CMMC Level 1: What Small DoD Contractors Need to Know Right Now
If you’re a small business looking to win or keep Department of Defense contracts, the new Cybersecurity Maturity Model Certification (CMMC) Level 1 rules are no longer just a future requirement; they’re here. As of November 10, 2025, the final DFARS rule is in effect, and that means even the simplest contracts involving Federal Contract Information (FCI) now require compliance.
Let’s break down what’s happening, what it means for your government contracting business, and how to get compliant without the overwhelm.
The Basics: What Is CMMC Level 1 and Who Needs It
CMMC Level 1 is the baseline cybersecurity requirement for contractors and subcontractors that handle FCI, which is pretty much any non-public information the government gives you during a contract. This level includes 15 fundamental safeguards pulled directly from FAR 52.204-21, things like:
Restricting access to authorized users
Sanitizing media before disposal
Using antivirus tools
Securing physical access
Unlike Levels 2 and 3, which deal with Controlled Unclassified Information (CUI) and require third-party audits, Level 1 is based on self-assessment, but don’t let that fool you. This is not a casual checklist. It’s a documented, annually affirmed internal audit submitted to the Supplier Performance Risk System (SPRS).
If your contract includes FAR 52.204-21 or DFARS 252.204-7021, you’re in scope. That applies to prime contractors and to subcontractors who might even have access to FCI.
Why This Matters for Small Government Contractors
The DoD is no longer accepting “we’ll get around to it” as an answer. Without a current self-assessment score in SPRS and a signed executive affirmation, you’re noncompliant, full stop. That can cost you awards, cause issues with subcontracting relationships, and potentially trigger False Claims Act penalties if you certify falsely.
More importantly, CMMC compliance is now a go/no-go gate. You don’t meet it, you don’t bid. Simple as that.
For small businesses pursuing 8a contract services, disabled veteran government contracts, or women-owned small business certification opportunities, or working through the SBA 8a certification process, CMMC Level 1 is now part of your certification hygiene. You don’t want to lose out on a set-aside opportunity because you didn’t run a password policy audit.
How to Get Compliant: A Step-by-Step Starter Plan
Here’s a simplified, actionable guide to getting CMMC Level 1–ready, without spinning your wheels:
1. Scope the Systems
Start by identifying every system, device, person, and location that processes or stores FCI. That includes remote laptops, contractor email, cloud platforms, and yes, home offices. Use the official Scoping Guide.
2. Build the Basics
You need documented policies and procedures for all 15 practices. Even simple rules like “unique user accounts only” and “media gets shredded” need to be written down. Use templates from NIST SP 800‑171 or ask your 8a certification assistance provider if they offer help with policy development.
3. Self-Assess Thoroughly
Use the official Level 1 Assessment Guide (v2.13, released September 2024). For each practice, you must provide evidence: screenshots, logs, policies, access lists, physical protections. No “work in progress” allowed. Plans of Action & Milestones (POA&Ms) are not accepted.
4. Submit to SPRS
Upload your score to the Supplier Performance Risk System and retain your report. You’ll get a unique assessment ID. This is the official record the government checks when evaluating your bids.
5. Senior Official Attestation
Someone high up (CEO, CFO, etc.) must log into SPRS and formally affirm that your systems meet the requirements. That’s an annual obligation, and you’ll need to keep all documentation for 6 years.
6. Reassess Annually
Every year, recheck your scope, rerun your controls, update your documentation, and renew your SPRS score and affirmation. If your network, contractor NAICS code, or contracts evolve, adjust your compliance program.
Watch Out for These Common Pitfalls
Underscoping: Leaving out devices like phones, backup laptops, or subcontractor systems that touch FCI.
Lack of Evidence: No screenshots, no logs, no access records = NOT MET.
No Flow-Down Language: Subcontractors that touch FCI need to be under DFARS 252.204-7021. If they’re not, that’s your compliance failure.
SPRS Neglect: If you don’t hit “Submit” and “Affirm,” the system doesn’t recognize your assessment. That’s a deal-breaker.
So What Should You Do Now?
If you’re a small business in the government contracting space, especially pursuing set-asides under the SBA 8a certification, women business certification, or disabled veteran small business certification programs, here’s your checklist:
Review all active contracts for FAR 52.204-21 or DFARS 252.204-7021 clauses.
Confirm if you handle or generate FCI.
Complete a CMMC Level 1 self-assessment before your next bid or option period begins.
Train your leadership team on annual SPRS requirements.
Consider outsourcing this task if you don’t have the in-house technical capacity. Many firms that offer Government Contract Proposal Writing also provide compliance readiness.
Bottom Line
CMMC Level 1 isn’t just an IT concern; it’s a contract access issue. If you’re not compliant, you’re not competitive. And if you’re banking on growth through federal contracting certifications like 8a, WOSB, or SDVOSB, CMMC Level 1 just became another key item in your proposal-readiness playbook.
The good news? You don’t need an expensive audit. But you do need structure, evidence, and discipline, starting now.