Skip to main content
Free Template

Free CMMC Level 1 Self-Assessment Workbook

17 practices across 6 families, with assessment guidance, example evidence, and SPRS scoring reference.

What Is CMMC Level 1?

The Cybersecurity Maturity Model Certification (CMMC) Level 1 establishes basic cyber hygiene practices required for all defense contractors handling Federal Contract Information (FCI).

Basic Safeguarding of Federal Contract Information

CMMC Level 1 is based on the 15 safeguarding requirements in FAR 52.204-21, mapped to 17 practices across 6 security domains. It requires an annual self-assessment—no third-party audit needed.

Who Needs CMMC Level 1?

Any organization in the Defense Industrial Base that handles FCI must achieve Level 1 certification. This includes:

  • Defense contractors with active DoD contracts
  • Subcontractors providing services or products to prime contractors
  • Suppliers handling Federal Contract Information in the DIB
  • Companies bidding on new DoD contracts requiring CMMC
CMMC Level 1 Self-Assessment Overview

What's Inside — Practice Families

17 practices organized across 6 security families, each with assessment guidance and example evidence to streamline your self-assessment.

AC

Access Control

4 practices

Limit system access to authorized users and control external connections

IA

Identification & Authentication

2 practices

Identify and authenticate users, processes, and devices

MP

Media Protection

1 practice

Sanitize or destroy media containing FCI before disposal

PE

Physical Protection

4 practices

Limit physical access, escort visitors, and maintain access logs

SC

System & Communications Protection

2 practices

Monitor boundaries and separate public-facing components

SI

System & Information Integrity

4 practices

Patch flaws, deploy anti-malware, and scan systems regularly

Industry Perspectives

What Security Leaders Say About Information Security

Building an ISMS isn't just about compliance—it's about creating a culture of security. Here's what industry leaders have to say.

5 verified quotes
From published sources

Security is a process, not a product.

Bruce Schneier

Security Technologist and Author

Secrets & Lies: Digital Security in a Networked World

It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.

Stephane Nappo

Global CISO, Groupe SEB

Widely cited industry quote

There are only two types of companies: those that have been hacked and those that will be.

Robert Mueller

Former Director, FBI (2001–2013)

RSA Cyber Security Conference, 2012

Cyber crime is the greatest threat to every profession, every industry, every company in the world.

Ginni Rometty

Former Chairman & CEO, IBM

IBM Security Summit, 2015

The question to ask when you look at security is not whether this makes us safer, but whether it’s worth the trade-off.

Bruce Schneier

Security Technologist, Harvard Berkman Klein Center Fellow

Beyond Fear: Thinking Sensibly About Security in an Uncertain World (2003)

Ready to Start Your Self-Assessment?

Download the workbook, assess your 17 practices, and take the first step toward CMMC Level 1 compliance.

Frequently Asked Questions

Need Help with CMMC Compliance?

A workbook is a great start, but achieving and maintaining CMMC compliance requires expertise. Our CMMC specialists help you go from self-assessment to certification-ready.