CMMC 2.0 Level 1
Small Business DIY Guide

Background & Why

This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC 2.0 Level 1 certification WITHOUT the need to hire a consultant.

Why is a cybersecurity compliance organization instructing you on how to achieve CMMC 2.0 Level 1 compliance on your own? We know how difficult it is to be a government contractor since we are DoD contractors ourselves. “Sharing is Caring” is one of our core values. We make every effort to be transparent on how to successfully get any security compliance required to meet contract commitments and CMMC is no exception. The truth is, even with this knowledge provided, not everyone will be able to pull this off and will want assistance from a firm like ours at some point.

Disclaimer: These are general suggestions and will require some work to modify for specific use cases. Please follow at your own risk. 

If you have implementation questions or need help understanding any part of this DIY, please send us your questions here: I HAVE A QUESTION


The following is required before you begin: 

  1. IT Knowledge: Having a basic level of IT knowledge is critical to implement the controls successfully.

  2. Define FCI/CUI: Define what FCI & CUI is for your specific business case. Need help with this? Check out this article here.

  3. Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory. These will help identify how sensitive data is handled as it moves through the organization's network. Ideally you want to show who handles the data, on which device(s), at what location, and where it will be at rest.

  4. Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.

  5. Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.

  6. Create a Plan & Prioritize Resources:  Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.

  7. Sales Pipeline (ROI): Do you have current or upcoming contracts that require CMMC compliance? If so, identify how data will flow between your organization and the customer.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). 

The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. 

CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.


CMMC Level 1

CMMC Level 1 is the entry point to the three-level ecosystem. Level 1 is considered to be Basic Cyber Hygiene: practices that provide safeguards for Federal Contract Information (FCI). It is made up of 17 controls. The good news for Level 1 is that it has a short list of controls (compared to the other Levels), making it easier to implement for organizations that don’t currently have a security program in place.


The following are the Level 1 Categories:

  1. Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.

  2. Identification & Authentication (IA) (2 Controls): Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

  3. Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.

  4. Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.

  5. System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable system configurations, denial of service, data communication, and information transfer both internally and externally.

  6. System & Information Integrity (SI) (4 Controls): These controls help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.

Process & Timeline

The total timeline from preparation to compliance for CMMC 2.0 Level 1 is estimated to be 1 – 6 months. Many factors contribute to this estimate, including the time it takes for the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.

The following is the high-level process:

  1. Assessment: This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Understand the Current Culture, Sales Pipeline, Corporate Structure, and Business Vision.

    How To: Create a spreadsheet that includes all of the controls listed in this guide. Evaluate each control and list out the solutions that are in place to meet it. If you don’t have a solution in place, or only have a partial solution, mark the control as a GAP. Each GAP should have an ETA and a planned solution written down to ensure the GAP will be remediated.

  2. Preparation: Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.

  3. Practice Period: All gaps have been addressed, solutions are operational, and the organization is operating in compliance while capturing evidence that proves full compliance.

  4. Certification: After a 6-month practice period, perform a new assessment to ensure the organization is in full compliance with CMMC 2.0 Level 1. Self-assessments are sufficient for CMMC 2.0 Level 1 requirements.
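The assessment spreadsheet described in step 1 (one row per control, solutions in place, GAP marking, and an ETA plus planned solution for every GAP) can be checked mechanically before it feeds the POA&M. The script below is an added example, not part of this guide or any official CMMC tooling. It assumes a CSV export with the columns control, family, status, solution and eta, uses the per-family control counts listed in this guide to confirm the inventory is complete, and flags any GAP that lacks a planned solution or a valid ETA. The sample rows are constructed; the control identifiers are the CMMC 2.0 Level 1 practice IDs as assumed here, and the statuses and dates are made up for illustration.

```python
"""Gap-assessment checker for a CMMC 2.0 Level 1 self-assessment (added example)."""
import csv
import io
from datetime import date

# Control count per family as listed in this guide (4 + 2 + 1 + 4 + 2 + 4 = 17).
EXPECTED_PER_FAMILY = {"AC": 4, "IA": 2, "MP": 1, "PE": 4, "SC": 2, "SI": 4}
GAP_STATUSES = {"PARTIAL", "NONE"}  # anything other than MET is a GAP
VALID_STATUSES = GAP_STATUSES | {"MET"}

# Constructed sample of the assessment spreadsheet. Control IDs are assumed to be
# the Level 1 practice identifiers; solutions, statuses and ETAs are made up.
SAMPLE_CSV = """control,family,status,solution,eta
AC.L1-3.1.1,AC,MET,"Unique directory accounts; guest accounts disabled",
AC.L1-3.1.2,AC,MET,"Role-based permissions on the FCI file share",
AC.L1-3.1.20,AC,PARTIAL,"Firewall rules for external connections; VPN policy still draft",2024-09-30
AC.L1-3.1.22,AC,NONE,"Review procedure for content posted to the public website",2024-08-15
IA.L1-3.5.1,IA,MET,"Named accounts only, no shared logins",
IA.L1-3.5.2,IA,MET,"Password policy plus MFA on email",
MP.L1-3.8.3,MP,NONE,"",2024-10-01
PE.L1-3.10.1,PE,MET,"Badge access to the office; server closet locked",
PE.L1-3.10.3,PE,MET,"Visitor sign-in sheet and escort",
PE.L1-3.10.4,PE,MET,"Visitor log retained 12 months",
PE.L1-3.10.5,PE,MET,"Keys and badges issued by office manager",
SC.L1-3.13.1,SC,MET,"Perimeter firewall with default-deny inbound",
SC.L1-3.13.5,SC,MET,"Public website hosted outside the office network",
SI.L1-3.14.1,SI,MET,"Monthly patch cycle for workstations",
SI.L1-3.14.2,SI,MET,"Endpoint protection on all workstations",
SI.L1-3.14.4,SI,PARTIAL,"Antivirus definitions auto-update on laptops only",
SI.L1-3.14.5,SI,MET,"Real-time scanning enabled on endpoints",
"""


def load_assessment(csv_text):
    """Parse the spreadsheet export, trimming whitespace and normalising status case."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        clean = {k: (v or "").strip() for k, v in row.items()}
        clean["status"] = clean["status"].upper()
        rows.append(clean)
    return rows


def coverage_problems(rows):
    """Every Level 1 family must appear with exactly the number of controls the guide lists."""
    counts = {}
    for r in rows:
        counts[r["family"]] = counts.get(r["family"], 0) + 1
    problems = []
    for fam, expected in EXPECTED_PER_FAMILY.items():
        if counts.get(fam, 0) != expected:
            problems.append(f"{fam}: expected {expected} controls, found {counts.get(fam, 0)}")
    problems += [f"{fam}: not a Level 1 family" for fam in counts if fam not in EXPECTED_PER_FAMILY]
    problems += [f"{r['control']}: unknown status {r['status']!r}" for r in rows
                 if r["status"] not in VALID_STATUSES]
    return problems


def find_gaps(rows):
    """A control is a GAP when its solution is partial or absent."""
    return [r for r in rows if r["status"] in GAP_STATUSES]


def gap_problems(gaps):
    """Each GAP needs a written planned solution and a parseable ISO date ETA."""
    problems = []
    for g in gaps:
        if not g["solution"]:
            problems.append(f"{g['control']}: no planned solution recorded")
        try:
            date.fromisoformat(g["eta"])
        except ValueError:
            problems.append(f"{g['control']}: missing or invalid ETA {g['eta']!r}")
    return problems


def build_poam(rows):
    """POA&M entries for every well-formed GAP, soonest ETA first; malformed GAPs are left out."""
    entries = []
    for g in find_gaps(rows):
        if not g["solution"]:
            continue
        try:
            eta = date.fromisoformat(g["eta"])
        except ValueError:
            continue
        entries.append({"control": g["control"], "weakness": f"{g['status']}: not fully implemented",
                        "planned_solution": g["solution"], "eta": eta.isoformat()})
    return sorted(entries, key=lambda e: e["eta"])


if __name__ == "__main__":
    assessment = load_assessment(SAMPLE_CSV)
    for p in coverage_problems(assessment) + gap_problems(find_gaps(assessment)):
        print("PROBLEM:", p)
    for e in build_poam(assessment):
        print(f"{e['eta']}  {e['control']:14}  {e['weakness']}  ->  {e['planned_solution']}")
```

Run against the sample, the checker reports two problems (the MP gap has no planned solution and the SI gap has no ETA) and produces a two-line POA&M for the AC gaps; the two malformed gaps stay out of the POA&M until the spreadsheet is corrected, which is the point of running the check before the practice period starts.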

Control Implementation

Access Control (AC) (4 Controls)

Identification & Authentication (IA) (2 Controls)

Media Protection (MP) (1 Control)

Physical Protection (PE) (4 Controls)

System & Communications Protection (SC) (2 Controls)

System & Information Integrity (SI) (4 Controls)

What’s Next - Practice Period

Now what? This is when your security program can begin operating, knowing that all of the controls have been met. When a security program is operational, activity is captured via logs to prove that a real program exists (just like an accounting ledger).

As you go through your security program operation, make sure to be mindful of the following items:

  1. Capture Updates To Documents – SSP and/or POA&M

  2. Change Control & Maintenance Documentation Notes

  3. Update Network Diagram

  4. Update Data Flow Diagram

  5. Create a Controls Responsibility Matrix Document/Spreadsheet

  6. Review Current Flow Down Contract Requirements

  7. Monitor, Log Capture, Report, and Maintain Program

Frequently Asked Questions

Does CMMC Level 1 Require a 3rd Party Auditor?

No. CMMC Level 1 is intended to be the starting point within the maturity model. Level 2 & Level 3 will require a 3rd party auditor.

If I'm NIST-800-171 Compliant, What's The Overlap With CMMC?

NIST-800-171 closely aligns with CMMC Level 2 requirements. If you are currently a DoD contractor, then you should be aware that your organization must already be NIST-800-171 compliant. Learn more here: CLICK ME

Will Any DoD Customer Require CMMC Level 1 Only or Would CMMC Level 2 Be The Most Common?

It depends on the contract and the work being performed. Unofficially, since NIST-800-171 is a current requirement, chances are CMMC Level 2 will be the most commonly required CMMC practice level. Again, this is just an opinion vs fact.

Is There a CMMC Level 2 and/or NIST-800-171 Guide Coming Out?

Yes. Sign up to receive an email notification once the guide is up: Click Me

Questions About CMMC Level 1? Send Them Here: