Nelson Ford, founder and principal consultant of Pilotcore

Built by Nelson Ford, CMMC CCP and CISSP

Pilotcore

Your Free CMMC Level 1 Compliance Guide

Relevant requirements for Canadian suppliers working on current or future DoD contracts that include CMMC Level 1 language. CMMC applies when contract language requires it and Federal Contract Information is handled on contractor systems.

  • The 15 CMMC Level 1 practices in plain English
  • Planning ranges: 1-2 weeks for initial scoping, 2-6 weeks for smaller Level 1 improvements, and 6-12+ weeks for larger remediation
  • Common readiness gaps, scoping questions, and evidence habits
  • Action plan with early planning ranges

IMPORTANT: CMMC requirements are being phased into designated U.S. Department of Defense contracts. Confirm timing and applicability in current solicitation documents.

Get the CMMC guide by email

Understand contract and attestation implications before submitting self-assessments.

Who Should Download?

Any Canadian company expecting to handle Federal Contract Information for a designated DoD contract or prime flow-down. Prime contractors, suppliers, and partners can use it before contract-award timing creates pressure.

Who it is for

Who should download this guide?

This guide is for organizations that:

  • Are Canadian companies that bid on or support DoD contracts.
  • Handle Federal Contract Information.
  • Act as Canadian subcontractors to U.S. defense primes.
  • Provide IT, MSP, cloud, software, engineering, or manufacturing support to defense suppliers.
  • Need to understand CMMC Level 1 before completing a self-assessment or supplier questionnaire.
  • Want to compare CMMC expectations against NIST 800-171, SOC 2, ISO 27001, or current security controls.

If you are unsure whether CMMC applies to your organization, the guide can help you ask the right scoping questions.

Canadian contractor notes

Use the guide to separate CMMC from adjacent Canadian obligations.

Canadian suppliers pursuing DoD work often need more than a generic Level 1 checklist. The useful question is which records support the U.S. CMMC requirement, and which belong to Canadian defence, security, or controlled-goods programs.

  • Check the U.S. contract trigger.

    For a Canadian supplier, CMMC usually starts with a DoD solicitation, U.S. prime flow-down, or supplier questionnaire. The guide helps you separate contract language from general cybersecurity expectations.

  • Map Canadian defence programs separately.

    Controlled Goods Program, Joint Certification Program, PSPC contract security, and CPCSC expectations may still matter. The Level 1 guide does not replace those obligations; it helps you isolate the CMMC piece.

  • Reuse evidence without blurring the rules.

    Access records, device controls, visitor procedures, boundary notes, and endpoint protection evidence may support several defence conversations. The important step is mapping each record to the requirement that asks for it.

Confirm current applicability against the solicitation, flow-down terms, DoD guidance, PSPC guidance, and your legal or contracts team.

Why now

Prepare for DoD contract cyber requirements.

CMMC requirements are being phased into designated Department of Defense contracts based on current rollout guidance. Validate current contract language to confirm applicability and timing.

  • Phased rollout.

    Level 1 requirements enter contract flow through phased CMMC adoption.

  • Attestation risk managed.

    Attestation ownership, evidence records, and renewal timing explained.

  • Contract ready.

    Relevant when CMMC language appears in a DoD solicitation, prime flow-down, or contract.

The guide provides clear steps for contractors and subcontractors.

What you'll get

Inside the email delivery.

  • Requirements overview.

    The 15 Level 1 practices explained across access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Includes scope notes, implementation notes, and evidence examples.

  • Timeline and cost planning.

    1-2 weeks for initial scope review and gap analysis for a focused environment. 2-6 weeks for smaller Level 1 readiness improvements when Microsoft 365, cloud, and endpoint controls are already mature. 6-12+ weeks for larger environments, missing policies, weak identity controls, or deeper technical remediation. Plus cost estimates, resource requirements, and annual maintenance.

  • Common implementation challenges.

    Common readiness gaps, supplier and subcontractor scoping questions, self-assessment ownership, evidence records, and renewal checkpoints.

  • Implementation roadmap.

    Action plan with practical milestones, operating habits for maintaining evidence, the business case for early preparation, and the value of knowing your scope before a solicitation deadline.

Applicability

CMMC applies when DoD contract language requires it.

Any Canadian organization awarded a designated DoD contract that handles Federal Contract Information may need CMMC Level 1 when the clause is present. That includes subcontractors and service partners. The guide covers the scoping questions to ask before annual affirmation.

Readiness consulting

Want help applying the guide to your environment?

If CMMC is tied to an active opportunity, renewal, or supplier questionnaire, Pilotcore can help translate the guide into a practical readiness plan for your systems, team, and timeline.

  • scope and applicability review
  • FAR 52.204-21 gap analysis
  • remediation roadmap
  • evidence planning notes
  • technical safeguard recommendations
  • control and evidence review before self-attestation or assessment

Comparing programs? Read CMMC vs CPCSC.

Frequently asked

CMMC Level 1 questions.

What is CMMC Level 1?

CMMC Level 1 is the entry-level CMMC status for contractors that handle Federal Contract Information under applicable DoD contracts, including Canadian suppliers in the U.S. defense supply chain. It maps to 15 safeguarding requirements in FAR 52.204-21 and uses annual self-assessment and affirmation.

Who needs CMMC Level 1?

Canadian organizations that bid on or support DoD contracts may need CMMC Level 1 when they handle Federal Contract Information and the solicitation or contract names the requirement. Subcontractors should check prime flow-down language.

Is this guide official government guidance?

No. The guide is practical readiness guidance from Pilotcore. Use it alongside current DoD, CMMC Program, FAR, SPRS, and solicitation-specific guidance.

Can Pilotcore certify my company for CMMC?

No. Pilotcore provides readiness, implementation, and evidence-preparation support. We are not a C3PAO and do not issue official CMMC certifications. That separation matters: the assessor must remain independent from the team that prepared your controls and evidence.

Can SOC 2, ISO 27001, or NIST 800-171 work help with CMMC?

Often, yes. Existing controls and documentation can reduce the effort, but they still need to be mapped to CMMC Level 1, FAR 52.204-21, and the actual contract scope.