CMMC Level 1 focuses on protecting Federal Contract Information (FCI) with a basic, consistent security baseline. The fastest path is to define scope, lock down identity and endpoints, document a few key policies, and collect simple evidence (screenshots, logs, tickets) that proves your controls are real and repeatable.
CMMC Level 1 Requirements Checklist (FCI): What Small Contractors Actually Need
CMMC Level 1 is the “baseline” level, but it still trips up small contractors because most environments are built for convenience, not repeatable control. If you’re handling Federal Contract Information (FCI), you want a checklist that answers two questions:
- What do we need to do?
- What do we need to be able to show?
If you want the service-page overview of our approach, start here: CMMC compliance. If you’re already sure you’re targeting Level 1, see CMMC Level 1 readiness.
We can quickly review your setup and show you what’s working and what needs improvement.
Use the IT Cost Savings Calculator to estimate annual waste from recurring support drag, outages, emergency work, and security cleanup before you pitch the fix internally.
Step 1: Define your Level 1 scope (don’t skip this)
Scope is your boundary: the people, devices, systems, and locations that touch FCI. Most “surprises” happen because FCI shows up in places you forgot—email attachments, shared drives, forwarded messages, or vendor portals.
- Where does FCI arrive? (email, portal, EDI, shared drive)
- Where is it stored? (SharePoint/OneDrive, file server, line-of-business app)
- Who can access it? (roles, subcontractors, admin accounts)
- Which devices touch it? (laptops, desktops, phones, shared kiosks)
Step 2: Identity and access control baseline
For small teams, your identity platform (usually Microsoft 365) is the control plane. Get it stable first.
- MFA for every account (especially admins)
- Separate admin accounts from daily user accounts
- Remove shared logins; use shared mailboxes instead
- Offboarding process: disable accounts, reset shared credentials, revoke tokens
If you need this implemented as a managed baseline, see MSP / MSSP cybersecurity.
Step 3: Endpoint baseline (the “boring” controls that prevent real incidents)
- Disk encryption on laptops
- Supported OS versions (no mystery Windows builds)
- Patch cadence with reporting
- Endpoint protection with alerts and response owners
- No local admin by default
Most teams operationalize this via IT Managed Support, because “set it and forget it” doesn’t stay set.
Step 4: Simple policies you should be able to point to
Level 1 is not a paperwork contest, but you still want a few clear policies that match how you actually work:
- Password + MFA requirements
- Acceptable use (devices, sharing, remote work)
- Incident reporting (who, how fast, what counts)
- Access approval (who can grant access to FCI systems)
Step 5: Evidence checklist (what to collect as you go)
Evidence doesn’t need to be fancy. It needs to be credible and repeatable.
- Screenshots of MFA enforcement and admin account separation
- Endpoint inventory export (device list with owners)
- Patch/compliance reports (monthly)
- Ticket examples showing access requests and approvals
- Backup status + a documented restore test
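As an added example (not part of the original article), the PowerShell script below gathers evidence for the Step 3 endpoint controls and drops it into the Step 5 evidence folder in one pass. It assumes a Windows 10/11 device with the BitLocker and Defender modules, an elevated session, and an assumed evidence path and 45-day patch threshold that you should adjust to your own baseline.

```powershell
# Added example: collect endpoint baseline evidence (Step 3) into the evidence folder (Step 5).
# Assumptions: Windows 10/11, BitLocker and Defender modules present, run elevated.
$EvidenceDir = "C:\CMMC-Evidence"      # assumed location; change to your evidence share
$PatchWindowDays = 45                   # assumed threshold for "patch cadence"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Disk encryption: protection status of the OS volume
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
# Local admin: members of the local Administrators group
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
# Patch cadence: most recent hotfix with an install date (quick indicator, not a full patch report)
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
# Endpoint protection: Microsoft Defender status
$av = Get-MpComputerStatus -ErrorAction SilentlyContinue

$record = [PSCustomObject]@{
    Collected          = (Get-Date).ToString("s")
    Hostname           = $env:COMPUTERNAME
    Owner              = $cs.UserName                 # logged-on user; feeds "device list with owners"
    OSVersion          = "$($os.Caption) $($os.Version)"
    BitLockerStatus    = $osVol.ProtectionStatus      # expected value: On
    EncryptionPercent  = $osVol.EncryptionPercentage
    LocalAdmins        = ($admins -join "; ")
    LastPatch          = $lastHotfix.InstalledOn
    RealTimeProtection = $av.RealTimeProtectionEnabled
    SignatureAgeDays   = $av.AntivirusSignatureAge
}

# Flag gaps against the Step 3 baseline so the export is a finding list, not just a dump
$findings = @()
if ($record.BitLockerStatus -ne 'On') { $findings += 'OS drive not BitLocker-protected' }
if ($record.LocalAdmins -match [regex]::Escape($env:USERNAME)) {
    $findings += 'Current user holds local admin'
}
if (-not $record.RealTimeProtection) { $findings += 'Real-time protection disabled' }
if ($record.LastPatch -lt (Get-Date).AddDays(-$PatchWindowDays)) {
    $findings += "No update installed in $PatchWindowDays days"
}
$record | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ')

# One CSV per device; -Append builds a monthly history for the evidence checklist
$record | Export-Csv -Path (Join-Path $EvidenceDir "$env:COMPUTERNAME-baseline.csv") `
    -NoTypeInformation -Append
$record | Format-List
```

Run it on each in-scope device (or via your RMM) and keep the CSVs with the monthly patch reports; an empty Findings column is the evidence that the Step 3 baseline held on that date.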
If you want a fast read on your current baseline, start with a readiness review and turn it into a prioritized plan.
Why Level 1 still feels hard (and how to make it predictable)
The hardest part is usually not the toolset; it is ownership and consistency. If you are comparing reactive help with a real baseline, see why Sun Life Tech is different.
Final Thoughts
Level 1 is achievable for small teams when you treat it like operations: define scope, standardize identity and endpoints, document the essentials, and collect evidence as you implement.
FAQ
Quick answers to common questions.
Q: What is FCI?
A: FCI (Federal Contract Information) is information provided by or generated for the government under a contract that is not intended for public release. It is typically less sensitive than CUI but still requires protection.
Q: Is MFA enough for Level 1?
A: MFA is critical, but Level 1 is a baseline across identity, endpoints, access control, and basic operational evidence.
Q: What evidence should we keep?
A: Keep simple proof such as policy documents, screenshots of settings, device inventory exports, patch reports, and tickets showing access approvals.