CMMC Level 1 Compliance Toolkit
Complete documentation for all 17 CMMC Level 1 practices across 6 domains.
CMMC Level 1 Compliance Toolkit
No CMMC Level 1, no DoD contract. The clock is running.
Starting in 2025, DoD contracts containing Federal Contract Information (FCI) require CMMC Level 1 compliance. 17 security practices across 6 domains. Each practice requires a written policy, defined procedures, and evidence of implementation. Assessors don’t accept verbal assurances — they expect written, traceable documentation.
This toolkit gives you 39 documents covering every practice, every domain, with full traceability to NIST SP 800-171 Rev. 2. Pass your self-assessment with documentation that’s ready, not rushed.
What’s inside
Policies and governance
Board-level policies covering all 6 CMMC Level 1 domains.
6 Domain Policies
Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity — each covering all practices in the domain.
The governance foundation assessors evaluate firstSystem Security Plan
Complete SSP template structured for CMMC Level 1 with system boundaries, control descriptions, and implementation status per practice.
The single most important assessment documentProcedures and implementation
Operational procedures and evidence trackers for all 17 practices.
Operational Procedures
Step-by-step procedures for each practice — access provisioning, authentication, media handling, physical access, system protection, and integrity monitoring.
Documented proof that practices are implemented, not just plannedEvidence Workbooks
Excel workbooks mapping evidence to specific practices with collection status, owner assignment, and gap identification.
Know exactly what evidence you have and what's missingAssessment preparation
Self-assessment tools and readiness documentation.
Self-Assessment Workbook
All 17 practices scored with MET/NOT MET status, evidence references, remediation tracking, and overall readiness score.
Practice your assessment before the real onePOA&M Template
Plan of Action and Milestones for any gaps identified — remediation steps, responsible parties, target dates, and status tracking.
Demonstrates commitment to closing gaps on a timelineNIST 800-171 Crosswalk
Full traceability from CMMC Level 1 practices to NIST SP 800-171 Rev. 2 controls, showing exactly which requirements each document satisfies.
Audit trail from practice to policy to evidenceWhat these documents actually look like
Every document traces to specific CMMC practices and NIST 800-171 controls. Excel workbooks include dropdown validation, conditional formatting, and auto-calculated readiness scores. Word documents contain complete content with defence contractor-specific parameters.
All 17 practices. All 6 domains. Assessment-ready documentation.
Policies · Procedures · SSP · POA&M · Evidence · Self-Assessment
When someone asks, here’s what happens
DoD contract requires CMMC Level 1
You have the SSP, all 6 domain policies, procedures for every practice, and evidence workbooks mapping artefacts to requirements. Self-assessment ready — not starting from scratch.
Prime contractor asks about your compliance status
You share the Self-Assessment Workbook with MET/NOT MET status for all 17 practices. Gaps have a POA&M with target dates. Demonstrates seriousness, not hand-waving.
Ready to move to CMMC Level 2
The Level 1 documentation provides the foundation. The CMMC Level 2 Suite extends it to all 110 NIST SP 800-171 controls with C3PAO assessment documentation.
The cost comparison
Who this is for
✓ Right fit
Defence contractors and subcontractors handling Federal Contract Information (FCI) who need CMMC Level 1 self-assessment documentation. Small defence contractors who need to demonstrate compliance quickly without a dedicated GRC team.
✗ Not the right fit
Contractors handling CUI — you need CMMC Level 2 with C3PAO assessment documentation. Organisations outside the defence industrial base — NIST CSF or ISO 27001 documentation is more appropriate.
Common questions
What's the difference between Level 1 and Level 2?
Level 1 covers 17 practices for FCI handling with annual self-assessment. Level 2 covers 110 controls from NIST SP 800-171 for CUI handling and requires C3PAO assessment. If you handle CUI, you need the Level 2 Suite.
Is self-assessment sufficient for Level 1?
Yes. CMMC Level 1 requires annual self-assessment, not third-party certification. This toolkit provides the Self-Assessment Workbook and supporting documentation to conduct and evidence your assessment.
What file formats are included?
Policies and procedures are Word (.docx). Workbooks and trackers are Excel (.xlsx). All compatible with Microsoft 365, Google Workspace, and LibreOffice.
Do I get updates if the product is improved?
Yes. If we update this product within 12 months of your purchase — framework changes, new templates, content improvements — you receive the updated files automatically at no additional cost. After 12 months, you keep everything you have permanently. Future updates are available at a renewal discount.
Is AI used in creating these documents?
Ridgeline uses AI tools in the research and drafting process. All documentation is written, reviewed, and validated by a security practitioner to ensure it is operationally sound and aligned with current frameworks.
What if we need help customising it?
Our Implementation Services team will customise the documentation for your environment. Toolkit tier is $2,997, delivered in 1–2 weeks.
How does this compare?
| Capability | Free templates | CMMC Level 1 Compliance Toolkit | GRC platform ($15K+/yr) |
|---|---|---|---|
| Framework-aligned documentation | Some | ✓ Full coverage | ✓ |
| Editable Word/Excel files | ✓ | ✓ | ✗ Locked in platform |
| Interactive browser app | ✗ | ✗ | ✓ |
| One-time cost | ✓ Free | ✓ $697 | ✗ Annual subscription |
| Implementation time | Weeks | ✓ Hours | Months |
| Audit-ready formatting | ✗ Inconsistent | ✓ Professional | ✓ |
Get notified about updates to this toolkit
Get notified when we launch new toolkits
Product launches only · No spam · Unsubscribe anytime
Implementation Services
Need this customised to your organisation?
We'll customise any product to your organisation and deliver in 1–2 weeks. Fixed price, fully async. You review it, your team runs it.
Foundation $1,997 · Toolkit $2,997 · Suite $5,997 · Program $8,997