Level 1 is self-assessed, but self-assessed does not mean evidence-free. The senior official should be able to open a folder and see why the company believes every requirement is MET. That folder does not need to be beautiful. It needs to be true, final, and understandable.
The short answer
- Keep evidence only for the assets that process, store, or transmit FCI. Start with scope.
- Use final documents: policies, procedures, rosters, diagrams, logs, screenshots, configuration exports, and test notes.
- Pair each artifact with a short explanation. Do not assume a future reader knows why a screenshot matters.
- Store the evidence internally. Level 1 does not require you to upload the packet to SPRS.
What evidence means at Level 1
The DoD CMMC Level 1 Assessment Guide says evidence can come from examine, interview, and test methods. Plain English: you can review a policy, talk to the person who follows it, and test whether the system actually does what the policy says.
For example, AC.L1-b.1.i asks whether access is limited to authorized users. Good evidence is not just a sentence saying "only authorized users have access." Good evidence is a user roster, an M365 or Google Workspace user export, a permissions screenshot for the FCI folder, and an offboarding checklist that proves users are removed when they leave.
Evidence examples for all 15 requirements
| Requirement | Good Level 1 evidence | Weak substitute |
|---|---|---|
| AC.1 - authorized users | Named user roster, FCI folder permissions screenshot, M365/Workspace user export, offboarding checklist. | "We know who has access." |
| AC.2 - authorized functions | Role matrix, admin-role export, read/write permission screenshot, least-privilege policy. | "Everyone is trusted." |
| AC.3 - external systems | Approved device list, remote-access rule, blocked forwarding screenshot, external SaaS inventory. | "People can use whatever device is convenient." |
| AC.4 - public posting | Public-posting approval rule, website/social review checklist, examples of redacted contract info. | "Marketing knows not to post contract stuff." |
| IA.1 - identify users/devices | User list, device inventory, service-account list, guest-user review. | Shared accounts with no owner. |
| IA.2 - authenticate | MFA status screenshot, password policy, screen-lock policy, remote-access MFA screenshot. | Passwords written on paper or shared in chat. |
| MP.1 - media disposal | Media disposal log, shred vendor receipt, laptop reset checklist, copier drive wipe record. | "We throw old drives away." |
| PE.1 - physical access | Keyholder roster, locked cabinet photo, office access rule, server closet key list. | Unlocked file cabinet with contract paperwork. |
| PE.2 - visitors and keys | Visitor log, escort rule, badge/key inventory, offboarding key return checklist. | No log because visitors are rare. |
| SC.1 - boundary protection | Firewall screenshot, network diagram, no public RDP/SSH evidence, VPN or secure remote-access rule. | Consumer router with default admin password. |
| SC.2 - public system separation | Website hosted off-network, guest Wi-Fi VLAN screenshot, note that no public services run on the office LAN. | Company website hosted on the same office server as FCI files. |
| SI.1 - flaw remediation | Patch policy, Windows/macOS update screenshots, firewall firmware log, monthly patch review. | Updates paused indefinitely. |
| SI.2 - malicious code protection | Antivirus/EDR status screenshot, asset list showing coverage, email malware filtering status. | An expired AV product still installed. |
| SI.3 - update protection | Signature update screenshot, AV console showing recent check-in, auto-update enabled. | AV installed but signatures stale. |
| SI.4 - scans | Real-time scanning enabled, scheduled scan setting, email attachment scanning status, scan history. | Real-time scanning disabled to make a tool faster. |
What not to rely on
- Draft policies. The Assessment Guide says documents used as evidence need to be final. Drafts are a promise, not evidence.
- One giant policy nobody follows. A policy is useful only when the real environment matches it.
- Vendor marketing pages. A Microsoft or Google product page does not prove your tenant is configured properly.
- Screenshots with no context. Save the image, the date, the system, and what requirement it supports.
- Evidence outside your FCI scope. A perfectly configured system that never touches FCI does not prove the in-scope system is protected.
Build a small evidence packet
The most useful format is boring: one folder per requirement, numbered 01 through 15, plus a simple index. In each folder, include the artifact and a one-sentence explanation.
That is the level of clarity you want. A prime or senior official can understand it without becoming a CMMC assessor.
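As an added illustration of the folder-per-requirement packet (example code, not part of the original article), this Python script builds a sample packet in a temporary directory and then checks each of the 15 folders for at least one final artifact and a non-empty explanation note. The folder names (01-AC.1 through 15-SI.4, using the table's short labels), the explanation.txt filename, and the rule that any file with "draft" in its name does not count as final are assumptions of the example.

```python
import tempfile
from pathlib import Path

# The 15 FAR 52.204-21 requirements, using the short labels from the table above.
REQUIREMENTS = ["AC.1", "AC.2", "AC.3", "AC.4", "IA.1", "IA.2", "MP.1", "PE.1",
                "PE.2", "SC.1", "SC.2", "SI.1", "SI.2", "SI.3", "SI.4"]
NOTE_FILE = "explanation.txt"  # assumed name of the one-sentence explanation per folder

def check_packet(root):
    """Return {folder: [problems]} for a packet laid out as 01-AC.1 ... 15-SI.4."""
    findings = {}
    for n, req in enumerate(REQUIREMENTS, start=1):
        folder = Path(root) / f"{n:02d}-{req}"
        if not folder.is_dir():
            findings[folder.name] = ["folder missing"]
            continue
        artifacts = [p for p in folder.iterdir() if p.is_file() and p.name != NOTE_FILE]
        # Drafts are a promise, not evidence: anything named *draft* is not counted as final.
        drafts = sorted(p.name for p in artifacts if "draft" in p.name.lower())
        problems = []
        if len(artifacts) == len(drafts):
            problems.append("no final artifact")
        if drafts:
            problems.append("draft files present: " + ", ".join(drafts))
        note = folder / NOTE_FILE
        if not note.is_file() or not note.read_text().strip():
            problems.append(f"missing or empty {NOTE_FILE}")
        if problems:
            findings[folder.name] = problems
    return findings

def build_sample_packet(root):
    """Constructed sample: 13 complete folders, AC.1 holding only a draft, SI.4 missing."""
    for n, req in enumerate(REQUIREMENTS, start=1):
        if req == "SI.4":
            continue  # deliberately left out to show the 'folder missing' finding
        folder = Path(root) / f"{n:02d}-{req}"
        folder.mkdir(parents=True)
        if req == "AC.1":
            (folder / "access-policy-DRAFT.docx").write_text("not final")
        else:
            (folder / "screenshot-2024-01-15.png").write_bytes(b"\x89PNG")
        (folder / NOTE_FILE).write_text(f"Shows {req} is implemented for the FCI file share.\n")

def demo():
    """Build the sample packet in a temp directory and return the check findings."""
    root = tempfile.mkdtemp()
    build_sample_packet(root)
    return check_packet(root)
```

Run `demo()` against the constructed sample and only 01-AC.1 (draft-only) and 15-SI.4 (missing) are reported; pointing `check_packet` at a real packet folder gives the same one-line-per-gap list for the senior official to close before signing the affirmation.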
Primary sources
- DoD CMMC Assessment Guide - Level 1, v2.13: assessment methods, final-form evidence, and MET / NOT MET / NOT APPLICABLE findings.
- DoD CMMC Scoping Guide - Level 1, v2.13: assets that process, store, or transmit FCI are in scope.
- FAR 52.204-21: the 15 basic safeguarding requirements.
FAQ
What counts as evidence for CMMC Level 1?
CMMC Level 1 evidence can include final policies, procedures, rosters, screenshots, configuration exports, diagrams, logs, and demonstrations that show each FAR 52.204-21 safeguarding requirement is implemented for the systems that process, store, or transmit FCI. Draft policies and unofficial working papers should not be used as evidence.
Do I need screenshots for every CMMC Level 1 requirement?
No. Screenshots are useful for many technical requirements, but CMMC Level 1 evidence can also be a signed policy, a visitor log, a media disposal log, a network diagram, a user roster, a device inventory, an interview note, or a simple test result. The point is to have enough final evidence to support a MET finding.
How much evidence should a small contractor keep for Level 1?
Keep one or two strong artifacts per requirement, plus a short narrative explaining how the control works in your environment. For most small contractors, that means a compact evidence folder with 15 subfolders, not a giant audit binder.
Can draft policies be CMMC Level 1 evidence?
No. The CMMC Level 1 Assessment Guide says documents used as evidence need to be in final form. Draft policies, working papers, and unofficial or unapproved procedures should be finalized before you rely on them for a MET finding.
Does Level 1 evidence have to be uploaded to SPRS?
No. For Level 1, SPRS stores the self-assessment result and affirmation information. You keep the supporting evidence in your own records so your senior official, a prime, or a future reviewer can understand why the affirmation was truthful.