Free CMMC Level 1 Self-Assessment Workbook
17 practices across 6 families, with assessment guidance, example evidence, and SPRS scoring reference.
What Is CMMC Level 1?
The Cybersecurity Maturity Model Certification (CMMC) Level 1 establishes basic cyber hygiene practices required for all defense contractors handling Federal Contract Information (FCI).
Basic Safeguarding of Federal Contract Information
CMMC Level 1 is based on the 15 safeguarding requirements in FAR 52.204-21, mapped to 17 practices across 6 security domains. It requires an annual self-assessment—no third-party audit needed.
Who Needs CMMC Level 1?
Any organization in the Defense Industrial Base that handles FCI must achieve Level 1 certification. This includes:
- Defense contractors with active DoD contracts
- Subcontractors providing services or products to prime contractors
- Suppliers handling Federal Contract Information in the DIB
- Companies bidding on new DoD contracts requiring CMMC

What's Inside — Practice Families
17 practices organized across 6 security families, each with assessment guidance and example evidence to streamline your self-assessment.
Access Control
4 practices
Limit system access to authorized users and control external connections
Identification & Authentication
2 practices
Identify and authenticate users, processes, and devices
Media Protection
1 practice
Sanitize or destroy media containing FCI before disposal
Physical Protection
4 practices
Limit physical access, escort visitors, and maintain access logs
System & Communications Protection
2 practices
Monitor boundaries and separate public-facing components
System & Information Integrity
4 practices
Patch flaws, deploy anti-malware, and scan systems regularly
What Security Leaders Say About Information Security
Building an ISMS isn't just about compliance—it's about creating a culture of security. Here's what industry leaders have to say.
“Security is a process, not a product.”
Bruce Schneier
Security Technologist and Author
Secrets & Lies: Digital Security in a Networked World
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
Stephane Nappo
Global CISO, Groupe SEB
Widely cited industry quote
“There are only two types of companies: those that have been hacked and those that will be.”
Robert Mueller
Former Director, FBI (2001–2013)
RSA Cyber Security Conference, 2012
“Cyber crime is the greatest threat to every profession, every industry, every company in the world.”
Ginni Rometty
Former Chairman & CEO, IBM
IBM Security Summit, 2015
“The question to ask when you look at security is not whether this makes us safer, but whether it’s worth the trade-off.”
Bruce Schneier
Security Technologist, Harvard Berkman Klein Center Fellow
Beyond Fear: Thinking Sensibly About Security in an Uncertain World (2003)
Ready to Start Your Self-Assessment?
Download the workbook, assess your 17 practices, and take the first step toward CMMC Level 1 compliance.
Frequently Asked Questions
Need Help with CMMC Compliance?
A workbook is a great start, but achieving and maintaining CMMC compliance requires expertise. Our CMMC specialists help you go from self-assessment to certification-ready.
Related Resources
Tools, templates, and articles for CMMC compliance

Cost Calculator
CMMC Cost Calculator
Estimate your CMMC certification costs based on target level, CUI scope, and organization size.

Regulatory Update
2026 Compliance Planning Guide
A comprehensive guide to planning your 2026 compliance initiatives.

Regulatory Update
Understanding CMMC Requirements
An overview of CMMC compliance for defense contractors.