TeamLogic IT
FAR 52.204-21, all 15 requirements

CMMC Level 1 readiness, without the six-figure engagement.

A guided, self-service self-assessment for small DoD and SBIR contractors that handle Federal Contract Information. Answer 15 plain-language questions, see exactly where you stand, and get a clear path to close every gap.

Mapped to Microsoft 365 controls. Built and supported by TeamLogic IT. You keep ownership of your attestation.

Level 1 Assessment

15 requirements

Limit access to authorized users

AC.L1-b.1.i

MET

Authenticate identities (MFA)

IA.L1-b.1.vi

MET

Identify and correct flaws (patching)

SI.L1-b.1.xii

NOT MET

Overall result

Not yet eligible: 1 requirement NOT MET

What CMMC Level 1 actually is

The rules are strict, but the bar is clear.

CMMC Level 1 is a self-assessment against 15 basic safeguarding requirements from FAR 52.204-21. The requirements are not vague. Once you know them, you can check each one honestly.

Level 1 protects FCI, not CUI

Level 1 covers Federal Contract Information only. The moment Controlled Unclassified Information is involved, you are a Level 2 case. We check this first, before anything else.

All 15, or none

There is no partial credit and no plan-of-action grace period. Every one of the 15 requirements must be met, or genuinely not applicable, by contract award. Fourteen of fifteen is a failing result.

Every year

Level 1 is an annual self-assessment plus an annual affirmation by your senior official in SPRS. A Level 1 status lasts one year, then you do it again.

How it works

Four steps from unsure to audit-ready.

Self-service where it makes sense, expert help where it matters. You drive the assessment; we close the gaps with you.

  1. 01

    Qualify and scope

    Confirm you handle FCI only, then define what is in scope. A tighter scope means a smaller, cheaper assessment. If CUI is involved, we route you to the right path instead.

  2. 02

    Self-assess the 15

    Answer each requirement in plain language. Every item carries help on how to check it and the evidence to keep. Status and recommended actions update as you go.

  3. 03

    Gap session and remediation

    Review the gaps with TeamLogic IT. We help you configure Microsoft 365, fix what is missing, and collect the evidence each requirement needs.

  4. 04

    You affirm in SPRS

    When all 15 are met or not applicable, your senior official affirms compliance in SPRS. You own that affirmation. We never sign or submit it for you.

The 15 controls

Six domains. Fifteen requirements. No surprises.

These are the exact requirements you will be assessed against, grouped by domain. Inside the assessment, each one comes with how to check it and why it is asked.

AC

Access Control

4
  • Limit system access to authorized users, processes, and devices only
  • Limit access to the transactions and functions each role is permitted to perform
  • Verify and control or limit connections to and use of external information systems
  • Control information posted or processed on publicly accessible systems

IA

Identification & Authentication

2
  • Identify system users, processes, and devices
  • Authenticate identities before granting access

MP

Media Protection

1
  • Sanitize or destroy media

PE

Physical Protection

2
  • Limit physical access to systems, equipment, and work areas to authorized individuals
  • Escort and monitor visitors; maintain physical access logs; control and manage keys and badges

SC

System & Communications Protection

2
  • Monitor, control, and protect communications at external and key internal network boundaries
  • Separate publicly accessible system components from internal networks

SI

System & Information Integrity

4
  • Identify, report, and correct system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations
  • Update malicious-code protection mechanisms when new releases are available
  • Perform periodic system scans and real-time scans of files from external sources

Our approach

You own the attestation. We own the readiness.

CMMC Level 1 is a self-assessment by law. Your senior official affirms compliance in SPRS under penalty of the False Claims Act. We keep that line bright on purpose: honest gap output and real evidence on our side, the affirmation firmly on yours.

Why honesty is the whole point

The Department of Justice actively pursues false cybersecurity attestations. A clean report you cannot back up is a liability, not a win. This tool is built to surface real gaps so you can fix them before you affirm.

What you do

  • Answer the 15 requirements honestly
  • Apply the fixes for any gaps
  • Have your senior official affirm in SPRS
  • Renew the assessment each year

What TeamLogic IT does

  • Guide the self-assessment and scoping
  • Configure Microsoft 365 controls with you
  • Help collect and retain the evidence
  • Prepare you for the affirmation, never sign it

FAQ

Straight answers to the common questions.

Federal Contract Information is information provided by or generated for the government under a contract that is not intended for public release. Controlled Unclassified Information is more sensitive and carries specific safeguarding and marking rules. Level 1 covers FCI only. If you touch CUI, you need Level 2, which is a larger assessment.

Yes. There is no partial credit and no plan-of-action-and-milestones option at Level 1. All 15 requirements must be met, or genuinely not applicable, by the time of assessment and by contract award.

For FCI-only Level 1, commercial Microsoft 365 Business Premium is generally sufficient. GCC and GCC High are considerations for CUI and Level 2. We will not push you toward expensive licensing you do not need.

No. CMMC Level 1 is a self-assessment. Your own senior official affirms compliance in SPRS. We provide readiness, remediation, and evidence support only. Keeping that boundary protects you legally.

Level 1 is an annual self-assessment with an annual affirmation in SPRS. A Level 1 status is good for one year.

Both numbers describe the same thing. DoD consolidated the requirements into 15 aligned to FAR 52.204-21. Older guides describe 17 because one requirement maps to three in NIST SP 800-171. We use the canonical 15 and keep the practice IDs for traceability.

See where you stand on all 15, today.

Create an account and run the self-assessment in one sitting. No sales call required to find out where your gaps are.