Plain English CMMC Level 1 Guide
If you've tried reading the official CMMC documentation, you've probably felt your eyes glaze over within minutes. Terms like "system security plans," "assessment objectives," and "organizational systems" pile up fast. For small business owners and managers without IT backgrounds, it can feel like the whole framework was designed to be confusing.
Here's the truth: the concepts behind CMMC Level 1 aren't complicated. The government just explains them in government-speak.
This guide translates everything into plain English. No assumed technical knowledge. No jargon without explanation. Just straightforward information about what CMMC Level 1 actually requires and how to prove you're doing it.
This guide is specifically for small business owners and managers who work with the Department of Defense—machine shops, engineering firms, logistics companies, professional services providers—and need to understand CMMC without hiring an expensive consultant or becoming a cybersecurity expert. If you can run a business, you can understand this. The requirements themselves are mostly common sense. The challenge is cutting through the bureaucratic language to see that.
Let's get started.
What Is CMMC and Why Should You Care?
CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's system for making sure the businesses it works with are properly protecting sensitive information.
Think of it like a food safety certification for restaurants, but for data. Restaurants need to prove they handle food safely before they can serve customers. Now, DoD contractors need to prove they handle information safely before they can work on contracts.
Before CMMC existed, contractors simply had to promise they were following cybersecurity rules. They'd check a box saying they complied, and that was that. The problem? Many contractors weren't actually doing what they claimed. Sensitive defense information was leaking through weak security practices at small businesses throughout the supply chain.
CMMC changes this. Instead of just promising compliance, you now have to demonstrate it.
Here's the part that matters for your business: without CMMC certification at the appropriate level, you won't be able to bid on new DoD contracts—and you may lose the ones you have. This isn't a someday-maybe requirement. It's being written into contracts now.
CMMC has three levels. Level 1 is the foundation, designed for businesses that handle Federal Contract Information, or FCI. FCI is any non-public information related to your government contracts. This includes things like contract documents, pricing information, delivery schedules, technical specifications, and emails about contract work.
If the government gave it to you or you created it for a government contract, and it's not meant for public release, it's probably FCI.
Level 1 requires 15 basic security practices. It's meant to be achievable for small businesses without massive IT budgets or dedicated security teams. The DoD designed it this way intentionally—they need small businesses in the defense supply chain, and they know most of them aren't cybersecurity experts.
Do You Need Level 1 or Level 2?
This is one of the most common questions, and getting it right matters. The difference affects your costs, timeline, and how much work you'll need to do.
Level 1 applies if you handle Federal Contract Information (FCI). This is the baseline for any DoD contractor. FCI includes:
- Contract documents and modifications
- Pricing and cost information
- Delivery schedules
- Technical specifications and drawings
- Emails and correspondence about contract work
- Proposals and quotes for government work
If your DoD work involves any non-public information—which it almost certainly does—you're handling FCI and need at least Level 1.
Level 2 applies if you handle Controlled Unclassified Information (CUI). CUI is more sensitive than FCI and is specifically marked. You'll see labels like "CUI," "Controlled," or specific category markings on documents, drawings, or data files.
Here's a simple test: Have you ever received a document marked "CUI" from the government or a prime contractor? If the answer is no, you're probably Level 1. If you're unsure, look through the technical documents and data you've received for your contracts. CUI is supposed to be marked, so if you're not seeing markings, you're likely not handling CUI. Two caveats: markings are not always applied correctly in practice, and the contract itself is the stronger signal. If your contract carries DFARS 252.204-7012 (safeguarding covered defense information), the government expects you to handle CUI whether or not the documents you've seen so far were marked.
According to DoD estimates, roughly 63% of the Defense Industrial Base falls into Level 1. Most small subcontractors, suppliers, and service providers are in this category. Level 2 is more common among prime contractors and businesses doing design, engineering, or manufacturing work with marked technical data.
The practical differences are significant:
Level 1:
- 15 security requirements
- Self-assessment (you evaluate yourself)
- Annual affirmation
- No third-party audit required
- Lower cost to achieve and maintain
Level 2:
- 110 security requirements
- Third-party assessment required for most contracts
- Significant documentation requirements
- Higher cost (assessments can run $50,000+)
- More complex technical controls
If you're not sure which level applies to your contracts, check your contract documents for the relevant clauses. FAR 52.204-21 (basic safeguarding) signals FCI, DFARS 252.204-7012 signals CUI, and DFARS 252.204-7021 is the CMMC clause that states the level required for that contract. You can also ask your contracting officer or the prime contractor you're working under. Getting this wrong in either direction is a problem: claiming Level 2 when you only need Level 1 wastes money, while claiming Level 1 when you need Level 2 puts your contracts at risk.
The 15 Controls in Plain English
CMMC Level 1 has 15 security requirements. They come from FAR clause 52.204-21, the basic safeguarding rule that has been in most federal contracts for years, and each one maps to a control in a federal standard called NIST SP 800-171. That mapping is where the official identifiers (like AC.L1-3.1.1) that you'll see in government documents come from. Here's what each one actually means.
Access Control (4 requirements)
AC.L1-3.1.1 – Authorized Access Control: Only authorized people can access your systems.
This means you know who is allowed to use your computers, network, and business systems, and you prevent everyone else from accessing them. Each person has their own login. You don't have random devices connecting to your network. When someone leaves the company, their access is removed.
AC.L1-3.1.2 – Transaction and Function Control: Limit what each person can do based on their job.
Not everyone needs access to everything. Your receptionist doesn't need access to engineering files. Your shop floor workers don't need administrative access to your accounting system. This requirement means people can only do the things their job requires—nothing more.
AC.L1-3.1.20 – External Connections: Control connections to external systems.
When your systems connect to the internet, outside networks, or systems you don't own, those connections need to be managed. "External systems" includes more than the internet: a cloud file-sharing service, an employee's personal laptop or phone, and a subcontractor's network all count. This typically means having a firewall, knowing what connections and outside services your business uses, and not allowing unauthorized ones.
AC.L1-3.1.22 – Control Public Information: Control information posted publicly.
Before anything related to your contracts gets posted publicly—on your website, social media, or anywhere else—someone should verify it's appropriate to share. Contract information shouldn't end up on your public-facing systems without review.
Identification and Authentication (2 requirements)
IA.L1-3.5.1 – Identification: Know who's using your systems.
Every person using your systems should be uniquely identified. This usually means individual user accounts—no generic "shop floor" logins or shared accounts. If something happens, you need to be able to tell who did it.
IA.L1-3.5.2 – Authentication: Verify people are who they say they are.
This is about passwords and other ways of proving identity. Users need passwords (or other authentication methods) to access systems. Passwords should be reasonably strong. Default passwords on equipment should be changed. You're confirming that the person logging in is actually the person they claim to be.
Media Protection (1 requirement)
MP.L1-3.8.3 – Media Disposal: Dispose of contract information properly.
When you're done with hard drives, USB drives, printed documents, or any other media containing FCI, you can't just throw it in the trash. Hard drives need to be wiped or destroyed. Documents need to be shredded. The same applies before media is reused or leaves your control for another reason: a laptop handed to a new employee, a returned leased copier with a hard drive inside, or a PC sold or donated. You need a way to make sure contract information doesn't walk out the door in your garbage or on a recycled device.
Physical Protection (4 requirements)
PE.L1-3.10.1 – Limit Physical Access: Limit physical access to your systems.
The computers, servers, and networking equipment that touch FCI should be in areas where you control who can physically reach them. Not everyone should be able to walk up to your server or plug into your network. This might mean locked rooms, restricted areas, or simply keeping equipment in spaces where only employees can go.
PE.L1-3.10.3 – Visitor Access: Escort visitors and control their access.
When people who don't work for you are in your facility—vendors, customers, repair technicians—you need to manage their access. They should be escorted in areas where they could access your systems. They shouldn't be left alone in your server room or allowed to wander freely through areas with computers containing contract information.
PE.L1-3.10.4 – Physical Access Logs: Keep logs of physical access.
You should have some record of who accessed areas where your systems are located. This might be a sign-in sheet, badge access logs, or security camera footage. If there's ever a question about who was in a sensitive area, you need to be able to find out.
PE.L1-3.10.5 – Manage Physical Access Devices: Manage keys, badges, and other access devices.
If you use keys, access cards, or codes to control physical access, those need to be managed. You should know who has keys or badges. When someone leaves, their access devices should be collected or deactivated. Codes should be changed when people with access leave.
System and Communications Protection (2 requirements)
SC.L1-3.13.1 – Boundary Protection: Monitor communications at system boundaries.
Where your network meets the outside world, you should be monitoring and controlling traffic. This is typically accomplished with a firewall that's properly configured and actively managed. You're watching the doors to your digital building.
SC.L1-3.13.5 – Public-Access System Separation: Separate public-facing systems from internal systems.
If you have systems that the public can access—like a web server for your company website—those should be separated from the internal systems where you handle contract information. A visitor to your website shouldn't be able to reach your internal file servers or email.
System and Information Integrity (4 requirements)
SI.L1-3.14.1 – Flaw Remediation: Fix system flaws on time.
When security problems are discovered in the software you use (and they're discovered constantly), you need to apply the fixes. This means keeping your operating systems, applications, and other software updated. Patches and updates should be applied in a timely manner, not ignored for months or years.
SI.L1-3.14.2 – Malicious Code Protection: Protect against malicious code.
You need protection against viruses, ransomware, and other malware. This typically means antivirus software on your computers. The protection should be active, not something that was installed once and forgotten.
SI.L1-3.14.4 – Update Malicious Code Protection: Keep your malware protection updated.
Antivirus software needs regular updates to recognize new threats. Last month's virus definitions won't catch this month's malware. Your protection should be updating automatically and regularly.
SI.L1-3.14.5 – System and File Scanning: Scan your systems regularly.
Beyond just running in the background, your antivirus protection should periodically scan your systems and files to catch anything that slipped through. Regular full-system scans are part of maintaining protection.
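Several of the requirements above (unique accounts, passwords, the firewall, patching, and antivirus status) can be checked and recorded from a single Windows PC. The script below is an added example written for this guide; it is not part of CMMC, not a DoD tool, and not code from the guide's author. It assumes Windows 10 or 11 with Microsoft Defender and the built-in firewall, an elevated PowerShell window, an evidence folder under your user profile, and 7/30/90-day thresholds that are illustrative choices rather than numbers CMMC sets. It writes a CSV of what it found for each control so you have dated evidence, and it reports each check as MET or NOT MET.

```powershell
# Added example (not from the original guide): collect CMMC Level 1 evidence
# from one Windows 10/11 PC that handles FCI. Run in an elevated PowerShell
# window on each in-scope machine. The folder name and the 7/30/90-day
# thresholds are assumptions; match them to your own written procedure.
$ErrorActionPreference = 'Stop'
$evidenceDir = Join-Path $env:USERPROFILE 'CMMC-L1-Evidence'   # assumed location
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$stamp    = Get-Date -Format 'yyyy-MM-dd'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Control, [string]$Check, [bool]$Met, [string]$Detail) {
    $status = if ($Met) { 'MET' } else { 'NOT MET' }
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Status = $status; Detail = $Detail })
}

# AC.L1-3.1.1 / IA.L1-3.5.1: one login per person, and nobody who has left
# still has an enabled account. Keep the full list as evidence, then flag
# enabled accounts that have not logged on for 90+ days as candidates to remove.
$users = Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, LastLogon, PasswordLastSet
$users | Export-Csv (Join-Path $evidenceDir "local-users-$stamp.csv") -NoTypeInformation
$stale = @($users | Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90) })
Add-Finding 'AC.L1-3.1.1' 'No enabled accounts idle for 90+ days' ($stale.Count -eq 0) (($stale.Name) -join ', ')

# IA.L1-3.5.2: every enabled account actually requires a password.
$noPw = @($users | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
Add-Finding 'IA.L1-3.5.2' 'All enabled accounts require a password' ($noPw.Count -eq 0) (($noPw.Name) -join ', ')

# AC.L1-3.1.20 / SC.L1-3.13.1: the host firewall is on for every network profile.
$fw = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$fw | Export-Csv (Join-Path $evidenceDir "firewall-$stamp.csv") -NoTypeInformation
$fwOff = @($fw | Where-Object { -not $_.Enabled })
Add-Finding 'SC.L1-3.13.1' 'Windows Firewall enabled on all profiles' ($fwOff.Count -eq 0) (($fwOff.Name) -join ', ')

# SI.L1-3.14.1: updates are being applied. Get-HotFix lists installed Windows
# updates; the newest one should be recent (30 days assumed here).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$recent = $latest -and $latest.InstalledOn -gt (Get-Date).AddDays(-30)
Add-Finding 'SI.L1-3.14.1' 'A Windows update installed in the last 30 days' ([bool]$recent) "$($latest.HotFixID) on $($latest.InstalledOn)"

# SI.L1-3.14.2 / .4 / .5: malware protection is running, its signatures are
# current, and periodic scans happen. This reads Microsoft Defender; with a
# third-party product, record the equivalent figures from its console instead.
try {
    $mp = Get-MpComputerStatus
    $mp | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge, QuickScanAge, FullScanAge |
        Export-Csv (Join-Path $evidenceDir "defender-$stamp.csv") -NoTypeInformation
    Add-Finding 'SI.L1-3.14.2' 'Real-time antivirus protection enabled' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) ''
    Add-Finding 'SI.L1-3.14.4' 'Antivirus signatures updated within 7 days' ($mp.AntivirusSignatureAge -le 7) "signature age $($mp.AntivirusSignatureAge) days"
    Add-Finding 'SI.L1-3.14.5' 'A quick or full scan completed within 30 days' (($mp.QuickScanAge -le 30) -or ($mp.FullScanAge -le 30)) "quick $($mp.QuickScanAge) / full $($mp.FullScanAge) days"
} catch {
    Add-Finding 'SI.L1-3.14.2' 'Microsoft Defender status readable' $false $_.Exception.Message
}

# Level 1 is all-or-nothing: a single NOT MET means that control is not satisfied yet.
$findings | Export-Csv (Join-Path $evidenceDir "findings-$stamp.csv") -NoTypeInformation
$findings | Format-Table -AutoSize
"Evidence saved to $evidenceDir"
```

Run it on every computer inside your FCI scope, not just the one on your desk, and keep the dated CSV files with the rest of your evidence. The script only covers the technical checks; it cannot tell you whether two people share the "shop" login, whether the server room door is locked, or whether the visitor log is filled in, so those still need a photo, a sign-in sheet, or a written procedure.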
How to Prove You're Compliant
Understanding the 15 controls is only half the challenge. You also need to prove you're doing them. For Level 1, this means conducting a self-assessment.
A self-assessment isn't just checking 15 boxes and calling it done. Each of the 15 controls has assessment objectives—specific things you need to verify. In total, there are 59 assessment objectives across the 15 controls. For example, the control about limiting physical access (PE.L1-3.10.1) has four objectives: you've identified which individuals are authorized, and physical access to the systems, to the equipment, and to the rooms and areas where they sit is actually limited to those people.
Every single assessment objective must be marked as "MET." There's no partial credit. You can't be 90% compliant. Unlike Level 2, Level 1 does not allow a plan of action to cover an unmet objective for later. If one objective isn't met, that control isn't satisfied, and you're not compliant.
For each objective, you should have evidence. Evidence can take many forms:
- Policies and procedures: Written documents describing how you do things
- Screenshots: Showing how systems are configured
- Logs: Records showing the controls are working
- Photos: Physical security measures in place
- Training records: Showing employees received required training
- Interviews: Conversations with staff confirming practices are followed
- Direct observation: Looking at systems and facilities yourself
You don't need to submit this evidence anywhere for Level 1, but you need to have it. If your compliance is ever questioned, you need to be able to demonstrate how you meet each requirement.
The mindset shift many small businesses need to make: it's not enough to do something—you have to prove you do it. Many businesses already have good security practices but no documentation. Undocumented practices don't count as evidence.
Start treating your self-assessment as if an auditor might ask to see your evidence tomorrow. Document as you go. Save those screenshots. Write down your procedures. Your future self will thank you.
Reporting to SPRS
Once you've completed your self-assessment, you need to report it through SPRS—the Supplier Performance Risk System. This is the government's database for tracking contractor compliance.
SPRS is run by the Navy's Naval Sea Logistics Center, and you reach it through the PIEE portal (the Procurement Integrated Enterprise Environment). To access it, you'll need a few things:
- An active registration in SAM.gov (the System for Award Management)
- The proper DoD system accounts (through the PIEE portal)
- Your company's CAGE code
The SPRS submission for Level 1 is straightforward. You're not entering a detailed score or uploading evidence. You're providing:
- The date of your assessment
- The scope of your assessment (what systems were included)
- An affirmation that you meet the requirements
This affirmation is important. It's not a casual checkbox. When you affirm compliance, you're making an official statement to the federal government. The person making this statement is called the "Affirming Official."
The Affirming Official should be a senior person in your organization—typically an owner, executive, or officer—who has the authority to make official statements on behalf of the company. This person is putting their name on the line saying your business is compliant. They should understand what they're affirming and have confidence in the self-assessment.
False claims in SPRS can have serious consequences. This isn't theoretical—the Department of Justice has pursued cases against contractors who misrepresented their cybersecurity compliance. The Affirming Official should take this responsibility seriously.
After your initial submission, you'll need to affirm annually that you're still compliant. Your systems and practices will change over time, so your assessment should be a living process, not a one-time event.
Common Mistakes to Avoid
Based on what we've seen with small businesses approaching CMMC Level 1, here are the most common mistakes—and how to avoid them.
Thinking you need a consultant for Level 1. Level 1 is designed for self-assessment. The 15 controls are basic security practices that any business owner can understand and implement. While consultants can help if you're truly stuck, most small businesses can handle Level 1 themselves. Don't let anyone convince you that you need to spend thousands on consulting for something you can do with a little time and attention.
Not documenting what you're already doing. Many small businesses are already doing most of what Level 1 requires—they just never wrote it down. You probably already limit system access. You probably already have passwords. You probably already have antivirus software. The gap isn't in your practices; it's in your documentation. Start documenting now.
Forgetting about mobile devices and remote workers. Your compliance scope isn't just the computers in your office. If employees access contract information from laptops, phones, or home computers, those are in scope. If people work remotely, their home office setup matters. COVID permanently changed how many businesses operate, but security thinking hasn't always caught up.
Assuming your IT provider handles everything. If you use an outside IT company, they're probably handling some of your security. But they might not know about CMMC, understand your contracts, or be doing everything the requirements specify. And even if they're doing everything right, you're still responsible. You can't outsource your compliance—only parts of your implementation.
Not understanding what's "in scope." Scope is one of the most misunderstood concepts. Not every computer in your business necessarily needs to meet CMMC requirements—only the ones that touch FCI. But if you're not careful about where FCI lives and flows, your entire network might be in scope. Understanding scope before you assess saves significant effort.
Next Steps
You now understand what CMMC Level 1 is, whether it applies to you, what the requirements actually mean, and how to prove compliance. The question is: what do you do with this knowledge?
Start by understanding your scope. Where does Federal Contract Information live in your business? What computers, systems, and people touch it? Draw that boundary before you start assessing.
Next, walk through each of the 15 requirements honestly. For each one, ask yourself: Do we do this? Can we prove we do this? If the answer to either question is no, you've found a gap to address.
This is where CMMCheck can help. Instead of interpreting government documents yourself, CMMCheck walks you through each CMMC Level 1 requirement with simple yes/no questions written in plain English. It identifies gaps, provides guidance, and helps you understand exactly where you stand—no IT background required.
Whether you use a tool or go through the requirements manually, the important thing is to start. CMMC requirements are appearing in contracts now. The businesses that get ahead of this will have an advantage over those scrambling at the last minute.
Level 1 is achievable for any small business. The requirements are basic. The process is manageable. You just need to take the first step.
Ready to assess your CMMC Level 1 readiness? Try CMMCheck and walk through each requirement in plain English.