February 17, 2026

CMMC Level 1 self-assessments: A practical walkthrough

CMMC Level 1 is often described as “basic cyber hygiene,” but in practice it requires organizations to demonstrate consistent, intentional protection of Federal Contract Information (FCI). In addition to having the right tools, you need to show that your people, processes, technology, and physical safeguards work together to protect sensitive data in real day-to-day operations.

This guide brings the core CMMC Level 1 practice areas into one cohesive walkthrough. It’s built to help you think like an assessor by focusing not only on what controls exist, but how they’re implemented, maintained, and verified.

Access Control & Identification

When you think about cybersecurity, the first question should be: Who has access?

Access Control (AC) and Identification & Authentication (IA) form the foundation of CMMC Level 1. These practices ensure that only the right people, processes, and devices can interact with your systems and the FCI they contain.

Imagine leaving your office unlocked overnight. Anyone could walk in and access sensitive files. Digitally, weak access controls create the same risk. Strong access control practices prevent unauthorized access, reduce the likelihood of accidental exposure, and establish clear accountability for who can access what and why.

Authorized access control

Maintain a list of authorized users and devices, and review it regularly. Disable accounts promptly for employees who leave the organization. This is basic housekeeping, but it’s a common gap identified during assessments.

Clear documentation of who is authorized, and proof that access is removed when it’s no longer needed, helps demonstrate intentional control over your environment.

Transaction & function control

Not every user needs access to every system. Transaction and function controls limit what authorized users are allowed to do once they’re logged in.

For example, a receptionist shouldn’t have access to financial systems. Role-based access is your friend here. By aligning access permissions with job responsibilities, you reduce the risk of accidental exposure and make access reviews far easier to manage.

External connection control

Connections to external systems must be tightly controlled using firewalls, VPNs, and allow/deny lists. In some cases, a company may choose to carve out an enclave within their network (a segmented portion dedicated to handling FCI). This approach can help restrict the number of devices and services that fall within scope.

However, during the process of carving out this space, organizations may inadvertently cause parts of their internal network to be treated as external connections to the FCI network.

For example, if a company chooses not to bring their email server into the scope, but still receives FCI documents via email, that email system would be considered an external connection and would likely be flagged by an auditor.

However you have set up your FCI network, it is critical to ensure that the scope of what you intend to protect is clearly defined and aligned with how FCI actually flows through your environment.
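A small scope-consistency check that models the email situation above, as an added example (not the article's or Field Effect's own tooling): it assumes you can list the assets inside your FCI enclave and the data flows between assets, each tagged with whether it carries FCI, and it flags flows that cross the enclave boundary (external connections to control) plus every out-of-scope asset that handles FCI (a scoping gap). All asset names and flows are constructed.

```python
# Added example (not from the article or Field Effect): a scope-consistency
# check for an FCI enclave. Asset names and flows below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_fci: bool
    description: str

# Assets you have placed inside the FCI enclave (constructed inventory).
IN_SCOPE = {"FCI-FS-01", "FCI-WS-01", "FCI-WS-02"}

# How FCI and non-FCI data actually move (constructed data-flow list).
FLOWS = [
    Flow("FCI-WS-01", "FCI-FS-01", True, "user saves FCI document to file share"),
    Flow("MAIL-01", "FCI-WS-01", True, "user downloads FCI attachment from email"),
    Flow("FCI-WS-02", "PRINT-01", True, "user prints FCI drawing"),
    Flow("MAIL-01", "HR-APP", True, "FCI forwarded to HR system, never enters enclave"),
    Flow("FCI-WS-01", "TIME-APP", False, "user enters timesheet"),
]

def classify_flows(flows, in_scope):
    """Return (external, outside, gaps): FCI flows that cross the enclave
    boundary (external connections that must be controlled), FCI flows handled
    entirely by out-of-scope assets, and the sorted list of out-of-scope assets
    that touch FCI at all, which is the scoping gap the email example describes."""
    external, outside, gaps = [], [], set()
    for f in flows:
        if not f.carries_fci:
            continue  # non-FCI traffic does not affect the assessment scope
        endpoints = {f.src, f.dst}
        inside = endpoints & in_scope
        gaps.update(endpoints - in_scope)
        if len(inside) == 1:
            external.append(f)
        elif not inside:
            outside.append(f)
    return external, outside, sorted(gaps)

if __name__ == "__main__":
    external, outside, gaps = classify_flows(FLOWS, IN_SCOPE)
    for f in external:
        print(f"external connection: {f.src} -> {f.dst} ({f.description})")
    for f in outside:
        print(f"FCI never enters enclave: {f.src} -> {f.dst} ({f.description})")
    for asset in gaps:
        print(f"scope gap: {asset} handles FCI but is not in scope")
```

Each asset in the gaps list either needs to be brought into scope or have its FCI handling removed; otherwise an assessor will treat it as an uncontrolled external connection.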

Public information control

FCI should never be posted on public websites. To prevent accidental exposure, organizations must implement a formal review process before publishing any content externally.

When dealing with FCI, it’s important to assign responsibility for uploading information to public-facing resources to a specific individual or a small, designated team. Those individuals should be trained in the proper handling of FCI to ensure that nothing is uploaded that shouldn’t be.

In addition, procedures must be in place for situations where FCI is inadvertently uploaded to a public-facing resource. These procedures should clearly document what was uploaded, how it was uploaded, why it was uploaded, and who needs to be notified of the potential exposure.

Strong incident management and data-handling procedures address these scenarios and ensure that staff are trained and fully aware of what can and, more importantly, cannot be uploaded to public-facing resources.

Device control

When moving into the NIST world of compliance, the days of bring-your-own-device (BYOD) are over. Devices that access systems handling FCI must be owned and managed by the company, and you need a clear way to demonstrate control over each device.

This includes being able to show how user accounts and privilege levels are managed on endpoints, such as ensuring users do not have local administrator access. It also means demonstrating your ability to push policies and updates to endpoint devices from a centrally managed location, as well as report on those devices and their current security status.

Devices are often overlooked during access control planning and excluded from policy creation. This creates gaps that are frequently identified during an audit. Ensuring access controls are planned for devices in the same way they are for user accounts will significantly increase your chances of a positive audit experience.

Identification & authentication

Before granting access to systems or data, identity must be verified. Assign unique identifiers, enforce strong password policies, and change default credentials immediately. Think of this as checking someone’s ID before letting them into a secure building.

Practical tips include:

  • Using unique usernames for all users
  • Enforcing strong password policies (minimum length, complexity)
  • Implementing multi-factor authentication where possible

Regarding unique naming, while it’s important that each individual user have their own unique login name for the network, it’s also important that, wherever possible, system accounts are unique as well.

For example, if a system account is used to automate the creation of reports, it should be distinct from the system account used to distribute those reports. Using the global admin account for every process simply because it has “the required permissions” is not best practice. The proper approach is to identify the specific privileges required and create a dedicated account with only the access necessary to complete the task.

In addition to accounts, devices on the network should also have unique identifiers. If every server is named “Server-01,” it can be difficult to determine what service a host is responsible for during an audit or incident. By assigning clear, unique identifiers to all endpoints, you can often confirm the purpose of a device by name alone, such as SQL-Server-01 or DC-Switch-02.

How to assess your access & identification controls

  • Examine: Review access control policies, user lists, and device inventories. Confirm they are current, accurate, and reflect how access is actually managed.
  • Interview: Ask administrators how accounts are provisioned, modified, and disabled. Verify that access is removed promptly when users leave or change roles.
  • Test: Attempt to access systems or data using unauthorized credentials to confirm restrictions are enforced as expected.
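The examine step above can be partly automated against exported inventories. The following script is an added example, not part of the article or Field Effect's tooling: it assumes three exports (user accounts with owner and last logon, an HR roster, and a device inventory with a managed flag), all constructed here, and reports the findings an assessor looks for in this section: enabled accounts of departed staff, stale accounts, shared accounts with no individual accountability, and devices that are unmanaged or carry generic duplicate names. The 90-day threshold and the ROLE-SITE-NN hostname convention are assumed policy choices.

```python
# Added example (not from the article or Field Effect): review exported account,
# HR and device lists for the gaps this section describes. All sample data is
# constructed; the 90-day threshold and ROLE-SITE-NN naming are assumed policies.
from datetime import date
import re

REVIEW_DATE = date(2026, 2, 17)
STALE_DAYS = 90
GENERIC_NAMES = {"admin", "administrator", "guest", "shared", "scanner"}
HOSTNAME_RE = re.compile(r"^[A-Z]+-[A-Z0-9]+-\d{2}$", re.IGNORECASE)
# (username, owner employee id or None for service/shared accounts, enabled, last logon)
ACCOUNTS = [
    ("jsmith", "E100", True, date(2026, 2, 10)),
    ("mlee", "E101", True, date(2025, 9, 1)),        # departed, still enabled
    ("rgarcia", "E102", True, date(2025, 10, 15)),   # active but stale
    ("admin", None, True, date(2026, 2, 16)),        # shared account
    ("svc-reports", None, True, date(2026, 2, 16)),  # dedicated service account
]
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
DEVICES = [("SQL-SERVER-01", True), ("DC-Switch-02", True),  # (hostname, managed)
           ("Server-01", True), ("Server-01", False)]

def review_accounts(accounts, roster, today=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return (username, finding) pairs for enabled accounts an assessor would question."""
    findings = []
    for user, owner, enabled, last_logon in accounts:
        if not enabled:
            continue  # disabled accounts are the desired end state
        if owner is not None and roster.get(owner) != "active":
            findings.append((user, "owner departed: disable immediately"))
        idle = (today - last_logon).days
        if idle > stale_days:
            findings.append((user, f"no logon in {idle} days"))
        if user.lower() in GENERIC_NAMES:
            findings.append((user, "shared account: no individual accountability"))
    return findings

def review_devices(devices):
    """Return (hostname, finding) pairs for unmanaged, generic or duplicate devices."""
    findings, seen = [], set()
    for host, managed in devices:
        if not managed:
            findings.append((host, "not centrally managed"))
        if not HOSTNAME_RE.match(host):
            findings.append((host, "name does not identify role"))
        if host in seen:
            findings.append((host, "duplicate hostname"))
        seen.add(host)
    return findings
```

Keep each run's output with the date it was produced; a dated series of reviews with the resulting ticket or disable action is the evidence an assessor asks for.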

Media & physical protection

Cybersecurity isn’t just about firewalls and passwords. Physical security and media protection are equally critical to protecting FCI. If someone can walk off with your server, an old hard drive, or even a box of paper files, all your digital safeguards become irrelevant.

This section focuses on keeping your data safe in the real world by addressing how physical access is controlled and how media containing FCI is properly handled, sanitized, and disposed of.

Media protection: Don’t let data linger

Old hard drives, CDs, USB devices, and even paper files can contain FCI. Before media is reused or disposed of, it must be properly sanitized or destroyed.

Quick wins for media protection include shredding paper documents that contain FCI, using NIST SP 800-88 guidelines for wiping or destroying electronic media, and maintaining records of media sanitization activities for compliance and audit purposes.

Example: Found an old CD containing DoD project data? Don’t toss it in the trash; shred it. If it’s a hard drive, use cryptographic erase or physical destruction. These steps help ensure data cannot be recovered by unauthorized parties.

Physical protection: Lock it down

Physical protection starts with controlling who can enter your facility and where they are allowed to go. Areas that store or process Federal Contract Information (FCI) should never be accessible to just anyone.

Quick wins for improving physical protection include limiting access to authorized personnel, escorting visitors at all times, maintaining logs of who enters and exits the facility, and carefully managing physical keys and access badges.

Want to learn more about CMMC? Hear from Field Effect's in-house compliance expert on CMMC, the Final Rule, and What it Means for Your Business.

Pro tip: Install badge readers and review access logs regularly. If a key or badge is lost, change the lock or deactivate the credential immediately. Physical security breaches often begin with something simple, like a misplaced badge or an unescorted visitor.

How to assess your media & physical controls

  • Examine: Review visitor logs, access lists, and physical access records. Confirm they are complete, accurate, and consistently maintained.

  • Interview: Ask staff about visitor escort procedures and physical access rules. Verify that they understand and follow the established process.

  • Test: Attempt to access restricted areas without proper credentials. If access is possible, address the gap immediately.

System and Communications Protection and System and Information Integrity

Your network is like a fortress. The CMMC Level 1 requirements for System and Communications Protection (SC) and System and Information Integrity (SI) are designed to keep the walls strong and the gates secure.

These practices focus on defining network boundaries, controlling how systems communicate, and ensuring threats and vulnerabilities are detected and addressed in a timely manner.

Boundary protection

Firewalls, proxies, and demilitarized zones (DMZs) are used to separate trusted internal systems from the public internet. Clearly defining network boundaries and actively monitoring traffic across those boundaries is essential to meeting CMMC Level 1 requirements.

In practice, this may include configuring firewalls to block known malicious sites, setting up alerts for suspicious or unusual activity, and reviewing security logs on a daily basis.

Public access separation

Public-facing systems should never reside on the same network as systems that store or process sensitive internal data, including FCI.

To reduce risk, use network segmentation techniques such as virtual LANs (VLANs) or DMZs to isolate public-facing resources.

System integrity

System flaws and malware are inevitable. The goal of system integrity controls is to detect and remediate issues as quickly as possible.

Essential steps include patching systems on a regular basis, deploying anti-malware tools at key points in the environment, scanning files in real time, and scheduling periodic scans to identify dormant threats.

In practice, this may look like enabling daily antivirus scans, configuring email filters to quarantine suspicious attachments, and training staff to report unusual system behavior or anomalies.

How to assess your SC and SI controls

  • Examine: Review firewall configurations, system logs, and patch management records to confirm controls are properly configured and maintained.

  • Interview: Ask administrators about update schedules, patching procedures, and how malware alerts are handled.

  • Test: Simulate malware detection or alerting scenarios and verify that alerts are generated and response procedures are followed.