Your Laptop Is Fine. Here's What Actually Matters for CMMC.
You don't need new hardware—you need the right configuration.
Published February 2026 | CMMC Level 1 | Device Configuration & Compliance
"Do I need to buy special government-approved computers?"
We hear this question at least three times a week. Small defense contractors convince themselves they need to replace every laptop, desktop, and phone in their office before they can even start on CMMC Level 1. They've heard horror stories about six-figure IT overhauls and specialized "government-grade" hardware.
Here's the truth that should save you a lot of money and a lot of stress: your current equipment is almost certainly fine. CMMC Level 1 doesn't care what brand your laptop is, what kind of phone you carry, or whether you work from a corporate office or your spare bedroom. It cares how you've configured your devices and your network.
The Myth That's Costing You Time (Not Money)
Somewhere along the way, "cybersecurity compliance" became synonymous with "expensive technology purchases." Maybe it's because the big consulting firms make more money if you think you need a complete hardware refresh. Maybe it's because the government's technical language makes everything sound more complex than it is.
Whatever the cause, it's created a myth that stops small contractors dead in their tracks before they even begin.
"I need specialized, government-approved hardware"
You've been told you need to rip out every machine and replace it with something "certified." The budget estimates start climbing. The project stalls before it begins.
Standard business laptops and computers work just fine
A Dell Latitude. A Lenovo ThinkPad. A MacBook Pro. An HP ProBook. All perfectly capable of CMMC Level 1 compliance. The hardware isn't the issue—your settings are.
"My personal phone can't be used for DoD work"
You assume mobile devices are automatically non-compliant and you need separate "work phones" with special software.
Your phone can be compliant with proper configuration
iPhones and Android devices can meet CMMC Level 1 requirements. It's about enabling the right settings—passcodes, encryption, screen locks—not about buying new devices.
"Encryption requires special enterprise software"
You've been quoted thousands for encryption solutions and assume it's complex, expensive technology.
Most modern devices have encryption built in
Windows has BitLocker. macOS has FileVault. iPhones and modern Androids encrypt by default. You likely just need to verify it's turned on.
The pattern here is clear: CMMC Level 1 is about how you configure and manage your devices, not what brand or model they are.
What Actually Matters: The Five Configuration Areas
Instead of shopping for new hardware, here's where your time and attention should go. These are the configuration areas that CMMC Level 1 assessors actually care about. None of them require a purchase order.
1. Passwords and Access Controls
This is the front door to your devices. CMMC doesn't require biometric scanners or hardware tokens at Level 1—it requires that you have meaningful password and access policies in place and that your devices enforce them.
Think about it: Do your laptops require a password to log in? Do those passwords have minimum length and complexity requirements? Are they changed periodically? Are old accounts from former employees disabled?
These are settings you configure once and your devices enforce automatically. Your current laptop already supports every one of these. You just need to make sure the right options are turned on—and that you can prove they're turned on.
2. Screen Lock and Session Timeout
When you walk away from your computer, does the screen lock automatically? How quickly? This is one of the simplest CMMC requirements, and it's a setting that takes about 30 seconds to configure on any laptop.
Windows, macOS, and mobile devices all have built-in screen lock and timeout settings. There's nothing to buy. There's only a setting to enable and a configuration to document.
3. Encryption
Encryption sounds intimidating. It sounds expensive. In reality, it's probably already available on your device—and might even be turned on already.
- Windows 10/11 Pro and Enterprise: BitLocker is built in. It's a feature of the operating system you already own.
- macOS: FileVault comes with every Mac. It's a toggle in System Settings.
- iPhones: Encrypted by default when you set a passcode.
- Modern Android devices: Encrypted by default on most models manufactured in the last several years.
The key question isn't "do I have encryption?"—it's "can I prove encryption is active on every device that handles Federal Contract Information?"
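One way to turn the built-in status commands into evidence rows, as an added example that is not from the original article. It parses constructed samples of `manage-bde -status` (Windows, English locale assumed) and `fdesetup status` (macOS) output; the host names, dates and record layout are hypothetical.

```python
import re

# Constructed sample of `manage-bde -status C:` output (English locale assumed).
BITLOCKER_ON = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
# Same disk with BitLocker suspended: still encrypted, but protection is off.
BITLOCKER_SUSPENDED = BITLOCKER_ON.replace("Protection On", "Protection Off")
# Constructed samples of `fdesetup status` output on macOS.
FILEVAULT_ON = "FileVault is On.\n"
FILEVAULT_OFF = "FileVault is Off.\n"

def bitlocker_active(text):
    """True only if the volume is fully encrypted AND protection is on."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]+(.+?)[ \t]*$", text, re.M))
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")

def filevault_active(text):
    """True only for the plain 'On' report; anything else counts as unproven."""
    return text.strip() == "FileVault is On."

def evidence_record(host, platform, raw, collected_on):
    """Build one evidence row; the raw output is kept so it can be shown as-is."""
    check = {"windows": bitlocker_active, "macos": filevault_active}[platform]
    return {"host": host, "platform": platform, "encrypted": check(raw),
            "collected_on": collected_on, "raw": raw}

if __name__ == "__main__":
    rows = [evidence_record("laptop-01", "windows", BITLOCKER_ON, "2026-02-10"),
            evidence_record("laptop-02", "windows", BITLOCKER_SUSPENDED, "2026-02-10"),
            evidence_record("mac-01", "macos", FILEVAULT_OFF, "2026-02-10")]
    for r in rows:
        print(r["host"], r["platform"], "PASS" if r["encrypted"] else "FAIL")
```

The suspended case is the one a screenshot of "Fully Encrypted" alone would miss, which is why both fields are checked.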
4. Antivirus and Malware Protection
You almost certainly have antivirus software. Windows Defender comes free with every Windows machine and is a legitimate, capable solution. macOS has built-in protections. You don't need a $5,000 enterprise security suite for CMMC Level 1.
What you do need is to verify it's enabled, confirm it's updating automatically, and—here's the part people miss—document that it's active and current on every device in your environment.
5. Updates and Patching
CMMC Level 1 requires that you identify and fix system flaws in a timely manner. Translation: keep your devices updated. Enable automatic updates. Don't click "remind me later" for six months straight.
Your operating system, your applications, your browsers—they all need to stay current. This isn't about buying anything new. It's about configuring automatic updates and verifying they're working.
💡 Pro Tip: The Pattern You Should Notice
Every single one of these configuration areas follows the same formula:
- Verify the setting is available on your device (it almost always is)
- Enable the right configuration
- Document that it's configured correctly
That third step—documentation—is where most small contractors stumble. Not because the settings are hard, but because they don't know how to document or what to capture. More on that in a moment.
Need Help Configuring Your Devices?
Our Turnkey Package includes step-by-step configuration guides for every device in your environment—laptops and desktops (both Mac and Windows), phones and tablets (both iOS and Android), and even your small office or home office network setup. All tailored to your specific platform, whether you're running Google Workspace or Microsoft 365.
Yes, Your Phone Can Be Compliant Too
Mobile devices are the wild card that makes small contractors nervous. You're checking email on your phone. You're opening attachments from a prime contractor in your truck. You're reviewing documents between meetings on a tablet.
Does all of that need to stop? No. But it does need to be configured and managed properly.
If a mobile device touches Federal Contract Information—even just email—it falls within the scope of your CMMC assessment. That doesn't mean you need a separate "work phone." It means:
- The device has a strong passcode or biometric lock enabled
- The device encrypts data (most modern smartphones do this automatically)
- The screen locks after a period of inactivity
- The device is kept updated
- You have a policy for what happens if the device is lost or stolen
Your iPhone or Android device can meet every one of these requirements. The hardware is capable. The question is whether the settings are enabled and whether you can prove it.
The BYOD Question
Using personal devices for work (Bring Your Own Device) isn't automatically disqualified under CMMC Level 1. But it does add complexity to your documentation. You need clear policies about what personal devices can access, how they're configured, and what happens when an employee leaves.
This is an area where having the right templates and policy guidance saves hours of headaches. Don't try to write a BYOD policy from scratch—use one designed specifically for CMMC compliance in a small business environment.
The Real Gap: Having It vs. Proving It
Here's the uncomfortable truth that this entire article has been building toward:
Configuration Isn't Enough. Documentation Is the Requirement.
You could have every laptop, phone, and tablet in your office configured perfectly. BitLocker enabled. Passwords enforced. Automatic updates running. Screen locks at two minutes. Antivirus current.
And you could still fail a CMMC assessment.
Because CMMC doesn't just ask "are you doing this?" It asks "can you prove you're doing this?" An assessor—or a prime contractor asking for evidence—needs documentation. Screenshots. Configuration records. Policy documents that describe your approach. Evidence that these settings are applied consistently across every device in your environment.
This is the gap that catches people off guard. They spend time configuring everything correctly (which is important) but skip the documentation step (which is what makes you actually compliant).
For each device configuration area, you need to be able to show:
- What your policy says — A clear document describing your configuration requirements
- How it's implemented — Evidence that the settings are actually applied on your devices
- That it's consistent — Proof that every device, not just one, meets the standard
- That it's current — Documentation that's been reviewed and is up to date
This is where most small contractors get stuck. Not because the technical work is hard, but because they don't know what documentation an assessor actually wants to see.
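The implemented / consistent / current checks above can be run mechanically over an evidence register. The following is an added example, not part of the original article: the device names, dates, register layout and the 90-day review window are all assumptions made for illustration.

```python
from datetime import date

# The five configuration areas from this article.
AREAS = ["access_control", "screen_lock", "encryption", "antivirus", "updates"]
MAX_EVIDENCE_AGE_DAYS = 90  # assumed review interval; the article does not give one

_ok = {a: (True, date(2026, 1, 20)) for a in AREAS}
# Constructed register: device -> area -> (setting verified?, date evidence captured)
REGISTER = {
    "laptop-01": dict(_ok),
    "laptop-02": {**_ok, "encryption": (False, date(2026, 1, 20))},
    "desktop-01": {"access_control": (True, date(2025, 6, 1)),
                   "screen_lock": (True, date(2026, 1, 22)),
                   "encryption": (True, date(2026, 1, 22)),
                   "antivirus": (True, date(2026, 1, 22))},  # no "updates" entry
}

def find_gaps(register, today):
    """List (device, area, reason) for every area that cannot be proven today."""
    gaps = []
    for device, areas in sorted(register.items()):
        for area in AREAS:
            if area not in areas:
                gaps.append((device, area, "no evidence on file"))
                continue
            verified, captured = areas[area]
            if not verified:
                gaps.append((device, area, "setting not enabled"))
            elif (today - captured).days > MAX_EVIDENCE_AGE_DAYS:
                gaps.append((device, area, "evidence out of date"))
    return gaps

def area_consistency(register):
    """Per area: is the setting verified on every device, not just one?"""
    return {a: all(dev.get(a, (False, None))[0] for dev in register.values())
            for a in AREAS}

if __name__ == "__main__":
    for device, area, reason in find_gaps(REGISTER, date(2026, 2, 15)):
        print(f"{device:11} {area:15} {reason}")
    print(area_consistency(REGISTER))
```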
💡 Pro Tip: Platform-Specific Configuration Guides Make This Faster
Generic CMMC guidance tells you "enable encryption" and "enforce passwords." That's not particularly useful when you're staring at your computer wondering which menu to click.
What you need is a guide that says: "Open this specific setting, on this specific platform, toggle this specific option, and take this specific screenshot for your evidence." That level of specificity is what turns a weekend-long research project into a 30-minute configuration task. Our toolkit includes exactly that—detailed guides covering Mac and Windows computers, iOS and Android phones and tablets, and small office/home office network configuration, all tailored to Google Workspace and Microsoft 365 environments.
Google Workspace vs. Microsoft 365: Both Work, Both Need Configuration
One of the most common questions we get is whether Google Workspace or Microsoft 365 is "better" for CMMC compliance. The short answer: both platforms are fully capable of supporting CMMC Level 1 compliance. The longer answer involves some nuance around editions, admin settings, and configuration details that differ between the two.
Google Workspace
Google Workspace has its own admin console with security settings that map to CMMC requirements. Device management, password policies, session controls, and data protection settings are all configurable through the admin panel.
The specific edition of Google Workspace you're using matters—not all editions include the same security controls. (We covered this in detail in our Google Workspace edition guide.)
Microsoft 365
Microsoft 365 provides extensive security configuration through its admin center, Entra ID (formerly Azure AD), and Intune for device management. Password policies, conditional access, encryption settings, and update management are all available.
Like Google, the specific plan you're on determines what security features are available. Direct purchase vs. reseller accounts can also affect your options. (Details in our Microsoft 365 comparison.)
The point isn't which platform is "right"—it's that both require deliberate configuration. Out-of-the-box settings on either platform won't meet CMMC requirements. You need to go in, adjust the security settings, and document what you've done.
And because the admin interfaces, setting locations, and terminology differ between Google and Microsoft, you need guidance that's specific to your platform. Generic instructions that say "enable MFA" don't help when you can't find the setting.
Platform-Specific Guides. Expert Support. No Guesswork.
Our Turnkey Package ($2,495/year) includes detailed configuration guides for laptops and desktops (Mac and Windows), phones and tablets (iOS and Android), and small office/home office network setups—all tailored to both Google Workspace and Microsoft 365 environments. Plus 8 bi-weekly expert consultation sessions to walk you through every step. Most clients complete their Level 1 assessment in 2-4 weeks.
A Quick Reality Check for Your Devices
Before you go any further, take two minutes and answer these questions about your current setup. Be honest—this is just for you.
Your 2-Minute Device Assessment
- Do all laptops and desktops require a password to log in? (If yes: you're partially meeting access control requirements.)
- Do your devices lock the screen after a period of inactivity? (If yes: session management is in progress.)
- Is encryption turned on? Check BitLocker (Windows) or FileVault (Mac). (If yes: data protection is partially addressed.)
- Is antivirus software installed and running on every computer? (If yes: malware protection is in progress.)
- Are automatic updates enabled? (If yes: system patching is partially covered.)
- Do mobile devices that access work email have a passcode or biometric lock? (If yes: mobile device security is in progress.)
If you answered "yes" to most of these, your hardware and basic configuration are in better shape than you thought. The remaining work is verifying specific settings, tightening configurations to meet exact requirements, and documenting everything.
What Happens Next
Your laptops are fine. Your phones can work. Your tablets don't need to be replaced. That's the headline, and it should take some weight off your shoulders.
But "your hardware works" is only step one. The journey from "my devices are capable" to "I'm CMMC Level 1 compliant" involves:
- Detailed configuration — Going into each device (Mac, Windows, iOS, Android) and your network equipment to enable and verify every required setting
- Network configuration — Ensuring your small office or home office network is properly secured, segmented, and documented
- Evidence collection — Capturing screenshots, configuration exports, and reports that prove your settings are correct across all devices and your network
- Policy documentation — Creating clear policies that describe your device and network management approach (don't worry—our next article in this series covers why your policies don't need to be 50 pages long)
- Consistent application — Ensuring every device in your environment, not just one, is configured correctly
This is where trying to figure it all out on your own starts to get frustrating. Not because the work is technically difficult—it's not—but because knowing exactly which settings to change, exactly what evidence to capture, and exactly what format an assessor wants to see requires specific knowledge about CMMC requirements and assessment expectations.
The Fastest Path Forward
Our clients don't spend weeks researching which settings to change. They open our platform-specific configuration guide for their exact device—whether it's a Windows laptop, a Mac, an iPhone, an Android tablet, or their home office router—follow the step-by-step instructions for their environment (Google Workspace or Microsoft 365), capture the evidence our templates tell them to capture, and move on to the next requirement.
That's why most clients complete their entire Level 1 assessment in 2-4 weeks. The device configuration piece? That's typically handled in the first few sessions—not because they bought new equipment, but because they had the right guide showing them exactly what to do with the equipment they already own.
Coming Up Next in This Series
Now that you know your devices are fine, the next question on your mind is probably about documentation and policies. In Part 4: "You Don't Need 50-Page Policies", we'll tackle the documentation myth head-on and show you what CMMC Level 1 policies actually need to look like for a small business.
Spoiler: they're a lot shorter than you think.
Catch Up on the Series
- Part 1: You're Already 70% Compliant. You Just Don't Know It Yet.
- Part 2: The 15 CMMC Practices Explained Like You're a Human, Not a Lawyer
- Part 3: Your Laptop Is Fine. Here's What Actually Matters. (You are here)
- Part 4: You Don't Need 50-Page Policies. (Coming soon)
- Part 5: Your Compliance Evidence Is Everywhere. Let's Fix That.
- Part 6: What Happens After You're CMMC Compliant?
Stop Researching. Start Configuring.
Your equipment is ready. You just need the roadmap. Book a free 30-minute consultation and we'll assess your current setup—computers, phones, tablets, and network—identify exactly what needs to be configured, and show you how our guides for Mac, Windows, iOS, Android, and small office/home office networks get you from "devices I own" to "devices that are compliant."
Overwatch Tools | CMMC Compliance Solutions for Small Defense Contractors
📧 info@overwatchtools.com | 🌐 overwatchtools.com
Chesapeake, Virginia | © 2025 Overwatch Tools, Inc.
