Security. Compliance. Strategy. | Justin Johnson

CMMC Level 1 as a foundation for Level 2

Use CMMC Level 1 to Build Your Foundation for Level 2

The 48 CFR CMMC Acquisition Rule became effective on November 10, 2025. That date has come and gone. CMMC is no longer a “maybe” or a “future problem” for the Defense Industrial Base. It is here. For small businesses, looking at the 110 controls required for Level 2 can feel paralyzing. You might be tempted to rush straight at the big target.

I advise against that.

I see many organizations fail not because they lack expensive tools, but because they lack discipline. This is where Level 1 becomes your secret weapon. It is not just a compliance hoop. It is a training ground. If you treat your Level 1 Self-Assessment as a “primer” for Level 2, you build the muscle memory required to pass the harder assessment later.

Why Level 1 is the Perfect Warm-Up

CMMC Level 1 consists of the 15 safeguarding requirements from FAR 52.204-21, often organized into 15 practices. These are basic cyber hygiene standards like using passwords, updating antivirus, and sanitizing media before disposal.

Every single practice in Level 1 is also required in Level 2. They are the exact same requirements. If you cannot demonstrate these 15 practices with absolute confidence, you have zero chance of passing the 110 practices in Level 2.

Mastering Level 1 first allows you to refine your scoping. You need to identify exactly where your Federal Contract Information (FCI) lives. If you can draw a tight circle around your FCI for Level 1, you are practicing the exact skill needed to draw a circle around your Controlled Unclassified Information (CUI) for Level 2. Poor scoping is the number one reason assessments fail. Fix your scoping process now when the stakes are lower.

What “Getting Ready” Actually Means

When I walk into or prep for any assessment, I do not just ask if you do something. I ask you to prove it.

Small businesses often treat the Level 1 Self-Assessment as a checkbox exercise. They read the requirement, say “yeah, we do that,” and mark it complete in the Supplier Performance Risk System (SPRS). That is a mistake.

To use Level 1 as a true primer, you must treat it like a third-party audit.

  1. Gather Real Evidence: For every Level 1 practice, generate a piece of evidence. If the requirement is to “limit information system access to authorized users,” do not just nod your head. Pull an active user list from your domain controller. Take a screenshot of your offboarding ticket for the last employee who left. Store these artifacts in a folder. This habit of “evidence curation” is what saves you during a Level 2 assessment.

  2. Involve Leadership Early: CMMC requires a senior official to sign an affirmation of compliance. This puts personal liability on your leadership. Have your CEO or owner sit with you during the Level 1 review. Let them see the evidence. If they are nervous about signing the Level 1 affirmation, they will be terrified to sign for Level 2. Use this easier level to get them comfortable with the process and the reality of your cybersecurity posture.

  3. Formalize Your “How”: Level 1 technically does not require the heavy policy documentation of Level 2. However, writing down your procedures now is a massive benefit. Write a simple one-page document for how you handle visitors (a Level 1 requirement). When you move to Level 2, you simply expand that document rather than starting from a blank page.
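As an added example (not code from the original post), here is one way to turn step 1 into a repeatable artifact instead of a one-off screenshot: a PowerShell script that exports the enabled user list from Active Directory, flags dormant accounts that an assessor will ask about, and writes a hashed manifest beside the export so the evidence is dated, attributed, and tamper-evident. It assumes the RSAT ActiveDirectory module is installed, that you have read access to the domain, and an evidence folder path of your choosing; the folder name, stale-account threshold and manifest fields are my assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's own code. Exports enabled AD accounts as evidence for the
# Level 1 practice "limit information system access to authorized users" (FAR 52.204-21).
# EvidenceRoot and StaleDays are assumed values; change them to fit your evidence store.
param(
    [string]$EvidenceRoot = 'C:\CMMC-Evidence\AC-Limit-Access',
    [int]$StaleDays = 90   # enabled accounts with no logon in this window get flagged for review
)
Import-Module ActiveDirectory

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$null  = New-Item -ItemType Directory -Path $EvidenceRoot -Force
$csv   = Join-Path $EvidenceRoot "enabled-users-$stamp.csv"

# Enabled accounts only: the assessor wants to see who can actually log in today.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
             -Properties LastLogonDate, PasswordLastSet, Created, Description |
         Select-Object SamAccountName, Name, Created, PasswordLastSet, LastLogonDate, Description

$users | Sort-Object SamAccountName | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# Enabled-but-dormant accounts are the ones that need an offboarding ticket or a written justification.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = @($users | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

# Manifest: what was collected, when, by whom, from where, plus the file hash so the
# artifact can be shown to be unchanged when it is reviewed later.
$manifest = [ordered]@{
    Practice       = 'Limit information system access to authorized users (FAR 52.204-21)'
    CollectedAt    = (Get-Date).ToString('o')
    CollectedBy    = "$env:USERDOMAIN\$env:USERNAME"
    SourceHost     = $env:COMPUTERNAME
    Domain         = (Get-ADDomain).DNSRoot
    EnabledUsers   = @($users).Count
    StaleUsers     = $stale.Count
    StaleThreshold = "$StaleDays days"
    ArtifactFile   = $csv
    ArtifactSHA256 = (Get-FileHash -Path $csv -Algorithm SHA256).Hash
}
$manifest | ConvertTo-Json |
    Set-Content -Path (Join-Path $EvidenceRoot "manifest-$stamp.json") -Encoding UTF8

# Show the reviewer the dormant accounts so each one gets disabled or justified before sign-off.
$stale | Select-Object SamAccountName, Name, LastLogonDate | Format-Table -AutoSize
```

Run it on a schedule (for example, monthly) and keep every dated export and manifest; the series shows an assessor that access reviews actually happen, not just that a list existed on assessment day.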

The Bottom Line

The jump from 15 practices to 110 is steep (don’t forget the 320 Objectives that go with it!). It involves more complex controls like encryption, log auditing, and incident response. But the process of compliance remains the same. It is about saying what you do, doing what you say, and proving it.

Use your Level 1 Self-Assessment to build that process. If you can run a tight, evidence-backed ship for the basics, you will find the advanced requirements much more manageable. Do not waste this opportunity to practice.