CMMC Level 1 - Frequently Asked Questions

CMMC stands for Cybersecurity Maturity Model Certification. It's a framework created by the Department of Defense to ensure that defense contractors protect sensitive federal information.

Level 1 is the entry-level tier - it covers 15 fundamental cybersecurity practices that every business handling Federal Contract Information (FCI) should already have in place. These are basic safeguards, not enterprise-level IT requirements.

The 15 practices come directly from FAR clause 52.204-21, which has been a standard contract requirement for years. What changed is that contractors must now formally self-assess against these controls and report their score to the government.

Federal Contract Information is any information provided by or generated for the government under a contract to develop or deliver a product or service to the government - that is not intended for public release.

In practical terms, if you have a DoD contract and you receive or work with any of these, you have FCI:

• Government drawings, blueprints, or engineering specifications
• Contract technical requirements or statements of work
• Part numbers or specs marked "For Official Use Only"
• Any information from the government that's not publicly available

Note: If your contract involves CUI (Controlled Unclassified Information), you may need CMMC Level 2 - which has 110 controls and requires a third-party assessment. Level 1 is for FCI only.

The 15 controls are organized into 6 domains:

Access Control (4 controls):

• Limit system access to authorized users and devices
• Limit access to only necessary transactions and functions
• Verify and control external system connections
• Control information posted on public-facing systems

Identification & Authentication (2 controls):

• Identify all users, processes, and devices
• Authenticate users before granting access

Media Protection (1 control):

• Sanitize or destroy media before disposal/reuse

Physical Protection (4 controls):

• Limit physical access to systems and equipment
• Escort visitors and monitor their activity
• Maintain audit logs of physical access
• Control and manage physical access devices

System & Communications Protection (2 controls):

• Monitor and protect communications at network boundaries
• Separate public-facing systems from internal networks

System and Information Integrity (2 controls):

• Identify and fix system flaws in a timely manner
• Provide protection from malicious code (antivirus)

Take our free assessment to check yourself against all 15 in plain English.

SPRS stands for Supplier Performance Risk System. It's a DoD database that contracting officers use to check a supplier's past performance and compliance status before awarding contracts.

For CMMC, you calculate your score using the NIST SP 800-171 methodology and enter it directly into the SPRS system at sprs.csd.disa.mil. The score represents how many of the controls you have fully implemented.

Scoring works like this:

• Start at 110 points (perfect score)
• Each missing or partially missing control subtracts points (different controls have different weights)
• A score of -203 means zero controls in place
• Most compliant small businesses score 88-110

There is no published minimum score required to bid or maintain DoD contracts - but that's somewhat misleading. Here's the reality:

You must submit a score, and that score must be honest. A knowingly false or inflated score is a False Claims Act violation with severe penalties. The expectation is that you are actively working toward a score of 110 (fully compliant).

If your score is below 110, you must also submit a Plan of Action & Milestones (POAM) documenting how and when you'll address each gap. Contracting officers and prime contractors will review your score and POAM before awarding work.

Practically speaking: a score of 110 with documentation is your target. Any lower requires a credible remediation plan.

CMMC Level 1 self-assessments must be updated at least every 12 months. You must also re-assess after significant changes to your systems or practices.

You can update your SPRS entry at any time. Most small businesses do an annual review and update their score accordingly.

For most small manufacturers, it breaks down into three phases:

Phase 1 - Assess (1-2 hours): Go through all 15 controls honestly. Document which ones you have in place and which you don't. Our quiz automates most of this.

Phase 2 - Remediate (1 day to 2 weeks): Fix the gaps. This usually involves things like:

• Creating unique logins for each employee (if using shared accounts)
• Implementing a firewall if you don't have one
• Installing/configuring antivirus
• Creating a visitor log
• Setting up a process to wipe old hard drives

Phase 3 - Document and Submit (2-4 hours): Create a System Security Plan (SSP) documenting how you meet each control. Calculate your score using the official methodology. Submit to SPRS.

Our $3,500 package covers all three phases with you.

You can - and many do. The issue is that most IT companies aren't specialized in CMMC compliance. They'll bill you for hours, implement things you don't need, and may not know how to properly score and submit your SPRS entry.

Large cybersecurity firms that specialize in defense compliance typically charge $15,000-$50,000 for a Level 1 engagement - designed for mid-size companies with complex environments. A 10-person machine shop paying $40,000 for what amounts to 15 basic security controls is a significant mismatch.

We built this service specifically for small subcontractors. Flat fee, focused scope, no upselling.

• Full gap analysis based on your quiz answers
• 1-hour live compliance walkthrough with an advisor (phone or video)
• Specific remediation guidance for every gap (not generic advice - actual steps for your situation)
• System Security Plan (SSP) template pre-filled based on your responses
• Official SPRS score calculation using the NIST SP 800-171 weighting
• SPRS portal submission handled by us (requires your DoD login or we guide you through getting access)
• POAM (Plan of Action & Milestones) template if any gaps remain at submission time
• 30-day support for any follow-up questions

Yes - if you handle Federal Contract Information, the requirements flow down the supply chain. Your prime is required to include CMMC requirements in their subcontracts, and their primes require it of them.

If you're a tier-2 or tier-3 who receives government drawings, specs, or technical data as part of your work, you need to comply. The fact that you don't have a direct contract with the government doesn't exempt you.

If you have any active DoD contract that involves FCI, you're required to comply - regardless of how small that contract is relative to your overall business. The requirement isn't based on the dollar value; it's based on whether the contract exists and involves FCI.

Some businesses decide it's not worth the compliance cost and simply don't pursue or renew DoD work. That's a legitimate business decision. If you want to keep the work, you need to comply.

Generally, using standard commercial cloud services doesn't create a compliance problem for Level 1 - as long as you're controlling who has access to your accounts. The controls around external connections (AC.1.003) do apply, but having employees use Office 365 for email is not a violation.

Where it gets more complex is if you're storing CUI (Controlled Unclassified Information) in cloud systems - that's a Level 2 requirement with additional rules. For Level 1 with FCI only, standard commercial cloud use is generally acceptable.

Yes. Being compliant is not the same as having a SPRS entry. The requirement has two parts: (1) actually implement the controls, and (2) self-assess, score, and submit. Many businesses that are practically compliant still don't have a SPRS submission on file.

Without a SPRS entry, you have no documented compliance - which means contracting officers can't verify your status. Many prime contractors now require seeing a SPRS score as a condition of awarding subcontracts.