What is CMMC Level 1 in plain English?

CMMC Level 1 is the baseline level focused on safeguarding Federal Contract Information (FCI). It emphasizes consistent security fundamentals and being able to show you actually do them in day-to-day operations.

Do we need Level 1 or Level 2?

It depends on whether you handle FCI only or also Controlled Unclassified Information (CUI). The right approach starts with scoping: where the data lives, who touches it, and how it moves.

What is the fastest way to make progress?

Start with scoping and a baseline review, then prioritize identity and access controls, device standards, patching, backups, and evidence collection. Avoid “random upgrades” that don’t reduce risk or improve documentation.

Is Level 1 mostly documentation?

Documentation matters, but Level 1 success is mostly about consistency: the controls are implemented, enforced, and verifiable. Documentation helps prove what is already true.

Can you manage this monthly?

Yes. Many teams benefit from monthly management to keep security baselines from drifting as devices, users, vendors, and processes change.

Do you provide certification?

No. Sun Life Tech provides readiness and support services only. Certification is handled through authorized assessment channels.

CMMC Level 1

CMMC Level 1 Readiness Support (FCI)

A practical, contractor-friendly path to consistent security basics: scope the data, implement the baseline, and keep evidence from drifting.

Request Free Risk Review Book Consultation

Fast response • Practical next steps • No fluff

Readiness and support only. We do not provide certification.

Summary

What Level 1 requires (without the confusion)

Who it’s for

Contractors and subcontractors who handle Federal Contract Information (FCI) and need a security baseline that is consistent, defendable, and maintainable.

What usually breaks

Unclear scope, shared accounts, unmanaged devices, inconsistent patching, and “tribal knowledge” documentation that disappears when one person is out.

What we deliver

A clear scope, a structured baseline, and evidence you can maintain—plus optional monthly management so security doesn’t drift.

Level 1

What ‘readiness’ actually means

A readiness program is not a pile of tools. It’s repeatable systems.

Most contractors think Level 1 readiness is a checklist you complete once. In reality, it is closer to a baseline you maintain. The goal is to show that you consistently safeguard FCI by using structured identity, device standards, secure configurations, and predictable routines.

The hard part for growing teams is not motivation—it's structure. When systems are built organically over years, security gets distributed across random settings, personal habits, and “we usually do it this way” workflows. That’s fine—until contracts, partners, or internal leaders need proof and consistency.

FCI scope: the part most teams skip

Level 1 projects go sideways when teams don’t define scope. "Scope" does not have to be complicated. It’s a plain-English map of where FCI is created, stored, shared, and processed—and which users and systems touch it.

Scoping prevents two expensive failure modes. The first is over-scoping: treating every workstation, app, and network as equally sensitive, which increases cost and slows work. The second is under-scoping: missing the real data paths, then discovering late that key systems were never brought into a baseline.

Practically, scoping looks like answering questions such as: Which mailbox or shared drive contains contract files? Who sends them outside the organization? Do vendors have access? Which devices are used offsite? Once you can answer those questions, the baseline becomes much easier to design.

Common early wins

Scope: identify where FCI is stored, shared, and processed
Identity: enforce MFA and remove shared logins
Devices: standardize endpoints and remove unmanaged machines
Patching: implement consistent update routines with reporting
Backups: define what matters and verify restores (not just “backup succeeded”)

What “evidence” should look like (without slowing your team)

Contractors often hear "evidence" and assume it means writing documents for the sake of writing documents. We treat evidence as a side effect of real operations. If your team has a defined onboarding process, device standards, patching routines, backup reporting, and ticketing, you naturally generate proof that controls exist.

The goal is not to produce a massive binder. The goal is to keep a small set of artifacts current: who has access, how devices are managed, what the baseline configuration is, and what happens when something breaks. That kind of evidence is easier to maintain because it aligns with how the business already operates.

Where Level 1 usually breaks in real life

Most Level 1 issues are predictable. Shared logins and shared mailboxes hide ownership. Vendor accounts accumulate and never get removed. Remote access gets set up “for convenience.” Devices drift because there is no standard build and no reporting. Backups exist, but nobody has performed a restore test in months.

The fix is not heroics. It’s a few structural decisions: identity policy, device standards, who owns patching, who owns vendor access, and a weekly/monthly rhythm for reviewing what changed.

Level 1 is also where good decisions compound: once identity and device visibility are clean, everything else becomes easier— audits, evidence gathering, and long-term maintenance.

Details

What a Level 1 engagement looks like

Week 1: scope + baseline

We start by collecting the minimum facts needed to avoid guessing: users, devices, email/identity provider, file storage, remote access methods, and any vendor connections. Then we map where FCI lives and how it moves.

The deliverable is clarity: what is in scope, what is high risk, and what the baseline should look like for your business. This also sets expectations internally so leadership understands what changes are required and why.

Weeks 2–4: implement + document

Next we implement the baseline controls that produce the biggest risk reduction: MFA, admin separation, device standards, patching routines, backup scope, and basic logging. We also put lightweight documentation in place so ownership is clear.

The most important constraint is not technical—it’s operational. The baseline must match how your team works, otherwise it will drift. We bias toward simple systems you will actually maintain.

Approach

A simple, defensible process

1) Scope + baseline review

We start with practical scoping. We look for where sensitive data lives, how users access it, and which systems are truly “in scope.” This prevents wasted spend and helps you focus on what matters.

Then we document the current baseline: identity, endpoints, email, backups, and the operational workflows that keep these controls consistent.

2) Prioritize + remediate

Next, we prioritize gaps that reduce risk quickly and improve evidence: access control, device standards, patching, monitoring, and documentation.

This is where contractors usually go wrong—buying tools without fixing fundamentals. Our bias is toward simple, repeatable systems that your team can keep running.

Checklist

Level 1 baseline checklist (practical)

If you want a fast self-check, use this as a practical baseline. You don’t need to be perfect to start. The point is to get out of “unknown” and into “controlled.” Each item below is valuable because it produces repeatable behavior and clear evidence.

Identity and access

MFA enforced for all users, especially admins and vendor accounts
Admin separation: day-to-day accounts are not admins
Vendor access documented with owners and expiration reviews

Devices and endpoints

Known inventory of laptops/desktops/servers and who owns each
Standard build so endpoints don’t drift
Disk encryption on laptops used offsite

Patching and configuration

Monthly patch rhythm with reporting and exceptions tracked
Critical patches accelerated when risk is active
Secure defaults for remote access (no “easy mode” shortcuts)

Backups and recovery

Backup scope defined (files, email, key SaaS, any servers)
Restore tests performed on a predictable schedule
Access controlled so backups cannot be silently deleted

When this baseline is in place, you get two benefits at once: fewer incidents and faster proof. Your team can show what is real without scrambling.

Start

Get a fast reality check

Not sure where you stand?

Start with a free risk review so you know what is in scope, what is high risk, and what to fix first.