


If you are looking for help with cybersecurity compliance or want no-cost help to find federal contracting opportunities, please contact your Norcal APEX Accelerator counselor for assistance or apply for services today!

If you have more questions, please contact us at info@apexnorcal.org or 707.267.7561


Authored by: Thomas Burns, Norcal APEX Accelerator Procurement Specialist