← Custodia

The 8 CMMC Level 1 Policies You Need (Free Templates) — 2026

CMMC Level 1's 15 controls roll up into 8 one-page policies. Here is the full list, what each covers, and a link to the free, printable templates.

By David Fuentes· Compliance Officer, CustodiaMay 13, 20265 min read

Consultants love selling Information Security Manuals. We've seen $8,000 invoices for 40-page documents that nobody on the contractor's team ever reads. For CMMC Level 1, that's unnecessary. The 15 safeguarding requirements roll cleanly into eight one-page policies. Each one fits on a single sheet, gets signed by the affirming official, and lives in a folder you can produce on demand.

The 8 policies (and what each covers)

Policy 01
Access Control

Who gets access to what, how access is reviewed, how it's revoked.

Policy 02
Identification & Authentication

How users prove who they are. MFA. Password rules. Service accounts.

Policy 03
Media Protection & Disposal

How USBs, hard drives, and printed FCI are handled and destroyed.

Policy 04
Physical Protection

Visitor logs. Locked doors. Where FCI is physically stored.

Policy 05
Network & Boundary Protection

Firewall, guest Wi-Fi separation, what crosses the boundary.

Policy 06
System Integrity & Patching

Antivirus, patch cycles, monitoring for malicious activity.

Policy 07
Incident Response

What counts as an incident. Who to call. The 72-hour DoD reporting rule.

Policy 08
Acceptable Use

What employees may and may not do with company devices and FCI.

Rules for policies that actually work

  • One page each. If it's longer, it's not getting read.
  • Plain English. “Users must lock their screens when away” beats “Users shall ensure session termination upon physical departure from the workstation.”
  • Signed and dated. By the affirming official. Re-sign annually.
  • Reflects what you actually do. Don't write “quarterly penetration tests” if you don't do them.
  • Lives somewhere findable. A shared drive, a /compliance folder, a binder — just not someone's personal laptop.

Get the free pack

All 8 policies, printable, in the Rhetorich style. Sign once, file, done: Open the policy pack →

Full DIY path: The Free DIY CMMC Level 1 Handbook.

FAQ

Do I really need 8 policies?

You need enough policy coverage that every one of the 15 controls is governed by a written statement of intent. Eight one-page policies is the cleanest way to do that. You could combine them into 2 or 3 longer documents — but the eight one-pagers are easier to maintain, sign, and produce on demand.

Can I use ChatGPT to draft them?

You can — but the output will be generic and won't reflect what your company actually does. Our templates give you the structure; you fill in the specifics (your tools, your processes, your roles). A policy that doesn't reflect operational reality is worse than no policy.

How often do these need to be reviewed?

At minimum annually, before your SPRS affirmation. Also when scope changes, when you adopt a new tool, or when an incident reveals a gap.

Keep reading
  1. CMMC Level 1
    CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors

    The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.

    Read →
  2. CMMC Level 1
    DoD Cybersecurity Requirements: A Plain-English Guide for Non-Technical Business Owners

    You're not an IT person. You won a contract. The prime is asking weird questions. Here's exactly what they need, in English, without the acronym soup.

    Read →
  3. CMMC Level 1
    CMMC vs NIST 800-171: The Difference Most Small Contractors Get Wrong (2026)

    CMMC and NIST 800-171 are not the same thing. The difference decides whether your weekend is 5 days of paperwork or a $50K assessment.

    Read →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)