CMMC 2.0 Level 1 Self Assessment Questionnaire

Carbide

Assess Your Readiness for CMMC 2.0 Level 1 Compliance

Are you prepared to meet the Department of Defense’s (DoD) requirements for protecting Federal Contract Information (FCI)?

Carbide’s CMMC 2.0 Level 1 Self-Assessment Questionnaire is designed to help you evaluate your organization’s current security posture and identify areas for improvement.

With this assessment, you’ll:

Gauge your compliance with the foundational controls required by CMMC 2.0 Level 1.
Identify gaps that may put your DoD contracts at risk.
Gain clarity on next steps to strengthen your security and align with federal standards.

Start your compliance journey with confidence. Complete the assessment today and we’ll send you a report that assesses your readiness for CMMC 2.0 Level 1 compliance.

Access Control (AC)

1. Do you restrict access to your information systems to only authorized users, processes, and devices?(Required)

Yes, access is fully restricted to authorized users/devices.

Partially restricted; some gaps exist in access control.

No formal access control measures are in place.

2. How do you limit information system access to authorized users?(Required)

Access is controlled using role-based permissions and regularly audited.

Access is partially controlled but not regularly reviewed.

Access is open or inconsistent.

3. Do you control and monitor access between your system and external systems?(Required)

Yes, all external connections are monitored and approved.

Partially; some external connections are not monitored.

No monitoring or control of external connections.

Identification and Authentication (IA)

4. Do you require users to authenticate their identities before accessing systems?(Required)

Yes, strong authentication (e.g., unique usernames and passwords, MFA).

Authentication is in place but not consistently applied.

No formal authentication process is used.

Media Protection (MP)

5. Do you sanitize or destroy physical and digital media containing Federal Contract Information (FCI) before disposal or reuse?(Required)

Yes, all media is sanitized or destroyed per policy.

Partial sanitization/destruction, with some gaps.

No formal process for sanitizing or destroying media.

Physical Protection (PE)

6. Do you limit physical access to your information systems and environments to authorized individuals?(Required)

Yes, physical access is strictly controlled (e.g., locks, badges).

Partially controlled, with some unauthorized access risks.

No physical access controls are in place.

System and Communications Protection (SC)

7. Do you use cryptography to protect information during transmission?(Required)

Yes, cryptographic methods (e.g., TLS, VPN) are in place for all transmissions.

Partially; some transmissions are encrypted.

No encryption is used for data in transit.

8. Do you have network rules that deny all traffic by default and allow only approved traffic?(Required)

Yes, deny-all/allow-by-exception rules are fully implemented.

Partially; some network rules are permissive.

No deny-all/allow-by-exception rules are applied.

9. Do you control the use of external systems (e.g., personal devices, external cloud services)?(Required)

Yes, external systems are reviewed and authorized.

Partially; some external systems are used without controls.

No restrictions or controls are in place for external systems.

System and Information Integrity (SI)

10. Do you regularly identify and patch system vulnerabilities?(Required)

Yes, vulnerabilities are identified, tracked, and patched promptly.

Partially; some vulnerabilities are not addressed.

No formal process for identifying or patching vulnerabilities.

11. Do you protect your systems against malicious code (e.g., antivirus, endpoint protection)?(Required)

Yes, with automated and updated protections in place.

Partially; protections are outdated or inconsistently applied.

No protections against malicious code are in place.

12. Do you monitor your system for security events (e.g., logging, alerts)?(Required)

Yes, real-time monitoring and alerts are in place.

Partially; some monitoring is performed but not comprehensive.

No monitoring of security events is performed.

Awareness and Training (AT)

13. Do you provide training for users about cybersecurity risks and their responsibilities?(Required)

Yes, comprehensive and regular training is provided.

Partial; training is irregular or incomplete.

No cybersecurity training is provided.

Configuration Management (CM)

14. Do you establish and enforce secure configuration settings for your systems?(Required)

Yes, secure configurations are enforced and documented.

Partial; some systems lack secure configurations.

No secure configurations are in place.

Incident Response (IR)

15. Do you have a process to identify and report cybersecurity incidents?(Required)

Yes, incidents are identified, reported, and documented.

Partially; some incidents are not identified or reported.

No incident response process is in place.

Maintenance (MA)

16. Do you perform and document regular maintenance of your systems?(Required)

Yes, maintenance is documented and scheduled.

Partially; maintenance is ad hoc or undocumented.

No regular maintenance is performed.

Personnel Security (PS)

17. Do you perform personnel screening (e.g., background checks) for individuals with access to FCI?(Required)

Yes, all personnel are screened according to policy.

Partially; some personnel are not screened.

No personnel screening is performed.

Please fill out the following to get your report.

Name(Required)

First Last

Email Address(Required)

Company(Required)

By submitting this request you consent to receive emails from Carbide. You can opt-out from receiving emails at any time.

Stay up-to-date on all things Carbide

Get expert security & privacy guidance delivered straight to your inbox.

Email(Required)

Signup Consent(Required)

Subscribe and stay informed.(Required)

CAPTCHA

Name

This field is for validation purposes and should be left unchanged.

What We Do

Platform
Trust Center
Cloud Monitoring
Integrations
Penetration Testing

Frameworks

CCPA
CCCS
CMMC
FedRAMP
GDPR
HIPAA
ISO 27001
NIST 800-53
NIST 800-171
PCI DSS
PIPEDA
SOC 2

Resources

All Resources
Case Studies
Blog
Videos
eBooks
News
Glossary

Company

About Carbide
MSP Partners
Customers
Careers
Contact

•Privacy Notice
•Terms of Service