The 15 CMMC Level 1 Practices Explained Like You're a Human, Not a Lawyer

"Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)."

Only people who are supposed to use your systems should be able to use them. Everyone gets their own login. No shared passwords.

Each employee has their own username and password for your company email and file storage. When someone leaves the company, you disable their account that same day. You don't have a sticky note on the break room wall with the "company password."

"Limit information system access to the types of transactions and functions that authorized users are permitted to execute."

People should only have access to the stuff they need for their job. The intern doesn't need admin access. Your bookkeeper doesn't need access to engineering files.

In Google Workspace or Microsoft 365, you set up shared drives so the accounting team can access financial folders but not the project files for a specific contract. Your office manager can manage calendars but can't delete other people's email.

"Verify and control/limit connections to and use of external information systems."

Be careful about what outside services, apps, and devices connect to your business systems. Don't let random apps or personal devices access your company data without approval.

You don't let employees install random third-party apps that connect to your company Google Drive or OneDrive. If someone wants to use a new project management tool that syncs with company files, it goes through an approval process first—even if that "process" is just asking the boss.

"Control information posted or processed on publicly accessible information systems."

Be careful about what you put on your website, social media, or any public-facing platform. Don't accidentally post sensitive contract information where anyone can find it.

Before posting a project update on your company LinkedIn page, someone reviews it to make sure it doesn't include details about a government contract, internal processes, or anything that should stay private. You have a basic rule: when in doubt, don't post it publicly.

"Identify information system users, processes acting on behalf of users, or devices."

You need to know who and what is on your network. Every person gets a unique account. Every device is identifiable. No anonymous access.

Every employee logs in with their own email address—like jane.smith@yourcompany.com—not a generic "front.desk@" or "info@" account for daily work. If you looked at a file's edit history, you could tell exactly who touched it and when.

"Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems."

Before anyone gets access, they have to prove they're actually them. Passwords, multi-factor authentication (that code texted to your phone)—something that verifies identity.

Every employee signs in with a password that meets your company's complexity requirements. Ideally, you also have multi-factor authentication turned on—so after entering a password, they confirm with a code on their phone. This is a setting you can enable in Google Workspace or Microsoft 365 in about five minutes.

"Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse."

When you throw away or repurpose a computer, hard drive, USB drive, or phone, wipe the data first. Don't donate your old laptop with contract files still on it.

Before recycling an old company laptop, you factory-reset it or use a disk-wiping tool to erase everything. If it's a USB drive you no longer need, you either wipe it or physically destroy it. You keep a simple log: "Wiped laptop serial #XYZ on [date]."

"Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals."

Don't let random people walk up to your computers and servers. Lock your office. Control who gets in the building.

Your office has a locked front door. Employees have keys or access cards. The server closet (or the room with important equipment) isn't left open for anyone to wander into. If you work from a home office, you have a dedicated workspace that guests and family members don't use.

"Escort visitors and monitor visitor activity; maintain audit logs of physical access."

When non-employees visit your office, someone accompanies them. Don't leave the repair technician alone in a room full of computers with contract data.

When the IT technician comes to fix the printer, an employee stays in the area. Visitors sign in at the front and sign out when they leave. It doesn't have to be fancy—a clipboard with names, dates, and times works fine.

"Maintain audit logs of physical access."

Keep a record of who enters areas where your systems and data are located.

That visitor sign-in sheet we just mentioned? That's an audit log. If you have an electronic key card system, it automatically tracks entries. Even a simple spreadsheet listing who accessed the server room and when counts. The point is having a record you can look back at if needed.

"Control and manage physical access devices."

Keep track of your keys, access cards, and badges. Know who has them. Get them back when someone leaves.

You maintain a list of who has which office keys or access badges. When an employee leaves, collecting their key or badge is part of the offboarding checklist—right alongside disabling their email. If a key goes missing, you change the locks or re-key rather than hoping for the best.

"Screen individuals prior to authorizing access to organizational systems containing Federal Contract Information."

Before giving someone access to systems with government contract data, do a basic check on them. You need to know who you're trusting with sensitive information.

You run a background check before hiring employees who'll handle contract data. This doesn't have to be a federal investigation—a standard employment background check satisfies this requirement. The key is having a documented process: "Before granting access, we verify [these things]."

"Protect and monitor the physical facility and support infrastructure for organizational systems."

Take reasonable steps to physically protect your workspace—things like fire safety, environmental controls, and making sure your equipment isn't vulnerable to theft or damage.

Your office has working fire alarms and extinguishers. The server or network equipment isn't sitting on the floor in a flood-prone basement. You lock up at night. If you have security cameras, even better—but basic physical security measures are what this is about.

"Identify, report, and correct information and information system flaws in a timely manner."

Keep your software updated. When there's a security patch or update available, install it. Don't ignore those "update available" notifications for six months.

You have automatic updates turned on for Windows, macOS, or Chrome OS. When Google Workspace or Microsoft 365 rolls out security updates, they happen automatically. For other business software, you check for updates regularly—at least monthly. When something breaks or looks suspicious, you have a way to report and address it.

"Provide protection from malicious code at appropriate locations within organizational information systems."

Use antivirus and anti-malware protection. Keep it updated. Make sure it's actually running on your computers.

Every company computer runs antivirus software—Windows Defender (built into Windows), or a business antivirus solution like SentinelOne or Bitdefender. It's set to update automatically and run regular scans. You haven't disabled it because "it slows things down."