CMMC Level 1 Certification and Preparation


CMMC Level 1

Ongoing cyberattacks target the Defense Industrial Base (DIB). They also focus on the Department of Defense’s (DOD) supply chain. Over 300,000 businesses support the DIB and DOD.

This impacts acquisition, research, development, engineering, and production. It also affects the DOD’s operations, networks, delivery, sustainment, capabilities, and services. These contractors must protect Federal Contract Information (FIC) and Controlled Unclassified Information (CUI).

Based on your security involvement, you must meet Cybersecurity Maturity Model Certification (CMMC) levels. CMMC Level 1 describes basic cyber hygiene. The following offers a guide to preparing for the CMMC Level 1 certification.

CMMC Level 1 Controls

The CMMC contains 17 control domains. The strictness varies based on the data's sensitivity. For Level 1, there are six required controls.

These include:

  • Access Control
  • Identification and Authentication
  • Media Protection
  • Physical Protection
  • System and Communications Protection
  • System and Information Integrity

The requirements describe the actions needed to address these controls.

Updated CMMC Compliance Requirements

The NIST Special Publication 800-171, Revision 2 outlines the CMMC standards. The purpose is to protect all CUI held by nonfederal businesses. This data management can affect the Federal Government’s business operations and mission success.

The DoD uses the CMMC to measure contractor’s security compliance. In January 2020, the DOD released new CMMC standards. All applicable contracts must meet these requirements by 2026.

Beginning in 2021, the government only awards contracts to businesses that meet CMMC standards. The contract defines which of the five CMMC levels are required.

Contractors may no longer self-report compliance. Audits are now performed by certified third-party assessment organizations (C3PAO). It’s key to create and institute your CMMC plan now to prepare for the C3PAO audit.

Overview of CMMC level 1: Basic Cyber Hygiene

The emphasis of CMMC certification focuses on performing security measures. Beyond just completing the paperwork, auditors look for evidence of actions that enhance security.


For example, they will look at physical computer location and how you control access. Do users have strong passwords and change them regularly?

Are computers located in locked rooms with controlled access? Have you implemented measures to prevent unauthorized “over-the-shoulder” screen peeking?


You will need to keep inventories of computers and authorized personnel. Outline your procedure for reviewing content prior to public release. At Level 1, there aren’t a lot of requirements for policies or process improvement documents.

CMMC Level 1 Requirements

To ensure you’re meeting the CMMC Level 1 standards, it’s often best to work with an expert. They can help you institute the following requirements.

Limit System Access to Authorized Users

Create individual accounts for each authorized staff member.

Ensure they use strong passwords and change them throughout the year.

Grant privileges based on job responsibilities. Also, establish a system to trace all activity.

Screen all devices before they connect to your network, email, or other systems.

Create a list of the devices and who owns them.

Never continue using default passwords. 

When leaving devices or work areas, disable passwords and lock physical access points. All computers should lock after 10 to 20 minutes of inactivity.

Prevent employees from connecting to cloud solutions from unsecured personal devices.

Ensure that all third-party IT managed service providers meet CMMC Level 1 standards.

Restrict Who Is an Authorized User

Only IT personnel should have admin rights. Set up permissions to control staff access to software and file sharing. This protects sensitive federal contract data.

Control Connectivity with External Information Systems

Isolate business computers and networks from business partner systems or home networks. Use an independent router and company computers when conducting Federal contract tasks. These tasks should never take place on an unsecured personal device.

Have an IT expert set up antivirus software and firewalls. They will also install updates, patches, and run routine scans to enhance cybersecurity.

Set up multi-factor authentication (MFA) to protect access. 

Never allow shared Wi-Fi networks as this can create an opening for hackers.

Control Public Access or Sharing of Federal Contract Data

Any platform that doesn’t require a password should never be used. When using cloud storage platforms, disable “anonymous access” and set up a strong password. Never share cloud documents with unauthorized individuals.

Ensure staff members don’t post sensitive information on public media or websites.

Develop a procedure to review all content prior to placing it on your website.

Sanitize or Destroy Federal Contract Information Before Disposal or Reuse

Have IT professionals sanitize sensitive data before decommissioning or transferring systems. This includes thumb drives, writeable CDs, computers, and mobile devices.

Methods for destroying materials include:

  • Encrypt the drive using a 16-plus character key
  • Manually crushing the data module with a hammer
  • Overwrite the data several times with a program for this purpose
  • Shred CDs and documents

There are IT forensic measures that can retrieve sensitive data that was “deleted”. This is why it’s vital to sanitize and destroy these items as described.

Limit Physical Access by Unauthorized Individuals

Computers used for Federal Contract work should be in controlled access areas. Users must use keys or other authenticators to enter the area and log in. Never discuss security procedures with staff that doesn’t "need to know."

Connect internal networking within the controlled area. Lock the area anytime it’s unattended. Escort all visitors and unauthorized staff when inside controlled access areas.

Have authorized users and visitors sign in and out and maintain these logs.

Security cameras offer another level of security if you can fit them into your business budget.

Maintain Security with Staffing Changes

If an employee leaves or changes roles retrieve all keys in their possession. Change the locks on doors and windows and institute new logins and access codes.

CMMC Level 1 Preparation

Federal government contractors need to implement the correct CMMC Level. This includes specific controls and requirements.

First, determine which CMMC Level addresses how you handle CUI. This includes unclassified data in your system that’s confidential or sensitive. Even with a FedRAMP or FISMA certification, you may still have CUI subject to CMMC.

All defense contractors handling CUI must pass a C3PAO audit by 2026. Begin implementing the CMMC standards while waiting to be CMMC Level 1 Certified. This includes ensuring that your subcontractors are compliant as well.

Are You Searching for the Best IT Solution Services?

To compete for Federal contracts, companies must now become CMMC certified. This article described the preparation for CMMC level 1. Bridgehead I.T. offers cloud migration solutions and custom application development.

Contact us today about a security risk assessment for your business.

[email protected]

(210) 477-7900

DID YOU KNOW?

To compete for Federal contracts, companies must now become CMMC certified. 

Bridgehead IT is a CMMC Registered Provider Organization (RPO).

We have expertise in CMMC Compliance and a full range of Cyber Security and Compliance Solutions.