bigforceone

Level 1 is self-assessed. Not corner-cut.

CMMC Level 1 covers Federal Contract Information (FCI) — the 17 controls in FAR 52.204-21, derived from NIST SP 800-171. The DoD lets you self-attest. Most subcontractors interpret that as "spreadsheet once a year, hope nothing changes." FORCE customers do it differently.

Self-assessment isn't an excuse for thin evidence. It's a commitment by a senior official of the company that every one of those 17 controls is implemented and operating. When that senior official signs the affirmation, you want to know the evidence is real, current, and defensible — not a snapshot from eleven months ago.

FORCE wires every Level 1 control to live AWS, Azure, and Microsoft 365 configuration. The SSP narrative writes itself from that evidence. The POA&M writes itself from gaps. The SPRS submission packages it. Continuous monitoring keeps it current between annual affirmations so when a customer or prime asks for proof, the answer is one click, not one quarter.

What "professional self-assessment" means at FORCE

Continuous, not annual

Evidence collection runs every day, not once a year before the affirmation. The senior-official sign-off is on a posture you've actually held all year — not a number you reverse-engineered the week before submission.

Live SSP narrative

System Security Plan generated from real configuration. Each of the 17 controls has a paragraph that cites the actual evidence — IAM policy, S3 bucket policy, M365 conditional access — not generic boilerplate.

POA&M as a working document

When a control drifts, the POA&M opens an item automatically. When you remediate, it closes. The OSCAL POA&M you submit is the same one your team works against day to day — not a separate Word doc.

SPRS submission, included

L1 still submits a self-assessment score to SPRS. FORCE generates the package — score, supporting evidence references, narrative — directly from your live evidence chain.

The 17 controls FORCE evidences automatically

FAR 52.204-21 / NIST 800-171 Level 1 controls — six families, 17 individual controls. FORCE collects evidence for all 17 from your AWS / Azure / M365 environment without manual upload.

  • AC — Access Control (4 controls): identity, authorization, least privilege, external system connections
  • IA — Identification & Authentication (2 controls): user/process identity verification, password complexity
  • MP — Media Protection (1 control): sanitize media before disposal or reuse
  • PE — Physical Protection (4 controls): facility access, escort, logging, device control
  • SC — System & Communications Protection (2 controls): boundary protection, public-facing system isolation
  • SI — System & Information Integrity (4 controls): flaw remediation, malicious-code protection, monitoring, alerts

What the senior-official affirmation actually requires

The CMMC L1 affirmation is signed by a senior company official. It states that the contractor has implemented all 17 FAR 52.204-21 controls, and it is submitted annually to SPRS. False attestation carries False Claims Act exposure — civil penalties, treble damages, and possible criminal liability.

That's why being self-attested doesn't make a self-assessment casual. It makes evidence quality the senior official's personal exposure. FORCE exists so that exposure is backed by something real.

Continuous monitoring posture

Built for the small business that handles FCI

Most CMMC L1 targets are small businesses — sub-50 headcount, modest IT budget, no compliance staff. FORCE Level 1 pricing is set so a defense subcontractor with a single contract worth holding onto can afford the platform that keeps them in the supply chain. Wire your AWS or M365 in under an hour. The next morning, evidence is flowing.

Questions about your specific FCI exposure or the self-attestation process — partners@bigforgeone.com