Implementing CMMC Level 1: Asking the Right Questions
With the Level 1 Cybersecurity Maturity Model Certification (CMMC) becoming required on Department of Defense (DoD) contracts containing Federal Contract Information (FCI) sometime between late October 2025 and February 2026, companies working with the DoD need to establish where they currently stand against the new requirements. Note that Level 1 is an annual self-assessment with an affirmation recorded in SPRS, not a third-party certification, so the burden of scoping correctly falls on you. A practical way to start is by asking a few pointed questions. After reading this article, you should be prepared to both scope and assess your environment against the CMMC Level 1 standard.
Deciding the Scope
One of the key elements of CMMC Level 1 is properly identifying the users and devices that will work with or access FCI (AC.L1-B.1.I, IA.L1-B.1.V). So, the first questions you should ask are:
- Who within the company will be working on DoD contracted work?
- What devices (computers, phones, tablets, network devices) will be used to work on DoD contracted work?
Depending on the size of your organization and the number of DoD contracts you handle in a year, the answers to these questions can range from a couple of staff members and a few select computers to the entire enterprise. This is where scoping comes in. Keep in mind that a smaller scope only holds up if FCI actually stays inside it: the moment someone forwards a contract document to a personal mailbox or a machine outside the enclave, that asset is in scope too. To learn more about scoping, see our article on choosing between an enclave and an enterprise environment.
Once you have established the users and devices in scope, you also need to think about the Cloud Service Providers (CSPs) that will be used while performing DoD contracted work. Here are some example questions that will help you define the cloud software portion of your scope for CMMC Level 1:
- Do you use any software that you access through a web browser and that stores or accesses FCI?
- Do you use Microsoft 365 or Google Workspace to store any of your Federal contracts?
These questions are vital for any platform owned by another company (such as Microsoft or Google) that you use to store, process, or transmit FCI. Unlike at CMMC Level 2, CSPs that store, process, or transmit FCI for a Level 1 scope do NOT have to be authorized under the Federal Risk and Authorization Management Program (FedRAMP). HOWEVER, neither Microsoft nor Google recommends their standard commercial editions for CMMC work (see the Microsoft and Google articles here). Large providers typically offer a government edition alongside the commercial one, and the government edition is the one that carries the FedRAMP authorization they point defense customers to: Microsoft 365 GCC and Microsoft 365 GCC High on the Microsoft side, and Google Workspace for Government on the Google side. Do not assume a commercial edition carries the same authorization or the same data-handling commitments as its government counterpart; check the exact product and authorization level before relying on it. To learn more about the differences between the Microsoft 365 editions and their implications for CMMC, see our article on it here.
It may seem like a lot of information, but when it comes down to it, using FedRAMP authorized (or, where the DoD permits it, FedRAMP equivalent) Software-as-a-Service (SaaS) offerings whenever possible is HIGHLY recommended at any level of CMMC. If you are unsure whether a product you use is FedRAMP authorized, the FedRAMP Marketplace lists every offering that is currently FedRAMP Ready, In Process, or Authorized, along with its impact level. FedRAMP equivalency is not listed there; it is a separate DoD determination backed by a third-party assessment, so ask the vendor for that evidence directly. Also remember that a provider's authorization covers the service, not your tenant: you still have to configure the access controls on your side.
Thinking About Other Companies
While CMMC mainly focuses on the organization seeking certification (OSC; for a Level 1 self-assessment the rule uses the term Organization Seeking Assessment, or OSA), some of the practices require you to analyze and document the subcontractors and other external entities you work with to complete these contracts (AC.L1-B.1.II, AC.L1-B.1.III, SC.L1-B.1.X). Here are some key questions to help you narrow this down:
- Do you plan on working with any subcontractors who would need to access the FCI in the DoD contract completion process?
- Do you currently have a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) that maintains or administers the devices on which you plan to access FCI?
One key thing to remember about subcontractors is that before you send them any information that contains FCI, they too must already have their CMMC Level 1 self-assessment and affirmation in place. Until they do, they can only receive information that falls outside the definition of FCI: information the Government has made public, and simple transactional information such as what is needed to process a payment. A statement of work or a deliverable specification is FCI and cannot go to an uncovered subcontractor. The same applies to any Information Technology (IT) provider that may have access to the systems that store, process, or transmit FCI: an administrator account on an in-scope machine is access to FCI, whether or not the provider ever opens a contract file.
Public Facing Information
Another area where FCI must specifically be protected is publicly facing systems (AC.L1-B.1.IV, SC.L1-B.1.XI). Many companies do not have a lot of publicly facing systems such as online stores, but almost every company has a website and a social media presence. Here are some important questions to ask when analyzing your presence on publicly facing systems:
- What publicly facing platforms do you post information on? (Social Media, Websites, Job Postings, Online Stores, etc.)
- Who are the employees that are allowed to post on these publicly facing platforms?
Once you have defined the places and the people, you are set up to prevent accidental FCI spillage. To fully satisfy AC.L1-B.1.IV you also need a review step before content goes live, so that contract details (customer names, part numbers, delivery schedules pulled from a statement of work) are caught before posting, and a way to remove FCI promptly if it slips through. Separately, SC.L1-B.1.XI expects a public web server to be separated from the internal network where FCI lives, for example by hosting it with a provider or placing it in its own network segment, so that a compromise of the public site does not reach FCI.
Physical Spaces & Storage
A very important portion of the CMMC Level 1 requirements focuses on physical security (PE.L1-B.1.VIII, PE.L1-B.1.IX), and the questions below also bear on media handling (MP.L1-B.1.VII). Depending on how you conduct business, parts of these controls may or may not apply to your company. Here are a few vital questions to ask to truly understand how far the physical security requirements reach:
- Do you plan to use any removable or external media to store FCI? (USB Sticks, CDs, External Hard Drives, etc.)
- Do you plan on printing out or using any physical paper forms of FCI?
- Do you have a specific area (or room) where you plan on performing FCI work or have meetings where FCI is displayed?
If the answers to all the previous questions are no, it is highly probable that you will not need to define a dedicated physical area (a room or facility) in your scope. Even then, the laptops and phones that hold FCI are physical assets, so expect to show how access to them is limited to authorized people (for example, devices stay with their assigned user and are locked when unattended), and if you ever dispose of or repurpose a drive or device that held FCI, MP.L1-B.1.VII requires it to be sanitized or destroyed first. When it comes to marking specific practices not applicable, it is highly recommended to consult with a Registered Practitioner Organization (RPO) to ensure there are no exceptions that would bring physical security requirements back into play for your organization. Click here to learn more about Stratus' RPO services.
Technical Security Implementation
Finally, while the CMMC Level 1 technical requirements are not as extensive as those of CMMC Level 2 or 3, a few implementations can cover a majority of them (IA.L1-B.1.VI, SI.L1-B.1.XIII, SI.L1-B.1.XIV, SI.L1-B.1.XV). Here are some key questions to get you started in the right direction:
- Do you currently have any shared accounts that multiple people log into under a single username?
- Do you currently use Antivirus (AV) or Endpoint Detection and Response (EDR) software?
CMMC Level 1 requires every user, process acting on behalf of a user, and device to be uniquely identified (IA.L1-B.1.V) and then authenticated (IA.L1-B.1.VI) before it is granted access. A username that several people share cannot be tied to one person, so shared accounts are effectively ruled out; identify them as early as possible in the compliance process so they can be replaced with individual accounts. The usual hiding places are front-desk or shop-floor PCs, a "scanner" or "shipping" login, and administrator accounts whose password is known to the whole IT team. On the malicious code side, the SI practices are satisfied by protection that is actually in place on every in-scope endpoint (SI.L1-B.1.XIII), kept up to date with current signatures or detection content (SI.L1-B.1.XIV), and configured to run periodic scans of the system plus real-time scans of files arriving from external sources such as email attachments and downloads (SI.L1-B.1.XV). Modern AV and EDR products do all three out of the box, but be prepared to show that the agent is installed and current on each machine in scope, not just that the product was purchased.
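Answering the shared-account question from memory is unreliable; the faster check is to look at who actually logs on where. The script below is an added example, not code from the original article or from Stratus, and it assumes that successful Windows logon events (Security log Event ID 4624) have been exported as comma-separated fields: timestamp, account, logon type, workstation, source IP. An account that logs on interactively from many different workstations is a strong candidate for a shared login. The log lines are constructed sample data; the field order and the threshold are assumptions you would adjust to your own export.

```python
"""Flag candidate shared accounts from Windows logon telemetry.

Added example (not from the original article). Input is assumed to be a CSV
export of successful logons (Event ID 4624) with the columns:
    timestamp, account, logon type, workstation, source IP
The SAMPLE_LOG below is constructed sample data, not a real export.
"""
from collections import defaultdict
import csv
import io

SAMPLE_LOG = """\
2025-06-02T08:01:12Z,jsmith,2,WS-ENG-01,10.0.1.21
2025-06-02T08:03:40Z,frontdesk,2,WS-LOBBY-01,10.0.1.50
2025-06-02T08:04:09Z,frontdesk,2,WS-LOBBY-02,10.0.1.51
2025-06-02T09:15:00Z,frontdesk,10,WS-ENG-07,10.0.1.77
2025-06-02T09:30:31Z,svc-backup,5,SRV-FILE-01,10.0.2.10
2025-06-02T09:31:00Z,svc-backup,5,SRV-FILE-02,10.0.2.11
2025-06-02T10:02:55Z,jsmith,10,WS-ENG-01,10.0.1.21
2025-06-02T10:45:13Z,mlee,2,WS-ENG-03,10.0.1.23
2025-06-02T11:00:00Z,frontdesk,2,WS-LOBBY-01,10.0.1.50
"""

# Logon types that mean a person was at a keyboard or in an RDP session:
# 2 = interactive, 10 = RemoteInteractive, 11 = cached interactive.
INTERACTIVE_TYPES = {"2", "10", "11"}
# Type 5 (service start) recurs on many hosts by design and is not a
# shared *user* account, so it is deliberately excluded from the check.


def parse_logons(text):
    """Parse the CSV export into dicts, keeping only interactive logons."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the review
        ts, account, logon_type, workstation, ip = (f.strip() for f in row)
        if logon_type not in INTERACTIVE_TYPES:
            continue
        events.append({"time": ts, "account": account.lower(),
                       "workstation": workstation.upper(), "ip": ip})
    return events


def find_shared_account_candidates(events, max_sources=1):
    """Return {account: sorted workstations} for accounts used interactively
    from more than `max_sources` distinct workstations.

    One person normally works from one or two devices; an account seen on
    several is a likely shared login that IA.L1-B.1.V will not allow.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["account"]].add(e["workstation"])
    return {acct: sorted(ws) for acct, ws in sources.items()
            if len(ws) > max_sources}


def report(text=SAMPLE_LOG, max_sources=1):
    """Print and return the candidates for the given export."""
    candidates = find_shared_account_candidates(parse_logons(text), max_sources)
    for acct, ws in sorted(candidates.items()):
        print(f"{acct}: interactive logons from {len(ws)} workstations: "
              f"{', '.join(ws)}")
    return candidates


if __name__ == "__main__":
    report()
```

On the constructed data this flags only `frontdesk`, which appears on two lobby PCs and an engineering workstation; `jsmith` logs on twice but from one device, and the backup service account is excluded because its logons are type 5. Treat the output as a list of accounts to investigate, not a verdict: a technician who roams between machines will also show up, and an account shared by two people on one PC will not. The authoritative check is still a person-to-account mapping for every login in scope.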
Next Steps
Once you have gone through and answered these questions, you are ready to formally define the scope of your self-assessment and start implementing the practices listed in the CMMC Level 1 Assessment Guide published by the DoD, then record the result and your annual affirmation in SPRS. If you need any help with working through these questions, scoping your environment, or completing a CMMC assessment, feel free to reach out to Stratus for professional CMMC consulting here.