CMMC Level 1 Preparation

CMMC Level 1 Readiness Support

Readiness without bloat
Get ready—and stay ready.

CMMC Level 1 support that starts with scope, documents what you actually do, maps evidence cleanly, and provides an annual self-attestation preparation checklist.

What this solves

CMMC Level 1 is basic safeguarding aligned to FAR 52.204-21. The hard part for most small contractors isn’t security—it’s documentation and repeatable evidence.

Readiness means you can explain how each requirement is met, show the evidence, and keep it from drifting when accounts, devices, or staff change.

Common signals

  • Unclear system scope (FCI touches more systems than expected).
  • Evidence exists but is scattered (scramble when asked to prove it).
  • Policies are generic templates that don’t match your tooling.
  • Access reviews, onboarding/offboarding, or MFA enforcement aren’t repeatable.
  • No repeatable annual self-attestation preparation process — evidence and documentation can drift after initial setup.

How the work runs

We start with scope and evidence mapping before recommending new tools.

1) Scope definition

Identify where FCI lives, who accesses it, and the system boundaries.

2) Evidence mapping

For each requirement: what you do, who does it, and where it’s documented.

3) Evidence matrix

Define proof artifacts and where they are stored (with naming conventions).

4) Gap closure plan

Prioritize missing requirements and weak evidence—fast fixes first.

5) Documentation set

Policies/procedures/checklists tailored to your environment.

6) Self-attestation prep package

Annual checklist plus evidence organization guidance to support your next affirmation.

What you get

The focus is defensible readiness: clear documentation plus organized proof.

Requirement-to-evidence matrix

Requirement → implementation → proof → location.

Tailored documentation set

Short, specific policies/procedures/checklists aligned to your tools.

Gap list + roadmap

Prioritized remediation options with owners and timelines.

Evidence checklist

What to capture, how to label it, and where to store it.

Annual self-attestation prep package

One-page checklist and evidence refresh guidance aligned to FAR 52.204-21.

Executive summary

Plain-language readiness status for leadership or primes.

Note: McLean Risk facilitates documentation alignment and readiness preparation. Clients retain responsibility for technical implementation, control operation, and final certification decisions.

Quick self-check

If these are true, you’re close—but your evidence discipline is the weak link.

  • MFA is enabled, but you don’t have a repeatable user access review process.
  • Devices are encrypted, but proof screenshots/logs aren’t organized.
  • You have policies, but they don’t match your actual tooling and workflow.
  • Offboarding is manual and inconsistent.
  • You don’t have a standing checklist for patching, access review, and evidence capture.

FAQ

Is Level 1 the same as NIST SP 800-171?

No. Level 1 aligns to FAR 52.204-21 basic safeguarding. NIST SP 800-171 is deeper and more aligned to higher maturity expectations.

Do we need new cybersecurity tools?

Often no. Configuration + process + evidence organization usually come first. Tools are recommended only when gaps require them.

What counts as evidence?

Screenshots of settings, access review records, MFA configs, training logs, patching logs, and written procedures—depending on the requirement.

Will you attest compliance for us?

No. McLean Risk helps you identify gaps and options. Final attestations remain with your organization.