If you work with the DoD, you’ve likely heard the acronym CMMC—Cybersecurity Maturity Model Certification—thrown around more times than you can count. For many contractors, a CMMC compliance checklist feels like just another hurdle in an already complex race, but here’s the reality: CMMC isn’t just red tape. It’s a necessary shield against very real cyber threats.
If you’re just starting your journey, you’re likely looking at Level 1. This foundational level is all about basic cyber hygiene you should probably be doing anyway. But “basic” doesn’t mean “easy” if you don’t know where to look. To help you figure out where you stand, we’ve put together a CMMC compliance checklist to walk you through the essentials.
Who Needs CMMC Level 1?
Before diving into the details of the CMMC compliance checklist, it’s important to know if it applies to you. The CMMC framework is designed to protect sensitive information within the Defense Industrial Base (DIB), and compliance with Level 1 cybersecurity practices is required for any contractor or subcontractor that handles Federal Contract Information (FCI).
This isn’t limited to the big prime contractors building fighter jets. If you’re a small supplier providing janitorial services, landscaping, or basic IT support to a DoD agency, you likely possess FCI—and therefore must achieve Level 1 compliance. As the foundational step in the CMMC framework, it ensures that even the smallest players in the supply chain aren’t a weak link for hackers to exploit.
What Is Federal Contract Information (FCI)?
Before running through the CMMC compliance checklist, you need to know what you’re trying to protect. FCI is defined as information provided by or generated for the government under a contract to develop or deliver a product or service to the government.
It’s not classified information, but it’s not public knowledge either. Examples of FCI include:
- Contract performance reports
- Organizational charts provided to the government
- Process documentation generated for the contract
- Emails discussing contract deliverables and schedules
Protecting this data matters because individual pieces of FCI can be assembled into a larger picture. An attacker might not care about your specific contract for office supplies, but can use that information to craft a convincing phishing attack against a larger target up the chain.
CMMC Compliance Checklist for Level 1
Level 1 consists of 17 practices grouped into six domains. While we can’t list every specific technical control in this short guide, this CMMC compliance checklist introduces the six basic pillars, with some examples. Essentially, if you want to keep bidding on and winning federal contracts, you need to prove you have these basics locked down.
Access Control
You need to control who goes where in your IT environment. This means limiting information system access to authorized users and identifying who is doing what.
- Do you have unique logins for every employee?
- Do you terminate access immediately when someone leaves the company?
Identification & Authentication
This goes hand-in-hand with access control. You must verify the identity of those users, processes, or devices before allowing access to your systems.
- Are you using complex passwords?
- Is multi-factor authentication (MFA) enabled where possible?
Media Protection
This domain covers how you handle hardware and paper. You need to sanitize or destroy media containing FCI before disposal or release for reuse.
- Do you shred documents containing contract info?
- Do you wipe hard drives before throwing old computers away?
Physical Protection
Cybersecurity isn’t just digital; it’s physical too. You must limit physical access to your organizational information systems and equipment.
- Are your servers in a locked room?
- Do you have visitor logs for people entering your office?
System & Communications Protection
This is about guarding the perimeter. You must monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of information systems.
- Do you have a firewall in place?
- Is your internal network segmented from the public internet?
System & Information Integrity
Finally, you need to keep things running smoothly and safely. This involves identifying, reporting, and correcting information and system flaws in a timely manner.
- Are you running updated antivirus software?
- Do you apply software patches and updates as soon as they are released?
How to Assess Your Current Security Posture
Running through a CMMC compliance checklist is a great start, but how do you turn that into a passing grade?
Document Your Policies
You can’t prove you are doing it if you don’t write it down. Create simple, clear policies for how your team handles passwords, visitors, and data.
Implement Basic Safeguards
If you found gaps while reviewing the checklist, fix them now. Enable multi-factor authentication, set up automatic updates for your antivirus, and start shredding sensitive documents. These basic safeguards are often low-cost but high-impact.
Common Mistakes to Avoid
One of the biggest mistakes we see is assuming “we’re too small to be a target.” In reality, small businesses are three times more likely to be victims of a cyber attack. Also, avoid the “set it and forget it” mentality. Cyber threats evolve, and your security practices need to keep up.
Preparing for Your Self-Assessment
For Level 1, you don’t need a third-party assessor; you perform a self-assessment annually. However, this self-assessment must be accurate and submitted to the Supplier Performance Risk System (SPRS). Lying or guessing on this assessment can lead to severe penalties, so be as honest and accurate as possible.
Better Security Starts Here
Navigating DoD regulations can be a complex, involved process, and it requires a certain amount of expertise. At Complete Technology, we help businesses secure their networks and simplify the compliance process so they can focus on fulfilling their contracts.
If you’re unsure where your security stands or need help checking off those boxes, let’s talk. Let Complete Technology guide you through the process so you can check compliance off your list with confidence.