Custodia · Free policy pack · 2026 edition
The CMMC Level 1 policy pack — 8 policies.
Eight one-page policies that cover every CMMC Level 1 control family. Fill in your company name, sign, and file. Review annually.
- 8 policies, one page each
- ~45 min to complete
- 100% FAR 52.204-21 coverage
How to use this pack
- 1. Read each policy and edit anything that genuinely doesn't fit your business.
- 2. Fill in the "approved by" line. The person approving should have authority to bind the company.
- 3. Date it and schedule the annual review.
- 4. Keep the signed copies with your SSP and self-assessment. They are the evidence for your self-assessment.
Policy 01 · Access Control
Access Control Policy
Covers
AC.L1-3.1.1 · AC.L1-3.1.2 · AC.L1-3.1.20 · AC.L1-3.1.22
Purpose
Define who can access company systems and information, and under what conditions.
Policy
- Every user who accesses company systems must have a unique, named account. Shared accounts are prohibited.
- User accounts are created only after written approval by the system owner or their designee, and are tied to a specific person and role.
- Permissions follow the principle of least privilege: each user receives only the access required for their assigned duties. Administrative privileges are restricted to designated administrators.
- External system connections (third-party cloud services, vendor portals, contractor laptops) are approved in writing by the system owner before use. A list of approved external services is maintained.
- Federal contract information is not posted to public-facing channels (website, social media, marketing materials, conference talks) without written approval from the system owner.
- Access is adjusted within one business day of a role change, and accounts are disabled within one business day of separation.
Responsibilities
- System owner: approves new accounts and access changes
- All employees: follow this policy and do not share accounts
- IT contact: implements approvals, disables accounts on separation
Approved by (name & title)
Date · Next review (12 months)
Policy 02 · Identification & Authentication
Identification & Authentication Policy
Covers
IA.L1-3.5.1 · IA.L1-3.5.2
Purpose
Verify the identity of users and devices before granting access.
Policy
- Every user is identified by a unique username tied to their legal name.
- All company-owned devices are inventoried, named, and associated with an assigned user.
- Passwords must be at least 12 characters, contain a mix of letters and numbers, and may not be reused from another service.
- Multi-factor authentication is required on email, all cloud applications used for company work, and any remote access (VPN, RDP, SSH).
- Default passwords on any new system or device must be changed before that system is used for company work.
- Authentication credentials are never stored in plain text or shared via email, chat, or paper.
Responsibilities
- IT contact: enforces password and MFA configuration
- All employees: enroll in MFA, do not share credentials
- System owner: reviews compliance quarterly
Approved by (name & title)
Date · Next review (12 months)
Policy 03 · Media Protection
Media Protection & Disposal Policy
Covers
MP.L1-3.8.3
Purpose
Ensure information is not recoverable from media that leaves company control.
Policy
- Any physical or digital media that has held federal contract information is sanitized before disposal, reuse, or release.
- Acceptable sanitization methods: full overwrite or cryptographic erase for drives (deleting files or a quick format is not sufficient), factory reset for phones and tablets (acceptable when the device was encrypted, which is the default on current iOS and Android), and physical destruction (shredding) for paper and for drives that cannot be wiped.
- A media disposal log is maintained recording: date, item description, sanitization method, person performing the action, and witness (if applicable).
- Disposal log entries are retained for a minimum of three years.
- Media awaiting destruction is kept in a locked area until processed.
Responsibilities
- IT contact: performs sanitization, signs the log
- All employees: hand over devices/media; do not take them home or discard them
- System owner: audits the disposal log annually
Approved by (name & title)
Date · Next review (12 months)
Policy 04 · Physical Protection
Physical Protection Policy
Covers
PE.L1-3.10.1 · PE.L1-3.10.3 · PE.L1-3.10.4 · PE.L1-3.10.5
Purpose
Limit physical access to areas where federal contract work is performed.
Policy
- The designated work area is secured by lock at the end of every business day and during any period it is unattended.
- Only authorized employees and approved contractors may enter the work area unescorted.
- All visitors (clients, vendors, family members, delivery personnel, prospective hires) are escorted by an employee from arrival to departure and must sign the visitor log.
- The visitor log records: visitor name, organization, host employee, time in, time out. The log is retained for one year minimum.
- Physical access devices (keys, badges, fobs, alarm codes) are issued by the system owner and tracked in a register. Devices are collected within one business day of employee separation, and codes are changed when group access changes.
Responsibilities
- System owner: issues and revokes access devices, maintains the register
- All employees: lock up, escort visitors, log entries
- Office manager: maintains the visitor log
Approved by (name & title)
Date · Next review (12 months)
Policy 05 · System & Communications
Network & Boundary Protection Policy
Covers
SC.L1-3.13.1 · SC.L1-3.13.5
Purpose
Defend the network boundary between company systems and the public internet.
Policy
- A firewall (appliance or cloud) protects every internet-facing system. The firewall is configured to deny inbound traffic by default and allow outbound traffic only as needed.
- Firewall configuration is reviewed at least annually and after any significant change.
- Guest Wi-Fi is logically separated from the internal work network (a separate SSID on its own VLAN, with client isolation enabled). Guest devices cannot reach internal devices or shared storage.
- Public-facing systems (marketing website, contact forms) are hosted separately from internal work systems and do not have direct access to FCI.
- Remote access is permitted only through approved methods: VPN with MFA, or an SSO-controlled cloud application.
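The appliance or cloud firewall configuration is vendor-specific, but the same deny-inbound-by-default posture can be enforced and verified on each Windows endpoint with Microsoft Defender Firewall. The following is an added example, not part of the Custodia pack; it assumes Windows 10/11 endpoints, an elevated PowerShell session, and the built-in NetSecurity module. The weak state it replaces is a profile that is disabled or whose DefaultInboundAction is Allow.

```powershell
# Added example (not part of the Custodia policy pack).
# Assumes Windows 10/11 with Microsoft Defender Firewall and an elevated PowerShell session.

# Desired state for every profile: firewall on, inbound blocked by default,
# outbound allowed, dropped packets logged so the log can serve as evidence.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verification: a profile that is disabled or allows inbound by default is a finding.
$findings = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
}
if ($findings) {
    $findings | Format-Table Name, Enabled, DefaultInboundAction
    Write-Warning 'One or more profiles do not block inbound traffic by default.'
} else {
    Write-Host 'All firewall profiles block inbound by default.'
}

# The inbound exceptions are what a reviewer actually wants to see: list every
# enabled inbound allow rule so each one can be justified at the annual review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Sort-Object Profile, DisplayName |
    Select-Object DisplayName, Profile, Group |
    Export-Csv -Path "$env:USERPROFILE\cmmc-sc-inbound-rules.csv" -NoTypeInformation

# Snapshot of the profile settings for the SSP (path is an assumption; keep it with your evidence).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked |
    Export-Csv -Path "$env:USERPROFILE\cmmc-sc-firewall-profiles.csv" -NoTypeInformation
```

Run it at each annual firewall review and after any network change; the two CSV files, dated, are the review evidence. Expect some inbound allow rules from Windows itself (Core Networking, for example); the point of the list is that every remaining rule has a named owner and reason.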
Responsibilities
- IT contact: maintains firewall configuration, performs reviews
- All employees: use the internal work network, not guest Wi-Fi, for work devices
- System owner: approves changes to network architecture
Approved by (name & title)
Date · Next review (12 months)
Policy 06 · System & Information Integrity
System Integrity & Patching Policy
Covers
SI.L1-3.14.1 · SI.L1-3.14.2 · SI.L1-3.14.4 · SI.L1-3.14.5
Purpose
Keep systems patched, protected from malware, and monitored.
Policy
- Operating systems and applications on all in-scope devices are configured to install security updates automatically. Critical patches are installed within 14 days; high-priority within 30 days.
- Antivirus / endpoint protection is installed and enabled on every in-scope device. Built-in Microsoft Defender Antivirus on Windows is acceptable when properly configured. On macOS, the built-in XProtect protection runs automatically but does not offer a scheduled full scan, so a third-party scanner is required on Macs if the weekly full-scan clause below applies to them.
- Antivirus signatures are updated automatically. Signature freshness is verified at least monthly.
- A full-system scan is run on every in-scope device at least weekly. Real-time scanning is enabled and may not be turned off by users.
- Patch status and antivirus status are documented quarterly, with the records kept alongside the SSP.
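The quarterly patch and antivirus status record is easiest to produce from the endpoint itself. The following is an added example, not part of the Custodia pack; it assumes a Windows 10/11 endpoint running Microsoft Defender Antivirus with the Windows Update agent reachable. The 7-day signature and full-scan thresholds are assumptions chosen to be stricter than the policy text; the 14-day critical and 30-day important update windows come from the policy. The output CSV path is also an assumption.

```powershell
# Added example (not part of the Custodia policy pack).
# Assumes Windows 10/11 with Microsoft Defender Antivirus; run as an ordinary user or admin.
$now = Get-Date
$av  = Get-MpComputerStatus

$report = [ordered]@{
    Host               = $env:COMPUTERNAME
    CheckedAt          = $now
    AntivirusEnabled   = $av.AntivirusEnabled
    RealTimeProtection = $av.RealTimeProtectionEnabled
    SignatureAgeDays   = $av.AntivirusSignatureAge      # days since the last signature update
    SignatureUpdated   = $av.AntivirusSignatureLastUpdated
    FullScanAgeDays    = $av.FullScanAge                # 4294967295 means no full scan has ever run
    LastFullScan       = $av.FullScanEndTime
}

# Pending updates from the Windows Update agent. MsrcSeverity is Critical/Important/Moderate/Low
# (or empty for non-security updates); LastDeploymentChangeTime is when Microsoft published it,
# which is the clock the 14-day / 30-day policy windows run against.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates)

$overdueCritical  = @($pending | Where-Object {
    $_.MsrcSeverity -eq 'Critical'  -and $_.LastDeploymentChangeTime -lt $now.AddDays(-14) })
$overdueImportant = @($pending | Where-Object {
    $_.MsrcSeverity -eq 'Important' -and $_.LastDeploymentChangeTime -lt $now.AddDays(-30) })

$report.PendingUpdates   = $pending.Count
$report.OverdueCritical  = $overdueCritical.Count
$report.OverdueImportant = $overdueImportant.Count
$report.LastHotfixDate   = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

# Findings against the policy. An empty Findings column is the "compliant" row for the quarter.
$findings = @()
if (-not $av.AntivirusEnabled)          { $findings += 'Antivirus disabled' }
if (-not $av.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
if ($av.AntivirusSignatureAge -gt 7)    { $findings += "Signatures $($av.AntivirusSignatureAge) days old" }
if ($av.FullScanAge -gt 7)              { $findings += "No full scan in $($av.FullScanAge) days" }
if ($overdueCritical.Count -gt 0)       { $findings += "$($overdueCritical.Count) critical update(s) older than 14 days" }
if ($overdueImportant.Count -gt 0)      { $findings += "$($overdueImportant.Count) important update(s) older than 30 days" }
$report.Findings = $findings -join '; '

# One row per device per check, appended to a CSV kept with the SSP (path is an assumption).
$row = [pscustomobject]$report
$row | Export-Csv -Path "$env:USERPROFILE\cmmc-si-evidence.csv" -Append -NoTypeInformation
$row | Format-List
```

Run it on each in-scope Windows device once a quarter (or weekly, if you want the signature check to match the monthly verification clause with margin) and keep the CSV with the signed policy. A device that has never completed a full scan shows up with a FullScanAgeDays of 4294967295, which the threshold check flags as intended.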
Responsibilities
- IT contact: verifies signature freshness monthly; documents patch status, antivirus status, and scan logs quarterly
- All employees: reboot when prompted, do not disable antivirus
- System owner: reviews quarterly status reports
Approved by (name & title)
Date · Next review (12 months)
Policy 07 · Incident Response
Incident Response Policy
Covers
Supports overall L1 hygiene
Purpose
Detect, contain, and report cyber incidents involving company systems.
Policy
- A cyber incident includes: malware infection, unauthorized access to systems or data, lost or stolen devices, suspected phishing compromise, or any event suspected to compromise federal contract information.
- Any employee who suspects an incident must notify the system owner immediately, by any available means.
- On notification, the system owner: contains the affected device (disconnect from network), preserves evidence, and notifies senior management.
- If federal contract information may be involved, the company checks its contracts for reporting obligations and notifies the prime contractor or contracting officer as required. Where DFARS 252.204-7012 is in the contract (it applies to CUI, which is beyond Level 1 scope), it requires reporting to DoD through the DIBNet portal within 72 hours of discovery.
- An incident record is maintained including: detection time, scope, actions taken, root cause, and lessons learned. Records are retained for three years.
Responsibilities
- All employees: report immediately
- System owner: leads containment and reporting
- Senior management: notifies the prime / agency as required
Approved by (name & title)
Date · Next review (12 months)
Policy 08 · Acceptable Use
Acceptable Use Policy
Covers
Supports access control, IA, SC, SI
Purpose
Set expectations for how employees use company systems and information.
Policy
- Company systems and accounts are for company business. Limited personal use is permitted if it does not interfere with work or violate this policy.
- Federal contract information is not stored on personal devices, personal cloud accounts, or personal email.
- Employees do not download unapproved software to in-scope devices.
- Employees do not connect personal USB drives or external storage to in-scope devices without approval.
- Suspected phishing emails are reported to the system owner and not forwarded or clicked.
- Devices are locked when unattended.
Responsibilities
- All employees: acknowledge in writing at hire and annually
- System owner: maintains signed acknowledgments
Approved by (name & title)
Date · Next review (12 months)
