CMMC Level 1 Self-Assessment Checklist

Complete guide for defense contractors to assess their cybersecurity posture

About This Checklist

This comprehensive checklist covers all 17 practices required for CMMC Level 1 compliance. Use this tool to assess your current cybersecurity posture and identify gaps that need to be addressed.

How to Use This Checklist

  • Review each practice and assess your current implementation
  • Mark "Implemented" for practices you have in place
  • Mark "Partial" for practices that need improvement
  • Mark "Not Implemented" for missing practices
  • Focus on addressing "Not Implemented" and "Partial" items first

Practice 1: Access Control (AC.L1-3.1.1)

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Assessment Questions:

Implemented
Partial
Not Implemented

Implementation Guidance:

  • Implement user authentication (passwords, multi-factor authentication)
  • Create user accounts only for authorized personnel
  • Remove access for terminated employees immediately
  • Use strong password policies

Practice 2: Access Control (AC.L1-3.1.2)

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Assessment Questions:

Implemented
Partial
Not Implemented

Implementation Guidance:

  • Implement role-based access control (RBAC)
  • Grant users only the minimum access necessary
  • Separate administrative and user accounts
  • Regularly review and update user permissions

Practice 3: Access Control (AC.L1-3.1.3)

Control information posted or processed on publicly accessible information systems.

Assessment Questions:

Implemented
Partial
Not Implemented

Implementation Guidance:

  • Implement content filtering and approval processes
  • Monitor and control information posted to public systems
  • Train employees on what information can be posted publicly
  • Regularly review and audit public-facing content

Practice 4: Access Control (AC.L1-3.1.4)

Verify and manage/limit connections to and use of external information systems.

Assessment Questions:

Implemented
Partial
Not Implemented

Implementation Guidance:

  • Implement firewall rules and network segmentation
  • Monitor and control external connections
  • Use VPN for remote access
  • Regularly review and update connection policies

Assessment Summary

After completing this checklist, you should have a clear picture of your CMMC Level 1 compliance status.

Next Steps

  • Address "Not Implemented" items first
  • Improve "Partial" implementations
  • Document all implemented controls
  • Consider professional assessment

Documentation

  • Create policies and procedures
  • Document control implementations
  • Maintain evidence of compliance
  • Regular review and updates

Support

  • Schedule consultation
  • Get expert guidance
  • Implementation support
  • Ongoing compliance help
