This article is written by Mike Semel, a CMMC Certified Assessor who has created Compliance ESSENTIALS for MSPs that includes guidance on implementing CMMC Level 1 and CMMC for MSPs to help MSPs deliver CMMC Level 2 compliance.
If you think CMMC is only for big prime contractors and smaller defense contractors that handle Controlled Unclassified Information (CUI), requiring CMMC Level 2 compliance, you’re leaving a massive pile of money on the table.
CMMC Level 1 is the entry ticket for over 200,000 defense contractors that only touch Federal Contract Information (FCI)—not CUI.
The Level 1 contractors have Department of War (DoW) contracts but never see technical drawings, controlled tech data, or sensitive research. They just get non-public contract details, schedules, and contract-related communications. Many are small local businesses that would never describe themselves as defense contractors. Their websites don’t have pictures of fighter jets or submarines. You have to ask if they have government contracts.
Examples include janitorial companies that clean offices at a local National Guard armory or reserve center, landscaping companies that mow lawns or remove snow at military facilities, building maintenance companies, security guard companies, alarm companies, truckers, painters, electricians, etc. Some may already be your clients.
And every one of them needs help from somebody who understands cybersecurity and can guide them through a self-assessment. That “somebody” can be you.
CMMC Level 1 Is Not Just “Basic IT”
Level 1 is all about protecting FCI — information the government gives or generates under a federal contract that’s not public, but also isn’t CUI or classified.
The DoW has boiled Level 1 down to 15 basic safeguarding requirements broken into 58 specific objectives: things like access control, passwords, malware protection, secure disposal, physical security, and the basic network protections you do every day.
These are all defined in the CMMC Level 1 Scoping Guide and Self-Assessment Guide, which you can download for free.
On paper, that sounds simple. That’s why a lot of contractors say, “We already do that. Our IT guy handles it.”
But under the CMMC Final Rule, “simple” still has structure and teeth:
- Level 1 contractors must perform a formal self-assessment at least annually.
- A perfect score is required to pass.
- They must submit their score and a legal affirmation of compliance into the Supplier Performance Risk System (SPRS) to qualify for new awards and option years.
- If they don’t have a current, passing Level 1 (Self) status in SPRS, the contracting officer can’t award or renew the contract.
So, Level 1 isn’t “optional hygiene.” It’s now a go/no-go business requirement for doing work with the DoW.
The Catch: 15 Requirements, 58 Questions, and the False Claims Act
Here’s where the MSP opportunity really kicks in.
Those 15 requirements break down into 58 specific things the contractor has to legally attest are in place and working.
DoW didn’t write that list so people could just “check yes” and move on. The Level 1 Assessment Guide makes it clear that to complete a self-assessment the contractor must:
- Examine documents, configurations, logs, and diagrams.
- Interview staff.
- Test safeguards to show they actually work.
Then they legally affirm in a federal system that everything is truly implemented. That’s where the False Claims Act risk comes in. If a contractor says “we’re compliant” but can’t actually back it up, they’ve just made a false statement to the federal government—and the Department of Justice has already used the FCA to go after small companies that misrepresented cybersecurity. Penalties can include treble damages, per-claim penalties, and very expensive legal adventures.
Why This Is a Perfect Fit for MSPs
Let me translate Level 1 into MSP language:
- The 15 requirements are things you already sell: patching, antivirus, basic boundary protection, user accounts, backups, physical security practices, and media handling.
- The gap isn’t just technology—it’s scoping, documentation, and evidence.
- Most Level 1 contractors don’t have CISOs, compliance teams, or security architects. They have an owner, maybe a controller, and you.
Level 1 gives you a repeatable, high-margin service offering that sits on top of what you already do:
- CMMC Level 1 readiness assessments
- Evidence collection and documentation
- SPRS scoring support (coaching them, not signing for them)
- Annual re-assessment and continuous improvement
You don’t need to dive into the deep end of the CMMC pool to help with Level 1. You just need to understand the 15 requirements, the 58 objectives, and how to translate all that into normal-people language for your clients.
How to Package CMMC Level 1 as a Service
Here’s a simple way to turn this into a scalable productized offering.
1. FCI Scoping & Discovery Workshop
After verifying they have contracts, help the client answer: Where does FCI live?
- Which systems, users, locations, and cloud services touch FCI?
- Are there ways to segment FCI into a smaller, better-controlled enclave?
Most small contractors have never thought about their “FCI scope,” which probably includes cloud services and mobile devices. You can walk in and untangle it for them.
2. Gap Assessment Against the 15 Requirements / 58 Objectives
Take the Level 1 Guide and walk through each requirement and its objectives in plain English:
- Do you control who can access FCI systems and what they can do?
- Do you know exactly how you identify and authenticate users?
- How do you dispose of old computers, drives, and paper that contain FCI?
- How do you manage visitors and physical access?
Turn your findings into a simple scorecard: Met / Not Met / Not Applicable, with a prioritized remediation roadmap.
3. Remediation Projects (Your Normal MSP Work, with Compliance Framing)
Now all the things you’ve been begging them to do “for security” become required for contract eligibility:
- Locking down firewalls and remote access
- Cleaning up old local admin accounts
- Implementing basic endpoint protection and patching
- Putting a real process around user onboarding/offboarding
- Tightening physical access to network closets and servers
You get paid project work and recurring services, and the client gets closer to a passing Level 1 score.
4. Documentation & Evidence Binder
While CMMC Level 1 doesn’t require documentation to be uploaded with the legal affirmation of compliance, contractors are subject to random DoW audits and may be investigated based on whistleblower complaints.
Help the client build an “evidence binder” (physical or digital) that includes:
- Short, practical policies and procedures
- Network and data flow diagrams showing FCI systems
- Visitor logs and key/access records
- Screenshots or reports showing security settings and scans
You’re not turning them into a Fortune 500, just giving them enough documentation to defend their self-assessment.
5. Coaching & Annual Tune-Ups
Finally, sit with the owner or executive and walk through the self-assessment so they can honestly affirm compliance in the SPRS system.
Then turn this into a recurring engagement:
- Annual Level 1 self-assessment support
- Mid-year check-ins to update documentation and address changes
- Ongoing monitoring, patching, and security services
Now you’ve shifted from “IT guy” to risk and compliance partner—which is harder to replace, easier to justify at higher prices, and far more defensible when something goes wrong.
The Bottom Line
CMMC Level 1 isn’t a throwaway requirement. It’s a federal gatekeeper for small defense contractors—and a massive opportunity for MSPs who are willing to learn the rules and lead their clients through them.
You can sit on the sidelines or you can own Level 1, help clients keep their contracts, and build a profitable, defensible service solution out of work you’re already half doing today. This is your space to claim.