CMMC Level 1 readiness, without the six-figure engagement.
A guided, self-service self-assessment for small DoD and SBIR contractors that handle Federal Contract Information. Answer 15 plain-language questions, see exactly where you stand, and get a clear path to close every gap.
Mapped to Microsoft 365 controls. Built and supported by TeamLogic IT. You keep ownership of your attestation.
Level 1 Assessment
15 requirementsLimit access to authorized users
AC.L1-b.1.i
Authenticate identities (MFA)
IA.L1-b.1.vi
Identify and correct flaws (patching)
SI.L1-b.1.xii
Overall result
Not yet eligible: 1 requirement NOT MET
What CMMC Level 1 actually is
The rules are strict, but the bar is clear.
CMMC Level 1 is a self-assessment against 15 basic safeguarding requirements from FAR 52.204-21. The requirements are not vague. Once you know them, you can check each one honestly.
Level 1 protects FCI, not CUI
Level 1 covers Federal Contract Information only. The moment Controlled Unclassified Information is involved, you are a Level 2 case. We check this first, before anything else.
All 15, or none
There is no partial credit and no plan-of-action grace period. Every one of the 15 requirements must be met, or genuinely not applicable, by contract award. Fourteen of fifteen is a failing result.
Every year
Level 1 is an annual self-assessment plus an annual affirmation by your senior official in SPRS. A Level 1 status lasts one year, then you do it again.
How it works
Four steps from unsure to audit-ready.
Self-service where it makes sense, expert help where it matters. You drive the assessment; we close the gaps with you.
- 01
Qualify and scope
Confirm you handle FCI only, then define what is in scope. A tighter scope means a smaller, cheaper assessment. If CUI is involved, we route you to the right path instead.
- 02
Self-assess the 15
Answer each requirement in plain language. Every item carries help on how to check it and the evidence to keep. Status and recommended actions update as you go.
- 03
Gap session and remediation
Review the gaps with TeamLogic IT. We help you configure Microsoft 365, fix what is missing, and collect the evidence each requirement needs.
- 04
You affirm in SPRS
When all 15 are met or not applicable, your senior official affirms compliance in SPRS. You own that affirmation. We never sign or submit it for you.
The 15 controls
Six domains. Fifteen requirements. No surprises.
These are the exact requirements you will be assessed against, grouped by domain. Inside the assessment, each one comes with how to check it and why it is asked.
AC
Access Control
- Limit system access to authorized users, processes, and devices only
- Limit access to the transactions and functions each role is permitted to perform
- Verify and control or limit connections to and use of external information systems
- Control information posted or processed on publicly accessible systems
IA
Identification & Authentication
- Identify system users, processes, and devices
- Authenticate identities before granting access
MP
Media Protection
- Sanitize or destroy media
PE
Physical Protection
- Limit physical access to systems, equipment, and work areas to authorized individuals
- Escort and monitor visitors; maintain physical access logs; control and manage keys and badges
SC
System & Communications Protection
- Monitor, control, and protect communications at external and key internal network boundaries
- Separate publicly accessible system components from internal networks
SI
System & Information Integrity
- Identify, report, and correct system flaws in a timely manner
- Provide protection from malicious code at appropriate locations
- Update malicious-code protection mechanisms when new releases are available
- Perform periodic system scans and real-time scans of files from external sources
Our approach
You own the attestation. We own the readiness.
CMMC Level 1 is a self-assessment by law. Your senior official affirms compliance in SPRS under penalty of the False Claims Act. We keep that line bright on purpose: honest gap output and real evidence on our side, the affirmation firmly on yours.
Why honesty is the whole point
The Department of Justice actively pursues false cybersecurity attestations. A clean report you cannot back up is a liability, not a win. This tool is built to surface real gaps so you can fix them before you affirm.
What you do
- Answer the 15 requirements honestly
- Apply the fixes for any gaps
- Have your senior official affirm in SPRS
- Renew the assessment each year
What TeamLogic IT does
- Guide the self-assessment and scoping
- Configure Microsoft 365 controls with you
- Help collect and retain the evidence
- Prepare you for the affirmation, never sign it
FAQ
Straight answers to the common questions.
Federal Contract Information is information provided by or generated for the government under a contract that is not intended for public release. Controlled Unclassified Information is more sensitive and carries specific safeguarding and marking rules. Level 1 covers FCI only. If you touch CUI, you need Level 2, which is a larger assessment.
Yes. There is no partial credit and no plan-of-action-and-milestones option at Level 1. All 15 requirements must be met, or genuinely not applicable, by the time of assessment and by contract award.
For FCI-only Level 1, commercial Microsoft 365 Business Premium is generally sufficient. GCC and GCC High are considerations for CUI and Level 2. We will not push you toward expensive licensing you do not need.
No. CMMC Level 1 is a self-assessment. Your own senior official affirms compliance in SPRS. We provide readiness, remediation, and evidence support only. Keeping that boundary protects you legally.
Level 1 is an annual self-assessment with an annual affirmation in SPRS. A Level 1 status is good for one year.
Both numbers describe the same thing. DoD consolidated the requirements into 15 aligned to FAR 52.204-21. Older guides describe 17 because one requirement maps to three in NIST SP 800-171. We use the canonical 15 and keep the practice IDs for traceability.
See where you stand on all 15, today.
Create an account and run the self-assessment in one sitting. No sales call required to find out where your gaps are.
