Jackie Ramsey, January 2, 2026

If you’re a small business that touches DoD work, you’ve probably felt the pressure building around CMMC Level 1. Maybe you only see “basic contract stuff” like quotes, delivery dates, or invoices, but that still counts as data the DoD expects you to protect.

Here’s the good news. Level 1 is built for this kind of reality. It’s not a paid third-party audit. As of late 2025, it’s an annual self-assessment: you check yourself against 17 basic practices, keep the proof, then report your result in the DoD’s Supplier Performance Risk System (SPRS), with a senior company official affirming that the result is accurate.

CMMC is now rolling in for real. Phase 1 started November 10, 2025, and CMMC requirements can show up in new solicitations and contracts. For many small vendors and subs, Level 1 is the first gate you have to clear to stay eligible.


Know what CMMC Level 1 covers (and what it doesn’t)

CMMC Level 1 is about protecting Federal Contract Information (FCI). That’s the key. If you only handle FCI, you should not build a Level 2 program “just to be safe.” Overbuilding wastes time and money, and it often creates new mistakes.

FCI is not classified, and it isn’t Controlled Unclassified Information (CUI) either. The FAR definition (FAR 4.1901) is the one to work from: information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service. It excludes information the Government already publishes and “simple transactional information,” such as what’s needed to process a payment. In practice that means most of the working documents you trade with a prime or a contracting office are FCI.

Simple examples of FCI I see in small businesses:

  • A quote tied to a DoD purchase
  • A delivery schedule or shipping details
  • Work orders and tasking emails from a prime
  • Invoices and line items tied to a DoD contract (a bare payment record on its own is the “simple transactional information” the FAR excludes, but the invoice describing what was delivered is not)
  • Meeting notes about delivery dates or onsite access

Level 1’s deliverable is straightforward:

  • Meet the 17 practices (the 15 basic safeguarding requirements of FAR 52.204-21, which the Level 1 Assessment Guide expresses as 17 NIST SP 800-171 security requirements)
  • Perform a self-assessment (using a defined assessment approach)
  • Submit the result in SPRS, with a senior official affirmation

If you want the DoD’s own framing for Level 1, I keep the CMMC Level 1 Assessment Guide bookmarked and treat it like the source of truth.

FCI vs CUI: quick rules to keep scope small

When scope gets messy, Level 1 gets hard. The fastest path to “pass” is controlling where FCI lives and how it moves.

Here’s the decision guide I use with small teams:

Where FCI shows up

  • Prime or DoD email threads about contract performance
  • Shared files for schedules, quotes, invoices, delivery docs
  • Ticketing systems or shared folders used by delivery teams

Where FCI should not live

  • Personal email accounts
  • Text messages and chat threads that aren’t managed
  • Random USB drives
  • A shared drive with no access controls
  • A former employee’s mailbox “because we might need it later”

My scoping tip that saves the most time: if possible, keep DoD work in a separate tenant, folder set, or project space. Even a clean “DoD Projects” team site with strict membership beats scattered files across desktops and inboxes, and it means the self-assessment only has to describe that space, not every laptop in the building.

What “pass” means for Level 1 in 2025

In December 2025, CMMC is in Phase 1 rollout, which started November 10, 2025. Level 1 is designed as a yearly self-assessment, not a third-party certification audit.

In practice, “pass” means:

  • I assess every practice against the assessment objectives in the CMMC Level 1 Assessment Guide (they are the NIST SP 800-171A objectives for those 17 requirements), and every practice has to come out MET. Level 1 has no partial credit and no Plan of Action and Milestones (POA&M): one NOT MET practice means you don’t have a passing self-assessment
  • I can show evidence for each practice
  • I submit the result in SPRS and a senior official affirms it

The regulatory language matters too, especially if you need to explain requirements to leadership. I point owners to 32 CFR 170.15 (Level 1 self-assessment and affirmation) when they want to see what’s required in plain black-and-white.

One more expectation I set early: keep your evidence for years. 32 CFR 170.15 sets a specific retention period for the artifacts behind a self-assessment (check the rule text for the current figure). Even though Level 1 is self-attested, the affirmation is a statement to the Government that can be treated as a false claim if it’s wrong, so you need to be able to prove you did the work if questions come later.

Build your Level 1 checklist around the 17 practices

Level 1 can feel abstract until you turn it into a checklist with owners and proof. The 17 practices group cleanly into six areas. I like to build a one-page tracker that links each practice to (1) the system it applies to, (2) the setting that enforces it, and (3) the evidence file that proves it.

Here’s a practical way to group the work:

Area | What I implement (plain language) | Evidence I keep
Access Control | Only approved users access FCI systems, no shared accounts, external connections and public web content reviewed | User lists, role screenshots, account disable records
Identification and Authentication | Unique user IDs and strong passwords (MFA is a Level 2 practice, but it’s cheap to turn on and most primes ask about it) | Password policy screenshot, login method settings
Media Protection | Control removable media, sanitize or destroy drives before disposal or reuse | Disposal receipts, written media handling note
Physical Protection | Limit office and equipment access, escort visitors, keep a physical access log | Visitor log, badge policy, locked cabinet photos
System and Communications Protection | Firewall at the boundary, secure Wi-Fi, public-facing systems separated from the internal network, safe remote access | Firewall snapshot, Wi-Fi security settings
System and Information Integrity | Patch, malware defense kept updated, real-time and periodic scans | Patch reports, AV/EDR dashboard screenshots

This isn’t meant to replace the official detail. It’s meant to keep your work tight and finishable. For deeper “practice by practice” language, I reference the DoD guide above, and sometimes cross-check explanations like Pretorin’s CMMC Level 1 guide to all 17 practices when I want a second perspective for a small-business setup.

Access control and MFA: lock down who can get in

If I had to pick the highest impact Level 1 work, it’s access control. Small businesses often “know” who should have access, but the system doesn’t enforce it.

What I put in place:

  • No shared logins, even for front-line teams
  • Unique named accounts for email, cloud files, and VPN
  • Fast offboarding: I disable accounts the same day someone leaves, and I keep the ticket or note that shows the date
  • Role-based access in Microsoft 365 or Google Workspace, so staff only see what they need
  • Screen locks on laptops and desktops
  • MFA for remote access (VPN, remote desktop, cloud email). MFA is not one of the 17 Level 1 practices, but it’s the cheapest way to make “authenticate users” mean something, and it’s the first thing a prime’s questionnaire asks about

A small detail that matters: I make sure service accounts (or processes acting on behalf of users) don’t have more access than they need. Level 1 isn’t asking for complex identity governance, but it does expect you to control access paths.

Evidence that usually satisfies Level 1:

  • Screenshot showing MFA is enforced for the tenant
  • Exported user list showing active accounts
  • Ticket or note showing an account was disabled after termination
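The user list export above is also the input for a check you can run every quarter. Here is an added example (my own code, not anything from the original post or from a tooling vendor) that reads such an export and flags the gaps this section describes: shared logins, enabled accounts without MFA, accounts nobody has signed into for a quarter (usually a missed offboarding), and service accounts holding an admin role. The column names, the example users, and the “svc-” and “frontdesk” naming hints are assumptions made for the example; map your tenant’s actual export headers and naming convention onto them.

```python
"""Quarterly account hygiene check for a small FCI tenant (added example)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export with hypothetical users. Real Microsoft 365 or
# Google Workspace exports use different headers; adapt the column names used
# in check_accounts() to match your tenant's export.
SAMPLE_EXPORT = """\
user,enabled,last_sign_in,mfa_enforced,role
alice@example.com,true,2025-12-18,true,Owner
bob@example.com,true,2025-12-19,true,Project Lead
frontdesk@example.com,true,2025-12-19,false,Staff
carol@example.com,true,2025-07-01,true,Staff
dave@example.com,false,2025-09-30,true,Staff
svc-backup@example.com,true,2025-12-19,false,Global Administrator
"""

# Local-part prefixes that usually mean a login is shared between people
# (assumption: tune to the names your shop actually uses).
SHARED_ACCOUNT_HINTS = ("frontdesk", "reception", "shared", "shop", "office", "info")
# Prefixes used for service accounts (assumption: your convention may differ).
SERVICE_ACCOUNT_HINTS = ("svc-", "svc_", "service")


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str      # no_mfa | stale_signin | shared_account | over_privileged_service
    detail: str


def _true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def check_accounts(export_csv: str, as_of: date, stale_days: int = 90) -> list[Finding]:
    """Return one Finding per problem in the export. Disabled accounts are
    skipped: a disabled account is the evidence that offboarding happened."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"].strip()
        if not _true(row["enabled"]):
            continue
        local = user.split("@", 1)[0].lower()
        role = row["role"].strip().lower()

        if not _true(row["mfa_enforced"]):
            findings.append(Finding(user, "no_mfa", "enabled account without MFA"))

        age = (as_of - date.fromisoformat(row["last_sign_in"])).days
        if age > stale_days:
            findings.append(Finding(user, "stale_signin",
                                    f"no sign-in for {age} days; disable or confirm still needed"))

        if local.startswith(SHARED_ACCOUNT_HINTS):
            findings.append(Finding(user, "shared_account",
                                    "looks like a shared login; replace with named accounts"))

        if local.startswith(SERVICE_ACCOUNT_HINTS) and "admin" in role:
            findings.append(Finding(user, "over_privileged_service",
                                    f"service account holds role '{row['role'].strip()}'"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by issue type, for the quarterly evidence note."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_accounts(SAMPLE_EXPORT, as_of=date(2025, 12, 20))
    for f in results:
        print(f"{f.issue:24} {f.user:28} {f.detail}")
    print(summarize(results))
```

Run it against a fresh export, save the printed summary next to the export with the date in the file name, and you have both the “accounts still clean” check and the evidence for it in one step. The 90-day threshold is a starting point; what matters is that the stale list is empty or explained each quarter.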

Physical and media protection: protect offices, laptops, and old drives

Level 1 is not only about “cyber.” Physical gaps can break the story fast, especially if you handle FCI on laptops.

Physical controls I use that don’t slow teams down:

  • Exterior doors stay locked during business hours
  • Visitors sign in and get escorted
  • Network gear is in a locked closet or cabinet
  • Laptops aren’t left in cars, and they’re secured onsite

Media protection is where small shops get surprised. If FCI touches removable media, I set a basic rule: only approved drives, and they get scanned before use. If a drive is retired, I wipe it or use certified destruction. “Media” means any storage that held FCI, so the same rule covers the internal drive of a retired laptop and the hard drive in the office copier, not just USB sticks.

Easy evidence items:

  • Visitor log (paper is fine)
  • A short written “visitor handling” procedure
  • Disposal receipts from an ITAD or shredding vendor
  • A written note about USB rules, even one page

Boundary protection and encryption: keep data safe in transit and at rest

For Level 1, I think of boundary protection as “don’t leave doors open.”

I focus on:

  • A business-grade firewall, not an ISP modem doing everything
  • No accidental port forwards
  • Secure Wi-Fi (WPA2 or WPA3, strong passphrase, guest network separated)
  • Remote access only through approved tools (a VPN or a managed remote-support product), never a desktop with RDP published straight to the internet

Encryption isn’t one of the 17 Level 1 practices, so it doesn’t need to be a big project, but the places I do rely on it need to be real:

  • Full-disk encryption on laptops (BitLocker or FileVault)
  • TLS-protected cloud email (your provider handles much of this)
  • Approved cloud storage for DoD work instead of unmanaged file shares

My best “don’t forget” tip: document what tool enforces each setting. In a small shop, tribal knowledge fades fast. I keep a short record like “BitLocker enforced via Intune policy X” or “Google Workspace 2-step verification required for all users.”

Patch and malware defenses: the fastest way to avoid a failed assessment

If you want a simple metaphor, patching is like changing the locks after a key goes missing. You don’t debate it, you just do it.

Level 1 expects you to:

  • Fix known flaws in a reasonable time
  • Use malware protection
  • Keep malware tools updated
  • Run real-time scans on files coming from outside (downloads, email attachments, USB) plus periodic full scans, and watch for alerts

For a small team, consistency beats complexity. Here’s a cadence I can support without hiring staff:

  • Weekly: check patch status (OS and key apps)
  • Monthly: save a patch compliance report or screenshot
  • Continuous: auto-updates for OS and browsers where possible
  • Ongoing: AV/EDR dashboard checked during normal IT work

Evidence examples that work well:

  • Patch report screenshots (from RMM, Intune, or endpoint tools)
  • AV/EDR status page showing coverage and last update time
  • A short log entry when a device failed updates and got remediated

Basic documentation: the part most small businesses forget

Most Level 1 “fails” I see aren’t about missing tools. They’re about missing proof.

At Level 1, “document security plans” doesn’t mean a 70-page manual. I keep it simple and readable:

  • A short System Security Plan style write-up (what systems handle FCI, who manages them, what controls exist). A formal SSP is a Level 2 requirement, but one page that draws the FCI boundary is what makes next year’s self-assessment repeatable
  • Basic policies: passwords, acceptable use, remote work, visitor handling, media handling
  • Proof you follow your policies (screenshots, logs, sign-offs)

My favorite structure is a one-page policy pack plus an “evidence binder” folder. When someone asks “how do you know,” you can answer in 30 seconds.

My practical plan to pass fast: scope, fix, prove it, submit it

When I’m trying to get a small business through Level 1, I plan for 30 to 90 days. The range depends on how scattered the environment is and how fast leadership makes decisions.

The workflow stays the same:

  1. Scope what counts (FCI systems only)
  2. Fix gaps against the 17 practices
  3. Capture evidence as I work
  4. Submit in SPRS and calendar renewal

If you want a broader set of supplier references, the Defense Logistics Agency keeps a helpful hub at Cybersecurity Resources for Suppliers. I use it when clients need official pointers for training and planning.

Do a gap check in a day, then turn it into a short punch list

I don’t start with policies. I start with reality.

In one day, I can usually map:

  • Where FCI lives (email, SharePoint, Drive, file server, ticketing)
  • Who can access it
  • How remote work happens
  • What endpoints exist (laptops, desktops)
  • What security tooling exists (MFA, AV/EDR, patch control)

Then I turn that into a punch list in a simple spreadsheet with columns:

  • Practice
  • Current state
  • Fix needed
  • Evidence to collect
  • Owner
  • Due date

That punch list becomes the project plan, and it keeps the team from spiraling.

Collect evidence as I go (screenshots, logs, and short written notes)

I treat evidence like receipts. If I didn’t save it, it didn’t happen.

Evidence that’s usually enough for Level 1:

  • MFA enabled screenshots (tenant-wide, not per user)
  • User list exports showing active accounts
  • Patch status reports
  • AV/EDR coverage screenshots
  • Firewall configuration snapshot (high-level is fine)
  • Visitor log photo or scan
  • Security awareness sign-off (even a basic acknowledgment)
  • Media disposal record
  • Short written procedures (one page each)

File naming helps more than most people expect. I use a pattern like the one below: the practice area and a sequence number, a short description, then the capture date. If you prefer, use the official practice ID from the assessment guide instead (AC.L1-3.1.1, MP.L1-3.8.3), which makes it easier to cross-check each file against the guide:

  • AC-01_MFA_Enabled_2025-12-15.png
  • MP-01_DriveDisposalReceipt_2025-10-02.pdf

A clean evidence binder reduces stress when it’s time to submit.
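Once the binder follows that naming pattern, the coverage question (“is there current evidence for every one of the 17 practices?”) can be answered by a script instead of by eyeballing a folder. Here is an added example, my own code rather than anything from the original post, that maps each file name to a practice, drops files older than the one-year self-assessment cycle, and lists the practices with nothing behind them. Two assumptions are built in and labelled in the code: the sequence number after the area prefix follows the order of the practices in the CMMC Level 1 Assessment Guide, and the file list is a constructed sample.

```python
"""Evidence binder coverage check for a CMMC Level 1 self-assessment (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# The 17 Level 1 practices by area, in assessment-guide order. Assumption: the
# NN in "AC-01" is the 1-based position within that area's list.
LEVEL1_PRACTICES = {
    "AC": ("3.1.1", "3.1.2", "3.1.20", "3.1.22"),
    "IA": ("3.5.1", "3.5.2"),
    "MP": ("3.8.3",),
    "PE": ("3.10.1", "3.10.3", "3.10.4", "3.10.5"),
    "SC": ("3.13.1", "3.13.5"),
    "SI": ("3.14.1", "3.14.2", "3.14.4", "3.14.5"),
}
ALL_PRACTICE_IDS = [f"{area}.L1-{p}" for area, ps in LEVEL1_PRACTICES.items() for p in ps]

# AREA-NN_Description_YYYY-MM-DD.ext, where Description may contain underscores.
NAME_RE = re.compile(
    r"^(?P<area>AC|IA|MP|PE|SC|SI)-(?P<idx>\d{2})_"
    r"(?P<desc>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample binder (hypothetical file names).
SAMPLE_BINDER = [
    "AC-01_MFA_Enabled_2025-12-15.png",
    "AC-02_RoleMatrix_2025-12-15.xlsx",
    "AC-03_ExternalSharingOff_2025-12-10.png",
    "AC-04_PublicWebsiteReview_2025-11-30.txt",
    "IA-01_UserListExport_2025-12-15.csv",
    "IA-02_PasswordPolicy_2025-12-15.png",
    "MP-01_DriveDisposalReceipt_2025-10-02.pdf",
    "PE-01_LockedClosetPhoto_2025-12-01.jpg",
    "PE-02_VisitorEscortProcedure_2024-09-20.pdf",   # over a year old: stale
    "PE-03_VisitorLog_2025-12-01.pdf",
    "SC-01_FirewallSnapshot_2025-12-03.png",
    "SI-01_PatchReport_2025-12-15.pdf",
    "SI-02_AVDashboard_2025-12-15.png",
    "SI-03_AVSignatureAge_2025-12-15.png",
    "SI-04_ScanSchedule_2025-12-15.png",
    "patch screenshot.png",                          # not in the pattern
    "SI-05_Whatever_2025-12-15.png",                 # there is no fifth SI practice
]


@dataclass(frozen=True)
class Evidence:
    practice: str   # e.g. "AC.L1-3.1.1"
    filename: str
    captured: date


@dataclass
class BinderReport:
    covered: dict[str, Evidence]   # practice id -> newest current evidence
    missing: list[str]
    stale: list[Evidence]
    malformed: list[str]


def parse_evidence_name(filename: str) -> Evidence | None:
    """Map a file name to a practice, or None if it doesn't follow the pattern."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    practices = LEVEL1_PRACTICES[m["area"]]
    idx = int(m["idx"])
    if not 1 <= idx <= len(practices):
        return None     # sequence number past the last practice in that area
    try:
        captured = date.fromisoformat(m["date"])
    except ValueError:
        return None     # impossible date such as 2025-13-40
    return Evidence(f"{m['area']}.L1-{practices[idx - 1]}", filename, captured)


def check_binder(filenames, as_of: date, max_age_days: int = 365) -> BinderReport:
    """Classify every file and list practices with no current evidence."""
    covered: dict[str, Evidence] = {}
    stale: list[Evidence] = []
    malformed: list[str] = []
    for name in filenames:
        ev = parse_evidence_name(name)
        if ev is None or ev.captured > as_of:       # unparseable or future-dated
            malformed.append(name)
            continue
        if (as_of - ev.captured).days > max_age_days:
            stale.append(ev)                         # predates this assessment cycle
            continue
        current = covered.get(ev.practice)
        if current is None or ev.captured > current.captured:
            covered[ev.practice] = ev
    missing = [pid for pid in ALL_PRACTICE_IDS if pid not in covered]
    return BinderReport(covered, missing, stale, malformed)


if __name__ == "__main__":
    report = check_binder(SAMPLE_BINDER, as_of=date(2025, 12, 20))
    print(f"covered {len(report.covered)}/{len(ALL_PRACTICE_IDS)} practices")
    print("missing:", report.missing)
    print("stale:", [e.filename for e in report.stale])
    print("malformed:", report.malformed)
```

Point it at `os.listdir()` of the binder folder instead of the sample list and run it before the SPRS submission and at each quarterly check. A non-empty `missing` list is exactly the set of practices you cannot yet affirm; `stale` tells you which screenshots to retake this cycle.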

Submit in SPRS and set an annual reminder so I don’t lapse

SPRS setup can be the most annoying part, not because it’s hard, but because the access and identity steps take time. SPRS access is provisioned through the Procurement Integrated Enterprise Environment (PIEE), so the account and role approvals happen there, and the person who will affirm needs their own access. I make sure I plan for:

  • Account setup and approvals
  • The right person having authority to affirm
  • Enough time to resolve login issues

For a practical walkthrough of self-assessment reporting, I’ve seen teams benefit from guides like Totem’s CMMC Level 1 self-assessment reporting overview, mainly because it calls out common friction points.

After submission, I set renewal habits so compliance doesn’t drift:

  • Calendar reminders at 90, 30, and 7 days before the annual due date
  • A quarterly mini-check (MFA still enforced, patching still healthy, accounts still clean)

Common Level 1 mistakes that can cost a DoD contract

Level 1 is not meant to be a trap, but the contract impact is real. These are the mistakes I see most, and how I prevent them.

Mixing Level 1 and Level 2 requirements and doing extra work

Teams lose weeks trying to build Level 2 style workflows when they only touch FCI. They write long policies, add complex ticketing steps, and buy tools they don’t need.

My rule is simple: if there is no CUI, I stay in Level 1 scope and I document why. If CUI might exist, I confirm it with the prime or contract language before building anything bigger.

Relying on “we do that” without proof

Self-assessment doesn’t mean “trust me.” It means you attest, and you can back it up.

Quick evidence swaps I use for small businesses:

  • A monthly patch screenshot plus a short note beats a long patch policy nobody follows
  • A visitor log and locked closet photo beats a complex physical security plan
  • An exported user list and MFA screenshot beats a verbal promise that “everyone uses MFA”

If it’s not written down or captured, it’s fragile.

Conclusion

CMMC Level 1 is very doable for small businesses when I keep scope tight, cover the 17 practices, and save proof while I work. The companies that struggle usually don’t fail on tech, they fail on focus and records.

If you want help from RVA Tech Visions, I offer a Level 1 readiness check that starts with FCI scoping, then moves into a clean punch list, an evidence binder, and a clear SPRS submission plan. If you’re trying to stay eligible for DoD work in 2026, don’t wait for a contract to force the rush.

