CMMC Level-1 Official Requirements

CMMC Level 1 – Official Practice Statements (17 Requirements)


AC.L1-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

AC.L1-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

AC.L1-3.1.20 Verify and control/limit connections to and use of external information systems.

AC.L1-3.1.22 Control information posted or processed on publicly accessible information systems.

IA.L1-3.5.1 Identify information system users, processes acting on behalf of users, or devices.

IA.L1-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

IA.L1-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

MP.L1-3.8.3 Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.

PE.L1-3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

PE.L1-3.10.3 Escort visitors and monitor visitor activity.

PE.L1-3.10.4 Maintain audit logs of physical access.

PE.L1-3.10.5 Control and manage physical access devices.

SI.L1-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.

SI.L1-3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.

SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available.

SI.L1-3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

SC.L1-3.13.1 Monitor, control, and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.


These requirements form the minimum cybersecurity standard for handling Federal Contract Information (FCI) under CMMC Level 1.

MEET THE FOUNDER & CEO

Your Guide: Carson Shaffer


CISSP | CISA | Veteran | SMB Cybersecurity Expert


Carson Shaffer has spent a lifetime turning complexity into clarity. A veteran of the U.S. Air Force, Carson brings military-grade discipline to small business cybersecurity. With top-tier certifications in cybersecurity (CISSP) and IT auditing (CISA), along with firsthand experience running a technology services firm for two decades, he brings both strategic insight and practical experience to helping businesses stay secure and compliant. Carson understands firsthand how small companies operate — and where they struggle.

He built CyberStrongBiz to help companies like yours avoid contract loss and audit failure by simplifying frameworks like CMMC Level 1 and NIST CSF 2.0. His work blends real-world implementation with plain-English guidance — no scare tactics, no fluff, and no cookie-cutter policies.

Carson is also a nationally awarded speaker who’s trained MSPs, coached business owners, and led technical teams — always with humor, clarity, and a deep understanding of how people actually work.


Why Choose Us?


Specialized for Small Businesses:

Tailored, cost-effective solutions designed to address your unique challenges.

NIST CSF 2.0 and CMMC Level-1 Compliance:

We align with national standards to deliver trusted, globally recognized results.

Affordable Expertise:

Enterprise-grade services that fit your small business budget.

This is not the same generic “cybersecurity audit” that so many MSPs and MSSPs are offering today. With backgrounds in engineering, quality assurance, and IT, we understand that any audit must work toward a standard, detailed specification.

The gold standard today is the NIST CSF (the Cybersecurity Framework from the National Institute of Standards and Technology): the baseline that encompasses corporate governance, identification of risk areas, protection, detection, response, and recovery against cybersecurity threats. All of it.

And the insurance companies agree.

NIST is where CMMC comes from

This is not just a port scan or a pen test. This is a comprehensive program that begins an SMB on a journey to REALLY being protected against cyber threats – not just closing ports on the firewall.