CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Plain English Guide to CMMC Level 1: Basic Cybersecurity Without the Headache
Submit any questions you would like answered on the podcast!
CMMC Level 1 Self-Assessment Guide: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level1_V2.0_FinalDraft_20211210_508.pdf
In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting break down CMMC Level 1 in clear, simple terms: what it is, who it applies to, and the exact steps small and mid-sized contractors must take to protect Federal Contract Information (FCI).
You’ll learn what the government expects from Level 1 contractors, how the 15 required practices actually work in real life, what documentation you must maintain for six years, and why the new annual self-assessment requirement matters more than ever.
Whether you’re a machine shop, fabricator, engineering firm, or small manufacturer supporting a prime contractor, this episode gives you the Level 1 foundation you must have in place.
Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap
SPEAKER_01: Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.
SPEAKER_00: And I'm Austin.
SPEAKER_01: From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's episode is all about CMMC Level 1. We're going to cover what it is, what the 15 required practices are, what documentation you need, and whether or not you have to be assessed by someone else. If you're a small shop handling Federal Contract Information (FCI) and you've been told that you need to get CMMC ready, this is your starting line. Okay, Austin, let's start simple. Can you tell us what CMMC Level 1 is?
SPEAKER_00: Yeah, so CMMC Level 1 is, from the government's perspective, the most basic cybersecurity hygiene or regimen that they want you to have in place to do business with them, basically. If you're familiar with CMMC Level 2, it's trying to protect what's called CUI, Controlled Unclassified Information. I like to describe it as kind of like the smaller puzzle piece of broader, bigger, more classified things. It's not always exactly true, but it conceptually gets the point across. CMMC Level 1 is protecting not CUI but FCI, Federal Contract Information. What that is, again by no means a complete definition, is, the way I like to think of it, information that's not publicly available and that is related to the contract you have with the government. A way to determine whether it's publicly available and whether it's FCI or not: if it's not accessible on a public website that you don't have to log in for, it's FCI. Even if you can register for a login for free and then log into it, that doesn't count. A website you can see without logging in that's just basically publicly advertised, that's not FCI. Everything else is more on the FCI side of things. So basically, if you have a contract with the government in the defense space, but maybe even other stuff as well, then you could be handling FCI, and you need to protect it with the minimum safeguards that they tell you they want in order to keep your contract and keep doing business with them. So CMMC Level 1 has 15 core practices. They all come from the FAR (Federal Acquisition Regulation) 52.204-21 clause, which most of your contracts probably already include. Of course, we always caution that people go actually look at their contracts and see what's included, to see if you even have to follow these rules.
But chances are, if you're doing business with the government or someone that does business with the government, it's probably in there. So it's not some new invention. But with CMMC Level 1, it's just now that you have to prove that you're doing it. And starting in 2025, actually, I think just a couple of days ago, November 10th, you need to do a self-assessment every year and upload your score into the SPRS system. And a quick note on that: if you actually go read the rules, it says in there, in the FAR, that you need to retain the evidence as well. So whenever you self-attest, you need to aggregate all the evidence you had to say that you were Level 1, in a file or folder, or otherwise keep it around, so that if the government comes knocking, you can actually prove to them that you said that in good faith. And it's not something that you should do just out of best practice. It actually says you have to retain that for, I think, six years. Don't take that to the bank; go read it yourself. That's just coming off the top of my head, but I think it's something like that.
SPEAKER_01: So Austin, can you walk us through the 15 practices in plain English?
SPEAKER_00: We'll go ahead and break them into the six categories. Each category has one or multiple practices. The first one is access control, and what it's made up of. We're going to stay in broad strokes here today to get the concept across, so you can understand what CMMC Level 1 is and what generally you have to do. In access control, what you have to do is limit who can access systems with FCI. For a practical interpretation of that, I'll bring up QuickBooks again. I like to talk about it a lot because it's a good example of a tool that a lot of customers use. QuickBooks is very commonplace, right? So, for example, in CMMC Level 2 you're probably not going to be putting CUI in your QuickBooks, but what you are putting in there for sure is FCI, Federal Contract Information: things like invoices, part numbers, contract IDs, or whatever. That is all going in QuickBooks. And so for QuickBooks, for example, you have to limit who has access to those systems and what they can do with it, and you have to document it. And then, of course, anything else that has FCI, but that's a practical nugget you can take away as an example. Another piece of access control is making sure that the people who do have access to FCI only have access to what they need to do their job or fulfill the role they have in the company. They don't need broad, sweeping access to everything unless they need it. Another is that you need to block outsiders from remote access unless it's secure. Pretty simple thing there. But for example, if you use QuickBooks Online, then you would need to set up multi-factor authentication on your QuickBooks Online. A lot of people don't have that set up, but for FCI it's required. And anything else that has FCI on it.
So your email, for sure: even if you don't have CUI (which you would if you're Level 2, or might be in the future), if you're trying to be Level 1 and you're using Microsoft commercial, then you need to have multi-factor authentication turned on for your email, because you most likely have FCI in your email. So this all needs to be documented and set up in a similar way to Level 2, just with less stringent controls and a slightly less heavy burden of documentation. And then you need to keep public data separate from FCI. The next category is identification and authentication. The goal here is to know who has access to what, right? A lot of companies tend to use shared logons, for example. You may have three people in accounting that all use the accounting login for QuickBooks, or this computer, that computer, this system or that system. That's not okay for CMMC Level 1. So the best way to do it is to have named user accounts that are directly attributable to that person. But if you want to use accounting one, accounting two, accounting three, and you want to map each to a specific person in your documentation and say Bobby Sue is accounting one, then that could be sufficient. It's just not preferred. We like to play very cleanly by the rules, and so we don't typically suggest doing that, but it could be argued that it's perfectly fine as long as you do it correctly. So the goal is to have a unique login for everyone, so that whenever they're doing something, you can see what they've done, and they only have access to certain things. You don't have multiple people in the same account that could do things we can't attribute to one individual or the other. That's the main goal with identity and identification, and then authentication.
We want to make sure that we're requiring passwords for everything, sufficient passwords, and logon methods that actually verify their identity. So, sorry to break it to you, but there's a surprising number of companies out there that still like to have, and I'm sorry, I'm going to call you out, CEOs and owners, because it's typically y'all, a user account that doesn't have a password to log in. That's just not going to fly anymore, because you have compliance, and compliance says you can't do that. The good times are gone. You can't do that anymore, so you have to implement that. The other is media protection. Media, in terms of IT, is not like videos and popcorn and Netflix. Media is the thing that data is stored on; it's called a medium. Examples of that would be thumb drives, computers, stuff like that. Those are all media on which you can store data, which is how the term is being used. And so when you get rid of old computers or USB drives or thumb drives, you need to wipe them clean and destroy them. Your documentation needs to say how you're going to do it, and you need to have the evidence that you did it, and everything else. That's the main thing with media protection: they don't want you to have a USB drive or a computer with old Federal Contract Information on it, or invoices or part numbers, that you sold on eBay or gave to your kid to go do college work on or something. You need to scrub that data and destroy it. Or even if your USB drive went bad and it's like, oh well, it's fine, it doesn't work anymore, you can't get access to it. Not sufficient.
You need to destroy it properly, in a proven way, so that you can reasonably say that the data is gone and can't be recovered, and then document it. So, before you give your old computer to your kiddos, you've got to clean it up first. Physical protection is protecting the physical spaces in which your FCI is stored. An easy way to think about this: you've got a laptop or a computer or a server, and you have an office space, and those laptops and computers and servers are in the office space. To protect that physical space and the computers inside of it, you need to lock your doors. When you have visitors, you need to escort them. You have to have a visitor log. These are the kinds of things you have to do in CMMC Level 1. And then you need to store those logs and protect those logs, so that you have integrity of the logs, so that you can prove things later and show them to the government if they came knocking. Then, if you have a physical office, you don't have to go out and spend a bunch of money and get some big $2,500 to $3,000 door access control fob system. That's certainly a way to achieve it, and that was what we got quoted a couple of years ago; I'm sure it's more expensive now. But you don't have to do that. That is one way to solve it. You can simply serialize the keys. If you have physical keys, get yourself a Dremel. I'm kidding; there are actually serialized keys you can have a locksmith make for you. That's probably an easier way to do it. If you have a digital code door with a set of digital codes, then you would just have an inventory of who has what codes and who they're attributable to, and you would decommission those codes and change them when people came or left.
So those need to be able to be tied to a person as well. And then, you know, construction trailers, same thing, unfortunately. You guys are going to have to serialize the keys or do a punch code and maintain an inventory of the construction trailer keys. I bring that one up because it's a common one that we see that is a bit of a burden for people. They have to do it, and if they're not doing it, then they're not compliant. It's a little easier for, say, an aerospace manufacturer or machine shop. They're kind of used to doing the escorting of visitors and the log, and everyone has a fob to get in the doors, or a key code or a serialized key. Those would be the main areas where you need to protect physical access. And it probably doesn't need to be said, but your server room ideally would be done the same way as well. So if you have a dedicated space for your servers and whatnot, you need to do all the same things I said, in the same way. Another category is system and communications protection. The easiest way I can think of off the top of my head to describe this one, as an example, is a website. If you host your own website at your office on your own servers or something, you need to segment your networks so that the website server is not on the same network as where your FCI is. The goal, basically, is to not mix and match public-facing systems with your private production systems where your FCI is stored. So you want to segment those systems so they can't communicate with each other. If you have a public server, like a web server or website or something like that, then you need to separate that and segment it appropriately. And the last category is system integrity. The main things here are patching your software and your computers.
You get updates for all your computers and all your software. A lot of times people just click "later" and ignore it. Well, for CMMC Level 1, you have to do that stuff, and you have to have the policies saying how you handle it and everything else. The reason being: a lot of the updates for your software are not necessarily features that you're getting from the software provider; they're actually patching security holes and exploits. So it's keeping hackers and security holes out of your network, and that's why they want to make sure that happens. Then there's the use of antivirus or endpoint detection or something like that. It needs to be done properly. You need to make sure you've got it on all your computers and it's managed appropriately, and you're updating it with the latest definitions, so that it's not working on a year-old expectation of what viruses are. It needs to be updated, much like your computers and your software are, and then you need to scan for threats regularly. You can't just have antivirus on your systems and have it updated. You actually have to prove and show that you're scanning for threats on a regular basis, and that's all written in your policies as well. If you're using tools like Windows or Microsoft 365, which something like 90% of us are, many of these can be turned on with a mild to moderate amount of headache. You're probably going to need an IT guy or lady at the end of the day to implement these things, unless you're just really savvy. But the real key is making sure you have all the documentation that it is set up correctly and how you're going to set it up.
SPEAKER_01: Well, I think you and I and our listeners can agree it's not a CMMC Compliance Guide Podcast episode without the documentation topic coming up.
SPEAKER_00: You're right.
SPEAKER_01: So let's step into that a little bit further. What kind of documentation is needed for Level 1?
SPEAKER_00: So the documentation that is needed is policies, procedures, evidence. We like to write it in a similar way to your SSP and supporting policies for CMMC Level 2, but it very much can easily be just a long set of policies and procedures that say how you're satisfying all six of these categories and these 15 practices; that is completely sufficient. Policies are where you write down your rules: what you're doing, for example your password policy, what it is and how you're doing it. Procedures are how you're applying those rules, how it's set up. A good example of this is your patching. You have your patching policy: it's going to be done on X day of the week, and your procedure would be: it's done this way, implemented this way, this is how we do it. And then your evidence would be screenshots, reports, logs, checklists, things like that, or any other evidence that you've done it and it's been implemented. And you want to make sure, again, like I said at the beginning, that you actually have that evidence in some sort of repository, whether it's a ticketing system, a file, a folder, a SIEM or whatever. I think it's, go look it up, but I think it's six years that you have to retain it for from the date of attestation, I believe. So make sure you have your evidence. That's the one that, for CMMC Level 1, people just always miss. You have to have evidence, because the rule says you have to have evidence. If you want to risk it, that's on you. You do your thing. But if I'm attesting, I said I did something, and the rule says I have to have the evidence and retain it for six years, I don't want to get caught if the government comes knocking.
So my recommendation would be to store all that evidence and make sure you have it every time you attest.
SPEAKER_01: For CMMC Level 1, are they getting assessed or certified?
SPEAKER_00: Yeah, so they are assessing themselves. There's going to be no third-party assessor; you're not paying anyone to come in. I guess you could if you really wanted to, to try and put your best foot forward, but it's not required, and I don't see anyone doing it. So, to be clear, you do not need a third-party assessor, but you are going to do a self-assessment of your own company once a year and submit your score to the SPRS system. And again, as I've said several times, you have to make sure that you have the evidence for that self-attestation on file somewhere to support that claim, for a period of, I think, six years. That is the other piece that people tend to leave out. You can do it yourself, certainly. It'd be good to hire a consultant that's very familiar with CMMC and the standards to make sure you're not missing something, because attesting is attesting that you are doing it. So even if you weren't right, not knowing that you weren't right is not okay. The government says, well, we don't really care if you didn't know what you were attesting to; you attested, and so you're still on the hook for it. That's why we suggest hiring a professional to help you through your attestation and through your CMMC program. They don't have to do everything, but certainly at least a minimum level of guidance would be suggested. If you want to write your own contract that you have someone sign, that's cool, but have a lawyer look at it. That's like another common thing. You want to make sure you're not running astray of the rules or the laws, or getting yourself in trouble that you otherwise didn't know about because you didn't hire someone that was more familiar with it. So that's what we suggest. Again, not required; it is a self-attestation.
And even if the government doesn't come knocking, your prime or your customer might, and they might want to see evidence. I know, as of late, with the recent changes on November 10th, we've had a fair amount of primes come to our customers asking for evidence on certain items related to their CMMC Level 1 status. So it's not unprecedented to have your customer looking at more than just your attestation and your score and actually looking for some verification of it. Now, we've not had them do a full audit, haven't seen that yet, but they've definitely picked out some pieces they wanted to see hard evidence on.
SPEAKER_01: So for viewers and listeners at home, what would you suggest they get started on today?
SPEAKER_00: Yeah, so if you're familiar with the podcast, you know that we say all roads lead to scope, or scoping, or your data flow diagram. We honestly recommend a very similar situation for CMMC Level 1, and what scope and data flow ultimately boil down to, in the simplest terms, is answering the question: where does FCI, Federal Contract Information, live in my environment? You would start with where you get it from a customer, how it travels through your network, who it touches, who touches it, what systems, programs, cloud apps, QuickBooks, whatever it resides in or traverses. So figure that out. That's figuring out and answering the question of where FCI lives in your environment. That's first. Second is review all the 15 controls that we talked about today and make sure that you meet them. And I'll tell you what: in the description, what we can do is drop in the government-provided CMMC Level 1 guide. I think it's a self-assessment guide or something like that. We'll drop that in so that it's easy to find. Sometimes it's not always easy, especially when you're punching CMMC into Google these days; you get a lot of different stuff, and it's not always the government's. So we'll drop that in, and you can use that to look at all 15 practices or controls and make sure that you meet them. And then third is document your practices, and then draft your documentation. What are your policies, what are your procedures, how are you achieving these 15 requirements? Write all that in. And then once you do all that and you generate your evidence along with it, then you can fill out your SPRS score or do your self-attestation. There are some tools out there that can help you do this. It's a little easier to do CMMC Level 1 without them.
But they're certainly out there; you can search for them. Probably the easiest place to start, instead of going and getting some fancy tool, unless you just want to, is that document that we'll drop in the comments or description, or wherever we decide to put it.
SPEAKER_01: If you have questions about what we covered today, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.