CMMC

The CMMC Level 1 Evidence Gap: Why Proof, Not Policy, Decides Contract Eligibility

Ravi Joseph
September 2025
10 min read

Small defense contractors don’t always fail CMMC Level 1 because they lack safeguards. They fail because they cannot prove the safeguards exist.

CMMC Level 1 was designed to cover 15 “basic safeguarding” practices drawn from FAR 52.204-21. On paper, they are straightforward: use strong passwords, restrict physical access, keep anti-virus software current. For many executives, this looks like a routine compliance task. But the real challenge lies not just in implementing safeguards, but in demonstrating credible evidence that they are in place.

And the stakes are rising. Primes increasingly demand documentation from subcontractors before awarding work. The Department of Justice has warned that False Claims Act actions will extend to cybersecurity attestations, even at Level 1. Perhaps most importantly, evidence discipline is a signal: contractors that can produce clear, dated, and organized artifacts under pressure look reliable, while those that scramble send a message of immaturity and risk.

This is the underappreciated compliance challenge of Level 1: the evidence gap. Level 1 may be self-attested, but evidence is still needed to assure contract eligibility.

1. Why Evidence Matters Even at Level 1

At first glance, CMMC Level 1 may seem like little more than a box-checking exercise. The regulation requires only an annual self-assessment against the 15 safeguards in FAR 52.204-21, with the resulting score submitted to the Supplier Performance Risk System (SPRS). It does not require a third-party assessor or formal audit.

But the CMMC Level 1 Assessment Guide makes it clear that self-attestation is not just about signing a form. Organizations must be able to prove their claims if requested. Each requirement in the guide is accompanied by “assessment considerations” and “potential evidence” examples, underscoring what the government expects.

Evidence matters for three reasons:

  1. Credibility with primes. Large defense contractors increasingly demand supporting evidence from their subcontractors. A self-attestation without artifacts may satisfy SPRS, but not a prime’s due diligence.

  2. Regulatory risk. The Department of Justice has already pursued False Claims Act cases against contractors who submitted inaccurate cybersecurity attestations. The absence of evidence leaves organizations exposed if their claims are ever challenged.

  3. Operational resilience. Evidence is a management discipline. If you cannot produce proof that a safeguard is in place, you likely lack the processes to sustain it. Evidence doubles as a health check on your own security practices.

In short, Level 1 is a self-attestation with proof. Evidence is what makes the attestation credible. Without it, compliance remains theoretical. Theory won’t protect revenue when primes or regulators demand to see proof.

2. What Good Evidence Looks Like (and What Doesn’t Matter at Level 1)

To build an evidence base that stands up to scrutiny, contractors need to collect a variety of documentation and system artifacts. But which artifacts should you collect? The NIST SP 800-171A guidelines, which underpin CMMC, point out that there is a degree of flexibility:

“Organizations have the flexibility to determine the specific methods and objects sufficient to obtain the needed evidence to support any claims of compliance.”

Flexibility, however, does not mean vagueness. Policies and procedures outline what should happen; evidence shows that it does happen. A password policy document, for example, only states the rule. A system screenshot showing that the policy is enforced across user accounts demonstrates that employees are actually bound by it. Similarly, a written statement that “server rooms are locked” has little weight on its own, while a dated visitor log proves that physical access is tracked and restricted in practice.

Evidence matters because it turns intent into verifiable action. The point is not to collect paperwork for its own sake, but to create artifacts that make it indisputable that the safeguard is live, current, and enforced in daily operations.

The CMMC Level 1 Assessment Guide expands on this point:

“Common types of documents that may be used as evidence include:
  • policy, process, and procedure documents;
  • training materials;
  • plans and planning documents; and
  • system, network, and data flow diagrams.”

In practice, evidence may also include system configurations, automated outputs, user lists, access logs, or other operational records.

Strong evidence is specific, current, and operational. Weak evidence is generic, static, or outdated.

Evidence Across the CMMC Control Families

Let’s go through the major CMMC Level 1 control families and see what counts as strong versus weak evidence for each one. The goal is not to collect mountains of paperwork, but to ensure that for every safeguard you can point to at least one clear, dated, and credible artifact.

Access Control (AC)

What this family covers: Who can use your systems, how their access is limited, and how accounts are removed when no longer needed.

What kind of evidence is needed: Proof that access is restricted, managed, and terminated when appropriate.

  • Strong evidence: A dated screenshot of your Active Directory settings showing password complexity and session lock rules, paired with a user termination record documenting prompt account deactivation.
  • Weak evidence: A generic written policy that says “employees must use strong passwords” with no link to actual system enforcement.

Identification and Authentication (IA)

What this family covers: Ensuring that users are who they claim to be and that authentication mechanisms are enforced.

What kind of evidence is needed: Artifacts showing unique user accounts, password requirements, and authentication logs.

  • Strong evidence: A system-generated report listing all current user accounts, with evidence of unique IDs and recent password resets.
  • Weak evidence: A training slide or internal memo reminding staff not to share passwords, without proof of system enforcement.

Media Protection (MP)

What this family covers: Protecting and sanitizing removable media (USB drives, DVDs, external hard drives) and ensuring sensitive data is not leaked.

What kind of evidence is needed: Records of how removable media is restricted, sanitized, or securely disposed.

  • Strong evidence: A disposal log signed and dated, documenting that retired hard drives were wiped or shredded.
  • Weak evidence: An outdated IT policy statement saying “media should be sanitized” with no record of actual disposal.

Physical Protection (PE)

What this family covers: Restricting physical access to facilities, systems, and equipment.

What kind of evidence is needed: Logs or controls that show who has access to sensitive spaces and when.

  • Strong evidence: A visitor sign-in sheet showing names, dates, and times for individuals entering a server room.
  • Weak evidence: A photo of a locked door with no documentation of who entered or how access was monitored.

System and Communications Protection (SC)

What this family covers: Protecting communications across networks, such as firewalls, encryption, and boundary defenses.

What kind of evidence is needed: Configurations or logs that show communications are controlled and protected.

  • Strong evidence: A firewall configuration export dated within the last quarter, annotated to explain rules limiting inbound and outbound traffic.
  • Weak evidence: A vendor brochure claiming a firewall product was purchased, with no proof of how it is configured or used.

System and Information Integrity (SI)

What this family covers: Identifying and fixing vulnerabilities, updating systems, and protecting against malware.

What kind of evidence is needed: Proof of updates, anti-virus operation, and monitoring for suspicious activity.

  • Strong evidence: An automated report from endpoint security software showing recent malware scans and detections, with a date and system identifier.
  • Weak evidence: An undated screenshot showing “Windows Update Complete” on a single machine, with no proof of ongoing patching or coverage across the environment.

How much is enough?

In practice, most compliance professionals advise a “one artifact per control” rule: at least one credible, dated artifact mapped to each of the 15 FAR requirements. This is not a regulatory mandate but a defensible best practice. One artifact per safeguard balances thoroughness with efficiency and creates a package primes and regulators are more likely to accept.

Do you need an SSP?

A System Security Plan (SSP) is a document that describes an organization’s information systems, the security requirements those systems must meet, and the policies and controls in place to satisfy those requirements.

The Level 1 Assessment Guide refers to the SSP in many of the controls. Doesn’t that mean an SSP is required?

The controlling regulation for CMMC (32 CFR §170.15) requires only a self-assessment and SPRS submission. It does not mandate an SSP at Level 1. The guide borrows language from Level 2, where SSPs are mandatory under NIST SP 800-171.

But the practical reality is that auditors and primes may still expect an SSP for consistency. While not legally required, maintaining an SSP that maps safeguards to artifacts can reduce friction and help organize evidence.

3. Why Organization and Automation Decide Credibility

Evidence that exists but cannot be retrieved quickly may as well not exist. In the defense supply chain, credibility depends not only on having safeguards but on demonstrating them cleanly under pressure.

The most common approaches, such as Word or Excel binders of screenshots or loose SharePoint folders of policies and logs, are fragile. They go stale quickly, lack version control, and force teams to scramble whenever proof is requested. The result is not only operational pain but a signal to primes that the contractor is immature.

A more professional posture requires three things:

  • Mapping every safeguard to at least one artifact.
  • Centralizing artifacts in a single source of truth.
  • Keeping evidence current with date stamps and annotations that make raw outputs understandable.

This is where technology can play a decisive role. Manual evidence gathering is not only time-consuming but prone to error. Compliance-as-code—capturing artifacts directly from system workflows—offers a way forward. Logs, configurations, and user records can be generated automatically, mapped to safeguards, and stored in an exportable format.
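The coverage check described in “How much is enough?” and in the compliance-as-code paragraph above (one dated artifact mapped to each of the 15 safeguards, kept current, held in an exportable format), as an added Python example that is not the article’s or Opsfolio’s code. It assumes a manifest in the constructed shape shown, names requirements by their FAR 52.204-21(b)(1) paragraph grouped by family, and treats 90 days as the freshness window; the assessment date is likewise constructed.

```python
from datetime import date

# The 15 FAR 52.204-21(b)(1) paragraphs, grouped into the families the article
# walks through (the grouping used by the CMMC Level 1 Assessment Guide).
FAR_REQUIREMENTS = {"AC": ["i", "ii", "iii", "iv"], "IA": ["v", "vi"], "MP": ["vii"],
                    "PE": ["viii", "ix"], "SC": ["x", "xi"], "SI": ["xii", "xiii", "xiv", "xv"]}
ALL_REQUIREMENTS = [f"{fam}.{p}" for fam, ps in FAR_REQUIREMENTS.items() for p in ps]
MAX_AGE_DAYS = 90  # assumed freshness window, from "dated within the last quarter"
AS_OF = date(2025, 9, 15)  # constructed assessment date for the sample run

# Constructed sample manifest, the shape a centralized evidence hub might export:
# each artifact is mapped to one requirement and carries the date it was captured.
SAMPLE_MANIFEST = [
    {"id": "AC.i", "artifact": "ad_account_policy_2025-08-14.png", "dated": "2025-08-14"},
    {"id": "AC.ii", "artifact": "termination_record_0042.pdf", "dated": "2025-07-30"},
    {"id": "IA.v", "artifact": "user_account_report.csv", "dated": "2025-09-01"},
    {"id": "PE.viii", "artifact": "server_room_visitor_log_q3.pdf", "dated": "2025-09-02"},
    {"id": "SC.x", "artifact": "firewall_export.conf", "dated": "2025-03-11"},       # stale
    {"id": "SI.xii", "artifact": "edr_scan_report.pdf", "dated": "2025-08-29"},
    {"id": "SI.xii", "artifact": "windows_update_screenshot.png", "dated": ""},      # undated
    {"id": "CM.x", "artifact": "baseline.json", "dated": "2025-08-01"},             # not Level 1
]


def assess_evidence(manifest, today, requirements=ALL_REQUIREMENTS, max_age_days=MAX_AGE_DAYS):
    """Classify each artifact and report which requirements still lack current proof."""
    covered, stale, undated, unmapped = {}, [], [], []
    for item in manifest:
        if item["id"] not in requirements:      # mapped to nothing in the Level 1 scope
            unmapped.append(item["artifact"])
        elif not item["dated"]:                 # an undated screenshot proves nothing
            undated.append(item["artifact"])
        elif (today - date.fromisoformat(item["dated"])).days > max_age_days:
            stale.append(item["artifact"])      # exists, but too old to show it is live
        else:
            covered.setdefault(item["id"], []).append(item["artifact"])
    missing = [r for r in requirements if r not in covered]
    return {"covered": covered, "missing": missing, "stale": stale,
            "undated": undated, "unmapped": unmapped}


if __name__ == "__main__":
    report = assess_evidence(SAMPLE_MANIFEST, AS_OF)
    print(f"{len(report['covered'])}/{len(ALL_REQUIREMENTS)} safeguards have current evidence")
    for key in ("missing", "stale", "undated", "unmapped"):
        print(f"{key}: {report[key]}")
```

Run against the sample manifest, the report shows 5 of 15 safeguards covered, with the stale firewall export and the undated patch screenshot listed separately from the safeguards that have no artifact at all.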

Opsfolio’s centralized evidence hub was designed to institutionalize this posture. Instead of relying on scattered screenshots and manual binders, contractors maintain a single source of truth where artifacts are automatically pulled from the workflows teams already run. Logs, configurations, and user records are captured, mapped to the relevant safeguards, and stored in an exportable format. The result is a living evidence system that’s always current, always organized, and always ready to satisfy a prime’s request or a DoW inquiry.

The Leadership Imperative

For executives, the message is clear: CMMC Level 1 may be self-attested, but it is not trivial. The risk is real—SPRS scores can be challenged, primes can cut subcontractors from bids, and the Department of Justice has signaled it will prosecute inaccurate attestations.

The organizations that systematize evidence now will not only retain their contracts but also earn trust with primes and position themselves for higher-level certifications. Those that treat evidence as an afterthought will continue to scramble when challenged and may find themselves disqualified when opportunity knocks.

📌 Executive takeaway: Require a mapped, centralized evidence system today. Aim for at least one artifact per safeguard. Maintain an SSP for clarity, even if not required. And invest in automation where possible to reduce cost and error.

👉 A simple way to begin is by taking Opsfolio’s CMMC Self-Assessment Tool. In 30 minutes, you’ll see where your organization stands against today’s CMMC Level 1 requirements and what gaps must be closed to protect your contracts. It’s the fastest way to turn uncertainty into a concrete plan of action.