CMMC Level 1 was written broadly enough to cover a machine shop, a construction trailer, a cloud-only software firm, or a three-person remote consultancy. Remote work is not the problem. Unclear scope is the problem.
The short answer
- Remote work is allowed at Level 1 if the systems that touch FCI meet the 15 safeguarding requirements.
- A remote employee's device is in scope when it reads, stores, syncs, prints, or sends FCI.
- A fully remote company may mark some facility-specific items NOT APPLICABLE, but only with a documented reason.
- The cleanest remote setup is a company-managed laptop, company email, MFA, no local FCI storage unless needed, and no personal cloud storage.
What is in scope
The DoD CMMC Level 1 Scoping Guide says assets are in scope when they process, store, or transmit FCI. For remote work, translate that into five questions:
- Can this person open an FCI email?
- Can this device download or sync an FCI file?
- Can this application store contract schedules, drawings, or task orders?
- Can this printer or scanner handle paper FCI?
- Can this cloud service move FCI from one person to another?
Every yes belongs in the boundary. Every no can usually stay outside it.
Home-office controls
| Remote-work area | Level 1 expectation | Evidence to keep |
|---|---|---|
| Laptop or desktop | Named user, screen lock, patching, malware protection, and no shared account. | Device inventory, update screenshot, AV screenshot, user assignment. |
| Email and file storage | Company tenant, MFA, named users, no public links to FCI folders. | MFA screenshot, user export, folder permissions screenshot. |
| Home Wi-Fi | Modern encryption, non-default router password, work device separated from casual guest use. | Remote-work policy and employee attestation. |
| Printing | Avoid printing FCI when possible; if printed, store it securely and shred it. | Paper FCI rule, locked storage note, shredding log. |
| Remote access | No exposed RDP. Use VPN, secure cloud access, or managed remote access with MFA. | VPN/MFA screenshot or remote-access policy. |
Personal devices
Level 1 does not use the phrase "bring your own device," but the requirements still apply. If a personal laptop touches FCI, you need to show the same things you would show on a company laptop: identity, authentication, access control, patching, malware protection, scanning, and a way to remove FCI when access ends.
If you allow personal devices, write the rule down: which devices are approved, what settings are required, whether local downloads are allowed, and what happens when a person leaves the contract.
Visitor logs and physical access
A fully remote company may not have a company office, server room, or front desk. That does not mean the physical-protection requirements vanish. It means you document what is not applicable and still protect the physical things that do exist: laptops, phones, paper FCI, removable media, and printers.
- No office? Document that visitor logging for a company facility is NOT APPLICABLE.
- Paper FCI at home? Store it in a drawer or cabinet and shred it when no longer needed.
- Shared household? Require screen lock and do not leave FCI visible on a kitchen table or shared printer tray.
- Company laptop? Offboard it like an asset: recover, wipe, or remove access.
Remote-work evidence checklist
- Remote-work policy covering FCI, personal devices, printing, and home Wi-Fi.
- Device inventory with owner, operating system, and whether it touches FCI.
- MFA screenshot for the company tenant and remote-access tools.
- FCI folder permissions screenshot.
- Patch and antivirus status screenshot for each in-scope device type.
- Paper FCI and media disposal rule with a simple disposal log.
- NOT APPLICABLE note for any facility requirement that truly does not apply.
Primary sources
- DoD CMMC Scoping Guide - Level 1: in-scope assets process, store, or transmit FCI; scoping should consider people, technology, facilities, and external service providers.
- DoD CMMC Assessment Guide - Level 1: MET, NOT MET, and NOT APPLICABLE findings; evidence methods.
- FAR 52.204-21: the 15 safeguarding requirements.
FAQ
Can a remote company meet CMMC Level 1?
Yes. CMMC Level 1 does not require a traditional office. A remote company can meet Level 1 by scoping the systems that process, store, or transmit FCI and implementing the 15 FAR 52.204-21 requirements for those systems, people, devices, and any relevant home-office processes.
Are home laptops in CMMC Level 1 scope?
A home laptop is in scope if it processes, stores, or transmits FCI. If the laptop can read FCI email, download FCI files, sync a folder containing FCI, or print FCI, it should be treated as an in-scope asset and protected accordingly.
Can employees use personal devices for CMMC Level 1 work?
Personal devices are risky but not automatically forbidden by Level 1. If a personal device touches FCI, the company still needs to control access, identify the device, authenticate users, protect against malware, patch it, and manage disposal or data removal. Many small contractors choose company-managed devices because the evidence is cleaner.
How do visitor logs work for a fully remote company?
If there is no company facility where FCI systems or paper FCI are stored, visitor logging for that facility may be NOT APPLICABLE with a documented reason. Home offices still need sensible physical protection for company laptops and paper FCI, such as screen locks and locked storage.
Does home Wi-Fi need to be in the CMMC Level 1 scope?
Home Wi-Fi is part of the environment used to transmit FCI when employees work remotely. For Level 1, use practical controls: WPA2 or WPA3, a non-default router password, no shared guest access to work devices, and VPN or secure cloud access where appropriate.