CMMC Level 1 focuses on protecting Federal Contract Information (FCI) with a basic, consistent security baseline. The fastest path is to define scope, lock down identity and endpoints, document a few key policies, and collect simple evidence (screenshots, logs, tickets) that proves your controls are real and repeatable.
CMMC Level 1 Requirements Checklist (FCI): What Small Contractors Actually Need
CMMC Level 1 is the “baseline” level, but it still trips up small contractors because most environments are built for convenience, not repeatable control. If you’re handling Federal Contract Information (FCI), you want a checklist that answers two questions:
- What do we need to do?
- What do we need to be able to show?
If you want the service-page overview of our approach, start here: CMMC compliance. If you’re already sure you’re targeting Level 1, see CMMC Level 1 readiness.
We can quickly review your setup and show you what’s working and what needs improvement.
Use the IT Cost Savings Calculator to estimate annual waste from recurring support drag, outages, emergency work, and security cleanup before you decide what to prioritize.
Step 1: Define your Level 1 scope (don’t skip this)
Scope is your boundary: the people, devices, systems, and locations that touch FCI. Most “surprises” happen because FCI shows up in places you forgot—email attachments, shared drives, forwarded messages, or vendor portals.
- Where does FCI arrive? (email, portal, EDI, shared drive)
- Where is it stored? (SharePoint/OneDrive, file server, line-of-business app)
- Who can access it? (roles, subcontractors, admin accounts)
- Which devices touch it? (laptops, desktops, phones, shared kiosks)
Step 2: Identity and access control baseline
For small teams, your identity platform (usually Microsoft 365) is the control plane. Get it stable first.
- MFA for every account (especially admins)
- Separate admin accounts from daily user accounts
- Remove shared logins; use shared mailboxes instead
- Offboarding process: disable accounts, reset shared credentials, revoke tokens
If you need this implemented as a managed baseline, see MSP / MSSP cybersecurity.
Step 3: Endpoint baseline (the “boring” controls that prevent real incidents)
- Disk encryption on laptops
- Supported OS versions (no mystery Windows builds)
- Patch cadence with reporting
- Endpoint protection with alerts and response owners
- No local admin by default
Most teams operationalize this via IT Managed Support, because “set it and forget it” doesn’t stay set.
Step 4: Simple policies you should be able to point to
Level 1 is not a paperwork contest, but you still want a few clear policies that match how you actually work:
- Password + MFA requirements
- Acceptable use (devices, sharing, remote work)
- Incident reporting (who, how fast, what counts)
- Access approval (who can grant access to FCI systems)
Step 5: Evidence checklist (what to collect as you go)
Evidence doesn’t need to be fancy. It needs to be credible and repeatable.
- Screenshots of MFA enforcement and admin account separation
- Endpoint inventory export (device list with owners)
- Patch/compliance reports (monthly)
- Ticket examples showing access requests and approvals
- Backup status + a documented restore test
Next step
If you want a fast read on your current baseline, start with a readiness review and turn it into a prioritized plan.
Why Level 1 still feels hard (and how to make it predictable)
The hardest part is usually not the toolset—it’s ownership and consistency. If you’re comparing reactive help vs a real baseline, see why Sun Life Tech is different.
Final Thoughts
Level 1 is achievable for small teams when you treat it like operations: define scope, standardize identity and endpoints, document the essentials, and collect evidence as you implement.
Recommended next steps
👉 Download the CMMC readiness checklist
👉 CMMC compliance services overview
👉 Learn how we run readiness projects
Recommended resources
These pages map directly to the services and next-step resources behind this topic.
FAQ
Quick answers to common questions.
FCI (Federal Contract Information) is information provided by or generated for the government under a contract that is not intended for public release. It’s typically less sensitive than CUI but still requires protection.
MFA is critical, but Level 1 is a baseline across identity, endpoints, access control, and basic operational evidence.
Keep simple proof like policy docs, screenshots of settings, device inventory exports, patch reports, and tickets showing access approvals.
Get the PDF instantly. Use it to tighten your baseline and reduce avoidable incidents.
Related posts
Keep reading with the most relevant next articles.
Why Your SPRS Score Should Match Your Real Cybersecurity Posture
A practical look at why SPRS-related cybersecurity claims should reflect the real environment, real evidence, and real NIST SP 800-171 posture behind them.
Why Small Manufacturers Should Get a CMMC Readiness Review Before a Contract Requires It
Why small manufacturers, machine shops, fabricators, and defense subcontractors benefit from a readiness review before contract language or customer pressure forces the issue.
The Risk of Claiming CMMC Compliance Before You Are Ready
A professional, plain-English look at the business and contract risk that can come from claiming CMMC compliance before the environment, documentation, and evidence are ready.
