CMMC Level 1 Audit

Cybersecurity Maturity Model Certification CMMC Audit

CMMC Level 1 Assessment Services

As the Department of War continues to implement the Cybersecurity Maturity Model Certification (CMMC) program, thousands of contractors and subcontractors must demonstrate they can adequately protect Federal Contract Information (FCI). For many businesses, CMMC Level 1 serves as the first step toward compliance and continued eligibility for Department of Defense contracts.

At Tanner Security, we understand the importance of achieving Cybersecurity Maturity Model Certification (CMMC) Level 1 audit compliance. Tanner Security is your trusted partner in navigating the complexities of CMMC Level 1, CMMC Level 2, and CMMC Level 3 requirements that all defense contractors and companies working with Department of Defense (DoD) contracts must meet to protect sensitive information.

CMMC Level 1 focuses on establishing basic information security controls to protect Federal Contract Information (FCI). This level requires adhering to 17 foundational practices from the Federal Acquisition Regulation (FAR) and NIST SP 800-171, which protect essential information.

The CMMC Level 1 audit assesses whether you have implemented these fundamental practices effectively. Documentation requirements are minimal, reflecting the basic nature of the controls. Organizations at this level are only concerned with securing Federal Contract Information (FCI) and typically do not handle Controlled Unclassified Information (CUI).

What Is CMMC Level 1?

While CMMC Level 1 is often viewed as the most straightforward level within the CMMC framework, many contractors underestimate the effort required to properly document, implement, and validate the required security practices. Businesses frequently discover that while basic security controls may exist, the supporting policies, procedures, evidence, and documentation needed to demonstrate compliance are incomplete. Community discussions among contractors consistently highlight that documenting controls and maintaining evidence are often more challenging than implementing the controls themselves.

Tanner Security’s CMMC Level 1 Audit and Assessment Services help defense contractors review their cybersecurity, find compliance gaps, prepare the right documentation, and complete the CMMC Level 1 self-assessment with confidence.

Whether you are preparing for your first CMMC assessment or checking compliance before a contract award, our consultants offer practical advice to help reduce risk and strengthen your cybersecurity program.

CMMC Level 1, also known as the Foundational level, is for contractors that handle or receive Federal Contract Information (FCI). Its main goal is to make sure businesses use basic cybersecurity measures to protect government information from unauthorized access or leaks. Level 1 is based on the requirements in FAR 52.204-21 and requires contractors to implement the basic security controls needed to protect FCI.

CMMC Level 1 is different from Level 2, which is based on NIST SP 800-171 and covers Controlled Unclassified Information (CUI). Level 1 focuses on protecting Federal Contract Information and typically uses annual self-assessments rather than third-party audits.

For many contractors, achieving Level 1 compliance is more than just meeting a contractual requirement. It’s also a chance to improve cybersecurity habits, strengthen access controls, see assets more clearly, and lower the risk of common cyber threats.

Take the CMMC Level 1 Step

Strengthen and enhance your organization’s cybersecurity resilience.

Who Needs a CMMC Level 1 Assessment?

CMMC Level 1 usually applies to contractors and subcontractors who handle Federal Contract Information but do not work with Controlled Unclassified Information.

Federal Contract Information includes information provided by or generated for the government under a contract that is not intended for public release. Examples may include contract documents, project schedules, procurement information, budgets, and other non-public contract-related data. Contractors that support the Department of Defense, even indirectly as subcontractors, may be subject to CMMC requirements depending on contract obligations.

Knowing whether your IT environment has FCI, CUI, or both is a key step in determining which compliance level you need.

What Is Included in a CMMC Level 1 Audit?

A CMMC Level 1 audit evaluates whether the systems, users, processes, and technologies that handle Federal Contract Information meet the required security safeguards.

Our consultants look at your technical controls, administrative safeguards, policies, procedures, and supporting evidence to see if your organization meets Level 1 requirements. We check access controls, authentication, device security, user awareness, physical protections, malware defenses, and other basic cybersecurity controls needed for compliance.

In addition to evaluating technology, we review documentation and evidence to demonstrate that controls are functioning as intended. Many businesses discover that their largest compliance gaps involve documentation rather than technical deficiencies. Evidence collection, policy development, and demonstrating ongoing compliance are common challenges encountered during assessments.

It is my pleasure to highly recommend Tanner Security Consultants. As a company dealing with large-scale construction projects, ensuring the safety and integrity of our digital infrastructure is crucial to our operations. Tanner Security Consultants not only met but exceeded all of our expectations.

Jeff M. – Chief Information Officer

Our CMMC Level 1 Assessment Methodology

Every engagement begins with understanding your business, contractual obligations, technology environment, and the systems that process, store, or transmit Federal Contract Information.

Our consultants then evaluate the scope of your environment and identify assets that fall within the assessment boundary. Proper scoping is one of the most important aspects of CMMC compliance because only systems that handle FCI must be included within the Level 1 assessment scope.

After setting the scope, we check your controls, review documentation, validate evidence, and find any compliance gaps. When the assessment is done, we give you a detailed report with our findings, recommendations, documentation tips, and clear next steps for compliance.

For businesses preparing for an annual self-assessment, we can also conduct readiness reviews to identify deficiencies before compliance attestations are submitted.

We focus on your specific needs to provide cost-effective and efficient solutions. With a solid commitment to excellence and a proven track record, we help you improve your information security, reduce risks, and gain a competitive edge. Partner with Tanner Security Consultants for expert CMMC certification, auditing, and consulting services.

  1. Expert Guidance: Our team of seasoned professionals brings decades of experience and in-depth knowledge of IT control verification. We understand the complexities of the certification process and carefully guide you through every step.
  2. Tailored Solutions: We recognize that each organization is unique and offer customized CMMC consulting services. Whether you are a small business or a large enterprise, our solutions align with your specific needs and challenges.
  3. Comprehensive Assessments: We thoroughly assess your risk posture and identify gaps and issues with your IT environment. Our experts provide detailed insights into your readiness for CMMC compliance and develop a roadmap for improvement.
  4. Strategic Planning: Achieving CMMC compliance requires strategic planning. Our consultants work closely with your team to develop and implement controls, ensuring alignment with the CMMC Level 1 framework.
  5. Documentation and Policy Development: We assist in developing policies and procedures that adhere to CMMC requirements. We focus on creating a comprehensive documentation framework supporting your business’s journey to certification.
  6. Training and Awareness: Empowering your team with the knowledge and skills necessary for CMMC compliance is crucial. We provide training sessions and awareness programs to ensure your staff is well-prepared for the evolving cybersecurity landscape.
  7. Continuous Support: Our commitment extends beyond achieving certification. We provide ongoing support, helping you navigate the evolving cybersecurity landscape and adapt to changes in CMMC requirements.

Common CMMC Level 1 Gaps We Identify

Many contractors think they are compliant because they use firewalls, endpoint protection, and modern cloud services. While these tools are important, compliance usually needs more than just having security technology.

Common issues include incomplete access management processes, inconsistent device inventories, inadequate policy documentation, insufficient evidence, weak password management practices, and a lack of documented procedures for maintaining controls.

Often, security controls are in place, but companies can’t demonstrate that they work as intended. This is especially important when preparing compliance documents and annual affirmations.

Your Trusted CMMC Level 1 Partner

At Tanner Security, we are the CMMC Level 1 advisors who stand at the forefront of safeguarding your future. We are trusted by Department of Defense companies, dynamic SaaS enterprises, and cherished family-run businesses in the industry. With extensive expertise, new technology, and innovative strategies, we empower companies to fortify their security programs and protect their digital infrastructure.

We guide businesses through CMMC Level 1 compliance, offering tailored solutions that meet their needs. With our innovation and expertise, we aim to be your strategic partner, delivering top-notch solutions to complex issues.

Proper cybersecurity is essential for business success. Our mission is to improve your IT security controls, helping you grow confidently with secure and protected systems.

Contact Us

At Tanner Security, we understand the critical importance of robust IT security and compliance in today’s digital landscape. Our IT security team offers tailored solutions for your challenges and regulatory needs. We can help you protect sensitive data, meet industry standards, and strengthen your IT systems against cyber threats. Contact us today to improve your security and support your business growth.

CMMC Level 1 Frequently Asked Questions

A CMMC Level 1 audit is an evaluation of an organization’s cybersecurity controls, policies, procedures, and supporting evidence to determine whether it meets the foundational cybersecurity requirements for protecting Federal Contract Information.

CMMC Level 1 applies to organizations that handle Federal Contract Information and focuses on foundational cybersecurity safeguards. CMMC Level 2 applies to organizations that handle Controlled Unclassified Information and aligns with the requirements of NIST SP 800-171. The following blog post outlines the main differences between NIST 800-171 and CMMC.

No. CMMC Level 1 generally requires an annual self-assessment and annual affirmation submitted through the appropriate government reporting process. Third-party certification assessments are typically associated with many Level 2 environments.

Federal Contract Information is information provided by or generated for the federal government under a contract that is not intended for public release. Examples may include schedules, contracts, project information, budgets, and procurement data.

Companies must conduct a Level 1 self-assessment annually and submit the required affirmation to maintain compliance.

The assessment scope includes systems, users, technologies, and assets that process, store, or transmit Federal Contract Information. Proper scoping is a critical component of compliance. Tanner Security will spend the majority of its time making sure the scope for this assessment is clearly outlined and well defined before any time is spent verifying controls.

Yes. Microsoft 365, Azure, AWS, Google Workspace, and other cloud services may be included in scope if they process, store, or transmit Federal Contract Information.

Evidence often includes policies, procedures, training records, system configurations, inventories, screenshots, audit logs, access control records, and other documentation demonstrating that required controls are implemented and operating effectively.

Many businesses struggle with documentation, evidence collection, scoping, policy development, and demonstrating that controls are consistently maintained over time. Community discussions frequently note that documentation is often more difficult than the technical controls themselves.

The timeline depends on the environment’s size and complexity. Small businesses may complete assessments within a few weeks, while larger environments often require additional time for remediation and documentation updates.

Costs vary based on environment size, number of users, systems in scope, existing documentation, and overall cybersecurity maturity. Companies with mature security programs generally require less remediation and preparation effort. The typical range for a CMMC Level 1 assessment is $25,000-$35,000.

Yes. In addition to assessments, Tanner Security can assist with remediation planning, policy development, documentation creation, security control implementation, evidence collection, and readiness reviews.

Companies submit their assessment results and required affirmation through the appropriate Department of War reporting mechanisms and maintain documentation supporting compliance. Annual reassessments are required to maintain compliance status.

Absolutely. Readiness assessments help identify gaps before formal submission, reducing risk and helping businesses establish stronger compliance documentation and evidence management processes.