A Step-by-Step CMMC Level 1 Checklist


The Cybersecurity Maturity Model Certification (CMMC) program is the latest assessment method developed by the Department of Defense (DoD). The new program is an amendment to the existing Defense Federal Acquisition Regulation Supplement.

The new program evaluates the cybersecurity standards of potential partners and organizations within the DoD supply chain in order to reduce potential threats to national security. It also serves to make the system easier to navigate for contractors.

The model has five levels, running from CMMC level 1 to level 5. Each step introduces additional requirements to ensure that controlled unclassified information (CUI) handled by third parties is safe. The five levels focus on the following:

  • CMMC Level 1: Safeguarding federal contract information
  • CMMC Level 2: Building a foundation for protecting CUI
  • CMMC Level 3: Protecting CUI
  • CMMC Level 4: Reducing the risk of advanced threats
  • CMMC Level 5: Optimizing cybersecurity controls and practices

Who needs CMMC certification? Any contractors and subcontractors who are looking to acquire government contracts in DoD supply chains.

Level 1 is the most basic level that complies with CMMC requirements. It is necessary for a wide range of contracts that handle CUI. To become CMMC-certified, a business must complete an assessment with the CMMC Accreditation Body (CMMC-AB) or a CMMC 2.0 self-evaluation.

The evaluation focuses on the 17 CMMC level 1 controls. In this article, we’ll provide you with a comprehensive CMMC level 1 checklist that will help you ensure your business can pass its assessment with flying colors.




CMMC Level 1 Checklist

This CMMC compliance checklist includes each of the 17 criteria for level 1 compliance from the official DoD CMMC controls list. Meeting these standards means that your business has demonstrated it is able to properly handle and protect CUI.


1. Authorized Access Control

Your business must limit information system access to authorized users. Authorized users must be clearly identified, use strong passwords, and implement security practices such as always logging out of unattended devices.


2. Transaction and Function Control

Certain types of transactions and functions should only be accessible to specific users. Only a certain number of accounts should have full admin rights, and only the appropriate employees should have access to organizational information.


3. External Connections

All external connections must be secure when working on federal contracts. You must protect your business network and implement additional security requirements for remote access to files and resources.


4. Control Public Information

Any information that you process through public systems must be carefully protected. You should secure any use of cloud storage by using a strong password and proper cloud security practices.


5. Identification

Ensure that every user has a distinct identity, and don’t allow any sharing of accounts or passwords. You should tie privileges to accounts, ensuring that files and resources are only accessible to the appropriate users.


6. Authentication

Your business needs authentication methods to verify that users are who they say they are. Never use default passwords, ensure that devices lock automatically after a period of inactivity, and implement two-factor authentication and other measures.



7. Media Disposal

To ensure that your business complies with CMMC, you must have procedures in place for the safe destruction of media containing any CUI. That means seeking out professional device or hard drive destruction when disposal is necessary.


8. Limit Physical Access

You should limit physical access to your systems and equipment to authorized individuals. Clearly define which areas of an office are private and keep all equipment in those locations. Prime contractors must limit access by subcontractors as much as possible.


9. Escort Visitors

Visitors to your business should be clearly identified and always supervised. Unauthorized individuals should not have unrestricted access to private areas within your office or other facilities.


10. Physical Access Logs

Your business must maintain physical access logs detailing who visits your facility and when. The use of sign-in and sign-out sheets is essential for both employees and visitors, and the use of surveillance cameras is highly recommended, even for small businesses.


11. Manage Physical Access

Manage physical access to your property and systems by keeping doors and windows locked and properly handling your security system to prevent unauthorized access or theft of devices and system components.


12. Boundary Protection

Implement protections such as firewalls and other network security at the boundaries of your information systems.


13. Public-Access System Separation

Use subnetworks to establish boundaries between publicly accessible system components and the rest of your network.


14. Flaw Remediation

Ensure that you and your employees deal with system flaws quickly and that operating systems, security software, and applications are all up to date.


15. Malicious Code Protection

Ensure that your organization has the right cybersecurity solutions in place to deal with malicious code such as malware and ransomware.


16. Update Malicious Code Protection

Always update your cybersecurity solutions to the latest standards to ensure ongoing protection from the latest cybersecurity threats.


17. System and File Scanning

Implement periodic scans using antivirus and antimalware software throughout your organization’s systems and network, along with scanning files from external sources.



Ensure Your Business is Ready for CMMC Level 1 Certification

Meeting these CMMC level 1 requirements is the essential first step to securing lucrative DoD supply chain contracts. These contracts accounted for $398 billion spent in 2021.

Ensuring that your business satisfies all CMMC controls requires a careful evaluation of your cybersecurity posture and the implementation of practical solutions to maintain those standards.

Protek can identify where your business does or does not meet these security requirements with a complete security assessment. Our professional team can then provide the vital cybersecurity requirements that you need to get CMMC certified.

For more information about how we can assist you with CMMC Level 1 certification, contact us today to get started.