If your organisation handles Federal Contract Information (FCI) for the U.S. Department of Defense, CMMC Level 1 compliance is no longer optional. The Cybersecurity Maturity Model Certification program is rolling out, and contractors must demonstrate compliance to maintain eligibility for DoD contracts.
Level 1 is the entry point — 17 practices focused on basic cyber hygiene. No third-party assessment is required for Level 1, but you must conduct an annual self-assessment and submit the results to the Supplier Performance Risk System (SPRS).
Here’s what you actually need to document.
The 17 CMMC Level 1 Practices
CMMC Level 1 practices come from FAR 52.204-21 and align with selected NIST SP 800-171 controls. They’re organised across six domains:
Access Control (AC) — 4 Practices
AC.L1-3.1.1 — Limit system access to authorised users, processes acting on behalf of authorised users, and devices.
AC.L1-3.1.2 — Limit system access to the types of transactions and functions that authorised users are permitted to execute.
AC.L1-3.1.20 — Verify and control/limit connections to and use of external systems.
AC.L1-3.1.22 — Control information posted or processed on publicly accessible systems.
Documentation needed: Access Control Policy, User Access Request Form, External Connection Agreements, Public Information Review Procedures.
Identification and Authentication (IA) — 2 Practices
IA.L1-3.5.1 — Identify system users, processes acting on behalf of users, and devices.
IA.L1-3.5.2 — Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access.
Documentation needed: Identification and Authentication Policy, Password Standard, Account Management Procedures.
Media Protection (MP) — 1 Practice
MP.L1-3.8.3 — Sanitise or destroy system media containing FCI before disposal or release for reuse.
Documentation needed: Media Sanitisation Policy, Media Disposal Procedures, Sanitisation Log Template.
Physical Protection (PE) — 4 Practices
PE.L1-3.10.1 — Limit physical access to organisational systems, equipment, and the respective operating environments to authorised individuals.
PE.L1-3.10.3 — Escort visitors and monitor visitor activity.
PE.L1-3.10.4 — Maintain audit logs of physical access.
PE.L1-3.10.5 — Control and manage physical access devices.
Documentation needed: Physical Security Policy, Visitor Management Procedures, Physical Access Log, Key/Badge Control Procedures.
System and Communications Protection (SC) — 2 Practices
SC.L1-3.13.1 — Monitor, control, and protect communications at the external boundaries and key internal boundaries of organisational systems.
SC.L1-3.13.5 — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Documentation needed: Network Security Policy, Boundary Protection Standard, Network Architecture Documentation.
System and Information Integrity (SI) — 4 Practices
SI.L1-3.14.1 — Identify, report, and correct system flaws in a timely manner.
SI.L1-3.14.2 — Provide protection from malicious code at appropriate locations within organisational systems.
SI.L1-3.14.4 — Update malicious code protection mechanisms when new releases are available.
SI.L1-3.14.5 — Perform periodic scans of organisational systems and real-time scans of files from external sources.
Documentation needed: Vulnerability Management Policy, Patch Management Procedures, Anti-Malware Standard, Scanning Procedures.
Self-Assessment Requirements
CMMC Level 1 requires an annual self-assessment against all 17 practices. You must:
- Evaluate each practice as Met, Not Met, or Not Applicable
- Document your assessment methodology
- Maintain evidence of compliance for each practice
- Calculate your SPRS score (110 points maximum for Level 1)
- Submit results to SPRS and maintain POA&Ms for any gaps
The self-assessment isn’t a casual exercise. You need documented evidence for every practice you claim as “Met.” Auditors conducting Level 2 assessments (if you advance) will review your Level 1 documentation as baseline evidence.
Common Compliance Gaps
Missing formal policies. Having technical controls without documented policies fails the practice. You need written, approved policies that employees can reference.
No evidence of implementation. A policy document alone doesn’t demonstrate compliance. You need logs, screenshots, configuration exports, or other evidence showing the control operates.
Incomplete scope definition. Which systems process FCI? If you can’t answer this precisely, you can’t demonstrate that controls apply to the right systems.
Overlooking physical security. Four of 17 practices address physical protection. Organisations focused on technical controls often neglect visitor logs, physical access controls, and badge management documentation.
Ignoring media sanitisation. The single media protection practice requires documented procedures for sanitising or destroying media containing FCI. This includes hard drives, USB devices, and paper documents.
Building Your Documentation Package
A complete CMMC Level 1 documentation package includes:
System Security Plan (SSP) — Describes your system boundaries, implemented controls, and security posture. Required for SPRS submission.
Policies — Written policies covering all six domains. Each policy needs an owner, approval date, and review cycle.
Procedures — Step-by-step operational procedures for implementing policy requirements. Who does what, when, and how.
Standards — Technical specifications like password requirements, encryption standards, and configuration baselines.
Forms and Templates — User access request forms, visitor logs, media sanitisation records, incident report forms.
Evidence Repository — Organised collection of compliance evidence including configuration exports, log samples, training records, and assessment results.
Timeline for Compliance
If you’re starting from scratch:
Weeks 1-2: Scope definition and gap assessment. Identify all systems handling FCI and assess their current state against the 17 practices.
Weeks 3-4: Policy development. Create or update policies for all six domains.
Weeks 5-6: Procedure and standard development. Document operational procedures and technical standards.
Weeks 7-8: Implementation and evidence collection. Implement missing controls and gather compliance evidence.
Weeks 9-10: Self-assessment and SPRS submission. Conduct formal self-assessment and submit results.
For organisations that need to compress this timeline, pre-built documentation packages aligned to CMMC Level 1 can reduce the policy and procedure development phase from weeks to days.
Ridgeline Cyber Defence provides a CMMC Level 1 Compliance Toolkit with 39 documents covering all 17 practices across the 6 domains. It includes an SSP template, a self-assessment workbook, and evidence collection guidance.