A practical, stage-by-stage roadmap for small businesses under 100 users to achieve CMMC Level 1 (Foundational) compliance — from initial GAP assessment through SPRS self-attestation.
CMMC Level 1 — officially called Foundational — is the entry-level tier of the Cybersecurity Maturity Model Certification framework. It applies to any DoD contractor or subcontractor that handles Federal Contract Information (FCI).
Level 1 covers 17 security practices across 6 domains — Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, and System & Information Integrity. These are the basic cyber hygiene practices every organization should already have in place.
Unlike Level 2, Level 1 does not require a third-party assessment. You self-assess annually and submit your score to the DoD's Supplier Performance Risk System (SPRS). But the self-assessment must be accurate — false attestation carries serious legal risk.
Every CMMC Level 1 engagement follows these six stages. For each stage, the roadmap covers exactly what happens, what it costs, and how much of your team's time it requires.
The GAP assessment is your starting point. A qualified assessor evaluates your current security posture against all 17 CMMC Level 1 practices and produces a scored baseline showing exactly where you stand.
For a business under 100 users, this stage typically takes 1–2 weeks. Most of the time is scheduling interviews and reviewing existing documentation — not technical work. Expect 4–8 hours of your team's time.
These are the gaps Segler.Net finds most frequently when assessing small businesses for CMMC Level 1. If any of these sound familiar, you likely have work to do.
IA.1.077: The single most common gap. Many small businesses still rely on passwords alone. MFA is required for all FCI system access.
SI.1.211: Endpoint protection that isn't current, isn't deployed on all devices, or isn't actively monitored fails this practice.
SI.1.210: Ad-hoc patching doesn't satisfy this requirement. You need a documented process with defined timelines and tracking.
AC.1.001: Users with admin rights they don't need, shared accounts, or no formal access review process are common findings.
MP.1.118: Old laptops, drives, and USB devices disposed of without formal sanitization or destruction documentation.
PE.1.131: Server rooms without locks, no visitor log, or no formal process for revoking physical access when employees leave.
AC.1.004: FCI inadvertently accessible on websites, shared drives, or cloud storage without proper access restrictions.
SC.1.176: No network segmentation between FCI systems and general business systems or guest networks.
Every practice your business must satisfy for CMMC Level 1 self-attestation is listed below, in domain order.
Ensure only authorized individuals, processes, and devices can access your systems and data.
Control the types of transactions and functions authorized users are permitted to execute.
Establish rules governing connections to external systems and verify those connections are authorized.
Control information posted or processed on publicly accessible systems to prevent unauthorized disclosure of FCI.
Identify all users, processes acting on behalf of users, and devices accessing your systems.
Authenticate the identities of users, processes, and devices before allowing access to systems.
Sanitize or destroy information system media containing FCI before disposal or reuse.
Limit physical access to organizational systems to authorized individuals.
Escort visitors and monitor visitor activity in areas containing FCI.
Maintain audit logs of physical access to facilities where FCI is processed or stored.
Control and manage physical access devices such as keys, combinations, and access cards.
Monitor, control, and protect organizational communications at external boundaries and key internal boundaries.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Identify, report, and correct information and information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources.
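The flaw-remediation practice above, and the "ad-hoc patching" gap listed earlier, both come down to the same evidence: a documented timeline per severity and a record showing whether each outstanding fix was applied inside it. The following is an added example written for this page, not Segler.Net tooling or anything the CMMC framework prescribes; the severity labels, day counts, asset names and patch identifiers are constructed placeholders that an organization would replace with its own documented policy and inventory.

```python
"""Flaw-remediation tracker: compares each outstanding patch against the
remediation window the organization has documented for its severity, and
reports what is overdue and what is about to fall due.

Added example for this page (not Segler.Net code). Timelines, assets and
patch identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values: calendar days allowed from the vendor release date.
REMEDIATION_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class PendingPatch:
    asset: str          # hostname or asset tag
    patch_id: str       # vendor identifier (constructed here)
    severity: str       # must be a key of REMEDIATION_DAYS
    released: date      # date the vendor published the fix


@dataclass(frozen=True)
class Finding:
    asset: str
    patch_id: str
    severity: str
    deadline: date
    days_overdue: int   # zero or negative means still inside the window


def deadline_for(patch: PendingPatch) -> date:
    """Return the date by which this patch must be applied under policy."""
    if patch.severity not in REMEDIATION_DAYS:
        # An unrecognised severity means the policy has a gap; fail loudly
        # rather than silently granting the longest window.
        raise ValueError(f"unknown severity {patch.severity!r} on {patch.asset}")
    return patch.released + timedelta(days=REMEDIATION_DAYS[patch.severity])


def evaluate(pending, today: date):
    """Produce one Finding per outstanding patch, measured as of `today`."""
    findings = []
    for p in pending:
        dl = deadline_for(p)
        findings.append(Finding(p.asset, p.patch_id, p.severity, dl, (today - dl).days))
    return findings


def overdue(findings):
    """Patches whose documented remediation window has already closed."""
    return [f for f in findings if f.days_overdue > 0]


def due_within(findings, days: int):
    """Patches still inside their window but closing within `days` days."""
    return [f for f in findings if -days <= f.days_overdue <= 0]


def summarize(findings):
    """Count overdue patches per asset; the first thing a reviewer looks at."""
    counts = {}
    for f in overdue(findings):
        counts[f.asset] = counts.get(f.asset, 0) + 1
    return counts


# Constructed sample inventory: not real assets, not real patches.
SAMPLE = [
    PendingPatch("fs01", "KB-EXAMPLE-001", "critical", date(2024, 3, 1)),
    PendingPatch("fs01", "KB-EXAMPLE-002", "low", date(2024, 3, 1)),
    PendingPatch("laptop-17", "KB-EXAMPLE-003", "high", date(2024, 3, 10)),
    PendingPatch("laptop-17", "KB-EXAMPLE-004", "medium", date(2024, 3, 25)),
]
AS_OF = date(2024, 4, 1)  # constructed review date

if __name__ == "__main__":
    results = evaluate(SAMPLE, AS_OF)
    for f in overdue(results):
        print(f"OVERDUE  {f.asset:10} {f.patch_id:15} {f.severity:8} "
              f"due {f.deadline} ({f.days_overdue}d late)")
    for f in due_within(results, 14):
        print(f"DUE SOON {f.asset:10} {f.patch_id:15} {f.severity:8} due {f.deadline}")
    print("overdue per asset:", summarize(results))
```

Run weekly against whatever inventory export you already have, the output itself becomes the tracking record an assessor asks for: it shows the defined timelines being applied, not just that patching happens eventually. Keeping the timelines in one table also means the documented policy and the check that enforces it cannot drift apart.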
Straight answers to what small business owners ask most about CMMC Level 1 compliance and self-attestation.
Have a question about your specific situation?
Our San Antonio compliance experts work with small DoD contractors daily — no obligation to ask.
If your DoD contracts involve Controlled Unclassified Information (CUI), you'll need CMMC Level 2 — which covers all 110 NIST SP 800-171 requirements and requires a third-party C3PAO assessment. Level 1 compliance is the foundation that makes Level 2 achievable.
Level 1 (Foundational): FCI protection · Annual self-attestation
Level 2 (Advanced): CUI protection · Triennial C3PAO assessment · NIST SP 800-171
Level 3 (Expert): High-value CUI · Government-led assessment · NIST SP 800-172
Get a free GAP assessment. We'll score your current posture against all 17 practices and give you a clear, stage-by-stage remediation plan.