Skip to main content
CMMC Level 1 | Contractor-Friendly Requirements & Evidence Guide
Educational resource Operated by Federal Bid Partners LLC. Not affiliated with the U.S. Department of Defense.
CMMC Courses by Federal Bid Partners
CMMC Level 1 (Foundational)
Scope • Practices • Evidence

CMMC Level 1: simple requirements, strict proof.

Level 1 success usually comes down to two things: (1) clean scope and (2) evidence that matches reality. Most delays are not “we did nothing” — they’re “we did it partially” or “we can’t prove it consistently.”

Practice Level 1 Calculator → Get readiness support → Back to home
Informational only. Requirements vary by solicitation, clauses, flowdowns, and program updates. Follow official guidance and your contract requirements.

What Level 1 typically covers

Practical view for contractors

Goal

Demonstrate foundational safeguarding practices are implemented in the environment handling regulated work.

  • Define scope (systems, users, endpoints, cloud apps, vendors).
  • Implement required practices consistently.
  • Maintain proof (screenshots, exports, logs, SOPs, records).

Where teams get burned

Most failures are partial coverage or weak evidence mapping.

  • MFA enabled “some places” but not for admin actions or remote access.
  • Stale accounts / shared admins / unclear access rules.
  • Unmanaged devices touching regulated data.
  • Screenshots not attributable (no date, no system context, no policy link).

What “defensible evidence” looks like

Examples you can actually produce

Access & identity

MFA enforcement and permission discipline should be provable, not assumed.

  • MFA / conditional access policy screenshots or exports
  • Group/role assignments + access review records
  • Offboarding tickets + account disable logs

Devices & operations

Show that endpoints and processes are controlled and repeatable.

  • Asset inventory export + management policy screenshots
  • Encryption status + baseline configurations
  • Training completion records + SOPs that match reality
Fast win: create one “Evidence Library” folder with subfolders by requirement/control theme, and name items consistently (control + system + date). If evidence is scattered, you feel “behind” even when controls exist.

Next steps

Use the tool, then route to support if needed

Practice the right way

Use the core checklist to learn scoping + evidence thinking.

Open Practice Calculator → Read about Level 2 →

Get practitioner-led support

Guided scope + evidence mapping and a remediation plan under client direction.

CMMC Support → Contact →