If you’re a small business touching DoD work, CMMC can feel like a giant gate you have to squeeze through. The good news is CMMC Level 1 is the “basic hygiene” level, built to protect Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
In January 2026, the practical reality is simple: the CMMC final rule took effect in 2025, and many new DoD awards (and flow-downs from primes) now expect a current Level 1 self-assessment and a yearly senior official affirmation in SPRS.
This post gives you a step-by-step plan and the proof to collect so you can back up every “Met” answer. Guidance can change, so I always verify details against official sources like the DoD CMMC pages and contract language before I submit anything.
What CMMC Level 1 means for a small business (scope, who needs it, and how self-assessment works)

Level 1 is based on the 15 basic safeguarding requirements in FAR 52.204-21, which I keep bookmarked from the official text at Acquisition.gov FAR 52.204-21. Think “keep FCI from spilling,” not “build an enterprise security program.”
What counts as FCI (in plain English)
FCI is contract-related info that isn’t meant for public release. In my world, that often looks like:
- Contract emails and attachments (tasking, clarifications, deliverables)
- Task orders, schedules, and status reports
- Performance notes, meeting minutes, and internal contract docs
Level 1 shows up for many DoD primes and subs, and it can matter for SBIR/STTR-style work if FCI touches your systems. Some situations may reduce scope (for example, truly COTS-only fulfillment or certain micro-purchases), but I don’t assume I’m exempt. I confirm with the contract and my prime.
How Level 1 self-assessment works (and why honesty matters)
Level 1 is typically a self-assessment. I check each requirement, mark it Met or Not Met, and keep evidence that supports my answers. Then a senior official (often the owner, president, or authorized executive) signs an annual affirmation in SPRS.
I treat that affirmation like a sworn statement. I don’t “future-date” fixes, and I don’t claim controls I can’t prove. For background on the program and updates, I cross-check DoD CIO’s CMMC overview and the rule history in the Federal Register CMMC Program entry.
Find what is in scope: where FCI lives in my business
My scoping method is fast and practical:
- List DoD contracts and subcontracts that involve FCI.
- List systems that touch that FCI (create, store, send).
- Draw a boundary around what’s “in scope,” then keep FCI inside it.
For many small shops, FCI sits in Microsoft 365 after an Office 365 Migration, plus laptops and phones that sync email and files. I map the flow through Cloud Infrastructure and Cloud Management choices (tenant settings, sharing links, guest access), and I sanity-check the design against Secure Cloud Architecture basics (least access, strong sign-in, controlled sharing). If I’m a restaurant or hybrid business, I also check whether a POS back office stores contract invoices or emails, which is where Restaurant POS Support and Kitchen Technology Solutions can unexpectedly become “in scope.”
Roles and responsibilities I need on day one (even with limited staff)
I keep roles simple:
- Owner/senior official: approves scope, signs the SPRS affirmation.
- IT admin or Managed IT for Small Business partner: configures accounts, devices, and logging.
- Office manager/HR: onboarding, offboarding, visitor sign-in, basic records.
- All staff: phishing awareness, device care, reporting issues fast.
When I don’t have in-house staff, I lean on a Business Technology Partner for Technology Consulting, Infrastructure Optimization, and Cybersecurity Services that fit my size.
CMMC Level 1 checklist by control family (what to do, small-biz tools, and evidence to keep)
I like using the DoD’s own checklist language as a compass, including the CMMC Level 1 Self-Assessment Guide (PDF) and practical examples like this CMMC Level 1 guide (PDF). Then I translate it into actions I can actually run.
| Practice (plain-English) | What I do | Suggested tools/processes | Evidence to collect |
|---|---|---|---|
| Limit system access to authorized users | Use named accounts only | Microsoft 365 admin center | User list export |
| Limit access to what users are allowed to do | Role-based access to folders | SharePoint/OneDrive permissions | Screenshot of permissions |
| Control external connections | Approve VPN/remote tools | Firewall, VPN, remote access policy | Approved remote access list |
| Identify users and devices | Keep an asset list | Simple spreadsheet, MDM | Asset inventory |
| Use strong authentication | Enforce MFA where possible | Entra ID security defaults/Conditional Access | MFA settings screenshot |
| Control/limit portable storage | Block USB when feasible | Intune, Endpoint Security policy | USB policy screenshot |
| Protect and sanitize media | Wipe or shred before disposal | Disposal vendor, wipe tool | Disposal receipt/log |
| Restrict physical access to systems | Lock office and network gear | Locks, badge/key control | Photo of locked area |
| Escort visitors when needed | Visitor sign-in and escort rule | Paper log, front desk process | Visitor log photo |
| Protect data in transit | Use HTTPS, VPN, secure sharing | TLS email, secure links | Config screenshot, policy |
| Protect public-facing systems | Separate public website from FCI systems | Hosting separation, firewall rules | Network diagram note |
| Device Hardening baseline | Remove local admin, auto-lock screens | Intune baseline, OS policies | Policy screenshots |
| Patch and update systems | Monthly patch window | Patch management, auto-updates | Patch report |
| Use malware protection | Managed AV/EDR on endpoints | Endpoint Security/EDR | Console status screenshot |
| Track and fix security issues | Simple incident and ticket log | Helpdesk or shared log | Incident entries |
Lightweight evidence matrix: practice to proof examples
I store proof in one dated folder per year (screenshots named with the system and date). If I can’t prove it in two minutes, I assume it won’t hold up later.
| Family | Proof I keep (examples) |
|---|---|
| Access Control | Access list export, SharePoint permission screenshot, access request log |
| Identification & Authentication | MFA/CA screenshot, password policy, password manager admin view |
| Media Protection | USB control policy, wipe record, disposal receipt |
| Physical Protection | Visitor log photo, key/badge list, photo of locked closet |
| System & Communications Protection | Firewall config snapshot, VPN settings, guest Wi-Fi segmentation note |
| System & Info Integrity | AV/EDR status, patch report, incident log example |
Final readiness review, common pitfalls, quick wins, and the yearly maintenance cadence
Before I submit my annual self-assessment and affirmation, I run this quick review:
- Scope is written down, and FCI locations match reality.
- No shared accounts, no shared admin logins.
- Endpoint Security is installed on every in-scope device.
- Encryption is on for laptops and mobiles that store FCI.
- Backups work, and I’ve tested a restore.
- Visitor controls exist (even if it’s just a clipboard log).
- Evidence is dated, organized, and complete.
Common pitfalls I see: assuming “we don’t have FCI,” letting staff use personal devices or personal cloud storage, keeping shared passwords, weak offboarding, unpatched machines, unmanaged antivirus, loose USB usage, an unlocked network gear closet, missing proof, and forgetting the annual SPRS update.
Quick wins that usually pay off fast: move FCI into a controlled M365 tenant, standardize company-managed endpoints, enable encryption, turn on auto-updates, centralize Endpoint Security, segment guest Wi-Fi, and lock down admin rights. If your environment includes Data Center Technology or a busy restaurant stack, pairing Business Continuity & Security with solid operational support (like Restaurant POS Support) keeps compliance from breaking during a Friday night outage. That’s where Innovative IT Solutions and Tailored Technology Services can support real-world operations, not just paperwork.
Cadence that works for me: monthly patch and AV review, quarterly access review, annual self-assessment and senior official affirmation.
Mini-templates I can copy today (policy list, logs, and asset inventory fields)
1-page policy list (titles only): Access Control, Media Handling, Physical Access, Patching, Malware Protection, External Connections.
Access request log fields: Date, requester, user, system/folder, approved by, access granted date, removal date.
Incident log fields: Date/time, what happened, system/device, FCI involved (Y/N), action taken, outcome, follow-up owner.
Training attestation fields: Name, date, topic (phishing, passwords, reporting), trainer, signature/ack.
Asset inventory fields: Device name, serial, assigned user, OS version, encryption on/off, AV/EDR status, last patch date, location.
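To turn the pre-submission readiness review and the asset inventory fields above into a repeatable check, here is an added Python example (not from the original post). It assumes the inventory is exported as CSV with the field names listed above, uses constructed sample rows and dates, and treats `healthy` as the assumed value for an AV/EDR agent that is installed and reporting.

```python
"""Readiness check over the asset inventory template from this post.
Added example, not the post's own code: it reads the inventory fields
listed above from a constructed CSV and flags every device that would
fail the pre-submission review (encryption on, AV/EDR healthy, patched
inside the monthly window). Device names, serials and dates are constructed."""
import csv
import io
from datetime import date

# Constructed sample inventory using the field names from the post.
SAMPLE_INVENTORY = """\
Device name,serial,assigned user,OS version,encryption on/off,AV/EDR status,last patch date,location
LT-001,SN1001,alice,Windows 11 23H2,on,healthy,2026-01-05,Main office
LT-002,SN1002,bob,Windows 11 23H2,off,healthy,2026-01-05,Main office
LT-003,SN1003,carol,macOS 14.2,on,not installed,2025-11-20,Remote
PH-001,SN2001,dave,iOS 17.2,on,healthy,2025-12-28,Remote
"""

PATCH_WINDOW_DAYS = 30  # the post's monthly patch window


def check_inventory(csv_text, as_of_iso, patch_window_days=PATCH_WINDOW_DAYS):
    """Return {device name: [gap, ...]} for devices that would not pass the review.

    as_of_iso is the review date as YYYY-MM-DD; devices with no gaps are omitted.
    """
    as_of = date.fromisoformat(as_of_iso)
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        if row["encryption on/off"].strip().lower() != "on":
            findings.append("encryption off")
        av_status = row["AV/EDR status"].strip().lower()
        if av_status != "healthy":  # assumed convention: 'healthy' = installed and reporting
            findings.append(f"AV/EDR {av_status}")
        try:
            last_patch = date.fromisoformat(row["last patch date"].strip())
            if (as_of - last_patch).days > patch_window_days:
                findings.append(f"last patch {last_patch} outside {patch_window_days}-day window")
        except ValueError:
            findings.append("last patch date missing or unparseable")
        if findings:
            gaps[row["Device name"].strip()] = findings
    return gaps


if __name__ == "__main__":
    for device, findings in check_inventory(SAMPLE_INVENTORY, "2026-01-15").items():
        print(f"{device}: {'; '.join(findings)}")
```

Each flagged device is a control you cannot mark "Met" until the inventory row and its proof (encryption screenshot, EDR console status, patch report) agree.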
Conclusion
A CMMC Level 1 checklist is manageable for a small team when I keep the scope tight, lock down access, harden devices, and collect simple proof as I go. The biggest mindset shift is treating Level 1 like routine care, not a one-time sprint.
If you want help scoping FCI, tightening Secure Cloud Architecture, handling an Office 365 Migration the right way, cleaning up Cloud Infrastructure, running Device Hardening, and setting up ongoing Cybersecurity Services, RVA Tech Visions can step in as your Business Technology Partner. Requirements and DoD guidance can change, so I always confirm the latest rules and contract terms before I submit my SPRS affirmation.