CMMC Level 1 · FCI Compliance

CMMC Level 1 Made Clear and Manageable

One flat-fee engagement. Nine structured deliverables. Your SPRS score updated. Your team prepared. Your compliance owned — not rented.

$7,000 flat fee. 15 practices. Everything you need.

What Is CMMC Level 1?

CMMC Level 1 is the baseline cybersecurity compliance tier for Department of Defense contractors who handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract that is not intended for public release.

Level 1 requires compliance with 15 basic cybersecurity practices derived from FAR 52.204-21. Unlike Level 2, Level 1 does not require a third-party assessor — instead, organizations must complete an annual self-assessment and submit their score in SPRS (Supplier Performance Risk System). The challenge: most organizations that attempt Level 1 on their own produce incomplete documentation, miss required evidence, or submit SPRS scores that don't reflect their actual posture — exposing them to risk if the DoD performs a spot check.

9 Structured Deliverables. Complete Coverage.

Every deliverable is audit-ready, organized in your Cavalry GRC Tool, and designed to hold up to a DoD spot check.

01

Scope Definition

We identify exactly which systems, processes, contracts, and people fall under CMMC Level 1 requirements. Nothing gets over-scoped. Nothing that should be in scope gets missed.

02

Policy & Procedure Development

We draft or refine the documentation that supports every Level 1 practice — written in clear, audit-ready language that holds up to a DoD review.

03

Gap Analysis

We compare your current practices against all 15 Level 1 requirements and document exactly where you're compliant, partially compliant, or missing the mark.

04

Evidence Guidance & Organization

We identify exactly what evidence each practice requires — screenshots, logs, training records, configurations — and guide your team or their IT resources in gathering it.

05

SPRS Submission Support

We guide your team through the complete SPRS submission process, ensuring your self-assessment score is accurate, defensible, and properly recorded.

06

Staff Training & Awareness

Your team learns the basics: password hygiene, access control, incident reporting, and the security behaviors that Level 1 practices require. Practical, not theoretical.

07

Gap Remediation Planning

Any gaps identified during assessment get a prioritized remediation plan — with recommended actions, timelines, and clear ownership — so you can close them before finalizing your self-assessment.

08

Assessment Preparation Coaching

We prepare your leadership and staff for the possibility of a DoD spot check — what questions will be asked, what evidence will be requested, and how to respond confidently.

09

Continuous Monitoring Guidance

We establish simple, practical routines your team can follow year-round to maintain your Level 1 posture — not just on assessment day.

Flat Fee. Full Scope. No Surprises.

$7,000

Complete Level 1 Self-Assessment Package

Flat fee covering all 9 deliverables. No hourly rates. No scope creep. No unexpected invoices. You know exactly what you're getting and what it costs before you sign anything.

  • Scope definition
  • Policy & procedure development
  • Full gap analysis
  • Evidence collection
  • SPRS submission support
  • Staff training
  • Gap remediation planning
  • Assessment coaching
  • Monitoring guidance

🛡️ Requires Cavalry GRC Tool subscription — $150/month per organization

Frequently Asked Questions

Typically 4–8 weeks, but it largely depends on your organization’s size, existing documentation, and how responsive your team is in developing and adopting policies and procedures, implementing required practices, and gathering the evidence needed to demonstrate compliance.

Level 1 does not use a formal POA&M process — that's a Level 2 construct. For Level 1, your self-assessment score in SPRS should reflect your actual posture at the time of submission. If gaps exist, the right path is to close them before self-attesting. We help you understand your real posture so your submission is accurate and defensible.

It depends on the type of information your contracts involve — and the two levels are scoped around different types. Level 1 applies to organizations handling Federal Contract Information (FCI): government-provided information not intended for public release. Level 2 applies to organizations handling Controlled Unclassified Information (CUI): a more sensitive category with specific handling and protection requirements. If your contracts involve FCI but not CUI, Level 1 is likely your requirement. If you're handling CUI, you're looking at Level 2. Not sure which applies? Schedule a discovery call and we'll work through it together.

Yes — Compliance Cavalry serves defense contractors across the entire country. All engagements are fully remote-capable.

You own everything. All documentation, evidence, and compliance tracking lives in your GRC Tool. You maintain your posture independently using the continuous monitoring routines we establish. No forced retainers.

Ready to Get Level 1 Right the First Time?

Schedule a free discovery call and we'll walk you through exactly what your Level 1 engagement looks like, what your timeline should be, and what we'll need from your team.

✉ biz@ComplianceCavalry.com
🕐 Monday – Friday, 7:30am – 5:00pm