
BAE Networks: CMMC Certification Tips and Insights

  • BAE Networks
  • Jul 17
  • 3 min read

Updated: Jul 25

A Practical Guide for Small Businesses



If your company works with the Department of Defense (“DoD”) – even as a subcontractor several tiers below the prime – you’ve probably heard about CMMC (the “Cybersecurity Maturity Model Certification”). But what exactly does Level 1 mean, and how does it affect your business?
In this article, we’ll break down CMMC Level 1 in simple terms, using guidance straight from the DoD’s official documents. Whether you’re a prime contractor or part of the supply chain, understanding Level 1 is critical for staying both compliant and competitive.

What is CMMC Level 1?

CMMC Level 1 is the entry-level cybersecurity requirement for companies that handle Federal Contract Information (“FCI”). FCI is information that’s not intended for public release and is provided by, or generated for, the government under a contract.

At this level, the focus is on protecting FCI through basic cybersecurity hygiene. The 15 required practices are the basic safeguarding requirements of FAR 52.204-21, and each one maps to a familiar control in NIST SP 800-171.


What is Required at Level 1?

The 15 practices are centered around these key areas:

  • Access Control (4 requirements)

    • Limit system access to authorized users and devices.

  • Identification and Authentication (2 requirements)

    • Ensure that users are uniquely identified and authenticated.

  • Media Protection (1 requirement)

    • Sanitize or destroy media containing FCI (drives, USB sticks, backup tapes, paper) before it is disposed of or reused.

  • Physical Protection (2 requirements)

    • Restrict access to facilities and hardware.

  • System and Communications Protection (2 requirements)

    • Monitor and control communications at system boundaries.

  • System and Information Integrity (4 requirements)

    • Identify and correct security flaws in a timely manner, run anti-malware protection, keep that protection updated, and scan systems periodically and files from external sources in real time.

 

Important Note: Level 1 focuses on practices, not process maturity. You don’t need formal policies or documentation – just evidence that you’re adhering to the DoD’s standards.


Who Needs to Comply with Level 1?

Any company that:

  • Handles FCI under a DoD contract or subcontract, and

  • Does not handle Controlled Unclassified Information (“CUI”), which triggers Level 2 or higher.

TL;DR: If your contract involves FCI but no CUI, Level 1 is for you.

 

How are Level 1 Assessments Done?

Unlike Levels 2 and 3 (which require certified third-party assessors), CMMC Level 1 is self-assessed…for now.

 

Self-Assessment Requirements:

You’ll need to score yourself on whether each of the 15 practices is “Met” or “Not Met,” and maintain evidence (like screenshots, logs, or configurations) in case of audits. At Level 1 every practice must be “Met”: unlike Level 2, there is no allowance for a Plan of Action and Milestones (POA&M) to close gaps after the assessment.

 
Note: As of now, no third-party certification is required, but this could change in future DoD updates.

What Does “Scoping” Mean?

Before your assessment, you must define your assessment scope: the systems, assets, and environments that process, store, or transmit FCI. The DoD provides a Scoping Guide to help identify in-scope:

  • Contractor systems that store/process FCI

  • Internal users and devices accessing FCI

  • Relevant physical areas (like data closets or secure rooms)

 

Out-of-scope systems don’t need to meet CMMC Level 1, so properly scoping can limit your compliance burden while ensuring contract eligibility.

 

Why It Matters

Meeting CMMC Level 1 requirements shows both the DoD and your clients that you take cybersecurity seriously. It also protects your business from data breaches, strengthens your security posture, and keeps you eligible for future defense contracts.

 

Next Steps for Businesses

If you think CMMC Level 1 applies to you:

  1. Review the 15 Practices in the Assessment Guide

  2. Define Your Scope using the Scoping Guide

  3. Conduct a Self-Assessment

  4. Submit Your Score to the Supplier Performance Risk System (SPRS), along with the required affirmation from a senior company official

 

Need help? You're not alone. Many small and mid-size businesses lean on trusted IT partners like BAE Networks to ensure nothing gets missed.

 

CMMC Level 1 is designed to be accessible, even for companies without dedicated cybersecurity staff. It’s not about perfection; it’s about taking basic, consistent steps to protect sensitive government information.

 

If you work with DoD contracts, compliance isn’t optional – it’s a requirement, along with an opportunity to stand out as a secure and reliable partner.


RESOURCES:
  1. CMMC 101 Overview (DoD)

  2. CMMC Level 1 Scoping Guide (DoD)

  3. CMMC Level 1 Assessment Guide (DoD)

  4. FCI is any information “provided by or generated for the Government under a contract” that is “not intended for public release”, per FAR 52.204-21.

  5. CUI is defined as information that “an entity creates or possesses for…the Government” that requires the entity to “handle using safeguarding or dissemination controls”, per 32 CFR § 2002.4(h).
