CMMC Level 1 is mandatory for all DoD contracts as of November 2025 — here's how to get compliant
DoD Compliance · CMMC 2.0 · NIST 800-171

CMMC Level 1: What It Requires and How to Get There

If your company has a DoD contract, CMMC Level 1 compliance is now mandatory. This guide breaks down exactly what's required — and gives you the tools to get compliant fast.

The Basics Every DoD Contractor Needs to Know

CMMC Level 1 applies to any company that handles Federal Contract Information (FCI) under a DoD contract. That covers the vast majority of the Defense Industrial Base — the DoD estimates 63% of contractors fall under Level 1.

As of November 2025, compliance is no longer optional. Every covered contractor must complete an annual self-assessment, score themselves against 15 security practices, and submit that score to the SPRS database — the government's contractor performance tracking system.

01. Annual Self-Assessment
You assess your own security posture against 15 practices from FAR 52.204-21. No third-party assessor required at Level 1.

02. SPRS Score Submission
Your score must be submitted to the Supplier Performance Risk System (SPRS) before bidding on or renewing DoD contracts.

03. Documentation to Back It Up
Your score must be supported by documentation — policies, a System Security Plan, and evidence of your controls. Without it, your submission has no legal standing.

What You're Actually Being Assessed Against

CMMC Level 1 is built on 15 practices drawn from FAR 52.204-21. They're organized into 6 domains. Here's what each domain requires:

🔐
Access Control (AC)
Limit system access to authorized users and devices. Control what each user can do and see. 4 practices.
🔍
Identification & Authentication (IA)
Verify the identity of users, processes, and devices before granting access. Manage passwords and credentials. 2 practices.
📱
Media Protection (MP)
Sanitize or destroy media containing Federal Contract Information before disposal or reuse. 1 practice.
🏢
Physical Protection (PE)
Limit physical access to systems and facilities to authorized individuals. 2 practices.
🛡️
System & Communications Protection (SC)
Monitor and control communications at the boundaries of your systems. 2 practices.
⚙️
System & Information Integrity (SI)
Identify and fix flaws in a timely manner. Protect against malware. Monitor systems for security alerts. 4 practices.

The Documents Assessors Look For First

A self-assessment score means nothing without documentation to back it up. These are the core documents every Level 1 contractor needs in place before submitting to SPRS:

📋
Required
System Security Plan (SSP)
Describes your system boundary, the people and assets in scope, and how you implement each of the 15 practices.
📌
Required
Plan of Action & Milestones (POA&M)
Documents any gaps in your implementation and your plan to address them with target dates.
📊
CMMC Level 1 Control Tracker
Scores each of the 15 practices, documents evidence, and calculates your SPRS score for submission.
🔐
Required
Access Control Policy
Defines how your organization controls who can access systems and what they can do.
🏢
Required
Physical Protection Policy
Documents physical access controls for any facility or system handling FCI.
🛡️
Required
System & Comms Protection Policy
Covers network segmentation, boundary protections, and communication monitoring controls.
⚙️
Required
System & Information Integrity Policy
Addresses malware protection, patch management, and security alerting procedures.
💾
Required
Media Protection Policy
Governs how media containing FCI is labeled, stored, transported, and destroyed.

Not sure how many of these you already have in place? That's exactly what the free checklist below is for.

See Exactly Where Your Gaps Are

The CMMC Level 1 Readiness Checklist walks you through all 15 practices and every required document — so you know exactly what you have and what you still need.

All 15 FAR 52.204-21 practices · Gap analysis worksheet · Documentation checklist · 100% free


Everything You Need to Pass Your Self-Assessment

A CMMC consultant charges $150–$250/hr. A full Level 1 engagement runs $4,000–$6,000. Our kit gives you the same documentation framework — built by a CISSP-certified GRC professional — for a fraction of the cost.

Consultant route: $4,000–$6,000 · This kit: $897
One-time payment · Instant download · No subscription
CMMC Level 1 Control Tracker (all 15 practices + SPRS scoring)
System Security Plan (SSP) with sample language
POA&M template with pre-filled examples
5 mandatory policy documents (AC, PE, SC, SI, MP)
4 bonus policies: Clear Desk, Telecommuting, AUP, Information Classification
All 12 files in editable Word (.docx) format
Built by a CISSP-certified DoD compliance professional

Questions? info@kyberstorm.com


Trusted by Defense Contractors Across the DMV

★★★★★

"We had no idea where to start with CMMC. This kit gave us a clear roadmap and all the documentation we needed to submit our SPRS score with confidence."

Cherry Bezdek
Alpha Technology Group
★★★★★

"From the moment we engaged KyberStorm's services, their expertise and professionalism were evident... Thanks to KyberStorm's guidance and support, we now have a robust cybersecurity framework in place that has significantly enhanced our defense against cyber threats. I wholeheartedly recommend KyberStorm to any organization seeking top-notch cybersecurity expertise, unparalleled dedication, and a partner who truly goes above and beyond."

Linda Rawson
DynaGrace Enterprises
★★★★★

"KyberStorm has proven to be an invaluable partner throughout our FedRAMP journey. Their team continues to provide much-needed clarity to the intricate process and demonstrates expertise in translating complex FedRAMP requirements into practical control language for system documentation. Their unwavering commitment to our success has significantly boosted our confidence in achieving our P-ATO goal."

Patrick Sullivan
Telos Corporation

Built by a Compliance Professional. Not a Template Factory.

🛡️
KyberStorm Compliance Team
CISSP Certified · GRC Professional · DoD Compliance Expert

This isn't a generic template downloaded from the internet — it's the documentation a compliance professional would produce for a paying client. Built by a CISSP-certified GRC professional with hands-on experience in CMMC, NIST 800-171, and DoD compliance frameworks. KyberStorm is a trusted cybersecurity advisory firm based in the Greater DMV area, serving federal government, state & local, and private sector clients.


Common Questions

Is this updated for CMMC 2.0?
Yes. Fully aligned to CMMC 2.0 and the FAR 52.204-21 requirements finalized in the 32 CFR rule. The Control Tracker covers all 15 required practices.
Do I need a consultant to use these templates?
No. Each template includes guidance notes and pre-filled examples. Most organizations complete customization in a few hours. Need expert review? Email info@kyberstorm.com.
What format are the files?
All 12 documents are editable Word (.docx) files — compatible with Microsoft Word and Google Docs.
My company only handles FCI, not CUI. Do I still need this?
Yes. Level 1 applies to any organization handling FCI under a DoD contract. Annual self-assessment and SPRS submission are mandatory as of November 2025.
What's the difference between the free checklist and the paid kit?
The free checklist helps you identify your gaps — what you have and what you're missing. The paid kit gives you all 12 ready-to-use documents so you can fill those gaps immediately, without starting from scratch.
What if I need Level 2 templates or expert review?
We offer full CMMC advisory services. Contact us at info@kyberstorm.com or visit kyberstorm.com.
Is there a refund policy?
Due to the digital nature of this product, all sales are final. Any issues with your download? Email info@kyberstorm.com and we'll make it right.

Start Free or Get Everything You Need

Download the free checklist to see where you stand, or get the full documentation kit and submit your SPRS score this week.
