CMMC Level 1 Certification
Done For You
A complete, fixed-cost assessment and self-certification package covering
all 17 CMMC Level 1 practices across 6 security domains. We handle
everything so you can focus on your mission.
CMMC Level 1 is the entry-level certification within the CMMC framework, focused on basic
cyber hygiene to protect Federal Contract Information (FCI) — information created for or
provided by the government under a contract that is not intended for public release.
$3,995
Fixed Cost
2-3 Wks
Typical Timeline
17
Security Practices
6
Security Domains
Who Needs CMMC Level 1?
CMMC Level 1 applies to organizations that store, process, or transmit Federal Contract Information as part of a Department of Defense contract. As the DoD begins requiring CMMC compliance in contracts, many contractors and subcontractors must achieve Level 1 to continue working with the U.S. government.
Organizations that handle Controlled Unclassified Information (CUI) rather than just FCI typically need CMMC Level 2, which requires significantly more controls.
Defense contractors and subcontractors handling FCI
Examples of FCI Include:
Contract performance details
Non-public documentation supporting contract work
Level 1 Protects Against:
Unauthorized access
Malware and malicious code
Accidental data exposure
Our Turnkey Process
From initial scoping to SPRS-ready documentation, we guide you through every step of
CMMC Level 1 compliance.
Step 1
Scoping & Structured Assessment
We define your CMMC assessment scope by identifying all assets — devices, software, and systems — that process, store, or transmit Federal Contract Information (FCI). We then evaluate all 17 security practices through documentation review, guided questionnaires, and working sessions with your team.
Step 2
Gap Analysis & Remediation
We identify gaps against all 17 CMMC Level 1 practices and work with you to remediate them in a practical, efficient manner — ensuring every practice achieves a finding of MET or NOT APPLICABLE.
Step 3
Documentation & Evidence Package
We develop the full set of required documentation — policies, procedures, audit logs, and supporting artifacts — so you have a complete, defensible self-assessment report with findings and evidence for each objective.
Step 4
Self-Assessment & SPRS Readiness
You receive everything needed for your annual self-assessment and SPRS affirmation. A senior official can confidently submit the affirmation in the Supplier Performance Risk System asserting full compliance.
All 17 CMMC Level 1 Practices
CMMC Level 1 comprises 17 cybersecurity practices derived from FAR 52.204-21, organized
across six security domains. Our assessment covers every one.
Access Control (AC)
4 practices
Authorized Access Control
Limit system access to authorized users, processes, or devices.
Transaction & Function Control
Restrict authorized users to only the specific transactions and functions they are permitted to perform.
External Connections
Verify and limit connections to, and the use of, external information systems.
Control Public Information
Control and review all information before it is posted or processed on publicly accessible systems.
Identification & Authentication (IA)
2 practices
Identification
Uniquely identify system users, processes acting for them, and devices.
Authentication
Verify the identities of users, processes, or devices as a requirement for system access.
Media Protection (MP)
1 practice
Media Disposal
Sanitize or destroy any media containing FCI before it is discarded or reused.
Physical Protection (PE)
4 practices
Limit Physical Access
Restrict physical access to systems, equipment, and operating environments to authorized personnel only.
Escort Visitors
Ensure all visitors are escorted and their activities are monitored.
Physical Access Logs
Maintain records of physical access to the facility or sensitive areas.
Manage Physical Access
Properly identify, control, and manage physical access devices like keys and badges.
System & Communications Protection (SC)
2 practices
Boundary Protection
Monitor and protect communications at the external and key internal boundaries of the network.
Public-Access System Separation
Physically or logically separate publicly accessible system components from internal networks.
System & Information Integrity (SI)
4 practices
Flaw Remediation
Identify, report, and fix system flaws within defined timeframes.
Malicious Code Protection
Protect against malware at all necessary system locations.
Update Malicious Code Protection
Update anti-malware mechanisms automatically or frequently when new releases are available.
System & File Scanning
Perform regular system scans and real-time scans of files from external sources.
How the Self-Assessment Works
Unlike higher CMMC levels, Level 1 compliance is verified through an annual self-assessment rather than a third-party certification. We prepare you completely for this process.
The assessment evaluates all 17 practices using three defined methods:
Examining: Document-based artifacts like policies, procedures, and audit logs
Interviewing: Personnel with security responsibilities across your organization
Testing: System mechanisms to verify they function as intended
For each practice, the finding must be MET, NOT MET, or NOT APPLICABLE. To pass, every practice must achieve MET or NOT APPLICABLE — a single NOT MET finding fails the assessment.
Timeline & Process
The typical timeline is approximately 2 to 3 weeks, depending on responsiveness and the current state of your environment. Our goal is to make this as streamlined and simple as possible while ensuring full compliance.
SPRS Affirmation
Once the review is complete and compliance is confirmed, a senior company official submits an affirmation in the Supplier Performance Risk System (SPRS) to assert full compliance. This must be conducted annually to maintain certification.
Your Complete Deliverables
Everything you need for a defensible self-certification — delivered as a complete, organized
package.
Full self-assessment report with findings for each practice
Asset inventory and scope documentation
Ongoing compliance maintenance guidance
Ready to Get CMMC Level 1 Certified?
For a fixed cost of $3,995, we’ll take you from assessment to a complete
self-certification package in as little as 2 weeks. Annual self-assessment
support included.