The Custodia DIY handbook

Do CMMC Level 1 yourself. For free.

Every consultant in the defense industrial base will tell you CMMC requires their help. For Level 1, they're wrong. Here is the complete, honest path — seven steps, eight printable templates, plain English. Built by the engineers at Custodia.

7 steps end-to-end · 8 printable templates · $0 cost to follow
The honest pitch

We sell a platform. We're still going to tell you how to do this without us.

Here's why: CMMC Level 1 is genuinely doable without a consultant. We've seen 6-person shops finish in a week. The consultants charging $15–40k for a Level 1 engagement are quietly extracting rent on the fact that nobody published the full path in plain English.

We did. If you finish this handbook and never pay us a dollar, you got what you came for. If somewhere around the annual affirmation, evidence collection, or the next contract's renewal you decide you'd rather not think about this every year — that's when you'll come back. The platform is $249/mo and we run the whole thing for you.

DIY works if
  • You have ~4 focused hours over a week
  • You're comfortable with M365 / Google Workspace settings
  • You're willing to maintain the annual cycle yourself
DIY breaks if
  • You haven't run a self-assessment in 18+ months
  • Your SSP and policies are 'somewhere in a drawer'
  • You're targeting Level 2 (different ball game)
When to pay someone
  • Your prime requires evidence quarterly
  • You handle CUI (that's Level 2, not 1)
  • You'd rather sleep through the renewal
The whole path

Seven steps. Roughly 4 hours of work.

  1. Decide if you actually need it (don't skip) · 5 minutes

    If your contracts only have FCI (no CUI), you need CMMC Level 1. If they have CUI, you need Level 2 — different rules, different costs.

    Deliverable: a definitive yes / no, written down
    • Pull your last 3 federal contracts. Search for the strings 'FAR 52.204-21' and 'CUI'.
    • If FAR 52.204-21 appears anywhere → Level 1 applies.
    • If 'CUI' or 'DFARS 252.204-7012' appears → you're at Level 2, not Level 1. Stop and reassess.
    • If neither appears in any contract → CMMC may not apply to you yet. Save this guide for when it does.
  2. Scope your boundary (the 90% lever) · 20 minutes

    Decide which laptops, people, cloud apps, and rooms touch federal contract info. Anything inside the boundary has to meet the 15 controls. Anything outside doesn't.

    Deliverable: a signed scoping worksheet + boundary diagram
    • Don't treat the whole company as in-scope by default. A 6-person shop usually has 3 laptops, 2 cloud apps, and a firewall in scope — not everything.
    • List the people who touch FCI. The receptionist who only stamps envelopes is probably out of scope.
    • List the devices, then the cloud apps, then the network and physical work area.
    • Draw the boundary. A pencil sketch is acceptable evidence at Level 1.
    • Sign and date the worksheet. This becomes the foundation of your SSP.
  3. Inventory your assets · 30 minutes

    Write down every in-scope device, every in-scope cloud account, every authorized user, every key/badge. This is the asset list your SSP and self-assessment reference.

    Deliverable: a current asset inventory (people, devices, apps)
    • The scoping worksheet (Step 2) doubles as your asset inventory. If you completed it, you're done with this step.
    • If you want a standalone asset register, the templates folder in our repo has CSV starters (access-device-register, role-matrix, network-boundary-inventory).
    • Update the inventory whenever someone joins or leaves, or you add a new app.
  4. Write your policies (eight of them) · 45 minutes

    Eight one-page policies that cover all 15 controls. Adapt the templates, fill in your company name, sign, date, file.

    Deliverable: eight signed, dated policies on file
    • Access Control · Identification & Authentication · Media Protection · Physical Protection · Network/Boundary · System Integrity · Incident Response · Acceptable Use.
    • These are not novels. Each is one page. A 6-person company doesn't need a 40-page Information Security Manual.
    • Have the affirming official (owner, CEO, or formally delegated CIO) sign and date each one.
    • Re-sign annually as part of the affirmation cycle (Step 7).
  5. Implement the 15 controls · 1–3 days, sometimes longer

    The actual technical work. Most of it is configuration of tools you already have (MFA on email, antivirus on, firewall configured, visitor log started).

    Deliverable: each of the 15 controls is genuinely operational
    • If you already have Microsoft 365 Business + Windows Defender + a router with a firewall, most controls are configuration, not procurement.
    • Highest-leverage moves: turn on MFA across every cloud app, verify Defender is on every laptop, document who has admin, start a visitor log, set up a guest Wi-Fi separate from work Wi-Fi.
    • Things people buy unnecessarily: enterprise EDR, a SIEM, a $20k MSP retainer. None of these are required for Level 1.
    • Document what you implemented and where in your SSP (Step 6).
  6. Write your System Security Plan (SSP) · 60 minutes

    One document that describes how you implement each of the 15 controls. The single artifact that proves you took this seriously when a prime asks.

    Deliverable: a signed SSP referencing your scope, assets, and policies
    • For each of the 15 controls, write 2–4 sentences: what you do, who is responsible, where the evidence lives.
    • Reference your policies (Step 4) and inventory (Steps 2–3). Don't repeat them — link.
    • Have the affirming official sign and date. Schedule annual review.
    • Save the PDF where you can find it on demand. This is the document primes will ask for.
  7. Self-assess + post to SPRS (the action that makes it real) · 60 minutes (longer if PIEE isn't set up yet)

    Run the 15-question checklist. Sign the attestation. Post the affirmation in SPRS. You are now bid-ready.

    Deliverable: a live SPRS posting with your affirmation date
    • Run the checklist. Honestly. If you can't mark MET on all 15, fix the gap before submitting.
    • Have the affirming official sign the attestation.
    • Post the affirmation in SPRS using our step-by-step walkthrough.
    • Take a screenshot of the SPRS confirmation. Save it with your SSP.
    • Set a calendar reminder for 11 months from now: time for the annual affirmation.
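Step 5 asks you to verify Defender on every laptop, confirm the firewall is configured, and document who has admin, and Step 6 asks you to say where the evidence lives. The script below is an added example, not Custodia's code or one of its templates: it snapshots those three settings on one Windows laptop and writes a dated JSON file you can cite from the SSP. It assumes Windows 10/11 with built-in Microsoft Defender, an elevated PowerShell session, and the placeholder evidence folder `C:\CMMC-Evidence`.

```powershell
# Added example (not Custodia's code): snapshot three Level 1 technical controls
# on this laptop and save the result as dated evidence for the SSP.
# Assumes Windows 10/11 with built-in Defender, run from an elevated session.
$evidenceDir = "C:\CMMC-Evidence"   # placeholder path; use your own evidence folder
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# Malicious code protection: Defender engine, real-time protection, signature age
$mp = Get-MpComputerStatus
$defender = [ordered]@{
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    SignatureAgeDays          = $mp.AntivirusSignatureAge
    LastQuickScan             = $mp.QuickScanEndTime
}

# Boundary protection: every firewall profile (Domain, Private, Public) should be on
$firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

# "Document who has admin": members of the local Administrators group
$admins = Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource

# Gaps that would stop you marking the control MET honestly
$findings = @()
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is OFF" }
if ($mp.AntivirusSignatureAge -gt 7)     { $findings += "Defender signatures are older than 7 days" }
foreach ($p in $firewall) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

$snapshot = [ordered]@{
    Host        = $env:COMPUTERNAME
    Collected   = (Get-Date).ToString("o")
    Defender    = $defender
    Firewall    = $firewall
    LocalAdmins = $admins
    Findings    = $findings   # an empty list means all three checks passed
}

# One file per host per day, e.g. LAPTOP01-20250101.json
$out = Join-Path $evidenceDir ("{0}-{1:yyyyMMdd}.json" -f $env:COMPUTERNAME, (Get-Date))
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8

# Short summary for the SSP's "where the evidence lives" sentence
"{0}: {1} finding(s); evidence saved to {2}" -f $env:COMPUTERNAME, $findings.Count, $out
$findings
```

Run it on each in-scope laptop and keep the JSON files with the SSP; MFA on cloud apps is checked in the M365 or Google Workspace admin console, not from the laptop.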
Common questions

Honest answers.

Is doing CMMC Level 1 yourself actually allowed?

Yes. Level 1 is explicitly self-assessed. No third-party assessor, no government auditor — just you, the 15 requirements, and an annual affirmation in SPRS. (Level 2 is different: it requires a C3PAO assessment.)

What does the consultant charge for that I'm not paying?

For Level 1, consultants typically charge for: a scoping conversation, drafting your SSP, drafting your policies, a gap assessment, and 'remediation guidance.' Everything in that list is something we hand you a template for — free. The legitimate work a consultant adds is project management and accountability, not unique knowledge.

What if I do something wrong?

Honest mistakes during self-assessment are not the False Claims Act risk. Knowingly false attestations are. The protective move is: implement what you can, document what you've done, sign your attestation only when it's truly accurate. If you have a gap, fix it before you submit.

How long does this actually take?

About 4 hours of focused work spread over a week, if you start from a reasonably modern setup (M365 Business or Google Workspace + a recent firewall). Add 1–3 days if you need to install MFA, configure antivirus, or set up a separate guest Wi-Fi.

What does your platform actually do that this handbook doesn't?

The platform fills the templates in for you using a guided interview, collects evidence on a schedule, sends the annual renewal reminders, generates your SPRS-ready score and submission packet, and gives you a single dashboard a prime can be shown. (SPRS posting itself still requires your CAGE-linked PIEE login — we walk you through it.) The handbook gives you the same artifacts at the cost of doing the work manually each year.

When should I just pay someone?

(a) When you handle CUI — that's Level 2, not Level 1, and is a different process. (b) When your prime requires evidence collection on a recurring basis and the manual cycle would eat more than $249/mo of your time. (c) When the annual renewal is what keeps slipping — that's exactly the failure mode the platform is built to prevent.

Ready to start

Two paths. Pick one.

The free DIY path will get you to bid-ready in about a week. The platform will get you there in seven days and keep you there every year after.

Free DIY path: $0 · ~4 hours of work · Start with Step 1 →

Custodia platform: $249/mo · 7-day free trial · Start the free trial →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)