CMMC Level 1 Self-Assessment: Step-by-Step Guide for NC Defense Contractors

Complete CMMC Level 1 self-assessment walkthrough for NC defense contractors - all 17 practices explained in plain language with evidence requirements. Call (336) 886-3282.


CMMC Level 1 self-assessment requires North Carolina defense contractors to demonstrate compliance with 17 cybersecurity practices derived from FAR 52.204-21, submitted annually through the DoD's Supplier Performance Risk System (SPRS). Unlike higher CMMC levels, Level 1 does not require third-party certification, making it achievable for small defense subcontractors with limited IT resources and budgets.

Key takeaway: According to the DoD CMMC Final Rule (32 CFR) published October 15, 2024, CMMC Level 1 compliance became effective December 16, 2024, and will be mandatory in all DoD contracts by October 31, 2026. The self-assessment approach reduces financial and administrative burden on small businesses while establishing basic safeguarding of Federal Contract Information (FCI).

Need CMMC Level 1 compliance help? Preferred Data Corporation provides CMMC compliance services for North Carolina defense contractors. BBB A+ rated with 37+ years of experience. Call (336) 886-3282 or schedule your assessment.

Understanding CMMC Level 1 Basics

Before walking through the 17 practices, understand what Level 1 protects and who needs it.

What Level 1 Protects

CMMC Level 1 safeguards Federal Contract Information (FCI), which is information not intended for public release and provided by or generated for the government under a contract. This is different from Controlled Unclassified Information (CUI), which requires Level 2 compliance.

Examples of FCI:

  • Contract terms, pricing, and delivery schedules
  • Performance requirements and specifications
  • Government-provided technical data
  • Internal communications about contract performance
  • Procurement-related information

Who Needs Level 1

According to Coalfire Federal's CMMC preparation guide, CMMC Level 1 will be required for anyone who obtains a DoD contract but does not produce solely Commercial Off-the-Shelf (COTS) products. This includes:

  • Small subcontractors in the defense supply chain
  • Manufacturers providing non-COTS components
  • Professional services firms supporting DoD contracts
  • Construction companies working on military installations
  • IT service providers supporting defense organizations

For North Carolina's defense industrial base, concentrated in the Research Triangle, Piedmont Triad, and Fayetteville areas, Level 1 compliance is the minimum entry requirement for continued DoD contract eligibility.

The Self-Assessment Process

How Self-Assessment Works

The CMMC Level 1 self-assessment requires:

  1. Your organization evaluates itself against all 17 practices
  2. Each practice receives a finding of MET or NOT APPLICABLE
  3. An Affirming Official (typically a senior executive) attests to the assessment results
  4. Results are submitted to SPRS annually
  5. All assessment records are retained internally (no documents uploaded to SPRS)

Assessment Methods

For each practice, use three assessment methods as defined in the CMMC Assessment Guide:

  • Examine: Review documents, policies, and configurations
  • Interview: Discuss practices with relevant personnel
  • Test: Verify controls function as intended

The 17 CMMC Level 1 Practices Explained

The practices are organized into six domains. Here is each practice in plain language with evidence requirements.

Domain 1: Access Control (4 Practices)

Practice 1.001 - Limit system access to authorized users

What it means: Only people who should have access to your systems actually do.

Evidence needed:

  • [ ] User account list showing only current, authorized employees
  • [ ] Process for creating and approving new accounts
  • [ ] Terminated employees have accounts disabled promptly
  • [ ] Guest/visitor access is controlled and limited

Practice 1.002 - Limit access to authorized transactions and functions

What it means: Users can only do what their job requires, not everything.

Evidence needed:

  • [ ] Role-based access controls are implemented
  • [ ] Regular users do not have administrative privileges
  • [ ] Access is based on job function (least privilege)
  • [ ] Sensitive functions require specific authorization

Practice 1.003 - Verify and control connections to external systems

What it means: You control what external systems connect to your network.

Evidence needed:

  • [ ] Firewall controls inbound and outbound connections
  • [ ] Remote access requires authentication (VPN with credentials)
  • [ ] Unauthorized devices cannot connect to your network
  • [ ] Wi-Fi access is controlled (not open to the public)

Practice 1.004 - Control information posted on publicly accessible systems

What it means: FCI is not accidentally published on your website or public platforms.

Evidence needed:

  • [ ] Review process before publishing content externally
  • [ ] Employees trained not to post FCI on social media or public sites
  • [ ] Website content does not contain FCI
  • [ ] Public file shares or cloud storage do not expose FCI

Domain 2: Identification and Authentication (2 Practices)

Practice 2.001 - Identify system users, processes, and devices

What it means: Every user, automated process, and device on your network has a unique identity.

Evidence needed:

  • [ ] Each user has a unique username (no shared accounts)
  • [ ] Devices are inventoried and identifiable on the network
  • [ ] Service accounts for automated processes are documented
  • [ ] Guest accounts are individually tracked

Practice 2.002 - Authenticate users, processes, and devices

What it means: Identities are verified before granting access (passwords, MFA, certificates).

Evidence needed:

  • [ ] Password policy enforces minimum complexity
  • [ ] Passwords are changed when compromised
  • [ ] Authentication is required for all system access
  • [ ] Default passwords are changed on all devices
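The account-related evidence in Practices 1.001, 1.002 and 2.001 comes down to one reconciliation: every enabled account maps to a current employee or a documented service account, no account is shared, and administrative rights line up with a job role that needs them. The script below is an added example (not code from the page or from PDC) that performs that reconciliation over a constructed account export and a constructed HR roster; the CSV column names, the 90-day stale-logon threshold, the set of documented service accounts and the admin roles are all assumptions for the example. Its output is the list of findings you would attach as evidence and the resulting MET / NOT MET status per practice.

```python
"""Evidence check for Practices 1.001, 1.002 and 2.001 (account reconciliation).

Added example. Inputs are constructed: an account export and an HR roster in an
assumed CSV layout. A real directory or application export will differ.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed account export (assumed columns).
ACCOUNT_EXPORT = """\
username,owner,enabled,is_admin,last_logon
jsmith,Jane Smith,true,false,2025-03-01
bjones,Bob Jones,true,true,2025-03-02
shared-frontdesk,,true,false,2025-03-02
tlee,Tom Lee,true,false,2024-11-15
svc-backup,Backup job,true,true,2025-03-02
admin,,true,true,2025-01-20
"""

# Constructed HR roster: current employment status and job role per person.
HR_ROSTER = """\
name,status,role
Jane Smith,active,Engineer
Bob Jones,active,IT Administrator
Tom Lee,terminated,Accountant
"""

# Assumptions for this example: documented automation identities (2.001) and the
# roles whose job function justifies administrative rights (1.002).
DOCUMENTED_SERVICE_ACCOUNTS = frozenset({"svc-backup"})
ADMIN_ROLES = frozenset({"IT Administrator"})


@dataclass(frozen=True)
class Finding:
    practice: str   # practice number as the page labels it
    username: str
    issue: str


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def assess_accounts(account_csv, roster_csv, as_of, documented_service_accounts,
                    admin_roles, stale_after=timedelta(days=90)):
    """Return one Finding per condition that would keep a practice from being MET."""
    roster = {r["name"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(account_csv)):
        user = acct["username"]
        if user in documented_service_accounts:
            continue  # documented service account: the 2.001 evidence already covers it
        owner = acct["owner"].strip()
        enabled = _truthy(acct["enabled"])
        is_admin = _truthy(acct["is_admin"])
        last_logon = date.fromisoformat(acct["last_logon"])
        role = None
        if not owner:
            findings.append(Finding("2.001", user, "no named owner (shared or generic account)"))
        elif owner not in roster:
            findings.append(Finding("1.001", user, "owner not on the HR roster"))
        else:
            role = roster[owner]["role"]
            if enabled and roster[owner]["status"] != "active":
                findings.append(Finding("1.001", user, "terminated employee still enabled"))
        if is_admin and role not in admin_roles:
            findings.append(Finding("1.002", user, "administrative rights without an admin job role"))
        if enabled and as_of - last_logon > stale_after:
            findings.append(Finding("1.001", user, f"no logon in {(as_of - last_logon).days} days"))
    return findings


def practice_results(findings, practices=("1.001", "1.002", "2.001")):
    """Collapse findings into the MET / NOT MET result the self-assessment records."""
    failing = {f.practice for f in findings}
    return {p: ("NOT MET" if p in failing else "MET") for p in practices}


def run_example():
    """Run the reconciliation over the constructed data as of a fixed assessment date."""
    findings = assess_accounts(ACCOUNT_EXPORT, HR_ROSTER, date(2025, 3, 3),
                               DOCUMENTED_SERVICE_ACCOUNTS, ADMIN_ROLES)
    return findings, practice_results(findings)


if __name__ == "__main__":
    found, results = run_example()
    for f in found:
        print(f"Practice {f.practice}  {f.username:<18} {f.issue}")
    print(results)
```

Against the constructed data the check flags the shared front-desk login and the generic admin account (no accountable owner), the terminated employee whose account is still enabled and has not logged on in over 90 days, and administrative rights on an account with no admin job role. Keeping the dated output together with the export and roster it was run against is the kind of retained record the SPRS attestation assumes you can produce on request.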

Domain 3: Media Protection (1 Practice)

Practice 3.001 - Sanitize or destroy media before disposal or reuse

What it means: When you get rid of hard drives, USB drives, or other media, FCI is completely removed.

Evidence needed:

  • [ ] Process for wiping or destroying storage media
  • [ ] Certificates of destruction for disposed equipment
  • [ ] USB drives and portable media included in disposal procedures
  • [ ] Paper documents with FCI are shredded

Domain 4: Physical Protection (4 Practices)

Practice 4.001 - Limit physical access to authorized individuals

What it means: Only authorized people can enter areas where FCI is processed or stored.

Evidence needed:

  • [ ] Locked doors on server rooms and IT areas
  • [ ] Badge access or key control for sensitive areas
  • [ ] Visitor sign-in and escort procedures
  • [ ] After-hours access is restricted and monitored

Practice 4.002 - Escort visitors and monitor visitor activity

What it means: Visitors cannot wander unaccompanied in areas with FCI.

Evidence needed:

  • [ ] Visitor log maintained at entry points
  • [ ] Visitors are escorted in sensitive areas
  • [ ] Visitor badges clearly identify non-employees
  • [ ] Visitor access is limited to necessary areas

Practice 4.003 - Maintain audit logs of physical access

What it means: You have records of who accessed sensitive areas and when.

Evidence needed:

  • [ ] Badge access system logs (electronic or manual sign-in sheets)
  • [ ] Logs retained for a reasonable period (90+ days recommended)
  • [ ] Logs reviewed periodically for anomalies
  • [ ] Server room access specifically tracked

Practice 4.004 - Control and manage physical access devices

What it means: Keys, badges, and access codes are tracked and controlled.

Evidence needed:

  • [ ] Key/badge inventory maintained
  • [ ] Lost badges/keys reported and deactivated immediately
  • [ ] Access devices returned when employees leave
  • [ ] Access codes changed when personnel change

Domain 5: System and Communications Protection (2 Practices)

Practice 5.001 - Monitor, control, and protect communications at system boundaries

What it means: Network traffic entering and leaving your organization is filtered and monitored.

Evidence needed:

  • [ ] Firewall deployed at network perimeter
  • [ ] Firewall rules reviewed and appropriate
  • [ ] Outbound traffic filtered (not just inbound)
  • [ ] Network traffic is logged

Practice 5.002 - Implement subnetworks for publicly accessible system components

What it means: Systems accessible from the internet (web servers, email) are separated from internal systems.

Evidence needed:

  • [ ] DMZ or separate network segment for public-facing systems
  • [ ] Internal systems not directly accessible from the internet
  • [ ] Public-facing and internal systems on different subnets
  • [ ] Traffic between zones is controlled by firewall rules
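The "firewall rules reviewed and appropriate" and "internal systems not directly accessible from the internet" items in Practices 5.001 and 5.002 can be checked mechanically once the rules are in a structured form. The script below is an added example (not code from the page or from PDC) that reviews a constructed ruleset against an assumed two-segment layout: an internal subnet and a DMZ. It flags allow rules that let internet sources reach the internal segment directly, unrestricted outbound rules, any/any allow rules, and a missing default-deny at the end of the ruleset. The subnets, rule format and rule names are all constructed for the example.

```python
"""Boundary rule review for Practices 5.001 and 5.002.

Added example. The ruleset, subnets and rule format are constructed assumptions;
export your own rules into this shape before running the review.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network layout for the example.
INTERNAL_NET = ipaddress.ip_network("10.0.10.0/24")   # workstations, file and database servers
DMZ_NET = ipaddress.ip_network("10.0.20.0/24")        # public-facing web and mail

# Constructed ruleset in evaluation order; "any" means unrestricted.
FIREWALL_RULES = [
    {"name": "web-in",     "action": "allow", "src": "any",          "dst": "10.0.20.10/32", "ports": "443"},
    {"name": "mail-in",    "action": "allow", "src": "any",          "dst": "10.0.20.20/32", "ports": "25"},
    {"name": "legacy-rdp", "action": "allow", "src": "any",          "dst": "10.0.10.5/32",  "ports": "3389"},
    {"name": "dmz-to-db",  "action": "allow", "src": "10.0.20.0/24", "dst": "10.0.10.50/32", "ports": "1433"},
    {"name": "lan-out",    "action": "allow", "src": "10.0.10.0/24", "dst": "any",           "ports": "any"},
    {"name": "default",    "action": "deny",  "src": "any",          "dst": "any",           "ports": "any"},
]


@dataclass(frozen=True)
class Finding:
    practice: str
    rule: str
    issue: str


def zone_of(cidr: str) -> str:
    """Map an address specification to a zone; anything not internal or DMZ is treated as internet."""
    if cidr == "any":
        return "internet"
    net = ipaddress.ip_network(cidr, strict=False)
    if net.subnet_of(INTERNAL_NET):
        return "internal"
    if net.subnet_of(DMZ_NET):
        return "dmz"
    return "internet"


def review_rules(rules):
    """Return findings for allow rules that undermine boundary filtering or segmentation."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if r["src"] == "any" and r["dst"] == "any" and r["ports"] == "any":
            findings.append(Finding("5.001", r["name"], "any/any allow rule bypasses boundary filtering"))
            continue
        if src == "internet" and dst == "internal":
            findings.append(Finding("5.002", r["name"],
                                    f"internet can reach the internal segment directly (port {r['ports']})"))
        if src == "internal" and dst == "internet" and r["ports"] == "any":
            findings.append(Finding("5.001", r["name"], "outbound traffic is not filtered"))
    last = rules[-1] if rules else None
    if not last or last["action"] != "deny" or (last["src"], last["dst"]) != ("any", "any"):
        findings.append(Finding("5.001", "<ruleset>", "no explicit default-deny rule at the end"))
    return findings


if __name__ == "__main__":
    for f in review_rules(FIREWALL_RULES):
        print(f"Practice {f.practice}  {f.rule:<12} {f.issue}")
```

On the constructed ruleset the public web and mail rules pass because they terminate in the DMZ on a single port, and the DMZ-to-database rule passes because traffic between zones is constrained to one destination and port. The two findings are the legacy remote-desktop rule, which punches from the internet straight into the internal segment (a 5.002 gap), and the unrestricted outbound rule, which means outbound traffic is not actually filtered (a 5.001 gap). Running the review and filing its output each time rules change is a simple way to evidence the "rules reviewed" item.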

Ready to assess your CMMC readiness? PDC helps defense contractors in the Research Triangle, Greensboro, High Point, and across North Carolina achieve CMMC compliance. Call (336) 886-3282 or start your assessment.

Domain 6: System and Information Integrity (4 Practices)

Practice 6.001 - Identify, report, and correct system flaws in a timely manner

What it means: You patch and update your systems regularly when vulnerabilities are discovered.

Evidence needed:

  • [ ] Patch management process documented
  • [ ] Critical patches applied within 30 days
  • [ ] All systems included in patching (servers, workstations, network devices)
  • [ ] Patch status tracked and reported

Practice 6.002 - Provide protection from malicious code

What it means: Antivirus/anti-malware is installed and kept current on all systems.

Evidence needed:

  • [ ] Endpoint protection on all workstations and servers
  • [ ] Signatures/definitions updated automatically
  • [ ] Real-time scanning enabled
  • [ ] Periodic full-system scans conducted

Practice 6.003 - Update malicious code protection mechanisms

What it means: Your anti-malware tools receive regular updates to detect new threats.

Evidence needed:

  • [ ] Automatic update mechanism confirmed active
  • [ ] Update frequency documented (at least daily)
  • [ ] Failed updates generate alerts
  • [ ] All endpoints receiving current updates

Practice 6.004 - Perform periodic scans and real-time monitoring

What it means: Systems are scanned for threats on a schedule and monitored continuously.

Evidence needed:

  • [ ] Scheduled weekly or monthly full-system scans
  • [ ] Real-time file monitoring enabled
  • [ ] Scan results reviewed and alerts addressed
  • [ ] Email and web traffic scanned for malware
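The four System and Information Integrity practices all reduce to dated facts about each system: how long a critical patch has been outstanding, whether endpoint protection is installed and scanning in real time, when its definitions last updated, and when the last full scan ran. The script below is an added example (not code from the page or from PDC) that applies those checks to a constructed inventory export. The CSV layout is assumed; the 30-day patch window and daily definition updates come from the evidence items above, while the 30-day full-scan interval is an assumption chosen to fit the page's "weekly or monthly" wording.

```python
"""Endpoint evidence check for Practices 6.001 through 6.004.

Added example. The inventory is constructed in an assumed CSV layout; empty cells
mean "not applicable or unknown". Thresholds: 30 days for critical patches and
daily definition updates (from the page), 30-day full-scan interval (assumed).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory export.
INVENTORY = """\
hostname,type,oldest_pending_critical,av_installed,realtime,defs_updated,last_full_scan
FS01,server,,true,true,2025-03-02,2025-02-20
SQL01,server,,true,true,2025-03-03,2025-01-10
WS-ACCT-02,workstation,2025-01-15,true,true,2025-02-10,2025-02-25
WS-ENG-07,workstation,,false,false,,
RTR-EDGE,network,2025-02-25,,,,
"""

ENDPOINT_TYPES = {"server", "workstation"}   # the page lists these for endpoint protection


@dataclass(frozen=True)
class Finding:
    practice: str
    host: str
    issue: str


def _truthy(value):
    return (value or "").strip().lower() in {"true", "yes", "1"}


def _date(value):
    return date.fromisoformat(value) if value and value.strip() else None


def assess_integrity(inventory_csv, as_of, patch_sla=timedelta(days=30),
                     defs_max_age=timedelta(days=1), scan_interval=timedelta(days=30)):
    """Return one Finding per condition that would keep a 6.x practice from being MET."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"]
        # 6.001: every system type is in scope for patching, network devices included
        pending = _date(row["oldest_pending_critical"])
        if pending and as_of - pending > patch_sla:
            findings.append(Finding("6.001", host, f"critical patch outstanding {(as_of - pending).days} days"))
        if row["type"] not in ENDPOINT_TYPES:
            continue
        # 6.002: protection present and scanning in real time
        if not _truthy(row["av_installed"]):
            findings.append(Finding("6.002", host, "no endpoint protection installed"))
            continue
        if not _truthy(row["realtime"]):
            findings.append(Finding("6.002", host, "real-time scanning disabled"))
        # 6.003: definitions refreshed at least daily
        defs = _date(row["defs_updated"])
        if defs is None or as_of - defs > defs_max_age:
            findings.append(Finding("6.003", host, "malware definitions not current"))
        # 6.004: a full scan within the scheduled interval
        scan = _date(row["last_full_scan"])
        if scan is None or as_of - scan > scan_interval:
            findings.append(Finding("6.004", host, "no full-system scan within the scan interval"))
    return findings


def practice_results(findings, practices=("6.001", "6.002", "6.003", "6.004")):
    """Collapse findings into the MET / NOT MET result the self-assessment records."""
    failing = {f.practice for f in findings}
    return {p: ("NOT MET" if p in failing else "MET") for p in practices}


def run_example():
    """Run the check over the constructed inventory as of a fixed assessment date."""
    findings = assess_integrity(INVENTORY, date(2025, 3, 3))
    return findings, practice_results(findings)


if __name__ == "__main__":
    found, results = run_example()
    for f in found:
        print(f"Practice {f.practice}  {f.host:<12} {f.issue}")
    print(results)
```

With the assessment date fixed at 2025-03-03, the file server passes every check, the database server has gone too long without a full scan, the accounting workstation has a critical patch outstanding for 47 days and stale definitions, and the engineering workstation has no protection installed at all. The edge router is checked for patching but, as the evidence items above frame endpoint protection in terms of workstations and servers, is skipped for the anti-malware checks. The point of the date arithmetic is that each finding carries the number of days it has been open, which is what an assessor will ask about.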

Scoring Your Self-Assessment

For CMMC Level 1, you need a finding of MET on all 17 practices (or NOT APPLICABLE with documented justification). Unlike Level 2, there is no point-based scoring system. Each practice is either met or not met.

Common "Not Applicable" Justifications

A practice may be NOT APPLICABLE if:

  • Your organization does not have publicly accessible systems (Practice 5.002)
  • You do not use removable media (Practice 3.001, in part)
  • Specific scenarios the practice addresses do not exist in your environment

Document all NOT APPLICABLE determinations with clear rationale.

Submitting Your Assessment to SPRS

After completing your self-assessment:

  1. Log in to SPRS
  2. Navigate to the CMMC self-assessment submission
  3. Enter basic information attesting to your assessment completion
  4. Identify your Affirming Official (senior executive)
  5. Submit the attestation

Important: No documents, evidence, or reports are uploaded to SPRS. However, you must retain all assessment records internally for government review if requested.

Timeline and Preparation

According to CMMC compliance experts, on average it takes 12-18 months to prepare for CMMC, depending on organization size and current security posture. For Level 1 specifically, well-organized small businesses can achieve compliance in 3-6 months.

Phase                 | Duration   | Activities
Gap assessment        | 2-4 weeks  | Compare current state to 17 practices
Remediation planning  | 2-4 weeks  | Prioritize gaps, allocate budget
Implementation        | 4-12 weeks | Deploy controls, create documentation
Evidence collection   | 2-4 weeks  | Gather proof of compliance
Self-assessment       | 1-2 weeks  | Formal evaluation and SPRS submission

Common Gaps for Small NC Defense Contractors

Based on assessments of defense contractors in the Piedmont Triad and Research Triangle areas, the most common gaps include:

  • No documented access control policies
  • Shared user accounts on production systems
  • Missing or outdated endpoint protection
  • No patch management process
  • Lack of visitor logs or physical access tracking
  • Default passwords still in use on network devices
  • No media sanitization procedures

Beyond Level 1: Planning Ahead

If your contracts involve CUI (Controlled Unclassified Information), you will need CMMC Level 2, which requires 110 NIST SP 800-171 controls and third-party certification. Starting with a solid Level 1 foundation makes the Level 2 journey significantly easier.

How PDC Supports CMMC Compliance

Preferred Data Corporation helps North Carolina defense contractors achieve and maintain CMMC compliance:

  • Gap assessment: Comparing your current posture against CMMC requirements
  • Remediation: Implementing controls to close identified gaps
  • Documentation: Creating policies and procedures that satisfy evidence requirements
  • Managed security: Ongoing compliance maintenance and monitoring
  • Technology: Deploying network and endpoint solutions that meet CMMC standards
  • Annual support: Assistance with annual self-assessment updates

Frequently Asked Questions

How long does the CMMC Level 1 self-assessment take to complete?

The actual self-assessment evaluation takes 1-2 weeks for a small organization (under 50 employees). However, preparation, including implementing missing controls and creating documentation, typically takes 3-6 months. The total elapsed time from starting to SPRS submission averages 4-8 months for small NC defense contractors.

Do I need to hire a consultant for CMMC Level 1?

Level 1 is designed to be achievable through self-assessment without mandatory third-party involvement. However, many small defense contractors in North Carolina engage a managed security provider to ensure they correctly interpret requirements, implement appropriate controls, and avoid common mistakes that could create compliance gaps.

What happens if I am not CMMC Level 1 compliant by the deadline?

Beginning November 10, 2025, DoD can include CMMC requirements in new contracts. By October 31, 2026, compliance will be mandatory in all DoD contracts. Non-compliant contractors will be ineligible for new contract awards and may face challenges with existing contract renewals.

Can CMMC Level 1 be achieved with just basic IT security?

Yes, that is the intent. Level 1 represents foundational cybersecurity hygiene: unique user accounts, passwords, antivirus, firewalls, patching, physical security, and media disposal. Most well-managed small businesses already meet many of the 17 practices. The gap is typically documentation and formal process rather than technology.

How often must I renew my CMMC Level 1 self-assessment?

CMMC Level 1 self-assessment must be submitted annually through SPRS. Your Affirming Official re-attests each year that your organization continues to meet all 17 practices. Maintain continuous compliance rather than achieving it once and letting controls lapse.

Meet your CMMC Level 1 obligations with confidence. Preferred Data Corporation has served North Carolina defense contractors and manufacturers since 1987. BBB A+ rated, headquartered in High Point, with expertise across the Research Triangle and Piedmont Triad. Call (336) 886-3282 or schedule your gap assessment today.
