If your organization handles Federal Contract Information (FCI), then you’ll need to meet CMMC Level 1 requirements. And while the idea of compliance might sound intimidating, it doesn’t have to be. Think of CMMC Level 1 as the foundation of good cybersecurity hygiene. Straightforward, manageable, and very achievable with the right roadmap.
Below, we’ll walk through each of the five stages in a friendly, easy-to-follow way, so you understand not just what to do, but why it matters and how it prepares you for a successful assessment.

Stage 1: Confirm Applicability and Scope
Before anything else, you need to understand whether CMMC Level 1 applies to you, and if it does, which parts of your business are involved.
In simple terms:
Where does FCI live in your organization? And which systems touch it?
What this looks like in practice:
- You identify what contracts require you to protect FCI.
- You track how FCI enters your environment: maybe through email, project portals, or shared folders.
- You map out where FCI gets stored or processed.
- You figure out which laptops, servers, apps, and even people are part of that workflow.
A lot of organizations also take this opportunity to reduce risk (and workload) by segmenting systems: keeping FCI only where it truly needs to be.
Why this matters:
You can’t protect what you haven’t properly scoped. This step sets the stage for everything that follows.
Stage 2: Conduct a Gap Analysis
Once you know your scope, it’s time for a reality check:
How does your current setup compare to the 15 practices required under CMMC Level 1?
This is where you look at what you’re already doing well and what needs improvement.
Here’s how this usually goes:
- You review each of the Level 1 controls.
- You compare them against your existing processes and technologies.
- You document anything missing, outdated, or inconsistent.
- You prioritize your gaps. Some may be quick wins; others may take planning.
Think of this as your “to-do list” to get compliant.
Why this matters:
A strong gap analysis prevents surprises during your assessment and gives you a clear plan forward.
Stage 3: Develop Documentation
Even though Level 1 doesn’t require heavy documentation, you still need clear, written policies and procedures that match what you do.
Typical documents include, but are not limited to:
- Access control policies
- Password and account management guidelines
- Physical access procedures
- Guidelines around handling and storing information
This stage is about making sure your team knows the “how and why” behind your security practices and that they’re being followed consistently.
Why this matters: Good documentation helps you work more predictably and ensures that your controls are being applied on purpose, not by accident.
Stage 4: Implement Controls
Now you move from planning to doing. This is where you fix the gaps and put the necessary cybersecurity protections in place.
This can include:
- Enforcing stronger passwords
- Configuring firewalls correctly
- Limiting access so people only see what they need for their job
- Installing or updating antivirus software
- Locking down physical access to areas with FCI
- Running user training so everyone handles FCI responsibly
While doing this, you’ll also start capturing evidence like screenshots, logs, configuration exports, or training records.
Why this matters: This step ensures that your environment truly meets CMMC Level 1 requirements, not just on paper but in day-to-day operations.
Stage 5: Run a Self-Assessment
Once your controls are in place, it’s time to evaluate yourself. This step simulates the official assessment experience.
What this involves:
- Walking through each of the 15 practices and scoring your implementation.
- Double-checking all your evidence.
- Making sure your documentation matches what’s happening in real life.
- Uploading your score to SPRS if needed.
- Fixing anything you catch at the last minute.
This stage boosts your confidence and reduces stress when formal assessment happens.
Why this matters: The self-assessment ensures you’re truly ready and that you will walk into the official process with no surprises.
After the Roadmap: Moving Toward Certification
Once you’ve completed all five stages, you’re ready to move toward certification (or self-attestation if that’s acceptable for your contract).
