CMMC Level 1 Self-Attestation Explained: Requirements, Evidence, and Risk
Submit any questions you would like answered on the podcast!
A lot of contractors assume CMMC Level 1 is just a simple checkbox. It is not.
In this episode, Austin and Brooke break down what CMMC Level 1 actually requires, what a self-assessment really looks like, and why self-attestation without documentation can create serious risk.
They cover the difference between Level 1 and Level 2, what Federal Contract Information (FCI) actually is, how Level 1 maps to the formal assessment process, and why organizations need policies, evidence, and artifacts before signing an attestation.
This episode also explains:
- What CMMC Level 1 covers and what it does not
- Why Level 1 is always self-assessed, not C3PAO certified
- The difference between self-assessment and self-attestation
- What documentation and evidence should exist before attesting
- Why authorized users, devices, processes, visitor logs, and physical access controls matter
- What the CFR says about evidence retention
- When a Level 1 claim may actually be scrutinized
- How whistleblowers, breaches, or customer requests can trigger verification
- The False Claims Act risk of saying you are compliant when you are not
If you are planning to self-attest to CMMC Level 1, this episode will help you understand what the government expects before you sign your name to anything.