CMMC Level 1 Self-Assessment Guide: How to Complete the 17 Security Controls

How to Complete a CMMC Level 1 Self-Assessment
Organizations that work with the Department of Defense must meet cybersecurity requirements to protect sensitive information. One of the first steps in this process is implementing the controls required for the Cybersecurity Maturity Model Certification Level 1.
CMMC Level 1 focuses on basic cybersecurity practices that protect Federal Contract Information. Unlike higher certification levels, organizations can complete a self-assessment to verify that the required security controls are implemented.
This guide explains the requirements for Level 1 and how businesses can perform a practical self-audit.
What is CMMC Level 1
CMMC Level 1 is designed to establish basic cyber hygiene within organizations that work with Department of Defense contractors. The framework requires companies to implement 17 fundamental security practices.
These controls align closely with the security principles described in NIST SP 800-171 and focus on protecting systems that handle Federal Contract Information.
The goal is to ensure that only authorized users can access systems and that those systems are protected from common cyber threats.
Who Needs CMMC Level 1
Businesses that handle Federal Contract Information for Department of Defense contracts must implement Level 1 security practices.
This typically includes:
- IT service providers
- engineering firms
- consulting companies
- manufacturers in the defense supply chain
Even small organizations with limited infrastructure may be required to demonstrate basic cybersecurity protections.
The 17 Security Practices Required for Level 1
The Level 1 controls fall into several categories that address different aspects of security.
Access Control
Access control ensures that only authorized users can access systems and information.
Examples include:
- assigning unique user accounts
- limiting administrative privileges
- restricting access to sensitive systems
Identification and Authentication
Each user must be uniquely identified before accessing systems.
Organizations should implement strong password policies and multi-factor authentication whenever possible.
Media Protection
Organizations must control how sensitive data is stored or transferred using removable media.
Examples include:
- restricting USB drives
- encrypting portable storage
- controlling data transfers outside the organization
Physical Protection
Systems that store Federal Contract Information must be physically protected.
Typical measures include:
- locking server rooms
- restricting building access
- securing workstations in office environments
System and Communications Protection
Network communications must be protected against unauthorized access.
This typically includes:
- firewalls
- secure remote access
- network monitoring
System Integrity
Organizations must protect systems from malware and maintain system integrity.
Examples include:
- installing endpoint protection
- applying operating system updates
- maintaining patch management processes
How to Perform a CMMC Level 1 Self-Assessment
A self-assessment begins by identifying the systems that store or process Federal Contract Information. This may include employee devices, email platforms, cloud storage, and internal servers.
Next, review how users access these systems and verify that access is limited to authorized personnel.
Organizations should also confirm that endpoint security tools are installed and that systems receive regular security updates.
Finally, document security policies that explain how access control, password management, and system protection are implemented.
Download the CMMC Level 1 Self-Assessment Checklist
To simplify the self-audit process, you can use a checklist to verify that all required practices are implemented.
The checklist provides a quick reference for reviewing access controls, system protection measures, and compliance requirements.
Common Issues Found During Self-Assessments
Many organizations discover simple gaps during their first self-audit.
Common issues include:
- shared administrator accounts
- weak password policies
- missing security documentation
- outdated operating systems
Addressing these issues often resolves most Level 1 compliance gaps.
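The self-assessment steps above and the common issues just listed can be checked mechanically once the in-scope inventory is recorded. The following is an added example, not code from the article or from any CMMC tool: it evaluates a constructed system inventory against three of the practice areas the article names (Access Control, Identification and Authentication, System Integrity) and flags shared administrator accounts, weak password settings, missing endpoint protection and unsupported operating systems. The minimum password length and the MFA requirement are assumed organizational policy values, not numbers from CMMC.

```python
# Added example: assess a constructed inventory against CMMC Level 1 practice areas.
from dataclasses import dataclass, field
from datetime import date

MIN_PASSWORD_LENGTH = 12           # assumed organizational policy, not a CMMC figure
ASSESSMENT_DATE = date(2025, 6, 1)  # constructed "today" for the OS support check

@dataclass
class System:
    name: str
    handles_fci: bool          # only systems storing or processing FCI are in scope
    os_support_end: date       # vendor end-of-support date (constructed values below)
    endpoint_protection: bool
    min_password_length: int
    mfa_enabled: bool
    # admin account name -> people who know its credentials
    admin_accounts: dict[str, list[str]] = field(default_factory=dict)

def assess(system: System, today: date) -> list[tuple[str, str]]:
    """Return (practice area, finding) pairs; an empty list means no gap found."""
    if not system.handles_fci:
        return []  # out of scope: no Federal Contract Information here
    findings = []
    for account, people in system.admin_accounts.items():
        if len(people) > 1:  # one credential used by several people is not unique
            findings.append(("Access Control",
                             f"shared administrator account '{account}' used by {len(people)} people"))
    if system.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(("Identification and Authentication",
                         f"minimum password length {system.min_password_length} is below policy"))
    if not system.mfa_enabled:
        findings.append(("Identification and Authentication", "multi-factor authentication not enabled"))
    if not system.endpoint_protection:
        findings.append(("System Integrity", "no endpoint protection installed"))
    if system.os_support_end < today:
        findings.append(("System Integrity", f"operating system unsupported since {system.os_support_end}"))
    return findings

def assess_inventory(systems: list[System], today: date) -> dict[str, list[tuple[str, str]]]:
    """Map each in-scope system name to its findings; out-of-scope systems are omitted."""
    return {s.name: assess(s, today) for s in systems if s.handles_fci}

# Constructed inventory: one server with several gaps, one clean laptop, one out-of-scope site.
INVENTORY = [
    System("fileserver01", True, date(2023, 10, 10), True, 8, False,
           {"Administrator": ["alice", "bob"], "svc_backup": ["alice"]}),
    System("laptop-eng-07", True, date(2029, 1, 1), True, 14, True, {"local_admin": ["carol"]}),
    System("marketing-site", False, date(2020, 1, 1), False, 6, False),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(INVENTORY, ASSESSMENT_DATE).items():
        print(name, "no findings" if not gaps else "")
        for area, text in gaps:
            print(f"  [{area}] {text}")
```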
Final Thoughts
Completing a CMMC Level 1 self-assessment helps organizations establish basic cybersecurity protections and prepares them for future compliance requirements.
By implementing strong access controls, maintaining system security, and documenting policies, businesses can successfully meet Level 1 requirements and strengthen their overall security posture.