Cybersecurity Maturity Model Certification (CMMC) provides organizations working with the U.S. Department of Defense (DoD) with a framework of practices and processes needed to secure sensitive information.

‍

The framework is split into three certification levels—Level 1, Level 2, and Level 3—with Level 1 being the entry-level tier that outlines basic cybersecurity hygiene and practices.

‍

Although Level 1 is the least comprehensive of the three, organizations seeking certification still need a methodical approach to ensure all requirements are met efficiently.

‍

This guide will help you determine whether your organization needs a CMMC Level 1 certificate and will outline actionable steps to streamline the compliance process.

‍

Who needs CMMC Level 1 certification?

CMMC Level 1 certification is mainly aimed at contractors and subcontractors that work with the DoD and process, store, or share Federal Contract Information (FCI).

‍

FCI refers to information that is either generated by or provided to the government as part of a contract to deliver a service or a product. FCI is not intended for public release, and any information the government makes publicly available is not considered FCI. Examples of FCI include: 

‍

• Contract proposals and bids
• Technical diagrams such as drawings, designs, and specifications for deliverables
• Employee data
• Tracking information for supplies and materials
• Payment schedules or receipts
• Financial audit information related to the contract

‍

All organizations with access to FCI must meet CMMC Level 1 compliance, regardless of size and industry. The only exception to this rule is organizations that provide commercial off-the-shelf (COTS) items for DoD projects, but this is uncommon and requires confirmation from your contracting officer.

‍

If your organization also handles Controlled Unclassified Information (CUI), Level 1 certification won’t be enough. Depending on the sensitivity of the CUI your organization handles, you’ll need to pursue either Level 2 or Level 3 certification. Note that Level 3 certification requires meeting the practices of both Level 1 and Level 2 first.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

CMMC Level 1 scope

The first step in preparing for CMMC assessments is determining which assets are considered in scope. For Level 1 certification, all assets that process, store, and transmit FCI must be included in the assessment and evaluated against applicable requirements. Some examples of assets in each category include:

‍

‍

However, these are not the only assets to consider. When scoping for a Level 1 self-assessment, you should also consider the people, facilities, and external service providers (ESPs) involved in storing, processing, or transmitting FCI:

‍

• People: Includes employees, vendors, contractors, and ESP personnel
• Facilities: May include physical office locations, satellite offices, data centers, server rooms, and secured rooms
• ESPs: All organizations that businesses use for comprehensive IT and security services

‍

One more aspect of scoping for CMMC Level 1 is considering specialized assets. According to the DoD, specialized assets can process, store, or transmit FCI but cannot be fully secured. These include technologies such as Internet of Things (IoT) devices, Operational Technology, and Test Equipment, and are not part of the Level 1 assessment scope.

‍

For more detailed information on assets and detailed guidance on establishing scope in preparation for a CMMC Level 1 self-assessment, check out the DoD’s official CMMC Level 1 Scoping Guide.

‍

‍

CMMC Level 1 controls

CMMC Level 1 encompasses 15 practices sourced from FAR clause 52.204-21 spread across 6 of the 14 control areas outlined by the framework. Each area contains practices designed to help organizations maintain basic cybersecurity hygiene, such as:

‍

‍

Organizations with a mature security posture may already have some of these protections in place. For example, if your organization utilizes cloud solutions, you likely have multi-factor authentication (MFA) enabled, or your firewalls might already meet boundary protection requirements.

‍

Exploring and leveraging features built into existing solutions will allow your organization to meet control requirements while keeping implementation costs down. This way, achieving Level 1 certification becomes more about bridging compliance gaps instead of building up your compliance posture from scratch.

‍

“

Pursuing CMMC Level 1 compliance helps mitigate common threats by implementing controls to protect against common attacks. For example, implementing access controls helps protect sensitive information. Another example is ensuring patches are regularly applied to all systems, where possible, to address vulnerabilities. Weak access controls and lazy patch practices are two of the most common ways systems get exploited, so having these controls in place reduces those risks.”

Markindey Sineus

GRC Subject Matter Expert, GTM, Vanta

|

LinkedIn

‍

{{cta_withimage22="/cta-blocks"}}  | The audit ready checklist

‍

CMMC Level 1 requirements

CMMC Level 1 requires you to conduct a self-assessment against the 15 prescribed practices. The self-assessment methodology is aligned with NIST Special Publication (SP) 800 171A Section 2.1 and involves three groups of activities:

‍

1. Examination: Includes observing, inspecting, reviewing, or studying assessment objects, which can be documents, mechanisms, or activities. When reviewing documentation, only assess the final forms. Drafts should be excluded, as they may not reflect actual practices and are subject to change.
2. Interviews: Conduct interviews of relevant staff, possibly at different organizational levels, to evaluate whether Level 1 practices have been implemented. Also, evaluate if adequate resourcing, planning, and training have been provided to ensure stakeholders can perform the practices.
3. Testing: Test implemented practices through demonstration to confirm they function properly. This may require observing the login process or verifying that user authentication behaves as expected. Testing practices requiring system configuration will prove that they are working as intended.

‍

When you perform a self-assessment for CMMC Level 1 certification, your findings will fall into one of three categories—MET, NOT MET, or N/A. To achieve Level 1 certification, all 15 practices must be either MET or N/A. In contrast, Levels 2 and 3 allow for a Conditional CMMC certificate if at least 80 percent of the required practices are met.

‍

After documenting your assessment results, submit them to the Supplier Performance Risk System (SPRS) to finalize the self-assessment.

‍

How to obtain a CMMC Level 1 certificate

The extensive requirements needed to achieve CMMC Level 1 certification can make the process time-consuming. To streamline certification, follow these five steps:

‍

1. Scope the assessment: Determine which technologies, people, locations, and ESPs must be evaluated and document specialized assets to ensure effective resource allocation.
2. Perform a gap analysis: Review how your organization’s current security posture measures up against the 15 practices outlined by CMMC Level 1. This will allow you to identify security gaps and areas that need improvement, creating a clear roadmap to meeting the requirements.
3. Implement the missing practices: Following the results of your gap analysis, implement the practices that didn’t meet CMMC requirements. This includes updating security policies and software, tightening access controls, and adopting new tools to help you meet criteria.
4. Conduct the self-assessment: Once you have addressed all identified weaknesses, perform the self-assessment following the described methodology. Log your findings, and then submit your logs to the SPRS.
5. Renew the certificate annually: For Level 1, your CMMC certificate is valid for one year. To ensure your organization’s ongoing CMMC compliance, you must get recertified and conduct the self-assessment annually.

‍

Keeping track of and renewing your CMMC certification is essential. Organizations that fail to renew their certificate will be found CMMC non-compliant and may lose eligibility to bid on future DoD contracts.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

CMMC Level 1 certification challenges

Achieving CMMC Level 1 certification can be challenging for several reasons, most notably:

‍

• Resource constraints: The workflows required for CMMC certification are time- and resource-intensive, making them particularly challenging for small and medium enterprises (SMEs) and resource-constrained organizations. These organizations often lack the in-house expertise and headcounts needed to address workflows efficiently, slowing down compliance.
• Manual compliance workflows: Ensuring ongoing compliance requires repetitive, laborious workflows like tracking security processes, evaluating risks, and maintaining compliance records. Manually completing these workflows increases the administrative burden on your compliance and security teams, increasing the odds of burnout.
• Disparate documentation systems: Compliance documentation is often held in siloed systems across separate departments. This complicates evidence collection, forcing compliance and security teams to sift through disconnected sources to find the required documents, increasing the odds of errors and inefficiencies.

‍

Collecting documentation throughout the certification process is essential to achieving CMMC certification efficiently. Keeping up-to-date records of your compliance efforts will make them more demonstrable to auditors, providing clearer insight into your compliance status and making the process smoother.

‍

To further streamline the compliance process, you can leverage a compliance automation solution. This software can automate some of the most repetitive workflows, such as evidence collection, report generation, and compliance monitoring, freeing up time for your compliance teams to focus on more immediate tasks.

‍

Pursue CMMC certification confidently with Vanta

Vanta is a trust management platform that reduces the resource strain and manual work required for CMMC certification by automating up to 50 percent of related workflows. It streamlines the process by centralizing documentation, automating assessments, and providing step-by-step guidance to eliminate uncertainties.

‍

The platform offers a dedicated CMMC solution that comes with multiple features that streamline compliance workflows, including: 

‍

• Out-of-the-box support for all CMMC certification levels
• Automated evidence collection supported by 375+ integrations
• Automated gap assessments
• Centralized tracking of CMMC requirements
• Continuous monitoring of CMMC practices
• Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172

‍

You can also leverage Vanta when pursuing CMMC Levels 2 or 3. Vanta’s partner network allows you to connect with a certified third-party assessor organization (C3PAO) that can support you at every step toward higher-level compliance.

‍

Schedule a custom demo and see how Vanta can make your CMMC workflows more efficient.

‍

 {{cta_simple33="/cta-blocks"}} | CMMC product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 

‍