Take the Readiness Assessment
CMMC Level 1

CMMC Level 1 Compliance in 30 Days

For manufacturers handling Federal Contract Information (FCI) that need foundational safeguarding fast.
Take the Readiness Assessment

Top Company

4.8

Clients Ratings

What Level 1 Requires

Level 1 focuses on basic safeguarding of FCI and is based on the 15 foundational safeguards in FAR 52.204-21. Level 1 generally involves annual self-assessment and annual affirmation of compliance.

Manufacturing Examples of FCI

  • Contract docs and requirements that are not designated as CUI
  • Purchase orders, delivery schedules, and contract execution communications
  • Non-controlled technical instructions tied to a federal program
  • Emails and file shares that coordinate contract performance

Cyber9 Level 1 Deliverables

  • In-scope boundary defined (which systems/users touch FCI)
  • User/account cleanup: least privilege + removal of stale accounts
  • Secure remote access: eliminate risky access paths, enforce MFA where appropriate
  • Endpoint baseline: EDR/AV + patching cadence + device configuration hardening
  • Network baseline: firewall rules review + segmentation for guest/vendor access
  • Backups: verify coverage + test a restore + document recovery steps
  • Evidence packet: configurations, screenshots, and checklists used for annual self-assessment
Week-by-Week

30-Day Plan

A focused 30-day plan to achieve CMMC Level 1 compliance. Over four weeks, we’ll secure your systems, implement key controls, and prepare documentation for self-assessment, ensuring minimal disruption and a solid foundation for cybersecurity.

  • Identify where FCI lives (email, SharePoint/OneDrive, ERP/MRP, file shares)
  • Inventory users/devices and vendor access paths
  • Quick wins: lock down shared logins, remove old accounts, validate admin access
  • Define scope boundary (what must be protected for Level 1)
  • Access control cleanup and admin separation where needed
  • Endpoint baseline: EDR/AV + patching process + encryption where feasible
  • Remote access hardening: MFA + VPN/RDP controls + remove exposed services
  • Firewall baseline + segmentation for guest/vendor access
  • Backup validation: coverage and restore test
  • Short security awareness training for office staff (minimal disruption)
  • Compile evidence (configs/logs/screenshots) aligned to Level 1 safeguards
  • Validation review: confirm safeguards are operating
  • Finalize evidence packet + self-assessment checklist
  • Leadership briefing: what to maintain monthly/quarterly
  • Identify if CUI exists and whether Level 2 is required
  • Will this disrupt production? Minimal - changes are staged and scheduled.
  • Do we need a third-party audit? Typically no for Level 1; it’s self-assessed annually.
  • What if we discover CUI? We pivot to Level 2 scoping (common in manufacturing).
Scroll to Top