CMMC LEVEL 1 COMPLIANCE 

CMMC Level 1 looks simple. Defending your self-attestation is where it gets complicated.

You’ve probably looked at the seventeen practices and felt reasonably confident. Some of them you’re already doing. Others aren’t far off. The gap feels manageable. 

That confidence is where the risk lives. Self-attestation means your organization is signing a legal compliance claim. When that claim gets examined, whether by a prime contractor, a contracting officer, or a DoD auditor, the question isn’t whether the practices felt familiar. It’s whether they’re documented, consistent, and defensible.

17

Foundational practices, all required, all documented

Annual

Self-attestation cycle: your name is on it every year

FCA

False Claims Act exposure if the attestation doesn’t hold

L2 Ready

L1 foundation is required to pass any L2 assessment 

Self-Attestation Is a Legal Declaration. That’s Why We Treat It Like One.

When your organization submits a CMMC Level 1 self-attestation, it’s affirming to the federal government that the seventeen required practices are implemented and operating as described. That affirmation carries weight under the False Claims Act. An inaccurate attestation creates exposure even without intent to deceive: the Act’s “knowingly” standard reaches deliberate ignorance and reckless disregard of whether the claim is true, not only deliberate fraud. That exposure extends beyond the compliance program itself.

Prime contractors are also paying closer attention to subcontractor attestations. An attestation that can’t be supported puts contract standing at risk.

Building Attestation That Holds Up Starts Here.

01

Scope comes first. 

Which systems handle Federal Contract Information, which users touch it, and where it moves — those boundaries must be decided and documented. Without defined scope, nothing that follows has a foundation. 

02

Controls get mapped against your business. 

Not what should be configured. Not what should be documented. What is. The seventeen requirements get reviewed against your real business practices.

03

Gaps get closed through awareness, action, and attention to detail. 

Before you can close a gap, you have to know where it is and what it is. Only then can it be addressed. When a control isn’t where it needs to be, the fix can be technical, administrative, or operational.

04

Documentation describes what’s real. 

That’s the only version that holds up when it’s examined. Policies, procedures, and evidence get structured to reflect what the environment does and how controls operate. 

05

Then the attestation gets pressure-tested. 

We review scope, configuration, and documentation against assessor standards before your organization signs anything. 

You Know Your Business. We Know What the Attestation Requires.

Self-attestation has a lot of moving parts: scope, configuration, documentation, and a legal declaration at the end of it. That’s a lot to navigate without a compliance background.

The strategy session is a straightforward conversation about where your organization is and what getting to a defensible attestation looks like for your specific situation. No compliance background required on your end. 

Start the Conversation

Tell us where you are and what you’re working toward. 

Frequently Asked Questions

What’s the difference between CMMC Level 1 and Level 2?

Level 1 covers seventeen foundational cyber hygiene practices designed to protect Federal Contract Information. It requires annual self-attestation. Level 2 covers 110 practices aligned to NIST SP 800-171 and is designed to protect Controlled Unclassified Information. It generally requires a third-party assessment by an authorized C3PAO, although some Level 2 contracts permit a self-assessment. Which level applies to your organization depends on your contracts and the type of information you handle.

Does Level 1 require a third-party assessment?

No. Level 1 is self-attested. Your organization affirms compliance directly to the federal government on an annual basis. There’s no C3PAO involved. What that means is the accuracy of the attestation is entirely your organization’s responsibility.

Do we need documentation for Level 1?

Yes. Documentation isn’t a formality; it’s what supports the attestation. You don’t need a full System Security Plan, but policies, procedures, and evidence of consistent practice execution are what make the signature defensible if it gets examined.

What happens if the attestation is examined?

Your organization will need to demonstrate that the seventeen practices are implemented, operating consistently, and supported by evidence. If the documentation isn’t there, the attestation can’t be defended. That creates exposure under the False Claims Act and puts contract standing at risk.

How long does it take to get ready?

It depends on where your organization is starting from. Some organizations have most of the practices in place but lack the documentation structure to support them. The strategy session establishes where you are and what the timeline looks like for your specific situation.

We already have most of the practices in place. Do we still need help?

Possibly not. But having practices in place and having them documented, consistent, and defensible are different things. The strategy session is designed to surface that distinction quickly so you’re not paying for work that isn’t necessary.

What does Agile IT handle, and what does our organization own?

Agile IT handles scope definition, control review, secure configuration, documentation guidance, and attestation readiness. Your organization owns the attestation itself. That accountability is non-transferable; no partner can sign on your behalf. What Agile IT does is make sure what you’re signing is defensible before you sign it.

What happens after the strategy session?

If working together makes sense, you’ll have a clear picture of what the engagement looks like and what comes next. Either way, you leave the conversation with a clearer understanding of where your organization stands and what defensible Level 1 compliance requires for your specific situation.

How does Level 1 relate to Level 2?

The CMMC Level 1 requirements are the foundational security requirements carried into every CMMC level. In a C3PAO assessment for CMMC Level 2, some security requirements can be scored “NOT MET” and still leave the assessment passable, but the seventeen requirements that make up CMMC Level 1 must all be “MET” or the entire assessment fails. Creating a solid footing now with CMMC L1 puts you closer to being ready for CMMC L2 should you require it in the future.

SELF-ATTESTATION PUTS YOUR NAME ON IT. LET’S MAKE SURE IT HOLDS.

You’ve done the work to get your contracts. Getting the attestation right protects them.