CMMC Level 1 in 2025: The Complete Checklist (What’s Actually Required)

Aug 17, 2025 | CMMC Level 1 Readiness


– CMMC Level 1 requires implementation of 17 basic cyber hygiene practices.

– In 2025, self-attestation remains the path, but penalties for false claims are real.

– “Implemented” means you can prove controls work, not just write policies.

– Evidence examples: MFA enabled, BitLocker on laptops, annual cyber training.

– PRAETORSEC provides a free downloadable checklist with all 17 practices and evidence examples.

Download the Free CMMC Level 1 Checklist PDF.

Why CMMC Level 1 Matters in 2025

The Cybersecurity Maturity Model Certification (CMMC) was developed by the U.S. Department of Defense (DoD) to protect sensitive information in the defense industrial base.

In 2025, the rollout continues to mature, and small businesses remain squarely in scope. Even if you only handle Federal Contract Information (FCI) and not Controlled Unclassified Information (CUI), CMMC Level 1 applies.

Level 1 is about demonstrating ‘basic cyber hygiene.’ While it does not require third-party certification, you must still attest annually in the Supplier Performance Risk System (SPRS).

False attestation carries legal risk under the False Claims Act. For small suppliers, the real challenge is not the size of the requirement but knowing what counts as acceptable evidence and how to keep it consistent year after year.

What CMMC Level 1 Covers

Level 1 is derived directly from the 17 practices in FAR 52.204-21, which map to a subset of NIST SP 800-171.

These practices fall across a handful of security domains:

– Access Control (AC)

– Identification and Authentication (IA)

– Media Protection (MP)

– Physical Protection (PE)

– System and Communications Protection (SC)

– System and Information Integrity (SI)

The key idea: You must be able to show that only the right people have access, that devices are secured, that data is protected in transit and at rest, and that basic monitoring is in place.

Sample Practices (from the Full Checklist)

| ID | Practice | Plain English | Evidence Example |
|---|---|---|---|
| AC.L1-3.1.1 | Limit access to authorized users | Only employees/partners who need access can log in | M365 user list export |
| IA.L1-3.5.3 | Use multifactor authentication | Require MFA for email and remote access | Screenshot of MFA policy in M365 |
| SI.L1-3.14.1 | Update systems and apply patches | Keep systems up-to-date with latest security updates | WSUS/Intune update compliance report |

This post provides highlights. The full downloadable PDF contains all 17 practices with detailed explanations and evidence examples.

What “Implemented” Really Looks Like

In CMMC terms, ‘implemented’ means more than writing a policy. It means you can show, at any time, that the practice is functioning as intended. Examples:

– Access control is not just a policy; it’s a current user list, showing only employees who need access.

– Device security is not just ‘we use encryption’; it’s BitLocker keys escrowed in Intune.

– Training is not just ‘employees trained’; it’s a dated roster or certificate.

When in doubt, ask: Could I show this to an assessor tomorrow and have them accept it?

Building a Level 1 Evidence Binder

Organizing evidence is often more challenging than the practices themselves. PRAETORSEC recommends a simple evidence binder structure that mirrors the practices.

A SharePoint library or secure folder works well for this purpose.

Suggested steps:
1. Create a root folder called ‘CMMC L1 Evidence’.

2. Subdivide by domain (AC, IA, MP, etc.).

3. For each practice, store a dated screenshot, export, or document.

4. Maintain a register (spreadsheet) that maps each practice to its evidence.

5. Update annually (or sooner if controls change).

The goal: You should be able to open the binder, walk through each practice, and show proof in minutes.
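A small register checker that enforces the binder structure above, as an added example (not code from the original post or from PRAETORSEC). It assumes the root folder ‘CMMC L1 Evidence’ with one subfolder per domain, a register with columns practice_id, evidence_path and collected_on, and the annual re-verification cycle; the register rows are constructed sample data, and the three practice IDs are only the ones from the sample table above, not the full list.

```python
"""Evidence-register checker for a CMMC Level 1 evidence binder.

Added example, not from the original post. Assumes the binder layout described
in the post: root folder 'CMMC L1 Evidence', one subfolder per domain (AC, IA,
...), and a register mapping each practice to a dated artifact. Sample rows
below are constructed; the practice IDs are the three from the post's table.
"""
import csv
import io
from datetime import date

# Hypothetical subset of required practices; take the full list from the checklist.
REQUIRED_PRACTICES = ["AC.L1-3.1.1", "IA.L1-3.5.3", "SI.L1-3.14.1"]
ROOT = "CMMC L1 Evidence"
MAX_AGE_DAYS = 365          # evidence is re-verified annually
AS_OF = date(2025, 8, 17)   # attestation date used for the sample run

# Constructed sample register: one misfiled artifact and one stale artifact.
SAMPLE_REGISTER = """practice_id,evidence_path,collected_on
AC.L1-3.1.1,CMMC L1 Evidence/AC/m365-users-2025-08-01.csv,2025-08-01
IA.L1-3.5.3,CMMC L1 Evidence/SC/mfa-policy.png,2025-08-01
SI.L1-3.14.1,CMMC L1 Evidence/SI/intune-compliance-2024-05-10.pdf,2024-05-10
"""


def check_register(register_csv, required, as_of):
    """Return a list of findings; an empty list means every practice has fresh, correctly filed evidence."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        pid = row["practice_id"].strip()
        seen.add(pid)
        domain = pid.split(".")[0]                      # "AC" from "AC.L1-3.1.1"
        parts = row["evidence_path"].split("/")
        if len(parts) < 3 or parts[0] != ROOT or parts[1] != domain:
            findings.append(f"{pid}: evidence not filed under {ROOT}/{domain}/")
        age = (as_of - date.fromisoformat(row["collected_on"])).days
        if age < 0:
            findings.append(f"{pid}: collection date is in the future")
        elif age > MAX_AGE_DAYS:
            findings.append(f"{pid}: evidence is {age} days old; re-collect before attesting")
    for pid in required:                                # practices with no artifact at all
        if pid not in seen:
            findings.append(f"{pid}: no evidence recorded")
    return findings


def run_sample():
    """Check the constructed register against the sample practice list."""
    return check_register(SAMPLE_REGISTER, REQUIRED_PRACTICES, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```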

Common Pitfalls and Misconceptions

Assuming policies alone are enough. Written policies without evidence of implementation will not satisfy requirements.

Overcomplicating evidence. You don’t need enterprise tools; a screenshot or export is often sufficient.

Ignoring subcontractors. If you share FCI with a subcontractor, they must also meet Level 1.

Treating self-attestation as optional. SPRS attestation is contractually required; skipping it risks non-compliance.

One-and-done thinking. Controls must be maintained and re-verified each year.

FAQ

Q: Do I need written policies at Level 1?
A: Strictly speaking, no. But short, simple procedures help ensure consistency and make evidence collection easier.

Q: Who verifies my attestation?
A: For Level 1, there is no C3PAO audit. However, the DoD reserves the right to request evidence, and False Claims Act liability applies if your attestation is untrue.

Q: How long does it take to prepare?
A: Most small businesses can complete Level 1 readiness in 2–4 weeks with dedicated effort.

Q: What if I handle Controlled Unclassified Information (CUI)?
A: Then Level 2 applies, which requires significantly more practices and a third-party assessment.

Next Steps

CMMC Level 1 is achievable for any small defense supplier if you focus on evidence over paperwork. This post gave you the highlights, but the real value is in having a clear, mapped checklist.

Download the Free CMMC Level 1 Checklist PDF 

Includes all 17 practices, plain-English explanations, and sample evidence artifacts.

Need confidence in your self-attestation? PRAETORSEC helps you structure evidence, close gaps, and prepare with an assessor’s mindset.

Book a consultation today to make compliance clear and manageable.

Written By PRAETORSEC
