FREE DOWNLOAD
CMMC 2.0 began on November 10, 2025, and your DoD contracts might be at risk. Find out what your IT team needs documented before the auditor arrives. The free CMMC Compliance Checklist outlines exactly how to keep your IT team compliant.
Pass Level 1-3 compliance requirements confidently with the following team-assessment tools:
CMMC Compliance Itemized Excel Sheet
Detailed CMMC Compliance Checklist
This resource was developed by InfoSec professional Bob Salmans. It was designed to help your IT team ace CMMC compliance and continue winning DoD contracts.
Use this CMMC checklist with:
CMMC Level 1 will apply to any organization handling Federal Contract Information (FCI). These will typically be small to mid-sized defense contractors, IT service providers, and government suppliers who don't touch classified data but are still required to demonstrate basic cybersecurity best practices to maintain their DoD contract eligibility.
If your team manages systems, networks, or data under a DoD contract, you'll need to complete a Level 1 assessment. When your next contract renewal or audit comes around, you don't want your team scrambling to create relevant documentation. Here's what Level 1 compliance requires.
ㅤ
ㅤReview the CMMC Level 1 Self-Assessment Guide.
Understand the 15 required security controls, and 56 objectives.
Verify that the security requirements are in place within your organization
ㅤDocument all assets that store, process, or transmit FCI.
Include both physical and virtual assets.
Identify and list all personnel who handle FCI, as they require specific training.
ㅤThere is no official self-assessment template, so use or create a custom spreadsheet. Our CMMC Checklist includes a downloadable .xlsx that your team can use to perform a self-assessment.
Review each control and verify implementation.
Update your assessment regularly as requirements evolve.
ㅤㅤCollect documentation to prove each control is implemented.
Use screenshots, or system & audit logs.
Store evidence in a secure place with clear naming conventions, and organize it by control for easy retrieval.
ㅤㅤCollect documentation to prove each control is implemented.
Use screenshots, or system & audit logs.
Store evidence in a secure place with clear naming conventions, and organize it by control for easy retrieval.
ㅤWhile not required for Level 1, a System Security Plan (SSP) is required for Levels 2 and 3. An SSP is a formal document that outlines the security controls and processes that an organization has put in place to meet requirements.
Include:
A description of each control’s implementation
References to evidence in appendices
Protect SSP files by marking them Sensitive (headers/footers/watermarks).
Store large or sensitive files (e.g., logs) in a secure repository and reference them in the SSP.
You'll gain access to a self-assessment template, and full Level 1-3 compliance steps.
Getting up and training is simple and painless. Here’s why managers train their teams with us.
The way that CBT Nuggets structures their courses allows me to fit in short training sessions throughout the day which has really accelerated my learning.
Andrew R. | Senior Network Architect
Read more reviewsDelivering trusted IT training across industries and around the world.
Schedule a demo