IT Operations & Cybersecurity Encyclopedia
CMMC Level 1 evidence preparation guide
CMMC Level 1 evidence preparation helps organizations that handle Federal Contract Information show that basic safeguarding practices are implemented, documented, and repeatable. The goal is to make evidence easy to review: what systems are in scope, who has access, how devices are protected, how media is handled, how physical access is controlled, and how basic system integrity is maintained.
Why it matters
Make basic safeguarding visible and repeatable
CMMC Level 1 evidence does not need to be theatrical or overcomplicated. It needs to be accurate, current, tied to the right scope, and supported by screenshots, exports, policies, procedures, tickets, and owner statements.
A good evidence package explains where FCI is processed, stored, or transmitted; which users and devices are involved; which controls are in place; and who is responsible for maintaining them.
Practical rule: Do not prepare Level 1 evidence until the FCI boundary, users, devices, applications, locations, policies, and evidence owners are clearly identified.
Review scope
What CMMC Level 1 evidence should cover
FCI scope
Identify where Federal Contract Information is received, stored, processed, transmitted, printed, archived, and disposed.
User access
Show account lists, approval, least privilege, admin access, removal records, and periodic access review.
Device protection
Document managed devices, endpoint protection, patch status, ownership, encryption where used, and support process.
Media handling
Capture rules for removable media, printed FCI, secure disposal, clean desk behavior, and storage locations.
Physical controls
Show locks, visitor handling, office access, key/badge control, cabinet security, and after-hours protection.
System integrity
Provide malware protection, patching, vulnerability review, alert triage, and incident/remediation evidence.
Review matrix
CMMC Level 1 evidence decision matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| FCI in email | Email is often the first place FCI appears and may create hidden scope. | Collect mailbox access, retention, MFA status, anti-malware controls, user procedures, and forwarding rules. | Who can receive, forward, or archive FCI email? |
| FCI in file shares | Shared folders can expose FCI to too many users if permissions are stale. | Collect folder permissions, owners, access review, backup status, and disposal process. | Who owns this folder and who should have access? |
| Printed FCI | Paper records need physical protection and disposal procedures. | Collect clean desk policy, locked storage, visitor handling, shredding process, and owner evidence. | Where does printed FCI go after use? |
| Unmanaged endpoint | Unmanaged devices create weak evidence for endpoint protection and patching. | Bring the device under management, remove access, or document compensating controls and remediation plan. | Should this device be allowed to access FCI? |
| Departed employee | Access removal evidence is a common review point. | Collect termination checklist, account disablement, device return, badge/key return, and mailbox/file access review. | Can access removal be proven with dates? |
Step-by-step review
CMMC Level 1 evidence preparation runbook
Define FCI scope
Identify contracts, users, systems, email, file shares, cloud services, devices, locations, paper records, and vendors that touch FCI.
Collect control evidence
Gather policies, screenshots, exports, access lists, device inventory, physical-control photos, disposal process, and support tickets.
Validate users and devices
Review user accounts, admin roles, departed users, device ownership, endpoint protection, patch status, and unmanaged access.
Review physical and media handling
Confirm locked storage, visitor handling, clean desk rules, removable media process, paper handling, and secure disposal.
Close evidence gaps
Create remediation tickets for stale access, unmanaged devices, missing policies, weak disposal, or undocumented physical controls.
Build the evidence package
Index each artifact by practice area, owner, date, system, screenshot/export source, and next review date.
Common risks
Common CMMC Level 1 evidence gaps
Unclear FCI boundary
Evidence becomes weak when teams cannot explain where FCI exists.
Stale user access
Departed users, old vendors, and unnecessary admin rights create avoidable findings.
Unmanaged devices
Devices outside patching and endpoint protection make safeguarding harder to prove.
Paper handling ignored
Printed FCI, visitor access, locked storage, and disposal need evidence too.
Screenshots without context
Screenshots should show date, system, scope, owner, and what practice they support.
No owner signoff
Each evidence area needs an accountable business or IT owner.
Related support
Where IT Perfection can help
IT Perfection can help prepare CMMC Level 1 evidence through managed IT services, cybersecurity services, and cloud services.
For independent CMMC readiness review and evidence validation, OC Security Audit can support security audit services and cybersecurity risk assessments.
Created by Ali Hassani, CISO
CMMC Level 1 perspective from Ali Hassani
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Level 1 evidence should be simple, current, and traceable
Ali Hassani, CISO and cybersecurity consultant, has 25+ years of experience across compliance readiness, managed IT, Microsoft infrastructure, endpoint management, and executive risk communication.
FAQ
CMMC Level 1 Evidence Preparation FAQ
What is CMMC Level 1 evidence?
It is documentation that shows basic safeguarding practices for Federal Contract Information are implemented and maintained.
What should be scoped first?
Identify where FCI is received, stored, processed, transmitted, printed, archived, and disposed.
Are screenshots enough?
Screenshots help, but they should be supported by policies, exports, tickets, owner signoff, and dates.
Who should own the evidence?
Each evidence area should have a named business or IT owner responsible for accuracy and updates.
Can IT Perfection help prepare Level 1 evidence?
Yes. IT Perfection can help organize scope, collect evidence, close IT gaps, and prepare an evidence package.