CMMC Level 1 Compliance Guide for Small Businesses

IV. The 15 Foundational Safeguards: A Control-by-Control Implementation Guide

The core of CMMC Level 1 is the implementation of 15 specific security controls, also known as practices. These controls are derived directly from the basic safeguarding requirements in FAR 52.204-21 and are organized into six domains. They are intentionally foundational, with a heavy emphasis on preventative measures—establishing basic “locks on the doors” and “vaccinations” for information systems. This section provides a detailed, control-by-control guide to implementation.

A. Domain: Access Control (AC) – 4 Controls

This domain focuses on ensuring that only authorized individuals, using authorized methods, can access systems and data.

AC.L1-3.1.1: Limit information system access to authorized users…

• Purpose: To ensure that only people who have been given explicit permission can get into your computer systems.
• Implementation Guidance:

• • Establish formal processes for creating and deleting user accounts. An “onboarding” process should grant access when an employee starts, and an “offboarding” process must immediately revoke all access when an employee leaves.
  • Every user must have their own unique username. Shared accounts (e.g., “admin,” “frontdesk”) for multiple people are not permitted.
  • Configure systems to automatically lock after a period of inactivity (e.g., 15 minutes) to prevent unauthorized access to an unattended workstation.

• Examples of Evidence: A documented user account management policy, onboarding/offboarding checklists, a current list of active user accounts, and screenshots of system settings for screen locks.

AC.L1-3.1.2: Limit information system access to the types of transactions and functions…

• Purpose: To enforce the “principle of least privilege,” meaning users should only have the minimum level of access necessary to perform their job duties.
• Implementation Guidance:

• • Avoid granting administrative privileges to standard users. Day-to-day work should be done using a non-privileged account.
  • Use access control lists (ACLs) on file servers to restrict access to folders and files based on job roles. For example, personnel in the finance department should not have access to engineering project files unless there is a specific business need.
  • System administrators should use separate, dedicated administrative accounts only when performing maintenance tasks.

• Examples of Evidence: A documented access control policy, screenshots of file server permissions showing role-based access, and a list of users with administrative privileges with justification for each.

AC.L1-3.1.20: Verify and control/limit connections to and use of external information systems.

• Purpose: To control the flow of data to and from systems outside of your direct control, such as the public internet or cloud services.
• Implementation Guidance:

• • Use a firewall to manage and restrict network traffic between your internal network and the internet.
  • Implement web content filtering to block access to known malicious websites and categories of sites that are not required for business purposes (e.g., personal webmail, unauthorized cloud file sharing services).
  • Establish a policy that defines which external services (e.g., Dropbox, Google Drive) are approved for business use and block all others.

• Examples of Evidence: A policy on the use of external systems, screenshots of firewall rules, and reports from a web filtering solution.

AC.L1-3.1.22: Control information posted or processed on publicly accessible information systems.

• Purpose: To prevent FCI from being accidentally or intentionally placed on systems that are accessible to the public, like a company website.
• Implementation Guidance:

• • Establish a clear policy that explicitly prohibits the posting or storing of any FCI on public-facing systems.
  • Implement a review and approval process for all content before it is published on the company’s website or social media channels.
  • Ensure that any publicly accessible systems are on a separate network segment from the internal network where FCI is stored (see SC.L1-3.13.5).

• Examples of Evidence: A documented policy on public information, records of content review and approval, and a network diagram showing the separation of public systems.

B. Domain: Identification & Authentication (IA) – 2 Controls

This domain ensures that a system can identify who a user is and verify that they are who they claim to be.

IA.L1-3.5.1: Identify information system users, processes acting on behalf of users, or devices.

• Purpose: To uniquely identify every person, device, or automated process that connects to your network.
• Implementation Guidance:

• • Assign a unique username to every individual employee, as required by AC.L1-3.1.1.
  • Maintain an inventory of all devices (laptops, servers, printers, etc.) that are authorized to connect to the network.
  • For automated processes or service accounts, ensure they have unique identifiers and are not shared across different services.

• Examples of Evidence: A list of all active user accounts, a hardware asset inventory, and a list of service accounts with their designated purpose.

IA.L1-3.5.2: Authenticate (or verify) the identities of those users…

• Purpose: To require users to prove their identity, typically with a password, before they are granted access to a system.
• Implementation Guidance:

• • Enforce the use of passwords on all systems.
  • Establish and enforce a password policy that requires a minimum length (e.g., 12 characters) and complexity (e.g., use of uppercase, lowercase, numbers, and symbols).
  • Change all default vendor-supplied passwords on new hardware and software before they are put into service.

• Examples of Evidence: A documented password policy and screenshots of system settings (e.g., Active Directory Group Policy) that enforce the policy requirements.

C. Domain: Media Protection (MP) – 1 Control

This domain covers the secure handling of physical and digital media.

MP.L1-3.8.3: Sanitize or destroy information system media…

• Purpose: To ensure that FCI cannot be recovered from media (e.g., hard drives, USB drives, paper) after it is no longer needed.
• Implementation Guidance:

• • For paper documents, use a cross-cut shredder.
  • For digital media like hard drives or SSDs, simply deleting files is not sufficient. Use a dedicated drive-wiping tool that overwrites the data multiple times to make it irrecoverable.
  • Physically destroy media that cannot be effectively sanitized (e.g., with a drill or hammer).
  • Establish a policy that outlines the required procedures for media disposal.

• Examples of Evidence: A documented media disposal policy, logs from drive-wiping software, or certificates of destruction from a third-party disposal service.

D. Domain: Physical Protection (PE) – 2 Controls

This domain focuses on securing the physical locations and equipment that house your information systems.

PE.L1-3.10.1: Limit physical access to organizational information systems…

• Purpose: To prevent unauthorized individuals from physically touching your computers, servers, and networking equipment.
• Implementation Guidance:

• • Keep office doors locked outside of business hours.
  • Secure server rooms or closets with key or card access that is restricted to authorized IT personnel.
  • Position workstations so that screens are not easily visible to passersby.

• Examples of Evidence: A physical security policy, photos of locked doors and server closets, and an access list for sensitive areas.

PE.L1-3.10.5: Control and manage physical access devices.

• Purpose: To manage the keys, access cards, and codes used to enter your facilities.
• Implementation Guidance:

• • Maintain a log of all visitors, including their name, organization, date, time in, and time out.
  • Require that all visitors be escorted by an employee at all times within the facility.
  • Keep a record of who has been issued keys or access cards and retrieve them from departing employees as part of the offboarding process.

• Examples of Evidence: Visitor logs, a documented visitor policy, and records of key/card issuance and retrieval.

E. Domain: System and Communications Protection (SC) – 2 Controls

This domain is concerned with protecting the integrity and confidentiality of information as it moves across your networks.

SC.L1-3.13.1: Monitor, control, and protect organizational communications…

• Purpose: To use a firewall to create a secure perimeter around your network, controlling what traffic is allowed in and out.
• Implementation Guidance:

• • Deploy a firewall at the boundary between your internal network and the internet.
  • Configure the firewall with a “deny all, permit by exception” rule set. This means all traffic is blocked by default, and only specific, necessary traffic (e.g., web browsing on port 443) is explicitly allowed.
  • Regularly review firewall rules to ensure they are still necessary and appropriate.

• Examples of Evidence: A network diagram showing the location of the firewall, screenshots of the firewall rule set, and records of rule reviews.

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components…

• Purpose: To isolate systems that need to be accessible from the internet (like a web server) from your secure internal network where FCI is stored. This is often called a Demilitarized Zone (DMZ).
• Implementation Guidance:

• • If your organization hosts its own public-facing servers (e.g., a website or email server), configure your firewall to place them on a separate network segment (VLAN or physical network) from your internal corporate network.
  • Firewall rules should strictly limit the traffic that can pass between the public subnetwork and the internal network.

• Examples of Evidence: A network diagram clearly showing the separate subnetwork for public systems and screenshots of the firewall rules that enforce this separation. Note: If your organization has no publicly accessible systems, this control would be Not Applicable (N/A).

F. Domain: System and Information Integrity (SI) – 4 Controls

This domain ensures that your systems are protected from malware and that vulnerabilities are fixed in a timely manner.

SI.L1-3.14.1: Identify, report, and correct information and information system flaws…

• Purpose: To implement a process for “patch management”—the timely application of security updates for operating systems (e.g., Windows, macOS) and software applications (e.g., Adobe Reader, Microsoft Office).
• Implementation Guidance:

• • Enable automatic updates for operating systems and common applications where possible.
  • Establish a process to regularly check for and install patches for software that cannot be updated automatically.
  • Subscribe to vendor security mailing lists or use a vulnerability scanner to stay aware of new flaws.

• Examples of Evidence: A documented patch management policy, screenshots of automatic update configurations, and reports from a vulnerability scanner showing that systems are patched.

SI.L1-3.14.2: Provide protection from malicious code…

• Purpose: To install antivirus or anti-malware software on your systems.
• Implementation Guidance:

• • Install a reputable antivirus/anti-malware solution on all in-scope servers and workstations.
  • Ensure the software is configured to be active and running at all times.

• Examples of Evidence: A policy requiring antivirus software, a list of computers with the software installed (from a central management console), and screenshots showing the software is active on a sample workstation.

SI.L1-3.14.4: Update malicious code protection mechanisms…

• Purpose: To ensure that your antivirus software is constantly receiving the latest “definitions” (the signatures it uses to identify new malware).
• Implementation Guidance:

• • Configure your antivirus software to check for and download new definition files automatically and frequently (at least daily).

• Examples of Evidence: Screenshots from the antivirus management console showing the automatic update configuration and the current definition version on client machines.

SI.L1-3.14.5: Perform periodic scans of the information system and real-time scans of files…

• Purpose: To ensure your antivirus software is actively looking for threats.
• Implementation Guidance:

• • Configure the antivirus software to perform “real-time” or “on-access” scanning, which checks files as they are opened, downloaded, or executed.
  • Schedule regular full-system scans (e.g., weekly) to check all files on the system for dormant threats.

• Examples of Evidence: Screenshots from the antivirus management console showing that real-time scanning is enabled and that full scans are scheduled, as well as logs from completed scans.

V. Documenting Your Defenses: Creating a System Security Plan (SSP)

A System Security Plan (SSP) is a comprehensive document that details how an organization implements the security requirements for a given information system. It is the narrative that connects policies, procedures, and technical configurations to the specific controls required by a compliance framework.

A. Why You Need an SSP, Even if It’s Not “Required”

The official DoD guidance for CMMC Level 1 states that an SSP is considered a “best practice” but is not a formal requirement to conduct the self-assessment. However, this should not be misinterpreted. Attempting to conduct a thorough, defensible, and repeatable self-assessment without an SSP is exceptionally difficult and ill-advised.

The SSP serves as the central repository for all compliance artifacts. It is the primary tool for organizing the evidence and documenting the rationale for how the company meets each of the 15 security controls. More importantly, it provides the documented proof that a senior leader needs to confidently and legally make the required annual affirmation in SPRS. Without an SSP, that affirmation would be based on memory and informal checks, which is a position of significant personal and corporate risk.

Furthermore, the process of creating an SSP provides benefits far beyond compliance. It forces a small business to systematically inventory its IT assets, map its network, and document its security procedures. These activities are fundamental to good IT governance and are invaluable for employee training, system troubleshooting, and disaster recovery planning, thereby improving the overall operational maturity and resilience of the business.

B. Key Components of a Level 1 SSP

A Level 1 SSP does not need to be overly complex. It should be a clear, concise document that provides an auditor or reviewer with a complete picture of the security posture of the in-scope environment. Based on standard templates and best practices, a Level 1 SSP should include the following components :

1. System Identification & Authorization:

• Organization Name, Address, CAGE Code
• System Name (e.g., “Corporate Network for FCI”)
• Authorization block for a senior management official to sign and date, indicating their approval of the plan.

1. System Environment & Scope:

• A brief description of the system’s function and purpose.
• A clear definition of the CMMC Assessment Scope boundary, referencing the scoping decisions made in Section III.
• A simple network diagram showing the system boundary, key components, and connections to external networks like the internet.

1. Asset Inventory:

• A summary of the in-scope assets, categorized by people, technology, facilities, and ESPs. This can reference the more detailed asset scoping matrix.

1. Control Implementation Details:

• This is the core of the SSP. It should contain a dedicated section for each of the 15 Level 1 controls. For each control, the SSP should describe how it is implemented, referencing the specific policies, procedures, and technologies in place.

The following table provides a practical guide for the type of information to include in the SSP for each control.

VI. The Annual Mandate: Conducting the CMMC Level 1 Self-Assessment

With the controls implemented and the SSP documented, the next step is to conduct the formal self-assessment. This is the annual process of systematically evaluating each of the 15 controls to determine if they are fully implemented according to the required methodology.

A. The Assessment Methodology: Examine, Interview, Test

The DoD requires that the CMMC Level 1 self-assessment be performed using the assessment procedures defined in NIST Special Publication 800-171A. This methodology is not a simple checklist; it is a multi-faceted approach designed to ensure that security controls are not just documented, but are also understood by personnel and are functionally effective. It consists of three distinct methods of verification:

1. Examine: This involves reviewing, inspecting, or studying assessment objects to facilitate understanding and gather evidence. For a Level 1 self-assessment, this is the process of reviewing the SSP, policy documents, system configuration settings, log files, and any other documentation that supports the implementation of a control. This method validates that security is “on paper.”
2. Interview: This involves conducting discussions with individuals or groups within the organization to confirm their understanding and consistent application of security policies and procedures. An assessor might interview an IT administrator about the user onboarding process or ask an office manager about the visitor escort policy. This method validates that security is understood by people.
3. Test: This involves exercising assessment objects to compare their actual behavior with expected behavior. This is the process of verifying that a control works in practice. Examples include attempting to access a restricted folder to confirm permissions are working, or trying to visit a blocked website to confirm the web filter is active. This method validates that security is functional in practice.

This three-pronged approach is designed to prevent “shelf-ware” compliance, where policies are written but never implemented or followed. By requiring evidence from all three methods, the methodology ensures a holistic and accurate picture of the organization’s security posture.

B. Determining the Outcome: MET, NOT MET, or N/A

As the self-assessment proceeds, a finding must be determined for each of the 15 security requirements. There are three possible outcomes :

• MET: The requirement is fully and satisfactorily implemented. All evidence gathered through examination, interviews, and testing supports this conclusion.
• NOT MET: One or more aspects of the requirement are not implemented or are only partially implemented.
• NOT APPLICABLE (N/A): The requirement does not apply to the CMMC Assessment Scope. For example, control SC.L1-3.13.5 (Implement subnetworks for publicly accessible system components) would be N/A for an organization that has no publicly accessible systems. For the purposes of the final score, an N/A finding is equivalent to a MET finding.

To achieve CMMC Level 1 compliance, the organization must have a finding of MET or N/A for all 15 security requirements. As previously stated, a single “NOT MET” finding results in non-compliance for the entire assessment.

VII. Official Reporting: Submitting Your Assessment and Affirmation to SPRS

The final step in the annual compliance cycle is to report the results of the self-assessment to the DoD. This is done through the Supplier Performance Risk System (SPRS), a web-based application that serves as the DoD’s authoritative source for supplier security information. Accessing and using this system involves a multi-step administrative process that should not be underestimated.

The administrative complexity of this process can be a significant, non-technical compliance barrier for small businesses. It is a compliance task in itself, and organizations must budget administrative time and resources to navigate it successfully. A failure to report correctly in SPRS can negate all the technical compliance work that has been completed.

A. Gaining Access: Registering for PIEE and SPRS

Access to SPRS is managed through a separate DoD portal called the Procurement Integrated Enterprise Environment (PIEE). Before an assessment can be submitted, the organization must successfully register and be granted the correct roles in this system.

The registration process generally follows these steps:

1. Prerequisites: The organization must have an active registration in the System for Award Management (SAM.gov) and be assigned a Commercial and Government Entity (CAGE) code.
2. Designate a CAM: The organization must designate a Contractor Administrator (CAM). The CAM is the “gatekeeper” who controls user access for the company within the PIEE system.
3. CAM Registration: The designated CAM must register for a new user account at the PIEE portal (piee.eb.mil).
4. CAM Approval: The CAM’s registration must be approved by the organization’s Electronic Business Point of Contact (EB POC), who is officially listed in the company’s SAM.gov record. This step may require the EB POC to submit a formal CAM Appointment Letter to the PIEE help desk. This can often be the most time-consuming step, especially if the EB POC information in SAM.gov is outdated.
5. User Registration and Role Request: Once the CAM is active, the individual who will be submitting the CMMC assessment can register for their own PIEE account. During or after registration, this user must request the specific role required for CMMC submissions: “SPRS Cyber Vendor User”.
6. Role Approval: The organization’s CAM must then log in to PIEE and approve the user’s request for the “SPRS Cyber Vendor User” role.

B. Entering Your Level 1 Self-Assessment Data

Once a user has been granted the “SPRS Cyber Vendor User” role, they can proceed with submitting the self-assessment results.

The submission process follows these steps:

1. Log in to the PIEE portal and navigate to the SPRS application.
2. Click on the “Cyber Reports” link in the navigation menu.
3. Select the appropriate company CAGE code from the drop-down menu.
4. Navigate to the “CMMC Assessments” tab and click the button labeled “Add New CMMC Level 1 Self-Assessment”.
5. On the submission screen, enter the following required information:

• Assessment Date: The date the self-assessment was completed.
• Assessing Scope: Select either “Enterprise” (for the whole organization) or “Enclave” (for a specific, segmented part of the network).
• Total number of employees applicable to this assessment.
• A confirmation checkbox or button to attest that the organization is in full compliance with all security requirements of FAR clause 52.204-21 (which are the 15 Level 1 controls).

1. Click the button to continue to the affirmation step.
2. The final step requires the designated senior company official to review the submission and provide their formal, binding affirmation of its accuracy.

C. The Annual Rhythm

It is critical to remember that this entire process—conducting the self-assessment, documenting the results, and submitting the affirmation in SPRS—is not a one-time event. It must be completed annually to maintain an active and compliant CMMC Level 1 status.

VIII. Strategic Outlook: Maintaining Compliance and Preparing for the Future

Achieving CMMC Level 1 compliance for the first time is a significant accomplishment. However, the true goal is to establish a sustainable cybersecurity program that maintains compliance over time and positions the business for future success within the Defense Industrial Base.

A. Compliance is a Program, Not a Project

CMMC Level 1 is an ongoing commitment, not a one-time project with a finish line. The annual assessment and affirmation cycle requires that cybersecurity be treated as a continuous business process.

• Establish an Annual Cycle: Businesses should create an internal compliance calendar. This should trigger a review of the SSP and a new self-assessment well in advance of the anniversary of the previous SPRS submission. This proactive approach avoids a last-minute rush and ensures continuous compliance.
• Implement Change Management: The CMMC Assessment Scope is not static. Changes to the business—such as hiring new employees, deploying new software, opening a new office, or engaging a new cloud provider—can all impact the scope. A simple change management process should be established to evaluate how these changes affect the FCI data flow and whether new assets need to be brought into the scope and secured. An outdated scope is a primary cause of falling out of compliance.

B. Leveraging Compliance for Competitive Advantage

While CMMC is a mandatory requirement, a proactive and robust approach to compliance can also be a business enabler.

• Building Trust in the Supply Chain: In a competitive environment, being able to demonstrate a mature and well-documented CMMC Level 1 status can be a powerful trust signal to prime contractors. Primes are taking on significant risk by managing their supply chains, and they will favor subcontractors who can clearly and confidently prove their cybersecurity posture.
• Preparing for Future Growth: For businesses that aspire to work on more complex DoD projects, the data involved will likely be classified as CUI, which requires CMMC Level 2. Achieving a solid Level 1 compliance posture is the ideal foundation for this growth. The disciplines, processes, and documentation—especially the SSP—developed for Level 1 are directly scalable and provide a significant head start on the journey to Level 2.

The implementation of CMMC Level 1 should be viewed as a “gateway” to improved overall business and cyber hygiene. The required controls and documentation force a level of operational discipline in areas like user management, physical security, and patch management that benefits the entire organization. This investment in compliance pays dividends in reducing the risk from all types of cyber threats, not just those targeting FCI, making the business more secure, organized, and resilient.

C. Staying Informed

The cybersecurity landscape and the CMMC program will continue to evolve. It is essential for businesses to stay informed by relying on official and authoritative sources. The primary resources for CMMC information are:

• The DoD Chief Information Officer (CIO) CMMC Website: https://dodcio.defense.gov/cmmc/
• The Cyber AB (the CMMC accreditation body) Website: https://cyberab.org/

By periodically checking these sites for new guidance, FAQs, and program updates, a small business can ensure its compliance program remains aligned with the latest DoD requirements and expectations.