CMMC Level 1 30-Day Self-Assessment Playbook for Small NC Manufacturers
Posted: May 22, 2026 to Technology.
If you run a small manufacturing shop in North Carolina, say 30, 60, or even 90 employees, the Cybersecurity Maturity Model Certification (CMMC) rule that dropped into the Federal Register in late 2025 might have felt like something for the big primes in Charlotte and Raleigh. It is not. Any defense industrial base (DIB) supplier that touches Federal Contract Information (FCI) needs at least CMMC Level 1 certification, and the clock is ticking on a phased enforcement schedule that starts as early as mid-2026 for new contracts.
The good news: Level 1 is deliberately narrow. It covers 17 controls pulled from NIST SP 800-171 Rev 3, and none of them require the kind of infrastructure overhaul that Level 2 demands. With a disciplined 30-day sprint, a small manufacturer can self-assess, document compliance, and hand the results to a Registered Practitioner Organization (RPO) like Petronella Technology Group RPO #1449 for a free readiness check before engaging a C3PAO for formal certification.
This playbook lays out exactly what to do each week, what to gather, what to skip (versus Level 2), and where NC manufacturers trip up most often.
What CMMC Level 1 Actually Covers
CMMC Level 1 is the entry tier. It maps to the 17 basic safeguarding requirements for FCI from NIST SP 800-171 Rev 3, things like keeping sensitive information limited to authorized users, scanning for malware, and controlling physical access to equipment. It does not require a full System Security Plan (SSP) in the Level 2 sense, though you will document your policies and procedures.
The scope is your assets that process, store, or transmit FCI. For most small manufacturers, that means a handful of machines: maybe a file server, an ERP workstation handling contract data, a handful of laptops running email and spreadsheets, and possibly a shared network drive. If your manufacturing floor runs on isolated PLCs that never touch a contract document, those PLCs are likely out of scope.
FCI is broadly defined: any information not intended for public release that a federal contract requires you to provide. That includes specifications, drawings, pricing data, delivery schedules, and quality assurance records. If you hold a DoD contract, your purchase orders alone constitute FCI.
Week 1: Boundary Scoping and Asset Inventory (Days 1–7)
Week 1 is the most important week. Do not skip it. The single biggest reason small shops fail self-assessments is an incomplete understanding of their FCI boundary.
Day 1–2: Walk the floor and build a master asset list. Every system that touches FCI goes on the list. Start with: file servers, email servers, domain controllers, user workstations that handle contract documents, network-attached storage, cloud tenants (Microsoft 365, SharePoint, Google Workspace), backup appliances, and any mobile devices that sync FCI. For each asset, record the hostname, IP address, operating system, installed software, physical location, and whether it processes, stores, or transmits FCI.
Day 3–4: Draw your security boundary. FCI systems must be logically or physically separated from everything else. If your manufacturing execution system (MES) shares a flat network with the accounting workstation processing DoD invoices, you have a problem. Draw a network topology diagram showing the FCI boundary and every system inside it. This diagram becomes your primary scoping document.
Day 5–7: Identify what is already in place. Inventory existing security controls. Do you have Windows Defender running on all workstations? A firewall separating the office LAN from the shop floor? Multi-factor authentication on Microsoft 365? Write down everything you already have; you will map these to the 17 controls in Week 2.
Week 2: Control Mapping and Gap Analysis (Days 8–14)
Take your asset inventory and network diagram and map them against the 17 CMMC Level 1 practices. The full list is available in the CMMC model documentation, but the key groups are:
- Access Control (AC): Limit FCI access to authorized users only. Enforce least privilege. End shared generic logins; every operator and admin needs a unique account.
- Identification and Authentication (IA): Require unique identification. No shared passwords on critical systems. MFA is not explicitly required at L1 (it is at L2), but implementing it now saves you later.
- Media Protection (MP): Sanitize or destroy media containing FCI before disposal. Yes, that old hard drive in the parts bin counts.
- Physical Protection (PE): Lock the server room. Control visitor access. Simple stuff, but often missing in small shops where the "server room" is a closet with a broken latch.
- System and Communications Protection (SC): Protect the boundary firewall. Block unauthorized outbound connections.
- System and Information Integrity (SI): Run anti-malware. Apply patches in a reasonable timeframe.
Real-world gap example: A 40-person machine shop in Greensboro discovered during their gap analysis that the shop-floor tablet used to pull engineering drawings (FCI) from SharePoint was logged into a shared account and had not received a Windows update in 14 months. That is two violations, shared credentials (AC) and missing patches (SI), both fixed in one afternoon.
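The Week 1 scoping rule and the Week 2 checks behind the Greensboro finding, written out as a small script over a constructed asset register. This is an added example, not code from the playbook or from ComplianceArmor. The asset fields mirror the Day 1–2 list; the 90-day patch threshold, the list of generic login names, and the two SI practice identifiers (named in the same AC.L1-3.1.1 style the playbook uses) are assumptions for the example.

```python
# Added example (not from the playbook or ComplianceArmor): the Week 1
# scoping rule and the Week 2 checks behind the Greensboro finding, run
# over a constructed asset register.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Practice IDs follow the AC.L1-3.1.1 naming used elsewhere in the playbook;
# the two SI identifiers are assumed for this example.
AC_UNIQUE_ACCOUNTS = "AC.L1-3.1.1"      # limit access to authorized users
SI_FLAW_REMEDIATION = "SI.L1-3.14.1"    # apply patches in a reasonable timeframe
SI_MALWARE_PROTECTION = "SI.L1-3.14.2"  # run anti-malware

PATCH_MAX_AGE_DAYS = 90  # assumed threshold for "a reasonable timeframe"
# Generic login names that indicate a shared account rather than a named user
SHARED_ACCOUNT_NAMES = {"admin", "administrator", "operator", "shopfloor", "user"}


@dataclass
class Asset:
    hostname: str
    ip: str
    os: str
    location: str
    handles_fci: bool          # processes, stores or transmits FCI
    logins: list[str]          # account names used on the device
    last_patched: date | None  # None if nobody can say when it was last patched
    antimalware_running: bool


@dataclass
class Finding:
    hostname: str
    practice: str
    detail: str


def in_boundary(assets: list[Asset]) -> list[Asset]:
    """Week 1 scoping: only assets that touch FCI are inside the boundary."""
    return [a for a in assets if a.handles_fci]


def assess(assets: list[Asset], today: date) -> list[Finding]:
    """Week 2 gap checks for AC (shared logins) and SI (patching, anti-malware)."""
    findings = []
    for a in in_boundary(assets):
        shared = [u for u in a.logins if u.lower() in SHARED_ACCOUNT_NAMES]
        if shared:
            findings.append(Finding(a.hostname, AC_UNIQUE_ACCOUNTS,
                                    "shared login(s): " + ", ".join(shared)))
        if a.last_patched is None:
            findings.append(Finding(a.hostname, SI_FLAW_REMEDIATION, "no patch date recorded"))
        elif (today - a.last_patched).days > PATCH_MAX_AGE_DAYS:
            findings.append(Finding(a.hostname, SI_FLAW_REMEDIATION,
                                    f"last patched {(today - a.last_patched).days} days ago"))
        if not a.antimalware_running:
            findings.append(Finding(a.hostname, SI_MALWARE_PROTECTION, "anti-malware not running"))
    return findings


# Constructed register: a file server, the shop-floor drawing tablet, and a
# PLC that never sees a contract document (out of scope, so never assessed).
SAMPLE_ASSETS = [
    Asset("FILESRV01", "10.10.1.5", "Windows Server 2022", "server closet",
          True, ["svc-backup", "jsmith"], date(2026, 4, 30), True),
    Asset("SHOP-TABLET", "10.10.1.42", "Windows 10", "shop floor",
          True, ["Operator"], date(2025, 2, 15), True),
    Asset("CNC-PLC-3", "10.20.0.3", "embedded", "cell 3",
          False, ["admin"], None, False),
]


def sample_findings(today: date = date(2026, 5, 22)) -> list[Finding]:
    return assess(SAMPLE_ASSETS, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.hostname:12} {f.practice:14} {f.detail}")
```

Run as-is, the script reports only the tablet (shared "Operator" login and a 461-day patch gap); the PLC is skipped because it is outside the boundary. Flip its `handles_fci` flag, as you would if it started pulling drawings, and it is assessed like any other asset.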
What you can skip versus Level 2: Level 1 does not require a written incident response plan, continuous monitoring, audit logging configuration, penetration testing, or a formal risk assessment. Those are Level 2 requirements. Do not create overhead you do not need yet. Stick to the 17 basic practices.
Week 3: Evidence Collection and Documentation (Days 15–21)
This is where most small manufacturers get stuck. CMMC auditors do not take your word for it; they want evidence: screenshots, configuration exports, policy documents, and dated records.
Set up a structured folder hierarchy and start filling it:
- Policies and Procedures: Write one-page policies for each of the 17 control areas. Keep them short. "Access Control Policy: All users must have unique accounts. Accounts are reviewed quarterly. Former employee accounts are disabled within 24 hours." Signed and dated.
- Technical Evidence: Export Active Directory user lists showing unique accounts. Screenshot the firewall rule set. Capture the anti-malware scan schedule and last scan date. Photograph the locked server room door and the visitor log.
- Training Records: Document that employees received CMMC awareness training. Even a 20-minute lunch-and-learn with a sign-in sheet counts.
The ComplianceArmor advantage: Petronella Technology Group's ComplianceArmor documentation platform is built specifically for this. Instead of scattered folders and manual screenshots, ComplianceArmor walks you through each control, auto-generates policy templates, and lets you attach evidence directly in a single dashboard. For small shops running this 30-day sprint, it eliminates the biggest headache: "I think I have that screenshot somewhere."
A common NC gotcha: Small manufacturers frequently subcontract with one another. A job shop in Hickory might machine parts for a prime in Raleigh, and the drawings (FCI) get emailed back and forth. That email channel is inside your security boundary and must comply with L1 controls. Do not assume FCI stops at your loading dock.
Week 4: Self-Assessment and RPO Readiness Check (Days 22–30)
Now you assemble everything into the self-assessment. CMMC Level 1 allows a self-assessment with affirmation by a company official; you do not need a third-party C3PAO audit for L1 certification. But the affirmation requirement is serious: a senior company official must sign attesting to compliance, and a false attestation carries legal exposure under the False Claims Act.
Day 22–25: Run through each control with a pass/fail. Open your evidence folder. For each of the 17 practices, confirm you have: (a) a written policy, (b) technical implementation evidence, and (c) personnel training records. Mark pass or fail. If you fail a control (for example, you discover one legacy workstation without anti-malware), fix it and document the remediation before the affirmation date.
Day 26–28: Write your System Security Plan (SSP), the L1 version. Level 1's SSP is dramatically simpler than Level 2's. Describe your security boundary, your asset inventory, how each of the 17 controls is implemented, and any plans of action and milestones (POA&Ms) for controls that need improvement.
Day 29–30: Engage Petronella Technology Group RPO #1449 for a free readiness check. This is the smartest move a small manufacturer can make before signing an attestation. An RPO is authorized by the CMMC Accreditation Body to perform pre-assessment readiness checks. They are not a C3PAO and do not issue certifications, so there is no conflict of interest.
The readiness check typically covers: reviewing your scoping diagram, spot-checking evidence for 4–5 high-failure controls, verifying your SSP structure, and flagging anything a C3PAO would ding. It takes two to three hours and gives you confidence that your self-assessment will hold up under scrutiny.
Where NC Manufacturers Trip Up (Based on Real Assessments)
Shared credentials on industrial equipment. The CNC machine or coordinate-measuring machine runs on a Windows XP-era PC logged in as "Admin" with password "password." That machine technically sits inside the FCI boundary if it pulls digital drawings. Do not ignore it.
Unmanaged cloud shadow IT. An engineer uses a personal Dropbox to share FCI drawings because it is faster than the company SharePoint. That Dropbox account is now storing FCI without any contractual protection, and it is invisible to your controls.
Printers and multifunction devices. Network printers that cache FCI documents to their internal hard drives are FCI storage systems. If they are not configured to wipe the drive after each job, they count. Most small manufacturers never think to include the copier in their asset inventory.
Vendor remote access. Your ERP vendor needs remote access for support. If that vendor connects over an unencrypted RDP session and can reach your FCI network, you have a control gap. Require VPN + MFA for any third-party remote access to the FCI boundary.
Outdated firmware on network gear. A small metal fabricator learned this the hard way: their off-the-shelf router from 2019 had a known CVE for a backdoor account. The router handled all FCI traffic. A C3PAO check would flag it on sight.
Using L1 as the On-Ramp
Do not treat CMMC Level 1 as a checkbox to clear and forget. Every control you implement (unique accounts, access logging, media sanitization, physical security, patching discipline) is the foundation for Level 2 readiness. And Level 2 is coming. The DoD has explicitly stated that CUI-scoped contracts will require L2, and the grandfathering window for existing contracts is limited.
Petronella Technology Group's free RPO readiness check often includes a brief gap preview toward Level 2. It is not a full L2 pre-assessment (that would be a separate engagement), but it gives you a realistic picture of what the next tier would cost in time and budget. For many small NC manufacturers, that visibility alone justifies the conversation.
What to Include in Your System Security Plan (SSP) for CMMC Level 1
The System Security Plan for CMMC Level 1 is not the sprawling document that Level 2 demands, but it is still a required artifact and one that auditors will examine closely if your self-assessment ever comes under review. A well-written Level 1 SSP tells the story of your FCI boundary, your assets, and how each of the 17 controls is implemented in plain language that an assessor can verify against your evidence folder.
Section 1: Organizational Overview and Security Boundary. Start with your company name, address, CAGE code if you have one, and a brief description of your role in the defense supply chain. Then describe your security boundary. This is the most important paragraph in the entire SSP. State explicitly which networks, systems, and physical locations are inside the FCI boundary and which are outside. Attach your network topology diagram as an appendix and reference it here. If you have a flat network where FCI and non-FCI traffic co-mingle, be honest about it and explain how you segment FCI data logically (for example, through permissions and data classification) until you can implement physical or VLAN segmentation.
Section 2: Asset Inventory. List every asset inside the boundary. For each asset include: hostname or identifier, IP address, operating system and version, role or function, whether it processes, stores, or transmits FCI, and its physical location. If you used ComplianceArmor to build your inventory, export the asset register and attach it. The assessor will spot-check assets from this list against your evidence, so accuracy matters more than polish.
Section 3: Control Implementation Descriptions. For each of the 17 Level 1 practices, write a brief paragraph describing how you meet the requirement. Use this format: control name and number, a one-sentence summary of your implementation, and a reference to the specific evidence you have stored. For example, under AC.L1-3.1.1 (limit system access to authorized users): "All users within the FCI boundary have unique Active Directory accounts. Shared or generic accounts are prohibited. User account lists and group membership exports are maintained in the evidence folder under AccessControl/UserAccounts." Do not write novels. Concise, verifiable statements are what assessors want.
Section 4: Plans of Action and Milestones (POA&Ms). If you have any controls that are not fully implemented at the time of your self-assessment, document them here. Each POA&M should include: the control identifier, the current state, the target state, the remediation steps, the responsible party, and the target completion date. The CMMC model allows POA&Ms for Level 1 self-assessments, but you cannot carry open POA&Ms indefinitely. The Accreditation Body expects remediation within a reasonable timeline, typically 90 to 180 days depending on severity.
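The Day 22–25 pass/fail walk-through and the Section 4 POA&M entries it produces, as one added example (not code from the playbook or from ComplianceArmor). A practice passes only when all three evidence types the playbook names are on file: a written policy, technical evidence, and training records. Every failure becomes a POA&M record carrying the six fields Section 4 lists. The evidence-folder paths, the severity-to-deadline mapping (chosen inside the 90-to-180-day range the playbook cites), and the SI practice identifier are assumptions for the example.

```python
# Added example (not from the playbook or ComplianceArmor): the Day 22-25
# pass/fail check and the POA&M records Section 4 asks for.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# The three evidence types the playbook requires per practice: (a), (b), (c)
REQUIRED_EVIDENCE = ("policy", "technical", "training")

# Assumed remediation windows, all inside the 90-180 day range the playbook cites
REMEDIATION_DAYS = {"high": 90, "medium": 135, "low": 180}


@dataclass
class ControlRecord:
    practice: str
    summary: str           # the one-sentence implementation statement (Section 3)
    evidence: dict         # evidence type -> list of files in the evidence folder
    severity: str = "medium"
    owner: str = "IT lead"


@dataclass
class Poam:
    control: str
    current_state: str
    target_state: str
    remediation_steps: list
    responsible_party: str
    target_date: date


def missing_evidence(rec: ControlRecord) -> list[str]:
    """Which of policy / technical / training evidence is absent or empty."""
    return [kind for kind in REQUIRED_EVIDENCE if not rec.evidence.get(kind)]


def passes(rec: ControlRecord) -> bool:
    return not missing_evidence(rec)


def build_poam(rec: ControlRecord, assessed_on: date) -> Poam:
    """Turn a failed practice into a Section 4 POA&M entry."""
    gaps = missing_evidence(rec)
    return Poam(
        control=rec.practice,
        current_state="missing: " + ", ".join(gaps),
        target_state="policy, technical evidence and training records on file",
        remediation_steps=[f"produce {kind} evidence for {rec.practice}" for kind in gaps],
        responsible_party=rec.owner,
        target_date=assessed_on + timedelta(days=REMEDIATION_DAYS[rec.severity]),
    )


def self_assess(records: list[ControlRecord], assessed_on: date):
    """Pass/fail per practice plus the POA&M list for everything that failed."""
    results = {}
    poams = []
    for rec in records:
        ok = passes(rec)
        results[rec.practice] = "pass" if ok else "fail"
        if not ok:
            poams.append(build_poam(rec, assessed_on))
    return results, poams


# Constructed records: AC is fully evidenced; SI anti-malware has a policy and
# training sign-in but no technical export yet (the legacy workstation case).
SAMPLE_RECORDS = [
    ControlRecord("AC.L1-3.1.1", "All users have unique Active Directory accounts.",
                  {"policy": ["Policies/AccessControl.pdf"],
                   "technical": ["AccessControl/UserAccounts/ad-users-2026-05.csv"],
                   "training": ["Training/signin-2026-04.pdf"]}, severity="high"),
    ControlRecord("SI.L1-3.14.2", "Defender runs on every in-boundary workstation.",
                  {"policy": ["Policies/SystemIntegrity.pdf"],
                   "technical": [],
                   "training": ["Training/signin-2026-04.pdf"]}, severity="high"),
]


def sample_assessment(assessed_on: date = date(2026, 5, 22)):
    return self_assess(SAMPLE_RECORDS, assessed_on)


if __name__ == "__main__":
    results, poams = sample_assessment()
    print(results)
    for p in poams:
        print(p.control, p.current_state, "due", p.target_date)
```

The point of the structure is that a missing evidence type, not just a missing policy, fails the practice: a "high" finding assessed on 22 May 2026 gets a 20 August 2026 target date, and the record is ready to paste into Section 4 or into a POA&M tracker.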
Section 5: Affirmation Statement. The final page of your SSP should contain the affirmation statement that your senior company official will sign. The statement confirms that the information in the SSP and supporting evidence is accurate and that the organization is compliant with the applicable CMMC Level 1 practices. This is a legally binding attestation. Make sure every statement in the SSP is supported by evidence before anyone signs it.
Common Audit Gotchas Craig Petronella, CMMC RPO #1449, Has Seen with Small NC Manufacturers
Over years of working with small manufacturers across North Carolina, Petronella Technology Group has compiled a list of recurring issues that trip up otherwise well-prepared shops. These are real patterns from real pre-assessments.
The printer problem. The most common oversight in small manufacturers is the networked multifunction printer. These devices store scanned documents on internal hard drives. If your shop scans a purchase order or an engineering drawing (both FCI) and the printer caches it, that printer is now storing FCI. We have walked into machine shops where the printer in the front office had 18 months of cached FCI documents accessible via its web interface with no password. The fix is simple: enable automatic hard drive overwrite after each job, or remove the hard drive entirely and treat the printer as a pass-through device only.
The subcontractor email gap. North Carolina's manufacturing ecosystem runs on subcontracting. A fabricator in Sanford sends FCI drawings to a finishing shop in Asheboro via email. The fabricator has MFA on their email, but the finishing shop does not. The FCI is now transmitted over an unsecured channel and stored in an unprotected mailbox. CMMC Level 1 requires basic protection of FCI in transit and at rest. If you exchange FCI with subcontractors, you need to verify that their controls meet at least the same level as yours, or use a secure file transfer method.
The forgotten laptop. In nearly every small shop we have assessed, there is a laptop that belongs to a former employee, is still on the network, and has FCI documents on it. Sometimes it is sitting in a drawer. Sometimes it is being used by a new hire under the old user's account. The policy is clear: disable accounts within 24 hours of separation and sanitize or reclaim the device. We recommend setting a quarterly calendar reminder to audit terminated user accounts and orphaned devices.
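The quarterly audit recommended above, as an added example (not code from the playbook or from ComplianceArmor) run over a constructed export of accounts and device check-ins. It flags the three things the paragraph describes: an account still enabled, or still being used, more than 24 hours after separation; an enabled account nobody has logged into for a long time; and an FCI-holding device that has stopped checking in (the laptop in the drawer). The 90-day and 45-day dormancy thresholds and the field names are assumptions; a real run would read them from an AD or Microsoft 365 export.

```python
# Added example (not from the playbook or ComplianceArmor): the quarterly
# terminated-account and orphaned-device audit behind "the forgotten laptop".
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

DISABLE_WITHIN = timedelta(hours=24)  # the playbook's 24-hour rule
STALE_LOGON = timedelta(days=90)      # assumed: enabled but unused this long is suspect
STALE_DEVICE = timedelta(days=45)     # assumed: FCI device silent this long is orphaned


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: datetime | None
    separated_on: datetime | None  # None for current employees


@dataclass
class Device:
    hostname: str
    assigned_to: str
    last_checkin: datetime | None
    holds_fci: bool


def audit_accounts(accounts: list[Account], now: datetime) -> list[tuple[str, str]]:
    """Separated users still enabled (or still logging in) and dormant accounts."""
    issues = []
    for a in accounts:
        if a.separated_on and a.enabled and now - a.separated_on > DISABLE_WITHIN:
            if a.last_logon and a.last_logon > a.separated_on:
                issues.append((a.name, "account used after separation"))  # new hire on old login
            else:
                issues.append((a.name, "still enabled after separation"))
        if a.enabled and (a.last_logon is None or now - a.last_logon > STALE_LOGON):
            issues.append((a.name, "no logon in 90 days"))
    return issues


def audit_devices(devices: list[Device], accounts: list[Account], now: datetime):
    """Devices assigned to separated users, and FCI devices that stopped checking in."""
    separated = {a.name for a in accounts if a.separated_on}
    issues = []
    for d in devices:
        if d.assigned_to in separated:
            issues.append((d.hostname, "assigned to separated user"))
        if d.holds_fci and (d.last_checkin is None or now - d.last_checkin > STALE_DEVICE):
            issues.append((d.hostname, "FCI device not seen recently"))
    return issues


# Constructed export: one current user, one separated user whose login a new
# hire is still using, one dormant account, one correctly disabled leaver.
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, datetime(2026, 5, 21, 8, 5), None),
    Account("rjones", True, datetime(2026, 5, 20, 7, 40), datetime(2026, 3, 1, 17, 0)),
    Account("tlee", True, datetime(2025, 12, 1, 9, 0), None),
    Account("mdiaz", False, datetime(2026, 1, 10, 12, 0), datetime(2026, 1, 10, 16, 0)),
]
SAMPLE_DEVICES = [
    Device("LT-RJONES", "rjones", datetime(2026, 5, 20, 7, 41), True),
    Device("LT-MDIAZ", "mdiaz", datetime(2026, 1, 9, 18, 0), True),   # the laptop in the drawer
    Device("WS-JSMITH", "jsmith", datetime(2026, 5, 21, 8, 6), True),
]


def sample_audit(now: datetime = datetime(2026, 5, 22, 9, 0)):
    return audit_accounts(SAMPLE_ACCOUNTS, now), audit_devices(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, now)


if __name__ == "__main__":
    for name, why in sample_audit()[0] + sample_audit()[1]:
        print(f"{name:12} {why}")
```

Note that the separated-user check keys on the separation date, not on last logon: rjones logged in two days ago, so a "dormant accounts" report alone would never have surfaced the account, which is exactly the new-hire-on-old-login case the paragraph describes.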
The unlocked IDF closet. Physical protection is one of the simplest Level 1 controls, yet it fails consistently. In one case, a manufacturer in Hickory had their network switch and server in a janitorial closet that anyone could access. The door had a push-button lock that had been wedged open for years. A C3PAO assessor would photograph that and flag it immediately. Walk your facility, identify every location where FCI equipment lives, and ensure those locations are physically locked with access controlled.
Contractor and visitor device policies. When a DoD contractor visits your facility and plugs their laptop into your network to check email, that device is inside your FCI boundary. If it is compromised, your FCI is at risk. Level 1 does not require full endpoint detection on visitor devices, but you should have a policy stating that non-organization devices are not permitted on the FCI network without prior approval and a signed acceptable use agreement.
Tooling Recommendations for CMMC Level 1
The right tools make the difference between a painful 30-day scramble and a structured, repeatable process. Petronella Technology Group has evaluated dozens of platforms and configurations for small manufacturers. Here is what we recommend for a Level 1 engagement.
Documentation platform. Every small manufacturer should use a centralized documentation platform for policies, evidence, and SSP management. We built ComplianceArmor specifically for this purpose. It walks you through each of the 17 Level 1 controls with pre-written policy templates, guided evidence collection prompts, and a built-in SSP generator. Instead of maintaining a scattered folder of screenshots and Word documents, you get a single dashboard that any auditor can review. ComplianceArmor also tracks your POA&M items and sends reminders when remediation deadlines approach. For small shops running the 30-day sprint, this is the single biggest time saver available.
Endpoint security. For anti-malware and system integrity monitoring, we recommend Petronella's managed XDR solution. It provides real-time endpoint detection, automated patch status reporting, and centralized logging that directly supports the SI controls at Level 1. The managed element means your shop does not need a dedicated security analyst to review alerts. Our team handles that remotely.
Identity and access management. Microsoft 365 Business Premium includes the baseline identity controls you need for Level 1: unique user accounts, group policy enforcement, and basic conditional access policies. If you are not on Microsoft 365 yet, the move alone closes multiple Level 1 gaps at once. For on-premises Active Directory, ensure your domain controllers are patched and that you have enforced password policies, account lockout thresholds, and audit logging for failed logins.
Network security. A next-generation firewall with intrusion prevention capabilities should sit at your FCI boundary. Many small manufacturers use the firewall built into their cable modem or a consumer-grade router. That is not sufficient. A proper business-grade firewall gives you the ability to segment traffic, log connections, and enforce outbound filtering. If budget is tight, start with a low-cost appliance from a reputable vendor and configure it yourself using the CMMC Level 1 network protection guidance.
Data protection and email security. Petronella encrypted data and email solutions provide transport-layer encryption and secure file sharing for FCI exchanged with subcontractors and primes. This closes the email gap discussed earlier and provides auditable records of every FCI transmission.
What to Expect During the CMMC Level 1 Assessment
If you choose to go beyond self-assessment and engage a C3PAO for formal certification, the assessment process follows a predictable structure. Knowing what to expect reduces anxiety and helps you prepare.
Pre-assessment briefing. The C3PAO will schedule a kickoff call to review your SSP, your asset inventory, and your evidence folder. They will identify any obvious gaps before the onsite visit and give you a chance to remediate. This is not a pass-fail checkpoint, but it is in your interest to address everything they flag. We recommend having your RPO on this call as well to advocate for your documentation approach.
Onsite assessment. Typically one to two days for a small manufacturer. The assessor will interview key personnel, inspect physical security controls, and spot-check evidence for a sample of the 17 practices. They will not look at everything. They will look at high-risk areas: physical access to FCI systems, user account management, anti-malware configuration, and boundary protection. Expect the assessor to ask for a live demonstration of controls, for example, show me that you can create a new user account and verify the unique ID requirement.
Evidence validation. The assessor will select 5 to 7 controls and ask to see the corresponding evidence. This is where your structured evidence folder, or your ComplianceArmor dashboard, pays off. If you can open the right folder or export within 30 seconds, the assessor moves on. If you are hunting through shared drives and email attachments, that is a red flag that your documentation process is not mature.
Closeout and findings. At the end of the onsite visit, the assessor will present their initial findings. For Level 1, findings are typically pass or fail per control with no scoring levels. If all 17 practices are fully implemented, you receive a provisional pass pending documentation review. If there are gaps, you receive a list of findings and a timeline to remediate, typically 30 to 90 days. Once you provide evidence of remediation, the C3PAO will issue the final certification.
Post-assessment affirmation. After the C3PAO issues certification, your company official signs the affirmation and the result is submitted to the CMMC Accreditation Body. Your certification is valid for the duration specified in your contract or until a significant change in your environment triggers a reassessment.
90-Day Preview: What Comes After CMMC Level 1
Level 1 certification is not the end of the road. For most small manufacturers, it is the beginning of a progressive compliance journey. Here is what the next 90 days look like if you choose to build on your Level 1 foundation.
Days 31 to 45: Stabilize and operationalize. You have your certification. Now make the controls stick. Assign ownership for each control area. Set up recurring tasks: weekly patch review, monthly user account audit, quarterly physical security walkthrough. The mistake many manufacturers make is treating certification day as the finish line. Controls degrade fast without ongoing attention. ComplianceArmor includes automated recurring evidence collection reminders that help you maintain readiness without dedicated staff.
Days 46 to 60: Review your contracts for CUI. Level 1 covers FCI. Level 2 covers Controlled Unclassified Information (CUI). Not every DoD contract involves CUI, but many do, and the distinction is not always obvious at contract award. Work with your contracting officer or prime contractor to determine which of your contracts require CUI handling. If any do, you will need Level 2 certification before those contracts can be awarded or renewed. Petronella Technology Group offers a CUI scoping assessment that reviews your contract portfolio and identifies which contracts are likely to trigger CUI requirements.
Days 61 to 75: Conduct a Level 2 gap analysis. Level 2 adds 96 additional practices beyond the 17 you already have. That sounds intimidating, but many Level 2 controls are extensions of what you already implemented. For example, Level 1 requires unique accounts. Level 2 adds privileged account management, automated account management, and periodic access reviews. Your existing Level 1 user account documentation is already halfway there. A formal gap analysis, which an RPO can perform, gives you a prioritized roadmap and a realistic budget estimate for Level 2 certification.
Days 76 to 90: Begin Level 2 preparation. The largest lift for Level 2 is typically the incident response plan, the risk assessment, and the continuous monitoring program. Plan to allocate 4 to 6 months for Level 2 preparation depending on your current environment and your budget for tooling. Many small manufacturers opt for a phased approach: implement the highest-effort controls first (incident response, continuous monitoring, configuration management) while deferring lower-risk items to a POA&M.
Every small NC manufacturer that completes Level 1 with solid documentation and evidence discipline is well positioned for Level 2. The work you do in the 30-day sprint is not wasted. It is the foundation.
Frequently Asked Questions About CMMC Level 1
Do I need a C3PAO for Level 1 certification?
No. CMMC Level 1 allows self-assessment with affirmation by a senior company official. You do not need a third-party C3PAO audit to achieve Level 1 certification. However, we strongly recommend having an RPO, such as Petronella Technology Group, perform a readiness review before you sign the affirmation to ensure your evidence and documentation will withstand scrutiny.
What happens if I fail a control during self-assessment?
You can document the failed control as a POA&M in your SSP and remediate it within a reasonable timeframe, typically 90 to 180 days. You do not need to have all 17 controls fully implemented on the day you sign your affirmation, but you must have a credible plan and timeline for closing each gap. Failure to remediate within the stated timeline could result in loss of certification.
How long does Level 1 certification last?
Level 1 certification is valid for the life of the contract under which it was obtained, unless there is a significant change to your environment that affects your FCI boundary. The DoD may also require reassessment at certain intervals as part of contract renewal. Check your specific contract language for expiration terms.
Does Level 1 require multi-factor authentication?
No. MFA is explicitly required at Level 2 but not at Level 1. However, implementing MFA now is inexpensive and dramatically reduces your risk of credential compromise. Many of the common audit gotchas we see involve shared or weak credentials that MFA would have mitigated. We recommend enabling MFA on your Microsoft 365 tenant and any remote access points even though Level 1 does not mandate it.
Can I use cloud services for FCI storage at Level 1?
Yes, but only if the cloud service provides basic safeguarding of FCI as defined by the 17 Level 1 controls. Microsoft 365 Commercial and Government Community Cloud (GCC) tenants meet these requirements when configured correctly. Consumer-grade services like personal Dropbox accounts, free Gmail, or personal Google Drive do not. Ensure your cloud service agreement includes data protection provisions that align with NIST 800-171 basic safeguarding requirements.
What is the difference between CMMC Level 1 and DFARS 252.204-7012?
DFARS 252.204-7012 is the clause that requires DoD contractors to implement NIST SP 800-171 and report cyber incidents. CMMC Level 1 maps to the basic safeguarding of FCI, which is a narrower requirement than the full NIST SP 800-171 coverage required by DFARS 7012. If you are flowing down DFARS 7012 in your contracts, you are likely already operating above Level 1. CMMC does not replace DFARS 7012. It adds a certification layer on top of it.
How much should a small manufacturer budget for Level 1 readiness?
For a 30-to-90-person shop, the direct costs are relatively low. Expect to spend on documentation tools, endpoint security software, and potentially a network firewall upgrade. The largest cost is internal labor, roughly 40 to 80 hours of staff time over the 30-day sprint. Petronella Technology Group's RPO readiness check and ComplianceArmor platform are designed to keep those hours manageable by providing templates, automated evidence collection, and expert review that catches mistakes before they become costly findings.
What if my prime contractor requires Level 2 before I am ready?
This scenario is becoming more common as primes push CMMC requirements down their supply chains. If you receive a Level 2 requirement from a prime, you have options. You can request a timeline extension under your existing contract. You can engage an RPO immediately to begin Level 2 preparation, compressing the typical 4-to-6-month timeline to 60 to 90 days with dedicated resources. Or you can scope your CUI to a limited subset of systems and achieve Level 2 for only that enclave, a strategy known as narrow scoping that many small manufacturers use to reduce cost and complexity. Petronella Technology Group can advise on which approach fits your specific contract portfolio and budget.