Arkadian Cybersecurity

You need CMMC Level 1 when you’re a prime or subcontractor on a government contract that includes the CMMC/DFARS clause and involves FCI (and/or CUI).

If a federal contract includes FAR 52.204-21 (which many do, whenever FCI is present), you’re expected to implement those 15 controls—whether or not anybody says “CMMC.”

If you’re a small business that does – or wants to do – work with the U.S. government, you’re going to see CMMC language in contracts, RFIs, and emails from prime contractors.

And a lot of it sounds like:

“Please confirm your compliance with CMMC Level 1…”

If your first thought is “We have antivirus and a firewall, is that enough?” — this article is for you.

Arkadian Cybersecurity works with small and mid-sized businesses that:

  • Are already in the defense supply chain and getting pressure from primes, or
  • Want to break in and don’t want CMMC to be the reason they lose an opportunity.

This post explains CMMC Level 1 in plain English, using the current DoD guidance (15 safeguarding requirements) — and shows how Arkadian can help you get there and prove it.

What Is CMMC Level 1 in One Sentence?

CMMC Level 1 is a set of 15 basic cybersecurity safeguards your organization must implement to protect Federal Contract Information (FCI) — non-public government information you receive, create, or handle as part of government contracts.

Think of it as:

“Don’t leave the front door unlocked, don’t hand out keys to everyone, and don’t store sensitive documents in a cardboard box on the sidewalk.”

It’s not about classified data. It’s about basic, reasonable protection of contract-related information.

Why Do Some People Talk About “17 Controls”?

You’ll still see lots of blogs and vendors say CMMC Level 1 has “17 controls” or “17 practices.” That comes from the way those 15 safeguarding requirements map to 17 requirements in NIST SP 800-171.

For your purposes as a small business:

  • The official CMMC Level 1 standard is built on 15 basic safeguarding requirements from FAR 52.204-21.
  • Those 15 map cleanly into the CMMC framework and the current Level 1 Assessment Guide.

In this article, we’ll stick with the 15-requirement view and translate them into practical actions.

Who Actually Needs CMMC Level 1?

You should care about CMMC Level 1 if:

  • You are a prime contractor or subcontractor on a government contract and handle FCI.
  • You want to bid on government work and see CMMC language in RFIs, RFPs, or from primes.
  • Your prime contractor is asking you for:
    • A self-assessment score,
    • Evidence of safeguards, or
    • Attestations about your cybersecurity posture.

Even if you’re “just a small shop,” if you store, process, or transmit FCI, you’re in the CMMC Level 1 universe.

If you’re unsure whether what you handle counts as FCI, that’s one of the first questions Arkadian helps SMBs answer.

What Does CMMC Level 1 Actually Require?

Instead of quoting all 15 requirements verbatim, it’s more helpful to think of them in five practical buckets:

  1. Control who gets in
  2. Use strong authentication and basic session protections
  3. Protect and maintain your systems and data
  4. Monitor for issues and respond when things go wrong
  5. Be able to prove what you’re doing

1. Control Who Gets In (Access Control)

At Level 1, you need to show that:

  • Only authorized users can access systems that handle FCI.
  • Users only get the access they actually need to do their jobs.
  • There are no anonymous or shared “catch-all” accounts where it really matters.

In practice, this usually means:

  • Everyone has a unique username and password.
  • You’ve defined basic roles (admins vs standard users).
  • Default, guest, or vendor accounts are disabled or tightly controlled.

Arkadian often starts by reviewing who can access what and aligning access with your real-world roles.

2. Use Strong Authentication & Session Controls

CMMC Level 1 expects that you manage identity and sessions sensibly:

  • Passwords: You enforce reasonable password quality (length/complexity) and don’t let users pick “Password123” for critical systems.
  • Session timeouts: Devices that handle FCI lock themselves after a period of inactivity.
  • Logon behavior: Users log off, and sessions don’t just stay open forever on unattended machines.

You don’t have to deploy every possible multi-factor option at Level 1, but using MFA where possible (e.g., Microsoft 365, VPN access) strongly supports the spirit of the requirements.

Arkadian helps SMBs:

  • Standardize these controls through directory services (e.g., Azure AD, local AD), and
  • Make sure the “paper” (policies) matches the actual configurations.

3. Protect and Maintain Your Systems and Data

This is the core of Level 1: don’t be obviously vulnerable.

You should be able to show that:

  • Systems are regularly updated and patched, especially those used for FCI.
  • You use antivirus / endpoint protection on all in-scope devices.
  • You have network protections, like firewalls, configured in a sane way.
  • Where practical, FCI is protected by encryption (for example, full-disk encryption on laptops and secure protocols like HTTPS and VPN).

Red flags that will hurt you in a CMMC conversation:

  • Unsupported or end-of-life operating systems in daily use.
  • No consistent endpoint protection.
  • Everyone running as a local administrator, all the time.
  • Open remote access (like raw RDP) from the public internet.

Arkadian helps small businesses build a baseline security configuration that fits Level 1 expectations and your actual environment.

4. Monitor for Issues and Respond When Things Go Wrong

Even for Level 1, CMMC expects that you:

  • Notice when something suspicious happens, and
  • Do something about it, not just shrug and reboot.

This typically includes:

  • Users being trained to recognize and report suspicious emails, logins, or behavior.
  • Having a simple incident response process:
    • Who gets called?
    • How do you isolate an affected system?
    • How do you preserve basic evidence?
  • Using the logging and alerting capabilities you already have (on firewalls, endpoint tools, cloud services) so you’re not completely blind.

Arkadian can take this further into managed detection and response, but for Level 1 we focus first on practical, right-sized monitoring and response that your team can sustain.

5. Be Able to Prove It (Policies, Evidence & Self-Assessment)

CMMC isn’t only about doing the right things — it’s also about showing that you do them.

You’ll need:

  • A basic information security policy that reflects how you actually operate.
  • Short, clear procedures for key topics:
    • How you grant and remove access
    • How you manage backups
    • How you keep systems updated
    • What you do in a suspected incident
  • Evidence:
    • Screenshots of relevant settings
    • Configuration exports
    • System inventories
    • Records of training, reviews, or tests

Primes, auditors, or government reviewers won’t just ask:

“Are you secure?”

They’ll ask:

“Show me how you enforce this requirement.”

Arkadian specializes in turning your environment into an organized, audit-ready package instead of a scramble of emails and ad-hoc screenshots.

Common Myths About CMMC Level 1

Myth 1: “We’re too small; no one is going to check us.”

Reality:
If you’re in the DoD supply chain and handle FCI, size doesn’t matter. CMMC Level 1 is designed specifically with small contractors in mind.

Myth 2: “Our IT company handles everything, so we’re automatically compliant.”

Reality:
Most MSPs focus on keeping things running, not on formal compliance:

  • They may manage your endpoints and backups,
  • But they usually don’t own your policies, training, evidence collection, or self-assessment.

CMMC is about your organization as a whole, not just the tools your MSP uses.

Arkadian often works alongside IT providers, focusing specifically on security, documentation, and compliance alignment.

Myth 3: “We’ll worry about CMMC once we win a contract.”

Reality:
More and more, primes and contracting officers are asking about CMMC posture before they award anything significant. Waiting until after you win a contract is often too late.

Being able to say:

“We’ve completed a Level 1 self-assessment, here’s our documentation, and here’s how we meet the requirements”

gives you a competitive advantage instead of a fire drill.

A Practical 30-Day Starting Checklist for SMBs

If you want to make real progress toward CMMC Level 1 in the next month, here’s a realistic starting plan:

  1. Identify FCI
    List where FCI lives: email accounts, file shares, cloud platforms, devices, and applications.
  2. Scope your systems
    Decide which systems and users are in scope because they touch FCI.
  3. Check OS versions and patch status
    Make sure in-scope systems are supported and receiving updates.
  4. Standardize endpoint protection
    Confirm all in-scope endpoints have centrally managed antivirus/EDR enabled and reporting.
  5. Lock down access
    • Eliminate shared accounts where possible.
    • Confirm admins are limited and properly managed.
  6. Enable basic password and lock-screen policies
    Enforce reasonable password rules and automatic screen locking for in-scope devices.
  7. Review remote access
    Make sure remote access to FCI is done through secure methods (VPN + strong authentication, not exposed RDP).
  8. Harden and test backups
    Ensure systems that handle FCI are backed up, that backups are protected, and that you’ve tested a restore.
  9. Write a simple incident response playbook
    One or two pages that spell out who does what if something suspicious happens.
  10. Start your Level 1 self-assessment
    For each requirement:
    • Note whether you fully meet it, partially meet it, or don’t meet it yet.
    • Capture existing evidence and list what’s missing.
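As an added example (not Arkadian's tooling, nor anything from DoD), the PowerShell below collects evidence for several of the checklist steps above and the red flags listed under "Protect and Maintain Your Systems and Data" (OS support and patching, endpoint protection, local admins and the Guest account, screen lock and password policy, RDP exposure, firewall profiles, disk encryption) from one Windows endpoint. It assumes a Windows 10/11 host with Microsoft Defender and the BitLocker module, run from an elevated prompt; the CSV file name is a constructed convention.

```powershell
# Added example (not Arkadian's or DoD's tooling): collect Level 1 evidence from one Windows endpoint.
# Assumes Windows 10/11 with Microsoft Defender and the BitLocker module, run from an elevated prompt.
$findings = [ordered]@{ Host = $env:COMPUTERNAME; CollectedAt = (Get-Date).ToString('s') }

# Checklist step 3 / red flag "end-of-life OS": record the OS version and the most recent installed update.
$os = Get-CimInstance Win32_OperatingSystem
$findings['OSVersion']  = "$($os.Caption) $($os.Version)"
$findings['LastHotFix'] = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# Step 4: endpoint protection running, with real-time protection on and signatures current.
$mp = Get-MpComputerStatus
$findings['AVRealTime']      = $mp.RealTimeProtectionEnabled
$findings['AVSignatureDays'] = $mp.AntivirusSignatureAge   # days since the last signature update

# Step 5 / red flag "everyone is a local admin": list local Administrators and check the Guest account.
$findings['LocalAdmins']  = (Get-LocalGroupMember -Group 'Administrators').Name -join '; '
$findings['GuestEnabled'] = (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue).Enabled

# Step 6: screen lock after inactivity (current user's screensaver settings) and the local password policy.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$findings['ScreenLockOnResume']   = $desk.ScreenSaverIsSecure -eq 1
$findings['ScreenLockTimeoutSec'] = $desk.ScreenSaveTimeOut
$findings['PasswordPolicy'] = ((net accounts) -match 'Minimum password length|Maximum password age|Lockout threshold') -join '; '

# Step 7 / red flag "open RDP": is Remote Desktop enabled, and does it require Network Level Authentication?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$findings['RDPEnabled']     = $ts.fDenyTSConnections -eq 0
$findings['RDPRequiresNLA'] = $tcp.UserAuthentication -eq 1

# Network protection: every Windows Firewall profile (Domain, Private, Public) should be enabled.
$findings['FirewallAllProfilesOn'] = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0

# Encryption at rest for the system drive (BitLocker on Pro/Enterprise editions).
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$findings['SystemDriveEncrypted'] = ($bl.ProtectionStatus -eq 'On')

# Save one dated CSV per host so it can go straight into the evidence library, then show the results.
$out = "Level1-evidence-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).csv"
[pscustomobject]$findings | Export-Csv -Path $out -NoTypeInformation
$findings
```

Each CSV documents one host at one point in time; a "false" or stale value is a gap to record in the self-assessment, and the per-user screen lock values should be re-checked under a standard (non-admin) account, since HKCU reflects only the user running the script.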

If you have limited time or staff, Arkadian can step into this process and turn it into a guided, structured engagement, rather than a nights-and-weekends project.

How Arkadian Cybersecurity Helps SMBs Get to CMMC Level 1

Arkadian Cybersecurity is built to support small and mid-sized businesses that need real security plus credible, audit-ready documentation – not just a checkbox.

Here’s how we typically help:

1. Scope & Gap Analysis
  • Clarify which contracts, systems, users, and vendors are in scope.
  • Compare your current posture against the 15 CMMC Level 1 safeguarding requirements.
  • Identify gaps in both technical controls and documentation.

2. Remediation Roadmap
  • Turn findings into a prioritized action plan:
    • What must be fixed immediately
    • What can be staged over time
    • What can be addressed with configuration vs process changes
  • Align the plan with your budget, staffing, and timelines.

3. Implementation Support

We help you implement or tune:

  • Access controls and account management
  • Endpoint protection, patching, and vulnerability basics
  • Backup configuration and basic disaster readiness
  • Remote access policies and secure connectivity
  • Monitoring and alerting for key systems
4. Policies, Procedures & Evidence

We create or refine:

  • An Information Security Policy that fits your organization and CMMC Level 1.
  • Supporting procedures: access, backups, updates, incident handling, acceptable use, etc.
  • A structured evidence library (screenshots, exports, inventories, logs) aligned to each requirement.

So when someone asks, “How do you meet this requirement?” you have a clear, organized answer.

5. Ongoing Readiness

CMMC is not a one-time project. As your business changes, we help you:

  • Review and adjust your controls and documentation.
  • Maintain your self-assessment and evidence.
  • Prepare to respond to questions from primes, auditors, or government reviewers.

In other words: Arkadian doesn’t just help you check the box — we help you stay ready.

Ready to Talk About CMMC Level 1 for Your Business?

If you:

  • Are starting to see CMMC language in contracts or emails,
  • Plan to expand into government contracting and want to be ready before opportunities arrive, or
  • Simply want confidence that your basic protections and documentation will stand up to scrutiny,

Arkadian Cybersecurity can help you get from “no idea where to start” to a clear, defensible CMMC Level 1 posture.

You don’t need an internal security department.
You need a partner who understands both small business realities and current CMMC requirements.

When you’re ready, we’re here to help you get there.

CMMC Resources & Documentation directly from DoD:
CIO – CMMC Resources & Documentation
