The federal compliance industrial complex would prefer you didn't know any of this. CMMC Level 1 has been treated for years as a thing only consultants can navigate, and a thing only $20k engagements can deliver. Neither is true. The rule is published. The 15 requirements are short. The assessment is yours to run. This guide walks you through the complete free DIY path — the same path our platform automates for you for $249/mo (Self Service) when you decide you'd rather not maintain it manually.
TL;DR — the path in 60 seconds
- Decide it applies. If your DoD contracts reference FAR 52.204-21, Level 1 applies. If they mention CUI or DFARS 252.204-7012, you owe Level 2 instead.
- Scope the boundary. List the people, devices, and cloud apps that touch federal contract information. Sketch the diagram.
- Inventory the assets. Users, devices, keys, cloud accounts.
- Write eight one-page policies. Adapt our templates. Sign and date them.
- Implement the 15 controls. Most are configuration changes in tools you already own.
- Write your SSP. One document, 15 short paragraphs.
- Self-assess, attest, post to SPRS. Calendar the annual renewal.
Each step links to a free, printable template. Full handbook is here: The Free DIY CMMC Level 1 Handbook.
Who this works for
The DIY path is genuinely realistic for the contractor who:
- Handles FCI only, not CUI (Level 1 territory, not Level 2)
- Has a modern IT stack — M365 Business or Google Workspace, modern operating systems, a router or firewall less than 5 years old
- Can carve out 4 focused hours over the next week or two
- Has someone on staff who can navigate cloud admin consoles (or a friendly IT person who can sit with you for an afternoon)
It is not the right path if:
- You handle CUI — see our CUI vs FCI guide — that's a different game.
- Your prime is asking for evidence on a recurring basis, with audit-style rigor.
- Your “IT system” is a 2015 desktop, a USB key, and a printer.
The seven steps
Step 1 — Decide if you actually need it
Open your last three federal contracts or subcontracts. Search the text for the strings FAR 52.204-21 and CUI.
| What you find | What that means |
|---|---|
| FAR 52.204-21 only | Level 1. Continue this guide. |
| CUI mentioned, or DFARS 252.204-7012 | Level 2. Stop — see DFARS 7012 vs CMMC. |
| Neither | CMMC may not apply yet. Save this guide. |
Step 2 — Scope your boundary
This is the single most expensive decision in the whole process. Scope means drawing a line around the people, devices, cloud apps, and rooms that touch FCI. Anything inside has to meet the 15 controls. Anything outside doesn't.
Use the free Scoping Worksheet. List in-scope people, devices, cloud apps, network, physical area, then draw the boundary diagram. Total time: about 20 minutes for a small shop.
Step 3 — Inventory your assets
If you completed the scoping worksheet, the asset inventory is done — it's the same tables. Keep it current. Update it when someone joins, someone leaves, or you adopt a new cloud app.
Step 4 — Write your eight policies
Level 1 maps cleanly to eight one-page policies, one per control family plus incident response and acceptable use. The free Policy Pack has all eight. Adapt the language to your company, have the affirming official sign and date each one, and file them.
The eight policies:
- Access Control
- Identification & Authentication
- Media Protection & Disposal
- Physical Protection
- Network & Boundary Protection
- System Integrity & Patching
- Incident Response
- Acceptable Use
Step 5 — Implement the 15 controls
The actual technical work. For most small contractors, 90% of this is configuration changes in tools you already own. The full breakdown of each requirement is in our 15 requirements explained post. The highest-leverage moves:
- Turn on MFA across every cloud app, especially email and remote access
- Verify Defender / endpoint antivirus is on every in-scope device
- Document who has admin rights and prune the list
- Start a visitor log — a clipboard at the front desk is fine
- Set up a separate guest Wi-Fi isolated from the work network
- Configure auto-update on operating systems and apps
- Document a wipe / shred procedure for old laptops and drives, and start a disposal log
Step 6 — Write your SSP
The System Security Plan is the one document a prime will actually ask for. It says, in plain English, how you implement each of the 15 controls. Two to four sentences per control, total of about three printable pages.
Use the free SSP Template. Fill in the blanks. Sign and date. Save the PDF where you can find it on demand.
Step 7 — Self-assess, attest, post to SPRS
Walk through the printable checklist and honestly score each of the 15 controls as MET or NOT MET. At Level 1 there is no partial credit and no plan-of-action substitute — you either meet all 15 or you fix the gaps and reassess.
Once every control is MET, post the affirmation in SPRS using the SPRS walkthrough. Take a screenshot of the confirmation. Save it with your SSP. Set a calendar reminder for 11 months from today — the annual affirmation is what keeps your bid-ready status alive.
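The Step 7 scoring can be driven straight from the Step 3 inventory instead of a clipboard walk. The script below is an added illustration, not the page's checklist or any of its templates: the CSV text is constructed for the example, and the column names and the mapping from each check to a plain-English requirement name are this script's own conventions (assumptions), so rename the headers to match your scoping worksheet. It enforces the Level 1 rule the paragraph above states: any gap in any check means NOT MET, and you do not attest until every check comes back clean.

```python
"""Self-assessment gap check run over the Step 3 asset inventory.

Everything here is a constructed example: the CSV text, the column names and
the check-to-requirement mapping are this script's own conventions, not a
template from the guide. Rename the columns to match your scoping worksheet.
"""
import csv
import io
from dataclasses import dataclass, field

# --- Constructed sample inventory (made up for this example) -----------------
USERS_CSV = """upn,in_scope,employed,account_enabled,mfa_enabled,is_admin
alice@example.invalid,yes,yes,yes,yes,yes
bob@example.invalid,yes,yes,yes,yes,no
carol@example.invalid,yes,yes,yes,no,no
dave@example.invalid,no,yes,yes,no,no
eve@example.invalid,yes,no,yes,yes,yes
"""

DEVICES_CSV = """hostname,in_scope,av_enabled,auto_update
LT-01,yes,yes,yes
LT-02,yes,no,yes
LT-03,yes,yes,no
DESK-OLD,no,no,no
"""

NETWORK_CSV = """segment,isolated_from_work
office-wifi,n/a
guest-wifi,no
"""

DISPOSALS_CSV = """asset,disposed_on,method,witness
LT-00,2024-03-01,shred,alice
SSD-7,2024-05-12,,alice
"""


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def yes(value):
    return value.strip().lower() == "yes"


@dataclass
class Finding:
    control: str                      # plain-English name for the requirement
    gaps: list = field(default_factory=list)

    @property
    def met(self):                    # Level 1 is binary: any gap means NOT MET
        return not self.gaps


def assess(users_csv=USERS_CSV, devices_csv=DEVICES_CSV,
           network_csv=NETWORK_CSV, disposals_csv=DISPOSALS_CSV):
    """Return {key: Finding} for the checks the inventory can answer."""
    users = [u for u in rows(users_csv) if yes(u["in_scope"])]
    devices = [d for d in rows(devices_csv) if yes(d["in_scope"])]
    net = rows(network_csv)
    disposals = rows(disposals_csv)

    f = {}
    # Access control: departed staff must not keep an enabled account.
    f["access"] = Finding("Limit access to authorized users", [
        f"{u['upn']}: account enabled after departure"
        for u in users if not yes(u["employed"]) and yes(u["account_enabled"])])
    # Authentication: every in-scope account has MFA.
    f["mfa"] = Finding("Authenticate users (MFA)", [
        f"{u['upn']}: MFA not enabled" for u in users if not yes(u["mfa_enabled"])])
    # Malicious code protection and flaw remediation, per in-scope device.
    f["av"] = Finding("Malicious code protection", [
        f"{d['hostname']}: antivirus off" for d in devices if not yes(d["av_enabled"])])
    f["patching"] = Finding("Identify and correct flaws (auto-update)", [
        f"{d['hostname']}: auto-update off" for d in devices if not yes(d["auto_update"])])
    # Boundary: the guest network must be isolated from the work network.
    f["guest_net"] = Finding("Separate guest network", [
        f"{n['segment']}: not isolated from work network"
        for n in net if n["segment"].startswith("guest") and not yes(n["isolated_from_work"])])
    # Media disposal: each retired asset has a recorded wipe/shred method and a witness.
    f["disposal"] = Finding("Sanitize media before disposal", [
        f"{r['asset']}: missing {'method' if not r['method'] else 'witness'}"
        for r in disposals if not r["method"] or not r["witness"]])
    return f


def admin_list(users_csv=USERS_CSV):
    """Who holds admin rights in scope: the list to review and prune."""
    return sorted(u["upn"] for u in rows(users_csv)
                  if yes(u["in_scope"]) and yes(u["is_admin"]))


def ready_to_attest(findings):
    """No partial credit and no POA&M at Level 1: attest only when every check is MET."""
    return all(x.met for x in findings.values())


if __name__ == "__main__":
    findings = assess()
    for key, fnd in findings.items():
        print(f"{'MET    ' if fnd.met else 'NOT MET'}  {fnd.control}")
        for gap in fnd.gaps:
            print(f"           - {gap}")
    print("admins:", ", ".join(admin_list()))
    print("ready to attest:", ready_to_attest(findings))
```

Run it as-is and the constructed inventory reports four NOT MET checks (one user without MFA, a departed admin whose account is still enabled, one laptop without antivirus, one without auto-update, a guest network that is not isolated, and a disposal record with no wipe method), so `ready_to_attest` comes back False. Fix the rows, rerun, and only then post to SPRS; keep the printed output with the SSP as the evidence of the reassessment.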
Every template you'll need
All free. All printable. All built from primary sources (FAR 52.204-21, 32 CFR Part 170). No email gate.
- Scoping worksheet — 20 minutes, defines the boundary
- SSP template — 60 minutes, fill-in-the-blank for all 15 controls
- 8 policy templates — 45 minutes, one page each
- Self-assessment checklist — 30 minutes, plain English
- SPRS walkthrough — step-by-step posting
- Annual affirmation guide — 15 minutes/year, keep it alive
Real time and real cost
| Step | Time | Out-of-pocket cost |
|---|---|---|
| Scope your boundary | 20 min | $0 |
| Inventory assets | Included in scoping | $0 |
| Write 8 policies | 45 min | $0 |
| Implement 15 controls | 1–3 days | $0–500 (a new firewall, if needed) |
| Write the SSP | 60 min | $0 |
| Self-assess + checklist | 30 min | $0 |
| Post to SPRS | 30 min (longer if no PIEE) | $0 |
| Total | ~4 hours of focused paperwork, plus 1–3 days of implementation if controls are missing | $0–500 |
Five mistakes that derail DIY contractors
- Scoping too wide. Treating every laptop in the company as in-scope doubles or triples your work for no compliance benefit.
- Copying policies you don't actually follow. A policy that says “we encrypt all USB drives” when you don't is worse than no policy.
- Submitting before fixing gaps. Attesting MET when you're NOT MET is the False Claims Act exposure. Fix it; then attest.
- Forgetting the annual renewal. A stale SPRS posting is treated as no posting. Calendar the renewal twice.
- Not saving evidence. When a prime asks for your SSP, you need to find it in 60 seconds, not 60 minutes.
When to give up DIY and pay someone
Three honest cases:
- You handle CUI. That's Level 2, not Level 1. The DIY path stops working — you need a C3PAO assessment and a different document set.
- Your prime requires recurring evidence. Quarterly logs, monthly screenshots, change records on demand. Manual cycles fail under this load. A platform (ours or someone else's) is genuinely worth it.
- The annual renewal is what keeps slipping. The most common failure mode of DIY isn't doing the work the first time — it's doing it the second and third year. That's exactly what platforms exist to solve.
For Level 1 specifically, our platform is $249/mo Self Service (or $2,496/yr on annual — two months free), or $397/mo if you want a credentialed Custodia Compliance Officer assigned to your account. It replaces the manual cycle. The 7-day free trial does the first SSP, scope, and policies for you using the same templates we've linked throughout this guide.
Frequently asked questions
Can I really do CMMC Level 1 by myself?
Yes. CMMC Level 1 is explicitly designed for self-assessment — there is no third-party assessor required, no government auditor, no certification body. Every Level 1 contractor self-attests in SPRS annually. The DoD's own rule (32 CFR 170.15) names self-assessment as the default and only mode for Level 1.
How long does the DIY path take?
About 4 hours of focused work spread across a week, if you start from a reasonably modern IT setup (Microsoft 365 Business or Google Workspace, modern operating systems, a firewall). Add 1–3 days if you need to install MFA across cloud apps, configure antivirus, or set up a separate guest Wi-Fi.
What do consultants charge for CMMC Level 1, and what do they actually do?
Level 1 engagements typically run $5k–$40k. The deliverables are: a scoping conversation, an SSP, eight or so policies, a gap assessment, and remediation guidance. Every one of those artifacts is something a small contractor can produce themselves with the templates we publish for free. The legitimate work a consultant adds is project management and accountability — not unique knowledge.
What's the risk of doing it wrong?
Honest mistakes during self-assessment are not the legal exposure. Knowingly false attestations are. Since its launch in late 2021, the DOJ's Civil Cyber-Fraud Initiative has pursued contractors who claimed compliance they didn't have under the False Claims Act, with settlements in the millions. The protective move is: implement what you can, document what you've done, and sign your attestation only when it's truly accurate. If you have a gap, fix it before you submit.
When should I use a platform like Custodia instead?
Three cases. (1) You're targeting Level 2 — that requires a C3PAO and is genuinely a different process. (2) Your prime requires recurring evidence collection (quarterly logs, change records, screenshots), and the manual cycle eats more than $249/mo of your time. (3) The annual renewal is what keeps slipping. The free DIY path produces the same artifacts; the platform produces them without you having to think about it.
What do I actually post to SPRS at Level 1?
An affirmation — your statement that your company meets all 15 safeguarding requirements of FAR 52.204-21. There is no numerical score (that's Level 2's NIST 800-171 score on a -203 to +110 scale). At Level 1 it is binary: MET or NOT MET. Posting is done in PIEE → SPRS → Cyber Reports by an authorized affirming official (owner, CEO, or delegated CIO).