What CMMC Level 1 Actually Requires: A Plain-English Guide for Small DoD Suppliers

CMMC Isn’t Optional Anymore

If your company handles Controlled Unclassified Information (CUI) or works anywhere in the Department of Defense supply chain, CMMC compliance isn’t a nice-to-have – it’s a requirement to keep your contracts. The problem is, most small DoD suppliers don’t have a dedicated IT team to figure out what Level 1 actually requires.

We’ve helped Defense Industrial Base (DIB) suppliers implement CMMC Level 1 controls from scratch. Here’s what it actually involves – no jargon, no fluff.

What CMMC Level 1 Covers

Level 1 is focused on basic cyber hygiene – the foundational practices every business should have in place. There are 17 practices across 6 domains:

Access Control

  • Limit system access to authorized users
  • Limit system access to the types of transactions and functions that authorized users are permitted to execute
  • Verify and control connections to external systems
  • Control information posted on publicly accessible systems

Identification & Authentication

  • Identify system users and processes acting on behalf of users
  • Authenticate identities before allowing access

Media Protection

  • Sanitize or destroy media containing Federal Contract Information before disposal or reuse

Physical Protection

  • Limit physical access to systems and equipment
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access
  • Control and manage physical access devices (keys, badges, etc.)

System & Communications Protection

  • Monitor, control, and protect communications at system boundaries
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System & Information Integrity

  • Identify, report, and correct system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans and real-time scans of files from external sources

What This Looks Like in Practice

For a small supplier – say 10 to 30 employees – implementing Level 1 typically means:

  • Endpoint management – Every device that touches company data needs to be managed, patched, and monitored. We deploy JumpCloud for device management and Malwarebytes for endpoint protection.
  • Access controls – Proper user accounts, role-based access, MFA enabled everywhere. No shared passwords, no admin access for everyone.
  • Network segmentation – Guest WiFi separated from production. Public-facing systems isolated from internal resources.
  • Patch management – Automated updates for operating systems and applications. No more “we’ll get to it next week.”
  • Physical security – Visitor logs, locked server rooms, badge access where appropriate.
  • Documentation – This is where most small companies fall short. You need written policies, procedures, and evidence that you’re actually following them.
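One way to see the gaps the list above describes is to run a small self-check over an inventory of accounts and devices before the formal gap assessment. The script below is an added example written for this guide; it is not Seashore IT's tooling, not a CMMC assessment tool, and not tied to JumpCloud or Malwarebytes. The inventory is constructed sample data, and the numeric thresholds (30 days for patches, 7 days for malware signatures, "more than half of users are admins") are assumptions chosen for the example, since Level 1 itself says "timely" rather than naming a number. Each finding is tagged with the Level 1 domain it maps to, which is the shape an assessor expects evidence to take.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Thresholds are assumptions for this example; the practice text says "timely".
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
# Address ranges treated as "internal" for the segmentation check (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    domain: str    # CMMC Level 1 domain the gap maps to
    subject: str   # account or device the finding is about
    issue: str     # plain-English description of the gap


# Constructed sample inventory for a small supplier; not real company data.
USERS = [
    {"name": "alice",     "shared": False, "mfa": True,  "admin": True},
    {"name": "bob",       "shared": False, "mfa": False, "admin": False},
    {"name": "frontdesk", "shared": True,  "mfa": True,  "admin": False},
    {"name": "carol",     "shared": False, "mfa": True,  "admin": True},
    {"name": "dave",      "shared": False, "mfa": True,  "admin": True},
]
DEVICES = [
    {"name": "ws-01",  "ip": "10.1.0.11", "public_facing": False,
     "last_patch": date(2024, 5, 20), "av_signatures": date(2024, 6, 1)},
    {"name": "web-01", "ip": "10.1.0.50", "public_facing": True,
     "last_patch": date(2024, 6, 1),  "av_signatures": date(2024, 6, 1)},
    {"name": "ws-02",  "ip": "10.1.0.12", "public_facing": False,
     "last_patch": date(2024, 3, 1),  "av_signatures": date(2024, 5, 1)},
]
AS_OF = date(2024, 6, 3)  # the date the snapshot was taken (constructed)


def assess_users(users, max_admin_fraction=0.5):
    """Access Control and Identification & Authentication checks."""
    findings = []
    for u in users:
        if u["shared"]:
            findings.append(Finding("Access Control", u["name"],
                                    "shared account; every person needs an individual login"))
        if not u["mfa"]:
            findings.append(Finding("Identification & Authentication", u["name"],
                                    "MFA not enabled"))
    admins = [u["name"] for u in users if u["admin"]]
    if len(admins) > max_admin_fraction * len(users):
        findings.append(Finding("Access Control", ",".join(admins),
                                "admin rights held by more than half of users; limit to those who need them"))
    return findings


def assess_devices(devices, as_of):
    """System & Information Integrity and System & Communications Protection checks."""
    findings = []
    for d in devices:
        patch_age = (as_of - d["last_patch"]).days
        if patch_age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding("System & Information Integrity", d["name"],
                                    f"last patched {patch_age} days ago"))
        sig_age = (as_of - d["av_signatures"]).days
        if sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append(Finding("System & Information Integrity", d["name"],
                                    f"malware signatures {sig_age} days old"))
        addr = ip_address(d["ip"])
        if d["public_facing"] and any(addr in net for net in INTERNAL_NETS):
            findings.append(Finding("System & Communications Protection", d["name"],
                                    "public-facing host sits on an internal subnet; move it to a separated network"))
    return findings


def assess(users, devices, as_of):
    """Run every check and return the combined list of findings."""
    return assess_users(users) + assess_devices(devices, as_of)


def summarize(findings):
    """Count findings per Level 1 domain, the view a remediation plan starts from."""
    counts = {}
    for f in findings:
        counts[f.domain] = counts.get(f.domain, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(USERS, DEVICES, AS_OF)
    for f in results:
        print(f"[{f.domain}] {f.subject}: {f.issue}")
    print(summarize(results))
```

Against the sample inventory this reports six gaps: a shared front-desk login and too many admins (Access Control), one user without MFA (Identification & Authentication), a workstation with stale patches and stale signatures (System & Information Integrity), and a web server sitting on the internal subnet (System & Communications Protection). Replacing the constructed lists with an export from whatever directory and endpoint tools you actually run turns the same checks into the "evidence of implementation" the next section asks for.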

The Documentation Problem

Here’s what catches most small businesses off guard: CMMC isn’t just about having the right technology in place. You need to prove it. That means:

  • System Security Plans (SSPs)
  • Written policies and procedures for each practice
  • Evidence of implementation (screenshots, logs, configurations)
  • Training records showing employees understand their responsibilities

At Seashore IT, we handle the full compliance lifecycle – not just deploying the technical controls, but writing the documentation, coordinating with stakeholders for reviews, and conducting the training. We work with your team to make sure everything holds up when an assessor looks at it.

How Long Does It Take?

For a small company starting from a reasonable baseline (you have computers, you have email, you have some basic security), Level 1 implementation typically takes 4 to 8 weeks. Companies starting from zero – shared passwords, no endpoint management, no documentation – may need 8 to 12 weeks.

The timeline depends on how quickly your team can review and approve policies, complete training, and implement any physical security changes that are needed.

What It Costs to NOT Be Compliant

Beyond losing your DoD contracts entirely, non-compliance exposes you to:

  • False Claims Act liability if you self-attested compliance you don’t have
  • Loss of future contract opportunities as primes require flow-down compliance
  • Reputational damage in a tight-knit defense supplier community
  • Actual security breaches that could have been prevented with basic hygiene

Getting Started

If you’re a small DoD supplier and you’re not sure where you stand on CMMC, the first step is a gap assessment – understanding what you have in place today versus what Level 1 requires. From there, we build a remediation plan with clear timelines and costs.

Seashore IT is CyberAB registered and has hands-on experience implementing CMMC controls for DIB suppliers. If you need help getting compliant – or just want to understand what’s required – reach out for a straightforward conversation.
