CMMC Level 1 for Small Businesses: Where to Actually Start
For a lot of small businesses, CMMC stops being an abstraction the day a prime contractor sends a notice, or a clause shows up in a contract, and suddenly cybersecurity compliance is your problem too. If you've just had that moment, here's where to actually start — without panic, and without handing five figures to a consultant.
CMMC is a real contract requirement now, not a someday concern. The good news is that for most small businesses, the level that applies is the most achievable one, and the path through it is short and concrete. Here it is, step by step.
Step 1: Figure out if you're in scope
CMMC applies if your business handles government contract information. The trigger is Federal Contract Information (FCI) — information provided by or generated for the government under a contract that isn't meant for public release. Contract numbers, delivery schedules, order details, the working paperwork of the job.
If your work touches that kind of information — directly with the DoD or as a subcontractor to someone who does — you're in scope and you'll need to act. If you genuinely never touch any government contract information, you may not be. Most businesses that ask the question are in scope.
Step 2: Figure out your level
There are two levels that matter for small businesses, and the difference is the kind of information you handle:
- Handle FCI only → Level 1
- Handle Controlled Unclassified Information (CUI) → Level 2
Most small contractors are Level 1. Level 2 is a heavier requirement reserved for more sensitive information. Getting this right early matters, because it determines everything that follows — so if you're unsure which side you're on, settle that before you do anything else.
The rest of this is about Level 1.
Step 3: Understand what Level 1 really is
Level 1 is built on 15 basic safeguarding practices — the kind of things most businesses already do in some form: use passwords, run antivirus, control who has access, dispose of old equipment carefully.
The part that catches people off guard is how it's handled:
- You assess your own systems against the 15 requirements.
- A senior official in your company affirms the results are accurate.
- You submit them to a government system called SPRS.
- You repeat it once a year.
There's no third-party auditor for Level 1. But the standard is real — every requirement has to be genuinely met, and a senior person is putting their name to it. It's achievable, not optional.
Step 4: Map where your information lives
Before you fix anything, find out where FCI actually sits in your business — which computers, which email, which cloud accounts, which people touch it. This is the most useful hour you'll spend, because the smaller you can keep that footprint, the less you have to secure. Information scattered across every system means securing everything; information kept to a defined set of systems means a much shorter list.
Step 5: Work the requirements and write it down
Here's the encouraging part: most Level 1 gaps aren't technology problems, they're documentation problems. You likely already have antivirus, passwords, and basic access control. What's usually missing is having turned a few settings on, closed a couple of small gaps, and — most often — written down what you do.
So work through the 15 requirements one at a time, fix the small things, and document each one. That record is what stands behind your self-assessment.
What you don't need
For Level 1, you do not need a consultant, you do not need special compliance software, and you do not need a government-cloud version of your everyday tools. The commercial email, file storage, and antivirus you already use can meet Level 1 when they're configured and documented correctly. Spending on those things is solving a problem Level 1 doesn't give you.
Don't wait for a deadline scramble
CMMC requirements are now appearing in DoD solicitations and contracts, and readiness increasingly affects whether you're even eligible to bid. The contractors who struggle are the ones who wait until an award is on the line and then try to do everything at once. Starting early — even just mapping your scope and working a few requirements — turns a fire drill into a manageable to-do list.
The bottom line
If you're a small business that handles FCI, Level 1 is within reach using the tools and people you already have. Confirm you're in scope, confirm your level, map where your information lives, work the 15 requirements honestly, and document it. No consultant required.
All of that is far simpler when the requirements are laid out plainly, one question at a time.
See exactly where you stand on CMMC Level 1.
CMMCheck walks you through every Level 1 requirement as plain-English yes / no / not-sure questions — no consultant, no jargon — and hands you a clear report showing what's done and what's left.
→ Start your Level 1 self-assessment at cmmcheck.com