IT Operations & Cybersecurity Encyclopedia

CMMC Level 1 evidence preparation guide

CMMC Level 1 evidence preparation helps organizations that handle Federal Contract Information show that basic safeguarding practices are implemented, documented, and repeatable. The goal is to make evidence easy to review: what systems are in scope, who has access, how devices are protected, how media is handled, how physical access is controlled, and how basic system integrity is maintained.

CMMC Level 1, Federal Contract Information, basic safeguarding, evidence collection, and owner signoffAccess control, identification, media protection, physical protection, system integrity, policies, screenshots, and ticketsCompliance readiness, managed IT operations, cybersecurity review, and assessor-ready documentation

Why it matters

Make basic safeguarding visible and repeatable

CMMC Level 1 evidence does not need to be theatrical or overcomplicated. It needs to be accurate, current, tied to the right scope, and supported by screenshots, exports, policies, procedures, tickets, and owner statements.

A good evidence package explains where FCI is processed, stored, or transmitted; which users and devices are involved; which controls are in place; and who is responsible for maintaining them.

Practical rule: Do not prepare Level 1 evidence until the FCI boundary, users, devices, applications, locations, policies, and evidence owners are clearly identified.

Review scope

What CMMC Level 1 evidence should cover

FCI scope

Identify where Federal Contract Information is received, stored, processed, transmitted, printed, archived, and disposed.

User access

Show account lists, approval, least privilege, admin access, removal records, and periodic access review.

Device protection

Document managed devices, endpoint protection, patch status, ownership, encryption where used, and support process.

Media handling

Capture rules for removable media, printed FCI, secure disposal, clean desk behavior, and storage locations.

Physical controls

Show locks, visitor handling, office access, key/badge control, cabinet security, and after-hours protection.

System integrity

Provide malware protection, patching, vulnerability review, alert triage, and incident/remediation evidence.

Review matrix

CMMC Level 1 evidence decision matrix

AreaWhat to verifyQuestions to answerEvidence
FCI in emailEmail is often the first place FCI appears and may create hidden scope.Collect mailbox access, retention, MFA status, anti-malware controls, user procedures, and forwarding rules.Who can receive, forward, or archive FCI email?
FCI in file sharesShared folders can expose FCI to too many users if permissions are stale.Collect folder permissions, owners, access review, backup status, and disposal process.Who owns this folder and who should have access?
Printed FCIPaper records need physical protection and disposal procedures.Collect clean desk policy, locked storage, visitor handling, shredding process, and owner evidence.Where does printed FCI go after use?
Unmanaged endpointUnmanaged devices create weak evidence for endpoint protection and patching.Bring the device under management, remove access, or document compensating controls and remediation plan.Should this device be allowed to access FCI?
Departed employeeAccess removal evidence is a common review point.Collect termination checklist, account disablement, device return, badge/key return, and mailbox/file access review.Can access removal be proven with dates?

Step-by-step review

CMMC Level 1 evidence preparation runbook

1

Define FCI scope

Identify contracts, users, systems, email, file shares, cloud services, devices, locations, paper records, and vendors that touch FCI.

2

Collect control evidence

Gather policies, screenshots, exports, access lists, device inventory, physical-control photos, disposal process, and support tickets.

3

Validate users and devices

Review user accounts, admin roles, departed users, device ownership, endpoint protection, patch status, and unmanaged access.

4

Review physical and media handling

Confirm locked storage, visitor handling, clean desk rules, removable media process, paper handling, and secure disposal.

5

Close evidence gaps

Create remediation tickets for stale access, unmanaged devices, missing policies, weak disposal, or undocumented physical controls.

6

Build the evidence package

Index each artifact by practice area, owner, date, system, screenshot/export source, and next review date.

Common risks

Common CMMC Level 1 evidence gaps

Unclear FCI boundary

Evidence becomes weak when teams cannot explain where FCI exists.

Stale user access

Departed users, old vendors, and unnecessary admin rights create avoidable findings.

Unmanaged devices

Devices outside patching and endpoint protection make safeguarding harder to prove.

Paper handling ignored

Printed FCI, visitor access, locked storage, and disposal need evidence too.

Screenshots without context

Screenshots should show date, system, scope, owner, and what practice they support.

No owner signoff

Each evidence area needs an accountable business or IT owner.

Related support

Where IT Perfection can help

IT Perfection can help prepare CMMC Level 1 evidence through managed IT services, cybersecurity services, and cloud services.

For independent CMMC readiness review and evidence validation, OC Security Audit can support security audit services and cybersecurity risk assessments.

Created by Ali Hassani, CISO

CMMC Level 1 perspective from Ali Hassani

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Level 1 evidence should be simple, current, and traceable

Ali Hassani, CISO and cybersecurity consultant, has 25+ years of experience across compliance readiness, managed IT, Microsoft infrastructure, endpoint management, and executive risk communication.

FAQ

CMMC Level 1 Evidence Preparation FAQ

What is CMMC Level 1 evidence?

It is documentation that shows basic safeguarding practices for Federal Contract Information are implemented and maintained.

What should be scoped first?

Identify where FCI is received, stored, processed, transmitted, printed, archived, and disposed.

Are screenshots enough?

Screenshots help, but they should be supported by policies, exports, tickets, owner signoff, and dates.

Who should own the evidence?

Each evidence area should have a named business or IT owner responsible for accuracy and updates.

Can IT Perfection help prepare Level 1 evidence?

Yes. IT Perfection can help organize scope, collect evidence, close IT gaps, and prepare an evidence package.