Custodia · Free Playbook · 2026 edition

The CMMC Level 1 in 7 days playbook.

A day-by-day plan to take a small DoD contractor from zero to a signed SPRS affirmation in seven calendar days. All 15 FAR 52.204-21 safeguarding requirements, plain English, no consultant required. Work the plan, file the affirmation, stay bid-eligible.

Custodia · bidfedcmmc.com

7 days from start to signed · 15 FAR safeguards · 1 annual SPRS filing
How to use this playbook
  1. Block 60–120 minutes on each of the next 7 days. Owner, IT person, and an admin in the room.
  2. Work the day's tasks in order. Save every screenshot, log, and doc into one folder — that's your evidence pack.
  3. If you can't complete a task that day, don't skip it. Carry it to the next morning and catch up. CMMC Level 1 does not allow POA&Ms.
  4. On Day 7, the senior official reviews, signs, and files. Bid-eligible. Done.
Day 1 · Monday · 60–90 min

Inventory & identification

Done when: You have one list of every person and every device that can touch federal contract information.

AC.L1-3.1.1 · AC.L1-3.1.2 · IA.L1-3.5.1

  1. List every user account — one row per real human.

     Employees, contractors, vendors with portal access, the receptionist who handles invoices. Email column, name column, role column. If you can't tie a login to a real person, that's an audit finding.

  2. List every device — one row per laptop, phone, server, switch, or NAS.

     Personal phones used for work email count. The router in the closet counts. The owner's iPad counts. Make/model, owner, last-patched date.

  3. Mark which systems hold federal contract information (FCI).

     Highlight the rows. FCI is any non-public info from a federal contract or related to its performance — proposals, drawings, schedules, BOMs, contact emails. Be honest. Over-marking is fine.

Today's output

User & Asset Inventory spreadsheet (Google Sheet or Excel).

Day 2 · Tuesday · 90–120 min

Access control & authentication

Done when: MFA is on for every account that touches FCI, and there's a written 1-page rule for approved apps and public posting.

AC.L1-3.1.20 · AC.L1-3.1.22 · IA.L1-3.5.2

  1. Turn on MFA for every admin account.

     Microsoft 365, Google Workspace, AWS, Okta, GitHub, QuickBooks — any system where a single account could expose or destroy FCI. Authenticator app, not SMS, where possible.

  2. Turn on MFA for every named user on FCI-touching cloud apps.

     Not just admins. The bookkeeper signing into the bank. The PM signing into the proposal-collab portal. Every named human, MFA on.

  3. Write the Approved Cloud Apps list. One page.

     Three columns: vendor + use case + approved-by. If it's not on the list, it's not used for FCI. Dropbox personal accounts, personal Gmail, generic AI tools — flag and decide.

  4. Write the Public Posting Approval rule. Three lines.

     Before any contract-related info goes on the website, LinkedIn, a conference slide, a press release — who has to say yes. Name the person. The end.

Today's output

MFA screenshots (M365/Google/AWS/Okta), Approved Cloud Apps list, Public Posting Approval rule.

Day 3 · Wednesday · 60 min

Boundary & public surface

Done when: A firewall stands between the open internet and your work network, and guest Wi-Fi is on a separate subnet.

SC.L1-3.13.1 · SC.L1-3.13.5

  1. Verify a firewall is in place.

     Router-level (most small offices), cloud-level (AWS Security Group, GCP VPC firewall), or both. Default rule: deny inbound. If you can't show that, you have an open boundary.

  2. Screenshot the firewall config.

     The default-deny inbound rule must be visible. Save the screenshot in the same folder as your inventory.

  3. Separate guest Wi-Fi from work Wi-Fi.

     Different SSID, different VLAN or subnet. If your router doesn't support VLANs, get a $60 UniFi that does or use a separate guest router.

  4. Draw the network diagram. Five boxes max.

     Internet → Firewall → Work LAN → Cloud → FCI Systems. One page. Hand-drawn is fine. This is the diagram an assessor will ask for.
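For the cloud-level boundary in steps 1 and 2, a screenshot shows the rule set but does not prove that nothing is open to the whole internet. The checker below is an added example, not part of the Custodia playbook: it reads the JSON shape produced by `aws ec2 describe-security-groups` (a constructed sample is embedded) and lists every ingress rule reachable from 0.0.0.0/0 or ::/0 on a port you did not deliberately publish. The allowed-port set and the group names are assumptions.

```python
"""Flag security-group ingress rules that break "deny inbound by default".

Added example, not part of the Custodia playbook. Input is the JSON shape of
`aws ec2 describe-security-groups --output json`; the sample below is constructed.
"""
import json
from ipaddress import ip_network

# Constructed sample: one web group with SSH open to the world, one FCI file
# server group with an any-protocol rule open to all of IPv6.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example01", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example02", "GroupName": "fci-fileserver", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]}]})

# Assumption: only the public web front end is meant to be reachable from anywhere.
ALLOWED_PUBLIC_PORTS = {80, 443}

def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def world_open_rules(describe_output: str) -> list[dict]:
    """One finding per ingress rule open to the internet on a port outside
    ALLOWED_PUBLIC_PORTS. Protocol "-1" means every port and is always a finding."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue  # restricted to specific source ranges: fine
            if rule["IpProtocol"] == "-1":
                ports = "all"
            else:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                    continue  # deliberately published service
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "protocol": rule["IpProtocol"], "ports": ports})
    return findings

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE):
        print(f"{f['group']} ({f['name']}): {f['protocol']} {f['ports']} open to the internet")
```

Run it against the real `describe-security-groups` output and keep the empty result alongside the screenshot as evidence; every line it prints is a rule to close before Day 7.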

Today's output

Firewall config screenshot, network diagram (single page).

Day 4 · Thursday · 60–90 min

Media & physical protection

Done when: Old drives get wiped before disposal, the FCI work area locks, and there's a visitor log on the front desk.

MP.L1-3.8.3 · PE.L1-3.10.1 · PE.L1-3.10.3 · PE.L1-3.10.4 · PE.L1-3.10.5

  1. Write the Media Sanitization SOP. One page.

     How drives, USBs, phones, and paper get destroyed. Who does it. Who logs it. Include a sample log template. NIST 800-88 'clear' is the floor; 'purge' or 'destroy' is safer.

  2. Confirm the FCI work area has locking doors. Photograph them.

     If contract info lives on laptops on desks, the room those desks are in must lock. Two photos: the door from outside, the lock close-up.

  3. Set up the visitor log.

     A clipboard at the front desk counts. Columns: name, organization, escorted-by, time in, time out. Vendors, family, delivery drivers, prospects — all sign in.

  4. Build the Key/Badge/Code registry.

     Every physical key, every badge, every fob, every alarm code. Owner per row. Reclaim process: when an employee leaves, the manager owns getting it back same-day.
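The Day 1 user list and the Day 4 key/badge/code registry are only useful as evidence if they agree with each other. The script below is an added example, not part of the Custodia playbook: it reconciles the two sheets, flagging logins with no named human behind them (the Day 1 audit finding) and keys, badges, fobs or codes whose owner is no longer on the people list (the Day 4 reclaim rule). The CSV column names and the rows are constructed assumptions.

```python
"""Reconcile the Day 1 user inventory against the Day 4 key/badge/code registry.

Added example, not part of the Custodia playbook. Assumes both sheets were
exported as CSV with the column names used below; rows are constructed samples.
"""
import csv
import io

# Constructed Day 1 user list: name, email, role. The third row is a shared
# scanner login with no person attached.
USERS_CSV = """name,email,role
Dana Ruiz,dana@example.com,Owner
Lee Park,lee@example.com,Project Manager
,shared-scanner@example.com,Front desk scanner
"""

# Constructed Day 4 registry: one item per row, owner per row. Morgan Tate is
# not on the user list, so the fob was never reclaimed.
KEYS_CSV = """item,owner
Front door key #1,Dana Ruiz
Alarm code 4412,Lee Park
Server closet fob,Morgan Tate
"""

def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))

def unowned_logins(users_csv: str) -> list[str]:
    """Logins that cannot be tied to a real person: the Day 1 audit finding."""
    return [r["email"] for r in _rows(users_csv) if not r["name"].strip()]

def unreclaimed_keys(users_csv: str, keys_csv: str) -> list[str]:
    """Items whose owner is not on the current people list.
    Assumption: the Day 1 user list is the authoritative roster, so an owner
    missing from it has left and the item should have been reclaimed same-day."""
    people = {r["name"].strip().lower() for r in _rows(users_csv) if r["name"].strip()}
    return [r["item"] for r in _rows(keys_csv)
            if r["owner"].strip().lower() not in people]

if __name__ == "__main__":
    for email in unowned_logins(USERS_CSV):
        print(f"FINDING: login {email} is not tied to a real person")
    for item in unreclaimed_keys(USERS_CSV, KEYS_CSV):
        print(f"FINDING: {item} is held by someone not on the roster")
```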

Today's output

Media Sanitization SOP (1 page), visitor log template, key/badge/code registry, door photos.

Day 5 · Friday · 45–60 min

System integrity

Done when: Every laptop and server auto-installs patches, runs active antivirus, and runs a weekly full scan.

SI.L1-3.14.1 · SI.L1-3.14.2 · SI.L1-3.14.4 · SI.L1-3.14.5

  1. Turn on auto-install for OS and app updates on every endpoint.

     Windows Update on each Windows machine. Software Update + automatic on each Mac. Unattended-upgrades on Linux servers. Mobile devices on auto-update too.

  2. Confirm active antivirus on every endpoint.

     Windows Defender counts. XProtect on macOS counts. A paid EDR is better but not required at L1. Screenshot each one showing 'active' status.

  3. Verify AV signatures are auto-updating.

     Open the AV settings on a representative machine. Confirm the last update was within the last 7 days. Screenshot.

  4. Schedule the recurring full-system scan.

     Weekly is fine for most small shops. Schedule it for off-hours so it doesn't slow the user. Real-time scanning stays on always.

Today's output

Patch policy doc (4 lines), AV screenshots, scan schedule confirmation.

Day 6 · Saturday · 90–120 min

Documentation

Done when: You have a draft System Security Plan covering all 15 safeguards and a senior-official affirmation memo ready to sign.

SSP · Affirmation memo

  1. Open the SSP template. Fill in the boundary section.

     Org name. The FCI boundary in 1–2 paragraphs (what's in scope, what's out). The list of systems from Day 1. The network diagram from Day 3. Reuse, don't rewrite.

  2. Write the 15 control responses. One short paragraph each.

     For each of the 15 FAR 52.204-21 safeguards: what the practice is, what your business does to satisfy it, where the evidence lives (filename or system). Plain English. Three to five sentences each. This is the bulk of the SSP.

  3. Open the affirmation memo. Fill in senior-official name + title + date.

     The affirming official must be a person who can bind the company — owner, CEO, COO, CFO, or equivalent. Their statement is the legal attestation. Do not fill in someone who didn't read the SSP.

  4. Write the POA&M note: not permitted at L1.

     Plan-of-action-and-milestones items are not allowed at CMMC Level 1 (per 32 CFR §170.15). If you can't currently meet a safeguard, you are not ready to affirm. Go back and fix it before signing.

Today's output

SSP draft (~10 pages), affirmation memo ready for signature.

Day 7 · Sunday · 45 min

Sign & submit

Done when: Your annual SPRS affirmation is filed, the score is 110, and a calendar reminder is set for the next re-affirmation in 12 months.

SPRS submission · 12-month cadence

  1. Senior official reviews the SSP end to end.

     Reads every section. Asks questions where the answer isn't obvious. The affirmation that follows is a federal attestation — 18 USC 1001 / False Claims Act exposure if it's wrong. This step is non-negotiable.

  2. Senior official signs the affirmation memo. Today's date.

     Wet signature or e-signature both fine. Save the signed copy with the SSP.

  3. Log in to PIEE (piee.eb.mil) and open the SPRS module.

     If you don't have a PIEE account, today is the day. The roles you need: SPRS Cyber Vendor User and SPRS Cyber Vendor Reviewer.

  4. Submit the CMMC Level 1 annual affirmation. Score: 110.

     All 15 controls implemented = full score. Anything less means you went back to Day 1, not Day 7.

  5. Calendar the next re-affirmation. 12 months from today.

     Set the reminder for 60 days before the due date so you can refresh evidence without scrambling. This is annual, every year, for the life of any FCI-touching contract.

Today's output

SPRS submission confirmation. Calendar reminder set for re-affirmation in 12 months.

What you have at the end of Day 7

A defensible CMMC Level 1 posture, a signed SSP, a senior official's annual affirmation filed in SPRS, and a folder of evidence any prime or contracting officer can flip through without flinching. You are bid-eligible on contracts that flow down FAR 52.204-21.

Senior official sign-off

Name & title: ____________________

Signature & date: ____________________
After you file
  • Save the SPRS confirmation page as PDF.
  • Add the affirmation date and renewal date to the company calendar.
  • Refresh evidence quarterly so next year's re-affirmation is not a fire drill.
  • File the SPRS confirmation in any RFP response.

Guided CMMC Level 1 compliance · bidfedcmmc.com

This playbook is a plain-English implementation guide for FAR 52.204-21(b)(1) and 32 CFR 170.14 (CMMC Level 1 practices). It is not legal advice. The authoritative requirements are the regulations themselves. The senior official's affirmation is a federal attestation; 18 USC 1001 and the False Claims Act apply to false statements.

Skip the spreadsheet. Get the package.

The same 7 days — guided, drafted, and SPRS-ready.

Custodia walks the same 15 safeguards inside the platform: AI compliance officer, evidence vault, auto-drafted SSP and affirmation memo, bid-ready package generator, weekly SAM.gov radar. Stack worth ~$14,000+ in value. 7-day free trial. No card.

7 days to bid-ready · $0 setup fee · 100% guarantee