
CMMC Level 1 for Beginners: What Defense Contractors Need to Know in 2026

If your company does business with the Department of Defense — even as a subcontractor two or three tiers removed from the prime — you’ve probably heard the acronym CMMC floating around lately. Maybe your point of contact mentioned it. Maybe it showed up in a contract clause. Maybe you’re not entirely sure what it means or whether it applies to you.

Here’s the short version: it almost certainly applies to you, the enforcement timeline is real, and getting compliant is more manageable than most people think — especially at Level 1.

This guide is written for defense contractors and subcontractors throughout the country — companies that support government programs and DoD supply chains at every tier.

What Is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It’s a framework developed by the Department of Defense to ensure that companies handling sensitive government information have adequate cybersecurity practices in place.

The concern is straightforward: adversaries — particularly state-sponsored hackers from China, Russia, and elsewhere — have been systematically targeting defense contractors to steal sensitive technical data, designs, and intellectual property. The DoD determined that voluntary cybersecurity guidelines weren’t working, so they created a mandatory certification requirement.

CMMC has three levels. The CMMC Level 1 requirements for 2026 are the entry point, designed for companies that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). If you’re a subcontractor handling general contract information, product specs, or invoicing data related to a DoD contract, Level 1 is likely where you start.

Who Needs CMMC Compliance?

Any company in the DoD supply chain that handles Federal Contract Information must complete at least a CMMC Level 1 self-assessment. This includes:

  • Direct prime contractors working with the Navy, Army, Air Force, or other DoD agencies
  • Subcontractors who receive work from prime contractors across the defense industrial base
  • Tier 2 and Tier 3 suppliers — companies that supply materials, services, or components to subcontractors
  • IT service providers, staffing firms, and professional services companies with access to DoD contract systems

The DoD supply chain spans thousands of companies across every state. If your company touches DoD work in any way (engineering, manufacturing, logistics, staffing, consulting), CMMC requirements very likely apply to you. The main carve-out is narrow: contracts solely for commercially available off-the-shelf (COTS) items are excluded, so a COTS-only supplier may be exempt while everyone else in the chain is not.

The 17 Practices of CMMC Level 1

CMMC Level 1 requires 17 specific cybersecurity practices. They are the 15 basic safeguarding requirements of FAR clause 52.204-21, which map onto 17 controls in NIST SP 800-171 (two of the FAR requirements each cover two NIST controls, which is why you will see both counts quoted). These are foundational security controls, not exotic or highly technical requirements, but things every business should be doing anyway. Here’s a plain-language breakdown:

Access Control (4 practices)

  • Limit system access to authorized users only
  • Limit system access to the types of transactions and functions authorized users are permitted to execute
  • Verify and control all connections to external systems
  • Control information posted or processed on publicly accessible systems

Identification & Authentication (2 practices)

  • Identify the users, processes acting on behalf of users, and devices that access your systems
  • Authenticate (verify) the identity of those users, processes, and devices before allowing access

Media Protection (1 practice)

  • Sanitize or destroy information system media containing Federal Contract Information before disposal or reuse

Physical Protection (4 practices)

  • Limit physical access to systems, equipment, and operating environments to authorized individuals
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access
  • Control and manage physical access devices such as keys, badges, and key cards

System & Communications Protection (2 practices)

  • Monitor, control, and protect communications at external boundaries and key internal boundaries
  • Implement subnetworks for publicly accessible system components

System & Information Integrity (4 practices)

  • Identify, report, and correct information and system flaws in a timely manner
  • Provide protection against malicious code (malware)
  • Update malware protection tools as new releases are available
  • Perform periodic scans of information systems and real-time scans of files from external sources

Note what is not on the list: multi-factor authentication, configuration baselines, audit logging of system events, and incident response all start at Level 2. Level 1 is deliberately limited to the FAR 52.204-21 basics.

If you look at that list and think, “We’re probably doing most of this already,” you might be right. But “probably doing” and “documented, verified, and affirmed” are very different things, and the distinction matters when a prime contractor, a contracting officer, or a DoD reviewer comes asking.

The Self-Assessment Process for CMMC Level 1

Unlike CMMC Level 3 (assessed by the DoD) and the Level 2 certification track (assessed by a C3PAO), Level 1 is always an annual self-assessment. Your company assesses its own compliance against the 17 practices without hiring a third-party assessor, as long as the assessment is done honestly and documented appropriately.

The CMMC Level 1 self-assessment process for 2026 involves:

  • Scoping: identifying which systems, devices, and people process, store, or transmit FCI (assets that never touch FCI are out of scope)
  • Reviewing each of the 17 practices against that in-scope environment
  • Documenting how each practice is implemented, with evidence an assessor could check (policies, screenshots, configurations, visitor logs)
  • Closing any gaps before you submit: Level 1 does not allow Plans of Action and Milestones (POA&Ms), so every practice must be fully met for the assessment to count as compliant
  • Submitting your self-assessment results to the Supplier Performance Risk System (SPRS)
  • Having a senior company official affirm the results in SPRS, and repeating both the assessment and the affirmation every year

That last point matters more than most people realize. The senior official affirmation is a formal attestation to the government, not a paperwork formality. Level 1 has no numeric score (unlike Level 2, it is simply compliant or not), so affirming compliance while a practice is unmet is a false statement, and false or inaccurate SPRS submissions carry significant legal exposure under the False Claims Act.

The 2026 Enforcement Timeline

The DoD began including CMMC requirements in new solicitations and contracts on November 10, 2025, when the DFARS rule (48 CFR) took effect and Phase 1 of the phased rollout started. Phase 1 requires Level 1 and Level 2 self-assessments in applicable contracts; Phase 2, which begins in November 2026, adds third-party Level 2 certification. By the end of 2026, CMMC requirements are expected to appear in the majority of new DoD contracts and contract renewals, and prime contractors are already flowing them down to their supply chains.

What that means practically: if you’re waiting for your prime contractor to tell you that you need to be compliant before you start, you’re already behind. The time to get your CMMC Level 1 documentation in order for 2026 is now, before a contract opportunity is on the table and the deadline is tight.

Where Companies Typically Struggle

Most small and mid-sized defense subcontractors we work with face similar challenges when they start the CMMC process:

  • No documented policies. The controls might be in practice, but there’s nothing written down, and documented evidence is what lets you affirm compliance with a straight face.
  • Multi-factor authentication isn’t deployed everywhere. MFA on email is common; MFA on VPN, remote access, and privileged accounts is less so. MFA is not a Level 1 practice, but it is required at Level 2 and is the single most effective control against the credential theft that drives most real intrusions, so it belongs on the roadmap now.
  • Outdated hardware or software that can’t support modern security configurations.
  • No formal process for patching and vulnerability management.
  • Confusion about what counts as FCI — and therefore whether they even need to comply.

These are solvable problems. They’re not expensive to fix, but they do require someone who knows what they’re looking for.

Ready to Get CMMC Compliant?

Castle Technology Partners specializes in helping defense contractors navigate the CMMC Level 1 compliance process. We’ll walk through your current environment, identify gaps against the 17 practices, help you build the documentation you need, and make sure your SPRS submission is accurate and defensible.

We also provide the ongoing cybersecurity services to keep you compliant year over year — not just through your first assessment, but through every renewal.

Schedule a free CMMC consultation →
