CMMC Level 1 Readiness Check
Right-sized support for FCI-only contractors who need to validate their 17 basic safeguarding practices — without being overbuilt for a Level 2 path they do not yet need. ForgePoint keeps Level 1 and Level 2 deliberately separate so small contractors are not pushed into scope, spend, or documentation complexity that does not match their actual exposure.
Who This Service Is For
Small contractors performing work under federal contracts who handle FCI but have not confirmed CUI exposure — and need a clear, honest baseline check.
FCI-only contractors performing DoD or federal work.
Organizations unsure whether Level 1 or Level 2 applies to them.
Small businesses without an internal compliance function.
Contractors preparing for a first CMMC self-assessment.
Organizations that need a starting point before scope is confirmed.
The Problem This Solves
Many small contractors are pushed toward Level 2 complexity — tools, platforms, and documentation overhead — before anyone has confirmed their actual FCI or CUI exposure.
Vendor pressure to buy Level 2 platforms for a Level 1 environment.
Uncertainty about whether Level 1 or Level 2 applies.
No baseline review of the 17 CMMC Level 1 practices.
Self-assessment completed without external validation or structure.
Wasted spend on documentation and tools not required at Level 1
Questions Answered
This service answers the foundational questions that every small contractor needs answered before making any CMMC decision.
Does Level 1 actually apply — or is Level 2 exposure more likely?
Are all 17 basic safeguarding practices in place?
Where are the gaps against CMMC Level 1 requirements?
Is the environment structured for a defensible self-assessment?
What should be addressed before the self-assessment is submitted?
CMMC Level 1 and Level 2 Are Not the Same Path
CMMC Level 1 — This Service
Federal Contract Information (FCI) only
17 basic safeguarding practices (FAR 52.204-21)
Annual self-assessment — no third party required
Right-sized for small FCI-only contractors
Good foundation not— sufficient if CUI is present
VS
CMMC Level 2 — Separate Path
Controlled Unclassified Information (CUI) required
110+ practices aligned to NIST SP 800-171
Third-party C3PAO assessment for most contracts
SSP, POA&M, and evidence documentation required
Required for most DoD contracts involving CUI
What ForgePoint Delivers
-
FCI/CUI Exposure Check
Confirm whether the environment is genuinely FCI-only or whether CUI exposure makes Level 2 the right path.
-
17-Practice Gap Review
Review all 17 CMMC Level 1 practices — identifying what is in place, what is missing, and what needs attention before self-assessment.
-
Self-Assessment Readiness Review
Assess whether the organization is structured to complete a defensible annual self-assessment with confidence.
-
Findings Summary & Gap List
A clear, plain-language summary of findings — strengths, gaps, and prioritized next steps sized for a small contractor.
-
Path Recommendation
A clear recommendation: stay on the Level 1 path, address specific gaps, or escalate to a Level 2 readiness engagement.
How the Engagement Works
Typical Timelin
1-2 Weeks
Weeks — right-sized for small contractors
Faster than a Level 2 engagement by design.
Structured intake and review — no unnecessary overhead.
Findings delivered in plain language, not dense compliance reports.
What Is Intentionally Out of Scope
CMMC Level 2 controls, NIST SP 800-171 gap analysis, SSP, or POA&M.
Certification guarantees or official assessment conclusions.
Legal interpretation of contracts or DFARS clauses.
Technical remediation implementation.
Unlimited advisory access or helpdesk support.
Recommended Next Steps After This Service
Let's Build Your Readiness Advantage
Schedule a no-obligation conversation to discuss your environment, challenges, and the best first step