CMMC Level 1 · Kickoff
Confidential — Internal Use Only · Kickoff · June 26, 2026

Enterprise Security Maturity Program

CMMC Level 1 Self-Certification · Microsoft 365 Hardening.
A phased path to SPRS submission in 8–10 weeks.

17 Practices · 6 Domains · Annual Self-Assessment · SPRS Submission
Project Kickoff Meeting · 90 minutes

Why we're here

What CMMC Level 1 actually is

Level 1 protects Federal Contract Information (FCI) — basic business data shared under DoD contracts: schedules, invoices, logistics. It is not classified, and not CUI.

17 · security practices — all must be MET
6 · control domains · AC · IA · MP · PE · SC · SI
1/yr · self-assessment, submitted to SPRS
110 · target SPRS score · 110 pts = 100% complete

The commitment: Your Senior Official (CEO/Owner) personally affirms to the DoD that all 17 practices are met — a legal attestation. False certification carries civil and criminal consequences. In this room, honesty beats optimism.

The scope

6 domains · 17 practices

AC · Access Control · 4
IA · Identification & Authentication · 2
MP · Media Protection · 1
PE · Physical Protection · 4
SC · System & Comms Protection · 2
SI · System & Info Integrity · 4

Good news: most of these you're already doing — antivirus, MFA, locked doors. Today we find out which, honestly, and turn every gap into an owned task.

The plan

6-week implementation timeline

PHASE 1 · Foundation — MFA, Conditional Access, admin hardening, audit logging · ~20–27 hrs · Wk 1–3
PHASE 2 · Email & Data — Defender for Office, anti-phishing, DLP, SharePoint lockdown · ~14–21 hrs · Wk 3–4
PHASE 3 · Endpoints & Intune — enrollment, compliance, Defender, BitLocker, patching · ~20–29 hrs · Wk 5–7
PHASE 4 · Evidence & Attestation — screenshots, SSP, POA&M, SPRS submission · ~12–19 hrs · Wk 8–9
⏱  Total effort: ~66–96 hours, spread over 8–10 weeks for a small org (under 50 users) — buffered to set us up for success. Add ~15% per 25 additional users.

Prove it

Evidence repository

The DoD doesn't mandate a tool — but evidence must be secure, access-controlled, and retrievable for the annual affirmation. Recommended: a dedicated, private GCC SharePoint site.

🏆  Recommended — GCC SharePoint

M365 Business Premium minimum · role-based access · built-in audit logging · version history on every document · easy view-only auditor links.

📁  Folder structure

CMMC-L1-Evidence/
  00_Governance  SSP · scope · inventory
  01_Access-Control (AC)
  02_Identification-Auth (IA)
  03_Media-Protection (MP)
  04_Physical-Protection (PE)
  05_System-Comms (SC)
  06_System-Integrity (SI)
  07_Annual-Assessment-Records

Avoid consumer storage — personal Dropbox, non-GCC OneDrive, or a local shared drive fails access-control and audit-log requirements.

Today · 90 minutes

How we'll spend this meeting

0:00–0:10 · Welcome + context · What L1 is, confirm scope, clarify roles, the affirmation is legal
0:10–0:25 · Walk the 17 practices — high level · Gut-check each domain: "are we doing this today?" Flag concerns early
0:25–0:50 · Assign owners + set status — live tracker · Mark each MET / NOT MET / UNKNOWN. Every NOT MET becomes a task
0:50–1:05 · Evidence repo + document roles · Show the SharePoint structure, assign who uploads what
1:05–1:20 · Project plan + timeline · Target SPRS date, weekly check-in cadence, remediation deadlines
1:20–1:30 · SPRS + affirmation — the end state · Walk the portal, set the annual reassessment date on the calendar

Who does what

Roles & the commitment

Senior Official · CEO/Owner

Personally affirms in SPRS. Owns the attestation. Reviews the evidence package before submission.

Program Lead

Drives the 6-week plan, runs weekly check-ins, owns the 17-practice tracker.

IT / M365 Admin

Implements the technical controls — Entra, Intune, Defender, SharePoint, logging.

Practice Owners

Each NOT MET item gets a named owner, a deadline, and uploaded evidence.

📅  Before we leave this room: every practice has an owner, a weekly check-in is on the calendar, and the annual reassessment date is booked.

The finish line

What "done" looks like

Let's get the first owners assigned. Next → open the live tracker