If you’re a small manufacturer or contractor in Charlotte or anywhere across the Carolinas, CMMC Level 1 is likely your starting point.
On paper, it sounds simple.
But most teams run into the same issue. They understand the requirement, but not what it looks like day to day.
So, let’s walk through it.
First, What Is CMMC Level 1?
CMMC Level 1 focuses on basic cybersecurity practices.
It’s built around 15 security requirements from NIST 800-171, designed to protect Federal Contract Information (FCI).
Nothing overly complex. But it does require consistency.
1. Access Control (Who Can Get In)
You need to control who has access to your systems and data.
What that looks like in practice:
- Every user has their own login
- Access is limited based on job role
- Accounts are removed when someone leaves
Simple example:
Someone in accounting should not have access to engineering files.
2. Identification and Authentication (Proving Identity)
It’s not enough to have accounts. You need to verify who is logging in.
What that looks like:
- Strong passwords
- Multi-Factor Authentication (MFA) for email, VPN, and cloud systems
Simple example:
A password plus a code sent to a phone.
3. Physical Security (Protecting Your Facility)
This is often overlooked, especially in manufacturing environments.
You need to control who can physically access systems.
What that looks like:
- Locked server rooms or network closets
- Controlled building access
- Visitor logs
Simple example:
You know who is in your building and why.
4. Media Protection (Handling Devices and Data)
This includes USB drives, laptops, and printed documents.
What that looks like:
- Limiting use of external drives
- Secure disposal of devices and paper records
- Controlling where data is stored
Simple example:
No sensitive data sitting on random USB drives.
5. Boundary Defense (Protecting Your Network)
You need to manage traffic coming in and out of your network.
What that looks like:
- Firewalls that are properly configured
- Monitoring network activity
Simple example:
Unauthorized traffic is blocked before it reaches your systems.
6. Malware Protection (Stopping Threats Early)
Every system needs protection from malware.
What that looks like:
- Antivirus or endpoint protection on all devices
- Regular scans
- Alerts for suspicious activity
Simple example:
If something malicious shows up, it is detected and contained quickly.
7. Patch Management (Keeping Systems Updated)
Outdated systems are one of the biggest risks we see across North Carolina.
What that looks like:
- Regular updates for operating systems and software
- A defined patch schedule
- Tracking updates across systems
Simple example:
Critical updates are installed within days, not months.
8. Account Management
You need to manage the full lifecycle of user accounts.
What that looks like:
- Creating accounts only when needed
- Disabling accounts when employees leave
- Regularly reviewing who has access
Simple example:
A former employee should not still have access to email or shared files.
9. Device Identification
You need to know what devices are connecting to your systems.
What that looks like:
- Keeping an inventory of company devices
- Blocking unknown or unauthorized devices
Simple example:
A personal laptop should not be able to connect to your network without approval.
10. System Use Monitoring
You need basic visibility into what’s happening on your systems.
What that looks like:
- Logging user activity
- Reviewing logs when needed
Simple example:
If something unusual happens, you can go back and see who did what.
11. Data Integrity
You need to protect systems and data from unauthorized changes.
What that looks like:
- Preventing unauthorized software installs
- Monitoring for unexpected changes
Simple example:
If a file or system setting changes unexpectedly, you know about it.
12. Configuration Management
You need to keep systems configured in a secure, consistent way.
What that looks like:
- Standard settings across devices
- Limiting unnecessary features or services
Simple example:
All company laptops follow the same security setup, not random configurations.
13. Data in Transit Protection
You need to protect information when it’s being sent.
What that looks like:
- Secure connections (HTTPS, VPN)
- Encrypted email when needed
Simple example:
Sensitive information is sent over protected connections.
14. Security Awareness Training
Your team needs to understand basic security risks.
What that looks like:
- Regular training on phishing and safe behavior
- Reminders and simple guidelines
Simple example:
Employees know not to click suspicious links or open unknown attachments.
15. Risk Awareness
You need a basic understanding of your risks.
What that looks like:
- Knowing where your biggest gaps are
- Taking steps to reduce them over time
Simple example:
You know outdated systems are a risk and have a plan to fix them.
Where Most Businesses Struggle
It is rarely about understanding the requirements.
It comes down to consistency.
We see it across Charlotte and the Carolinas:
- MFA enabled in some places but not everywhere
- Antivirus installed but not actively monitored
- Patching done occasionally instead of on a schedule
- Policies written but not followed
That gap between what is in place and what is consistently working is where issues show up.
What This Looks Like in Real Life
CMMC Level 1 is not about building something complex.
It is about getting the basics right every day.
If you are in Charlotte, Greenville, Raleigh, or anywhere in North Carolina:
You do not need a complicated system.
You need clear, repeatable habits.
Final Thought
Most companies do not fail CMMC Level 1 because it is difficult.
They fail because the basics are not consistent.
Get the fundamentals right, and Level 1 becomes manageable.
Ignore them, and even simple requirements turn into real risk.