CMMC Level 1 Compliance
We help U.S. DoD contractors meet CMMC Level 1 compliance requirements so they can continue to participate in DoD contract awards, while securing their IT infrastructure against growing cybersecurity threats.
Focus on your business. We'll handle CMMC.
Don’t let CMMC pull your IT team away from daily operations. We take the burden of CMMC Level 1 off your shoulders by managing implementation and developing your System Security Plan (SSP) and all required DoD documentation.
You focus on your core IT goals—we’ll prove your compliance.
1. Discovery
We meet with your team to learn about your current IT setup and how Federal Contract Information (FCI) flows within your organization.
2. Assessment
We conduct an assessment of your IT infrastructure to see what gaps you have against the controls in FAR 52.204-21.
3. Implementation
We implement the controls necessary to fill the gaps found in the assessment and develop your System Security Plan (SSP).
4. Proof
We submit your proof of compliance to the DoD — demonstrating your organization’s commitment to national security and enabling you to participate in current and future DoD contracts.
What is CMMC Level 1?
CMMC Level 1 (Foundational) is the entry-level cybersecurity standard required for any company doing business with the Department of Defense (DoD). It focuses on protecting Federal Contract Information (FCI) through 15 basic “cyber hygiene” controls.
Unlike higher levels, Level 1 is designed to be achievable for small-to-midsized businesses. It requires an annual self-assessment and a formal affirmation from a company to prove that basic safeguards—like strong passwords, antivirus software, and physical locks—are consistently in place.
CMMC Level 1 FAQ
Who needs to comply with CMMC Level 1?
Any Department of Defense (DoD) contractor or subcontractor that handles Federal Contract Information (FCI). If your contract involves non-public information generated for or provided by the government—even just for billing or scheduling—you must meet Level 1 requirements.
What is the difference between CMMC Level 1 and Level 2?
Level 1 (Foundational): Protects FCI through 15 controls (FAR 52.204-21) and requires an annual self-assessment.
Level 2 (Advanced): Protects Controlled Unclassified Information (CUI) through 110 controls (NIST SP 800-171) and typically requires a third-party audit (C3PAO) every three years.
How do I know if my company needs to be CMMC Level 1 or Level 2?
The level you need depends entirely on the type of data you handle:
CMMC Level 1 is for companies that only handle Federal Contract Information (FCI)—basic information like contract awards, schedules, and billing data that isn’t intended for public release.
CMMC Level 2 is required if you handle Controlled Unclassified Information (CUI)—sensitive technical data, blueprints, or specifications that require specific safeguarding.
Pro-Tip: Check your current or upcoming contracts for the DFARS 252.204-7012 clause. If it’s there, you are almost certainly required to meet Level 2 standards. When in doubt, ask your Contracting Officer (CO) or your Prime contractor directly.
Will basic Microsoft 365 be sufficient for CMMC Level 1, or do I need GCC High?
Standard Microsoft 365 Commercial is generally sufficient for CMMC Level 1 because Level 1 only involves FCI. GCC High is typically only required for Level 2 or 3 compliance, or if your contract involves export-controlled data (ITAR/EAR).
What are the 15 controls of Federal Acquisition Regulation (FAR) clause 52.204-21?
These controls cover six “cyber hygiene” domains:
Access Control: Limiting system access to authorized users.
Identification & Authentication: Verifying user identities (e.g., passwords).
Media Protection: Sanitizing or destroying media before disposal.
Physical Protection: Limiting physical access to systems (locks, logs).
System & Communications: Protecting network boundaries.
System & Information Integrity: Patching flaws and using antivirus.
What is a System Security Plan (SSP) for CMMC?
An SSP is a foundational document that details how your company implements each required security control. It identifies the system boundaries, the personnel responsible, and the specific technical or physical measures in place to meet the CMMC standards.
What is a Plan-of-Action & Milestones (POA&M) for CMMC?
A POA&M is a document used to track the “gaps” in your security. It lists which controls are not yet met, how you plan to fix them, and the timeline for completion. Note: For CMMC Level 1, you cannot have any open POA&Ms; all 15 controls must be fully “Met” at the time of your annual affirmation.
What are the benefits of outsourcing CMMC Level 1 Compliance to an expert like Complete Technology?
Outsourcing allows your IT team to stay focused on daily operations and strategic goals instead of getting buried in regulatory paperwork. Experts ensure your SSP is audit-ready, help you avoid “over-engineering” expensive solutions, and provide a defensible path for your executive’s annual legal affirmation.
How much will it cost to implement CMMC Level 1 requirements?
For most small-to-midsized businesses, the total first-year cost for Level 1 typically ranges from $5,000 to $15,000. This includes gap analysis, basic security software (like antivirus or MFA), and the development of required documentation like the SSP.
Who is Complete Technology?
Complete Technology is a nationwide Managed Service Provider (MSP) and cybersecurity firm specializing in IT solutions for DoD contractors. We bridge the gap for businesses that need to meet CMMC Level 1 but lack the internal resources to manage complex regulatory requirements.
With a long history of managing IT systems across the U.S.A., we provide a “turnkey” compliance experience. Our team handles the technical implementation of all 15 FAR controls and develops your System Security Plan (SSP), allowing you to stay focused on your core business while we secure your eligibility for government contracts.