Confidential — Internal Use Only

CMMC Level 1 Self-Certification

Customer Kickoff Guide + Evidence Repo Strategy

Phase 1 Active (Nov 2025–Nov 2026) · 17 Practices · Annual Self-Assessment · SPRS Submission Required

  • Domains: 6 (practice families)
  • Practices: 17 (all must be MET)
  • Cadence: Annual (self-assessment cycle)
  • Submission: SPRS + Senior Official Affirmation

1 Evidence Repository — Where to Store It

The DoD doesn't mandate a specific tool — but they DO require evidence to be secure, controlled-access, and retrievable for the annual affirmation cycle. Here's the tiered approach by maturity:

🏆 Recommended — GCC High SharePoint / OneDrive

Microsoft 365 GCC High or GCC (M365 Business Premium minimum)

Best Fit
  • ITAR/FCI-appropriate environment — GCC meets the bar for Level 1
  • Role-based access controls, audit logging built-in
  • Version history on every document (critical for annual reviews)
  • Administrative access for managing permissions and structure
  • Easy to share view-only links for C3PAO review if ever needed

Folder structure below ↓

Strong Alternative — Google Workspace (Gov edition) or AWS GovCloud S3

If the customer is already in the Google or AWS ecosystem

  • Google Workspace for Government — FedRAMP authorized
  • Strict folder-level sharing, audit logs in Admin Console
  • S3 with bucket policies + CloudTrail audit logging works well for tech-forward shops

Dedicated GRC Platform — Vanta, Drata, or Scrut.io

Best if the customer plans to grow to Level 2 or has multiple frameworks (SOC 2, HIPAA)

  • Built-in CMMC control mapping — evidence attaches to each practice
  • Automated evidence collection (screenshots from M365, Intune, etc.)
  • Audit trail and assertion workflows out of the box
  • More cost — worth it if Level 2 is the roadmap

Avoid — Personal Dropbox, non-GCC OneDrive, or local shared drive

Consumer-grade storage is not appropriate for FCI evidence: it fails the access control and audit log requirements.

Recommended Folder Structure (SharePoint / GCC)

📁 CMMC-L1-Evidence/
  📁 00_Governance/ → System Security Plan (SSP), Scope Statement, Asset Inventory
  📁 01_Access-Control (AC)/ → AD/Entra screenshots, MFA policy, user account list
  📁 02_Identification-Authentication (IA)/ → Password policy, MFA enrollment proof
  📁 03_Media-Protection (MP)/ → Sanitization policy, disposal records
  📁 04_Physical-Protection (PE)/ → Access logs, facility control documentation
  📁 05_System-Comms-Protection (SC)/ → Firewall rules, network diagram, encryption configs
  📁 06_System-Info-Integrity (SI)/ → AV/EDR proof, patch management records, update logs
  📁 07_Annual-Assessment-Records/ → Signed checklist, SPRS submission screenshot, affirmation record

2 The 17 Practices — At a Glance

Access Control (AC) — 4 practices

  • AC.1.001 — Limit system access to authorized users
  • AC.1.002 — Limit access to authorized transaction types
  • AC.1.003 — Control external system connections
  • AC.1.004 — Control CUI/FCI on publicly accessible systems

Identification & Authentication (IA) — 2 practices

  • IA.1.076 — Identify all system users and processes
  • IA.1.077 — Authenticate users before allowing access

Media Protection (MP) — 1 practice

  • MP.1.118 — Sanitize or destroy media before disposal/reuse

Physical Protection (PE) — 4 practices

  • PE.1.131 — Limit physical access to authorized individuals
  • PE.1.132 — Escort visitors and monitor activity
  • PE.1.133 — Maintain audit logs of physical access
  • PE.1.134 — Control and manage physical access devices

System & Comms Protection (SC) — 2 practices

  • SC.1.175 — Monitor, control, and protect comms at boundaries
  • SC.1.176 — Implement subnetworks for publicly accessible systems

System & Info Integrity (SI) — 4 practices

  • SI.1.210 — Identify, report, and correct system flaws
  • SI.1.211 — Provide malicious code protection (AV/EDR)
  • SI.1.212 — Perform periodic scans and real-time monitoring
  • SI.1.213 — Update malicious-code protection mechanisms

3 Kickoff Meeting Runbook

Pre-Meeting Preparation

Meeting Agenda (90 min suggested)

0:00–0:10 · Welcome + Context Setting

  • Explain what CMMC Level 1 actually is — protect FCI, not CUI
  • Confirm scope: which systems, people, and locations handle FCI?
  • Clarify roles and responsibilities for this initiative
  • Remind them: the Senior Official personally affirms to the DoD — this is a legal attestation

0:10–0:25 · Walk the 17 Practices — High Level

  • Walk through each of the 6 domains briefly — don't get into the weeds yet
  • Ask for a show of hands / gut check: "Do we think we're doing this today?"
  • Note obvious wins (they likely already have AV, MFA, locked doors)
  • Flag areas of concern immediately — physical access logs are often the surprise

0:25–0:50 · Assign Owners + Set Status (Live Tracker Walk)

  • Open the 17-row tracker on screen — fill in owner and initial status together
  • For each practice: who owns it? What evidence exists? What's missing?
  • Mark each as MET / NOT MET / UNKNOWN — honesty is critical here
  • This is your gap analysis done live — every NOT MET becomes a task

0:50–1:05 · Evidence Repo Setup + Document Roles

  • Introduce the SharePoint/GCC folder structure — show the live setup
  • Assign who uploads evidence for each domain
  • Set expectations: "Document and organize evidence systematically for each practice."
  • Walk through what acceptable evidence looks like for 2-3 sample practices

1:05–1:20 · Project Plan + Timeline

  • Set a realistic target date for SPRS submission (most small orgs: 4–8 weeks)
  • Establish weekly check-in cadence — 30-min standing call works well
  • Assign remediation tasks with deadlines from the NOT MET list
  • Define what "done" looks like: all 17 MET + evidence uploaded + SSP signed + SPRS submitted

1:20–1:30 · SPRS + Affirmation — Explain the End State

  • Walk through the SPRS portal (suppliers.gov) — show them what they'll submit
  • Explain the Senior Official affirmation — they must do this personally (not you)
  • Remind them: SPRS scores are visible to contracting officers
  • Annual reassessment date should go on the calendar before you leave this call

Based on CMMC 2.0 Final Rule · DoD Assessment Guide Level 1 v2.0 · Phase 1 enforcement Nov 10 2025