CMMC Level 1 Preparation


This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC Level 1 certification without the need to hire a consultant. These are general suggestions and will require some work to modify for specific use cases.


The following is required before you begin: 

  1. IT Knowledge: Having a basic level of IT knowledge is critical to implement the controls successfully. 

  2. Define FCI/CUI: Define what FCI & CUI is for your specific business case.

  3. Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory.

  4. Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.

  5. Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.

  6. Create a Plan & Prioritize Resources:  Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). 

The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. 

CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.


Additional Resources:

CMMC Level 1

CMMC Level 1 is the entry point to the 5 level ecosystem. Level 1 is considered to be Basic Cyber Hygiene practices that enable safeguards for Federal Contract Information (FCI) and is made up of 17 controls. The good news for Level 1: You are not required to have documented policies or procedures in order to be certified. You are just required to show the auditor that each control is being performed.

The following are the Level 1 Categories:

  1. Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.

  2. Identification & Authentication (IA) (2 Controls): Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

  3. Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.

  4. Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.

  5. System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable
    system configurations, denial of service, data communication, and information transfer both internally and externally.

  6. System & Information Integrity (SI) (4 Controls): These control help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.

Process & Timeline

The total timeline from Preparation to Certification is estimated to be 6 – 9 months. Many factors contribute to this estimate including the time it takes the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.


The following is the high-level process:

  1. Assessment: This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Understand the Current Culture, Business Pipeline, Corporate Structure, and Business Vision.

  2. Preparation: Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.

  3. Practice Period: All gaps have been addressed, solutions are operational, and the organization is in compliance capturing evidence proving full compliance.

  4. Certification (Self Assessed): After 6 months of continued practice period, you can perform a new assessment to ensure the organization is in full compliance to officially declare CMMC Level 1 certification.

Control Implementation

Access Control (AC) (4 Controls)

Identification & Authentication (IA) (2 Controls

Media Protection (MP) (1 Control)

Physical Protection (PE) (4 Controls)

System & Communications Protection (SC) (2 Controls)

System & Information Integrity (SI) (4 Controls)

What’s Next - Practice Period

The following is required before you begin:

  1. Capture Updates To Documents – SSP and/or POA&M

  2. Change Control & Maintenance Documentation Notes

  3. Update Network Diagram

  4. Update Data Flow Diagram

  5. Create a Controls Responsibility Matrix Document/Spreadsheet

  6. Review Current Flow Down Contract Requirements

  7. Monitor, Log Capture, Report, and Maintain Program


  1. We Are Proven: We have a deep track record of success and numerous clients who will be happy to speak to our team’s expertise and willingness to go the extra mile. This has helped us receive the award as the Top Cybersecurity Firm in Baltimore.

  2. We Speak Your Language: Our communication style humanizes our technical solutions, leading to greater cultural acceptance and adherence.

  3. We Are Focused: We are driven by one overarching goal – Security Compliance Certification for our client partners.

  4. We Never Lose: 100% of the clients who complete the steps in our process achieve compliance.


Reach Out Today