CMMC Level 1 Compliance: What the 15 Practices Actually Require

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed March 18, 2026

As of November 2025, CMMC is no longer a concept the DoD is considering. It is a contract requirement. Contracting officers are now including CMMC clauses in solicitations, and any company that handles Federal Contract Information (FCI) in the defense supply chain needs at least Level 1 compliance to remain eligible for awards.

For small businesses, this creates a specific problem. The 15 Level 1 practices are technically straightforward, but the compliance mechanism around them is surprisingly rigid. There are no Plans of Action and Milestones (POA&Ms) at Level 1. No grace period. Either all 15 practices are fully implemented when a senior official signs the annual affirmation in SPRS, or the company is non-compliant. That binary pass/fail structure is unusual in compliance frameworks, and it catches organizations off guard when they assume they can document gaps and fix them later.

This guide covers what the 15 practices require in practice, how to scope the assessment to reduce effort, where CMMC overlaps with frameworks like SOC 2 and ISO 27001, and how GRC platforms fit into the picture.

The Three Obligations of CMMC Level 1

Level 1 compliance comes down to three specific requirements:

Obligation 1: Implement all 15 security practices

Derived from FAR 52.204-21. These cover access control, identification and authentication, media protection, physical security, communications protection, and system integrity.

Obligation 2: Conduct an annual self-assessment

Using the examine-interview-test methodology from NIST SP 800-171A. Examine means reviewing documentation and configurations. Interview means confirming that personnel understand and follow the procedures. Test means verifying that controls work in practice.

Obligation 3: Submit an annual affirmation in SPRS

A senior company official (CEO, president, or owner) formally attests that all 15 practices are fully implemented. This is a legal declaration to the U.S. Government, not an internal IT sign-off.

The zero-tolerance rule

POA&Ms are not permitted at Level 1. The DoD considers these 15 practices so fundamental that partial implementation is treated as non-compliance. A score of 14 out of 15 is a failing grade. At higher CMMC levels, organizations can document gaps and remediate over time. At Level 1, there is no runway.

Scoping: The Decision That Controls Cost and Effort

Before assessing anything, define what needs to be assessed. The CMMC Level 1 assessment scope includes all assets that process, store, or transmit FCI. Everything outside that boundary is out of scope.

This matters because scoping is the most effective cost-control tool available. A company that segments its FCI-handling systems into a defined enclave (specific workstations, a dedicated file server, a controlled set of cloud services) dramatically reduces the number of assets that need to meet the 15 practices. A company that lets FCI flow through every system on the network has to secure everything.

Four categories to inventory

  • People: Anyone who touches FCI, including employees, contractors, and external service providers
  • Technology: Hardware, software, network appliances, cloud services
  • Facilities: Physical locations where FCI is processed or stored
  • External Service Providers (ESPs): Third-party IT and cloud providers (Microsoft 365, managed IT, cloud hosting)

Specialized assets are excluded. IoT devices, operational technology (ICS, building management), government-furnished equipment, and test equipment are explicitly carved out of the Level 1 assessment scope, even if they handle FCI. This is a significant concession for manufacturers and companies with industrial environments.

Practical note

The exclusion of specialized assets does not eliminate the risk they represent. An unassessed OT device that connects to the same network as in-scope systems can still be the entry point for an incident that compromises FCI. Segmentation is the answer, and it reinforces why scoping decisions and network architecture should be treated as the same conversation.

The 15 Practices: What Each One Actually Requires

The 15 practices are organized across six security domains. None of them require specialized security staff or significant technology investment. What they do require is documented policy, consistent execution, and evidence.

ACCESS CONTROL (4 practices)

3.1.1 Limit system access to authorized users

Every user gets a unique account. No shared logins. Formal onboarding/offboarding process. Screen lock after inactivity.

Typical Evidence
  • User account list
  • Onboarding checklist
  • Screen lock config

3.1.2 Limit access to authorized functions

Role-based permissions. Least privilege. Separate admin accounts for IT staff performing maintenance.

Typical Evidence
  • Access control policy
  • File server permissions
  • Admin account justification

3.1.20 Control connections to external systems

Firewall rules, web filtering, approved list of external services. Block unauthorized cloud storage like personal Dropbox or Google Drive.

Typical Evidence
  • Firewall rules
  • Web filter config
  • Approved services list

3.1.22 Control public-facing information

Review process before publishing content. No FCI on public systems. Network separation between public and internal systems.

Typical Evidence
  • Content review policy
  • Network diagram

IDENTIFICATION & AUTHENTICATION (2 practices)

3.5.1 Identify all users, processes, and devices

Unique usernames for every individual. Maintained device inventory. Service accounts with documented purpose.

Typical Evidence
  • User account list
  • Hardware inventory
  • Service account register

3.5.2 Authenticate identity before granting access

Enforced password policy (12+ characters, complexity). All default vendor passwords changed before deployment. MFA where supported.

Typical Evidence
  • Password policy
  • Group Policy screenshots

MEDIA PROTECTION (1 practice)

3.8.3 Sanitize or destroy media before disposal

Cross-cut shredding for paper. Drive-wiping tools for digital media. Physical destruction when wiping is not possible. Documented disposal policy.

Typical Evidence
  • Disposal policy
  • Wipe logs
  • Destruction certificates

PHYSICAL PROTECTION (2 practices)

3.10.1 Limit physical access to systems

Locked offices. Secured server rooms with restricted access. Screens positioned away from public view.

Typical Evidence
  • Physical security policy
  • Access list for server room

3.10.5 Manage physical access devices

Visitor logs (name, organization, time in/out). Escort policy. Key/card issuance tracking. Retrieval during offboarding.

Typical Evidence
  • Visitor logs
  • Key issuance records
  • Escort policy

SYSTEM & COMMUNICATIONS PROTECTION (2 practices)

3.13.1 Protect communications at boundaries

Firewall with deny-all-permit-by-exception rules. Regular rule review to remove stale entries.

Typical Evidence
  • Firewall rule set
  • Network diagram
  • Rule review records

3.13.5 Separate public-facing systems

DMZ or VLAN for any publicly accessible servers. Firewall rules limiting traffic between public and internal segments. Mark N/A if no public-facing systems exist.

Typical Evidence
  • Network diagram with DMZ
  • Firewall rules

SYSTEM & INFORMATION INTEGRITY (4 practices)

3.14.1 Fix system flaws in a timely manner

Patch management process. Automatic OS and application updates where possible. Vulnerability awareness through vendor mailing lists or scanners.

Typical Evidence
  • Patch management policy
  • Auto-update config
  • Scan reports

3.14.2 Protect against malicious code

Antivirus or EDR installed on all in-scope servers and workstations. Active and running at all times.

Typical Evidence
  • AV management console
  • Deployment report

3.14.4 Keep malware protections updated

Automatic definition updates configured. Checking for new signatures at least daily.

Typical Evidence
  • Auto-update config screenshot
  • Current definition version

3.14.5 Perform periodic and real-time scans

Real-time/on-access scanning enabled. Scheduled weekly full-system scans to catch dormant threats.

Typical Evidence
  • Real-time scan config
  • Scheduled scan logs

Where small businesses actually get stuck

The practices that trip up small businesses are rarely the technical ones. Antivirus and firewalls are usually in place. The gaps show up in documentation (no written policy for media disposal), process (no offboarding checklist that revokes access the same day), and evidence (the patch management process works but nobody can prove it ran). This is the difference between doing security and being able to prove it during a self-assessment.
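As an added illustration (not code from the original article or from any CMMC tooling), the following Python checker applies the Level 1 rules described above to a set of self-assessment results: all 15 practices must be implemented, N/A is accepted only for 3.13.5 and only with a written justification, and a practice counts as met only when examine, interview and test evidence is on file. The practice identifiers come from the article; the data model, function names and sample results are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# The 15 Level 1 practice identifiers listed in the article.
LEVEL1_PRACTICES = (
    "3.1.1", "3.1.2", "3.1.20", "3.1.22", "3.5.1", "3.5.2", "3.8.3",
    "3.10.1", "3.10.5", "3.13.1", "3.13.5",
    "3.14.1", "3.14.2", "3.14.4", "3.14.5",
)
# The article only allows N/A for 3.13.5 (no public-facing systems exist).
NA_PERMITTED = {"3.13.5"}
# NIST SP 800-171A assessment methods; each needs at least one artifact on file.
METHODS = ("examine", "interview", "test")


@dataclass
class PracticeResult:
    practice: str
    status: str                                   # "met", "not_met" or "na"
    evidence: dict = field(default_factory=dict)  # method -> list of artifact names
    na_justification: str = ""


def find_gaps(results):
    """Return one gap string per problem; an empty list means affirmation is permitted."""
    by_id = {r.practice: r for r in results}
    gaps = []
    for pid in LEVEL1_PRACTICES:
        r = by_id.get(pid)
        if r is None:
            gaps.append(f"{pid}: not assessed")
        elif r.status == "na":
            if pid not in NA_PERMITTED:
                gaps.append(f"{pid}: N/A is not permitted for this practice")
            elif not r.na_justification.strip():
                gaps.append(f"{pid}: N/A requires a documented justification")
        elif r.status != "met":
            gaps.append(f"{pid}: not implemented")
        else:
            missing = [m for m in METHODS if not r.evidence.get(m)]
            if missing:
                gaps.append(f"{pid}: no evidence for {', '.join(missing)}")
    return gaps


def affirmation_permitted(results):
    """Zero-tolerance rule: 14 of 15 is a fail, so any gap blocks the SPRS affirmation."""
    return not find_gaps(results)


def met(pid, *artifacts):
    """Helper for the constructed sample: the same artifacts recorded under all three methods."""
    return PracticeResult(pid, "met", {m: list(artifacts) for m in METHODS})


# Constructed sample: everything met except media disposal, which was documented and discussed but never tested.
SAMPLE = [met(p, f"{p} policy", "config screenshot") for p in LEVEL1_PRACTICES if p not in ("3.8.3", "3.13.5")]
SAMPLE.append(PracticeResult("3.8.3", "met", {"examine": ["Disposal policy"], "interview": ["IT lead"]}))
SAMPLE.append(PracticeResult("3.13.5", "na", na_justification="No public-facing servers; see network diagram"))
```

Running find_gaps(SAMPLE) reports only the untested media-disposal practice, and affirmation_permitted(SAMPLE) stays False until that one artifact is produced.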

The System Security Plan: Not Required, But Essential

The DoD classifies the SSP as a best practice for Level 1, not a formal requirement. That phrasing is misleading. Attempting a defensible annual self-assessment without an SSP means the senior official signing the SPRS affirmation is doing so based on memory and informal checks. That is a position of significant personal and legal risk.

An SSP for Level 1 does not need to be complex. It should document:

What belongs in a Level 1 SSP

  • The system boundary and assessment scope (which assets handle FCI)
  • A network diagram showing internal, external, and segmented systems
  • For each of the 15 practices: how it is implemented, referencing specific policies and tools
  • The asset inventory (people, technology, facilities, ESPs)

The process of creating an SSP forces the kind of systematic thinking that makes compliance sustainable. It maps the network, documents procedures, and creates the evidence trail that makes the annual self-assessment repeatable instead of a scramble.

SPRS Submission: The Administrative Hurdle

Submitting the self-assessment to SPRS requires navigating the DoD's Procurement Integrated Enterprise Environment (PIEE), which has its own registration process. The company needs an active SAM.gov registration, a CAGE code, a designated Contractor Administrator (CAM) approved by the EB POC listed in SAM.gov, and a user with the SPRS Cyber Vendor User role.

This administrative setup can take weeks, particularly if the company's SAM.gov records are outdated. Budget time for it. A failure to report correctly in SPRS can negate all the technical compliance work.

Where CMMC Level 1 Overlaps with SOC 2 and ISO 27001

Companies pursuing CMMC Level 1 alongside other frameworks will find significant overlap:


CMMC Level 1 and SOC 2

Access control practices (AC.L1-3.1.1, AC.L1-3.1.2) map closely to SOC 2's CC6.1 (logical access controls). Patch management (SI.L1-3.14.1) aligns with CC7.1 (configuration management). Authentication requirements overlap with CC6.1 and CC6.2. A company with existing SOC 2 controls will find many Level 1 practices already met, though evidence format and assessment methodology differ.

CMMC Level 1 and ISO 27001

ISO 27001 Annex A controls cover access management (A.9), physical security (A.11), communications security (A.13), and operations security (A.12) in ways that directly support CMMC Level 1 practices. The key difference: ISO 27001 operates through an ISMS with risk-based control selection, while CMMC Level 1 prescribes all 15 practices with no flexibility.

The efficient path

Build the security program first, then map frameworks onto it. Companies that pursue CMMC Level 1 in isolation and then discover they also need SOC 2 or ISO 27001 end up rebuilding documentation and controls for each framework. Companies that build a single program and map multiple frameworks against it do the work once. This is the difference between framework-driven security (which creates redundant work) and program-first security (which creates efficiency across every compliance requirement).

GRC Platforms and CMMC Level 1

Several GRC platforms now support CMMC workflows. Secureframe and Vanta both offer CMMC modules that map the 15 Level 1 practices to automated evidence collection and readiness tracking.

For Level 1 specifically, a GRC platform is helpful but not essential. The 15 practices are simple enough that a well-organized SSP, documented policies, and an evidence folder can meet the requirements. Where platforms add value is when a company also needs SOC 2 or ISO 27001: the platform becomes the single system of record across frameworks, and the overlap between CMMC controls and SOC 2/ISO controls gets managed in one place instead of three separate spreadsheets.

The trap to avoid

Buying a platform and assuming configuration is compliance. The platform tracks evidence and maps controls. Someone still has to design the program, write the policies, configure the tool correctly, and keep the evidence flowing. That is the operational layer that platforms do not replace.

The Implementation Timeline

CMMC is rolling out in four phases:

Phase                Requirement
Phase 1 (Nov 2025)   Level 1 and Level 2 self-assessment requirements appear in solicitations
Phase 2 (Nov 2026)   Level 2 third-party (C3PAO) assessments required
Phase 3 (Nov 2027)   Level 3 (DIBCAC) assessments required; Level 2 may apply to option periods
Phase 4 (Nov 2028)   Full implementation across all applicable solicitations and contracts

For small businesses focused on Level 1, Phase 1 is already active. If a solicitation includes a CMMC clause and the company cannot demonstrate Level 1 compliance, it is ineligible for award. The compliance requirement also flows down through the supply chain: prime contractors must ensure subcontractors meet the required CMMC level.


Frequently Asked Questions

What are the 15 CMMC Level 1 security practices?

The 15 practices come from FAR 52.204-21 and cover six domains: access control (4 practices), identification and authentication (2), media protection (1), physical protection (2), system and communications protection (2), and system and information integrity (4). They represent foundational security hygiene: unique user accounts, firewalls, antivirus, patch management, physical access controls, and media sanitization. No specialized security staff or major technology investment is required.

How much does CMMC Level 1 compliance cost for a small business?

Direct costs are typically a few thousand dollars for any gaps in basic controls like antivirus, MFA, or drive-wiping tools. The larger cost is staff time for documenting policies, configuring systems, creating the SSP, and navigating the SPRS submission process. Because Level 1 uses self-assessment rather than third-party auditors, there are no assessor fees. Companies that already have SOC 2 or ISO 27001 controls in place will find significant overlap and lower incremental effort.

What is the difference between CMMC Level 1 and Level 2?

Level 1 protects Federal Contract Information (FCI) with 15 basic practices and annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) with 110 practices aligned to NIST SP 800-171 and requires either self-assessment or third-party certification by a C3PAO. Level 2 allows POA&Ms for certain gaps; Level 1 does not.

Can I use a GRC platform like Vanta or Secureframe for CMMC Level 1?

Yes. Both Vanta and Secureframe offer CMMC modules that map the 15 practices to evidence collection and track readiness. For Level 1 alone, a platform is helpful but not strictly necessary given the small number of controls. Where platforms add the most value is when a company also needs SOC 2 or ISO 27001, allowing all frameworks to be managed from a single system of record.

How does CMMC Level 1 relate to SOC 2?

Several CMMC Level 1 practices overlap with SOC 2 Trust Services Criteria, particularly in access control (CC6.1), patch management (CC7.1), and authentication (CC6.1/CC6.2). A company with existing SOC 2 compliance will likely have many Level 1 practices already in place, though the evidence format and assessment methodology differ. The efficient approach is to build one security program and map both frameworks onto it.

Do subcontractors need CMMC compliance?

Yes. CMMC requirements flow down through the supply chain. If a prime contractor's solicitation includes a CMMC clause, subcontractors handling FCI must achieve at least Level 1 compliance. Subcontractors handling CUI must achieve Level 2. This applies regardless of whether the subcontractor has a direct contract with the DoD.

What happens if I fail the Level 1 self-assessment?

Because POA&Ms are not permitted at Level 1, a single unmet practice means non-compliance. The company cannot submit an affirmation in SPRS and is ineligible for contract awards requiring CMMC Level 1. The path forward is to implement the missing practice, repeat the self-assessment, and then submit. There is no formal remediation timeline at Level 1 because the expectation is full compliance before affirmation.


About the Author
Ali Aleali, CISSP, CCSP

Co-Founder & Principal Consultant, Truvo Cyber

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.