CMMC LEVEL 1 COMPLIANCE
You’ve probably looked at the seventeen practices and felt reasonably confident. Some of them you’re already doing. Others aren’t far off. The gap feels manageable.
That confidence is where the risk lives. Self-attestation means your organization is signing a legal compliance claim. When that claim gets examined (by a prime, a contracting officer, or a DoD audit) the question isn’t whether the practices felt familiar. It’s whether they’re documented, consistent, and defensible.
17: Foundational practices, all required, all documented
Annual: Self-attestation cycle, and your name is on it every year
FCA: False Claims Act exposure if the attestation doesn’t hold
L2 Ready: The L1 foundation is required to pass any L2 assessment
When your organization submits a CMMC Level 1 self-attestation, it’s affirming to the federal government that the seventeen required practices are implemented and operating as described. That affirmation carries weight under the False Claims Act. An inaccurate attestation (even an unintentional one) creates exposure that extends beyond the compliance program itself.
Prime contractors are also paying closer attention to subcontractor attestations. An attestation that can’t be supported puts contract standing at risk.
01. Scope comes first.
Which systems handle Federal Contract Information, which users touch it, and where it moves — those boundaries must be decided and documented. Without defined scope, nothing that follows has a foundation.
02. Controls get mapped against your business.
Not what should be configured.
Not what should be documented.
What is.
The seventeen requirements get reviewed against your real business practices.
03. Gaps get closed through awareness, action, and attention to detail.
Before a gap can be closed, you have to know where it is and what it is. Only then can it be addressed. When controls aren’t where they need to be, the fix can be technical, administrative, or operational.
04. Documentation describes what’s real.
That’s the only version that holds up when it’s examined. Policies, procedures, and evidence get structured to reflect what the environment does and how controls operate.
05. Then the attestation gets pressure-tested.
We review scope, configuration, and documentation against assessor standards before your organization signs anything.
Self-attestation has a lot of moving parts: scope, configuration, documentation, and a legal declaration at the end of it. That’s a lot to navigate without a compliance background.
The strategy session is a straightforward conversation about where your organization is and what getting to a defensible attestation looks like for your specific situation. No compliance background required on your end.
Tell us where you are and what you’re working toward.
Level 1 covers seventeen foundational cyber hygiene practices designed to protect Federal Contract Information. It requires annual self-attestation. Level 2 covers 110 practices aligned to NIST SP 800-171 and is designed to protect Controlled Unclassified Information. It requires a third-party assessment by a certified C3PAO. Which level applies to your organization depends on your contracts and the type of information you handle.
No. Level 1 is self-attested. Your organization affirms compliance directly to the federal government on an annual basis. There’s no C3PAO involved. What that means is the accuracy of the attestation is entirely your organization’s responsibility.
Yes. Documentation isn’t a formality — it’s what supports the attestation. You don’t need a full System Security Plan, but policies, procedures, and evidence of consistent practice execution are what make the signature defensible if it gets examined.
Your organization will need to demonstrate that the seventeen practices are implemented, operating consistently, and supported by evidence. If the documentation isn’t there, the attestation can’t be defended. That creates exposure under the False Claims Act and puts contract standing at risk.
It depends on where your organization is starting from. Some organizations have most of the practices in place but lack the documentation structure to support them. The strategy session establishes where you are and what the timeline looks like for your specific situation.
Possibly not. But having practices in place and having them documented, consistent, and defensible are different things. The strategy session is designed to surface that distinction quickly so you’re not paying for work that isn’t necessary.
Agile IT handles scope definition, control review, secure configuration, documentation guidance, and attestation readiness. Your organization owns the attestation itself. That accountability is non-transferable — no partner can sign on your behalf. What Agile IT does is make sure what you’re signing is defensible before you sign it.
If working together makes sense, you’ll have a clear picture of what the engagement looks like and what comes next. Either way, you leave the conversation with a clearer understanding of where your organization stands and what defensible Level 1 compliance requires for your specific situation.
CMMC L1 contains the foundational security requirements across every CMMC compliance level. While some security requirements can be “NOT MET” within an assessment by a C3PAO for CMMC Level 2, the seventeen requirements found in CMMC Level 1 must be “MET” or the entire assessment is a fail. Creating a solid footing now with CMMC L1 puts you closer to being ready and prepared for CMMC L2, should you require it in the future.
You’ve done the work to get your contracts. Getting the attestation right protects them.