CMMC LEVEL 1

Is Your Business Ready to Work with the Department of Defense?

Federal contracts require it. Prime contractors demand it. Nettology makes it achievable.

CMMC Level 1 certification is now a baseline requirement for any company in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI). If you supply goods or services to the DoD — directly or as a subcontractor — compliance isn’t optional. It’s the cost of doing business.

17 Practices: Foundational cybersecurity controls

6 Domains: Covering your full security posture

Annual Review: Self-assessment affirmed via SPRS

Framework Overview

What Is CMMC Level 1?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD-mandated framework designed to protect sensitive federal information across the defense supply chain. Level 1 — the foundational tier — covers 17 practices drawn directly from FAR Clause 52.204-21 and aligns with basic cyber hygiene principles.

In plain terms: if your organization touches Federal Contract Information in any form, you must demonstrate that you have the fundamental cybersecurity controls in place to protect it.

Domain | Practices
Access Control (AC) | 4 practices
Identification & Authentication (IA) | 2 practices
Media Protection (MP) | 1 practice
Physical Protection (PE) | 4 practices
System & Communications Protection (SC) | 2 practices
System & Information Integrity (SI) | 4 practices

Applicability

Who Needs CMMC Level 1?

CMMC Level 1 applies to any organization that handles Federal Contract Information — data provided by or generated for the government under a contract not intended for public release. This includes a wide range of businesses in the defense supply chain, not just large prime contractors.

A prime or subcontractor with an active DoD contract

A supplier providing goods or services that flow into a federal program

A company in manufacturing, aerospace, defense, or technology bidding on government work

Any organization subject to FAR Clause 52.204-21


Business Impact

What's at Stake

Non-compliance isn’t just a technicality — it carries real consequences for your business, your contracts, and your reputation.

Without Compliance

Contract ineligibility — you cannot bid or perform on DoD contracts requiring CMMC

Loss of existing work — prime contractors may terminate relationships with non-compliant subs

False Claims Act exposure — affirming compliance without meeting requirements carries legal risk

Cybersecurity incidents — unprotected FCI creates liability and reputational damage

With CMMC Level 1

Bid with confidence on DoD contracts requiring CMMC compliance

Strengthen supply chain relationships and become a preferred partner

Protect sensitive federal information and reduce breach risk

Build a documented security posture as a foundation for future growth

Our Engagement

The Nettology CMMC Level 1 Engagement

1. Discovery & Scoping

We start with a focused kickoff to understand your organization, your contracts, the systems that process FCI, and the people who interact with that data. Scope definition is everything — getting this right saves time and money downstream.

2. Gap Assessment

Our consultants systematically evaluate your current environment against all 17 CMMC Level 1 practices. We document what you're doing well, identify gaps, and produce a clear, prioritized gap analysis report.

3. Remediation Planning

We translate findings into a practical remediation roadmap — no jargon, no guesswork. Each gap is paired with a specific, cost-conscious recommendation aligned to your existing infrastructure and budget.

4. Implementation Support

Nettology doesn't hand you a report and walk away. Our engineers can implement the required technical controls, configure systems, update policies, and train your team to close every gap identified.

5. Self-Assessment Preparation

We prepare your organization for the annual self-assessment, reviewing your System Security Plan (SSP), Plan of Action & Milestones (POA&M), and supporting documentation to ensure accuracy and completeness.

6. SPRS Submission Guidance

We guide you through calculating your CMMC Level 1 score and submitting your affirmation to the DoD Supplier Performance Risk System (SPRS) — completing your compliance cycle.

Deliverables

What's Included

Every Nettology CMMC Level 1 Compliance Engagement includes the following deliverables and support.

CMMC Level 1 Gap Assessment Report

A complete analysis of your compliance posture across all 17 practices and 6 domains, with findings rated by severity and effort.

System Security Plan (SSP)

A properly structured SSP documenting your environment, FCI boundaries, personnel, and system controls — the foundation of your compliance record.

Plan of Action & Milestones (POA&M)

A living document capturing outstanding items, remediation timelines, and accountability assignments.

Remediation Roadmap

A clear, prioritized action plan with technology recommendations, policy updates, and procedural improvements tied to your specific gaps.

Policy & Procedure Templates

Customized templates for Acceptable Use, Access Control, Incident Response, Media Protection, and more — tailored to your business.

Staff Awareness Briefing

A focused cybersecurity awareness session covering FCI handling, access hygiene, incident reporting, and physical security basics.

SPRS Score Calculation & Submission

Step-by-step guidance through calculating your self-assessment score and completing the required SPRS affirmation.

Annual Compliance Review

A lightweight annual touchpoint to re-evaluate your posture, update documentation, and recertify your SPRS submission.

Why Nettology

Your Trusted Compliance Partner

We’ve been helping businesses in Pennsylvania, New Jersey, Delaware, and across the country build secure, resilient IT environments for years. CMMC compliance is a natural extension of the work we already do.

Practical, Not Bureaucratic

We translate compliance requirements into plain language and actionable steps. No unnecessary complexity. No scope creep.

We Stay Until It's Done

Our engagement includes implementation support, not just a report. We help remediate gaps, configure systems, and prepare your team.

Right-Sized for Your Business

Whether you're a 10-person manufacturer or a 200-person technology firm, our engagement scales to fit your environment and your budget.

No Conflict of Interest

We advise based on what's right for your organization, not what generates the most billable hours or hardware purchases.

Built on FAR Expertise

CMMC Level 1 is rooted in FAR 52.204-21, a framework our team has worked with extensively in security assessments across industries.

Your IT Partner for the Long Run

Beyond compliance, we're here to manage and protect your entire IT environment — so you can stay focused on your contracts and your mission.

Common Questions

Frequently Asked Questions

Most engagements are completed within 4–8 weeks, depending on your organization’s size, existing security posture, and how quickly remediation items can be addressed. We’ll give you a realistic timeline after our initial scoping conversation.

No. CMMC Level 1 requires an annual self-assessment and affirmation by a senior company official — a third-party C3PAO is not required at this level. Nettology prepares you to conduct that self-assessment accurately and with confidence.

The DoD Supplier Performance Risk System (SPRS) is the portal where contractors record and affirm their CMMC self-assessment scores. Your score and affirmation must be on file before you can be awarded contracts requiring CMMC Level 1. We walk you through every step of this process.

Possibly — it depends on what’s in place and whether it’s been formally documented. Many organizations have technical controls but lack the System Security Plan, policies, or evidence to support a defensible self-assessment. We can scope an engagement appropriately if you already have a strong baseline.

Absolutely. Level 1 builds the foundation for Level 2, which covers 110 practices aligned to NIST SP 800-171 and typically requires a third-party assessment. We’ll keep your roadmap in mind from day one so that Level 2 work builds naturally on what we’ve already put in place.

Get Started Today
(610) 978-5160

Your next DoD contract opportunity could hinge on your compliance status.
Don't let cybersecurity requirements stand between your business and federal work.

Schedule a Free CMMC Level 1 Readiness Consultation

In 30 minutes, we’ll help you understand your current exposure, answer your questions, and outline what a Nettology engagement would look like for your organization.
