Once we’ve mapped your systems and users, it’s time to analyze what’s working — and what’s missing. Step 2 is where we assess your security posture through a structured gap analysis based on the 17 required CMMC Level 1 practices.

We start by reviewing key areas like access controls, device protections, software updates, and physical security — using simple, yes-or-no checklists that translate directly into compliance scoring. Behind the scenes, we’re building what you can picture as a radar chart of your cybersecurity readiness, with each practice shown as a slice of the circle — some full, some needing work.

We also use this step to simulate how an auditor might view your environment. For example, we check whether unused accounts are disabled, or if all employees use unique logins. These insights get layered into a visual progress report — think of it like a bar chart that compares your current state against what’s required. Green bars? You’re good. Yellow or red? We’ll fix it in the next steps.

You’ll walk away from this stage with a simple scorecard, a list of missing elements (if any), and the reassurance that we now know exactly how to get you from where you are — to where you need to be.

Corrective Action & Control Implementation

After the gap assessment is complete, we transition into active remediation. This is where we close the gaps between your current security posture and the requirements for CMMC Level 1 certification. Our team supports both technical and administrative remediation, ensuring that the 17 required practices are not just understood, but implemented and enforceable.

On the technical side, we guide your team through adjustments to access control mechanisms, such as removing shared accounts, applying least privilege policies, and implementing time-based logouts. We advise on simple, cost-effective methods for implementing multi-factor authentication, secure log storage, and automated screen lockouts. Our recommendations are customized to your existing tools and systems—no unnecessary software or vendor lock-in.

Administratively, we help you draft the policies that must be in place for auditors to validate your controls. This includes a customized System Security Plan (SSP), detailing your infrastructure, boundary, and specific control implementations. We provide policy templates tailored to CMMC Level 1 expectations, including access control, physical security, incident reporting, and removable media handling.

All documentation is aligned with DoD expectations for traceability, version control, and audit-readiness. This phase is also where we train your staff on maintaining compliant behavior, such as secure email practices, badge requirements, or clean desk policies. Once these changes are implemented, we conduct a post-remediation review to verify that your new state is compliant and sustainable.

Submission & Official Compliance Entry

With your technical and administrative controls in place, your organization is ready to complete the official self-assessment. Unlike CMMC Level 2 and above, Level 1 allows for self-assessment accompanied by a senior official affirmation statement. However, the information submitted must be accurate, complete, and defensible in the event of a DoD inquiry or audit.

We guide your leadership team in preparing this self-assessment using the DoD’s standardized scoring methodology (based on NIST 800-171). You’ll receive your final SSP and POA&M files, which must be retained for a minimum of three years and made available upon DoD request.

Next, we walk your organization step-by-step through the Supplier Performance Risk System (SPRS) account setup process. This includes requesting access via PIEE (Procurement Integrated Enterprise Environment), validating the correct Entity ID (SAM registration), and submitting your score securely.

We assist in drafting your executive affirmation letter, which must be signed by a senior official within your organization, attesting to the accuracy of the self-assessment. Once everything is submitted and your SPRS entry is confirmed, you will be officially marked as CMMC Level 1 compliant.

This phase includes a final compliance package for your internal records, complete with your SSP, POA&M, system boundary diagram, training logs, and a compliance certificate issued by Federal Bid Partners LLC.

Sustaining Compliance & Staying Competitive

Achieving CMMC Level 1 certification is not a one-time activity—it must be reaffirmed annually, and your practices must evolve alongside threats and federal updates. That’s why Federal Bid Partners offers post-certification services to help your organization maintain compliance long-term.

We offer optional quarterly or semi-annual check-ins where we review your control implementation status, validate policy adherence, and update any documentation as needed. If an incident occurs or a significant change is made to your IT infrastructure, we assist in revising your SSP and POA&M accordingly.

Our team monitors changes from DoD, NIST, and the CMMC-AB to ensure you stay ahead of emerging updates. If CMMC Level 2 becomes a requirement in your future contracts, we’ll help you plan a seamless transition to that higher level of certification.

To reinforce your credibility with clients and primes, we provide you with a CMMC Level 1 Compliant Badge for use on your website, capability statements, and proposal submissions. We also maintain your SPRS score documentation in case of an audit or revalidation request from an agency.

By sustaining your compliance with proactive support and strategic foresight, you not only remain eligible for DoD work—you stay competitive in a tightening cyber landscape.