CMMC Level 1 for Small Business: How I Helped a Landscaping Company Answer a Bid Question Before End of Day
- Shay


A text came in last Friday afternoon. It was a client of mine who runs a small landscaping company, and attached to the message was a screenshot.
The screenshot was a question from a company she wanted to do work for. It asked, plainly: are you CMMC Level 1, Level 2, or Level 3?
She had no idea what any of that meant. And her bid was due by end of day.
So she did the smart thing. She texted the person who handles her tech and asked me to help her figure it out fast.
First Question: Where Is This Coming From?
Before I told her anything, I needed to know one thing. Was this question coming from a prime contractor?
That word didn't mean anything to her either, which is completely normal. Most small business owners have never had a reason to learn it. A prime is the company that holds the actual contract with the government. When a prime hires smaller companies to do pieces of the work, those smaller companies are subcontractors. And the security rules the prime has to follow get pushed down to everyone they hire. That's called flow-down.
She wasn't sure who she'd be working for or where the question originated. That's fine. We didn't need to solve the whole puzzle by 5 p.m. We needed to get her a truthful answer she could put on a bid.
How to Answer a CMMC Question on a Bid When You Have No Idea
Here's what I told her, and it's the same thing I'd tell anyone staring at that question for the first time.
"As it stands right now, you have no CMMC. Nothing's been assessed, nothing's been documented, so there's no level to claim yet."
Then I told her the part that actually mattered for her business. Given the kind of work a landscaping company does, the most I could see her ever needing is CMMC Level 1. She's cutting grass and maintaining grounds, not handling sensitive military data. Level 1 is the floor, and for her, it's very likely the ceiling too.
That's usually the moment the panic drops a notch. The question looks intimidating, but it's really just asking about the most basic tier there is.
What CMMC Level 1 for Small Business Actually Is
CMMC Level 1 is the foundational tier of the Department of Defense's cybersecurity certification program, and it applies to any business that handles basic Federal Contract Information under a government contract. Let me break that down the way I broke it down for her.
CMMC stands for Cybersecurity Maturity Model Certification. It's the DoD's way of making sure the companies in its supply chain are actually protecting government information instead of just promising they are. There are three levels.
Level 1 is the foundational one. It applies to businesses that handle Federal Contract Information, or FCI. That's basic information tied to a government contract that isn't meant for public release. It's not the highly sensitive stuff. Level 1 covers 17 basic safeguarding requirements that come straight from a federal rule called FAR 52.204-21. Things like using strong passwords, running antivirus, controlling who can get into your systems, and keeping people from walking up and using a computer they shouldn't.
Level 2 is for companies handling Controlled Unclassified Information, which is more sensitive. It covers all 110 controls in NIST SP 800-171 and usually requires a third-party assessment, so it's a much bigger project. If that turns out to be where a business lands, I've written about what that takes in my deeper post on CMMC compliance for small government contractors. Level 3 is for the small slice of contractors working on the most critical national security programs. The DoD estimates that's less than one percent of the entire defense base. A landscaping company is not living in Level 3 territory.
Most small businesses and subcontractors land at Level 1. Unless you're handling the sensitive controlled information that triggers Level 2, the basic tier is almost certainly where you sit. So if you're a small shop getting one of these questions for the first time, Level 1 is probably your answer too.
The Part That Matters Most: It's Self-Attested
There's one part of Level 1 I made sure she understood before anything else.
You assess yourself. There's no auditor coming to your office for Level 1. You confirm that you've got the 17 safeguards in place, and then a senior person in the company signs an affirmation saying it's true. That attestation gets submitted into the government's system, called SPRS, the Supplier Performance Risk System, and you renew it every year.
That sounds easy, and the process is. But it also means the responsibility sits squarely on you. When you attest, you are formally stating to the federal government that the answer is true.
So the two things that matter are simple. The answers have to be honest. And you need the documentation to back them up. If you ever get asked to prove it, "trust me, we do that" is not an answer. A written record that shows what you have in place, and when you confirmed it, is the answer.
I told her that's the real work. Not the assessment itself. Making sure everything is actually in place, and documenting all of it so the attestation is something we can stand behind.
"That Sounds Good. What Would It Cost?"
Once it clicked, she asked me to scope out what getting to Level 1 would cost as a project.
That's exactly the right next move, and it's the calm version of where she started the afternoon. She went from "I have no idea what this screenshot means and my bid is due in a few hours" to "okay, I understand where I stand, now help me get there properly." That's the whole job, as far as I'm concerned.
For a business like hers, getting to Level 1 isn't a massive undertaking. We make sure the 17 basic practices are actually running, we close any gaps, and I document everything so the self-attestation holds up. Then she has a real answer the next time a prime asks, and she's not scrambling on a Friday.
Why I'm Writing This Up
Because she is not the only one getting these texts.
CMMC requirements started showing up in real contracts and solicitations in late 2025, and they're being phased in over the next few years. That means more small businesses across Maryland, Northern Virginia, Pennsylvania, and the rest of the DMV are going to open a bid packet, see "CMMC Level 1, 2, or 3?" and have no idea what to do. A lot of them will be tempted to just guess, or claim a level they haven't actually earned, so they don't lose the bid.
Please don't do that. A wrong attestation isn't a small thing. It's a signed statement to the federal government, and certifying controls you don't actually have in place can turn into a False Claims Act problem. Real money, real penalties. Guessing high to win work you're not ready for is how a small company ends up in real trouble.
If you handle any kind of government contract information, even basic FCI, this applies to you. It flows down from the prime to every subcontractor, no matter how small. Being a two-person landscaping crew doesn't make you exempt.
My CMMC and Compliance Services Include
CMMC Level 1 readiness reviews and gap checks
Implementing the 17 basic safeguards Level 1 requires
Documentation and evidence so your self-attestation in SPRS holds up
Help understanding what a prime's flow-down requirements actually mean for you
Microsoft 365 security configuration to support compliance
Ongoing support so you stay compliant year to year, not just at bid time
Frequently Asked Questions
What is CMMC Level 1 for small business?
CMMC Level 1 is the foundational tier of the Department of Defense's cybersecurity certification program. It applies to companies that handle Federal Contract Information (FCI) and covers 17 basic safeguarding requirements from FAR 52.204-21, like using antivirus, requiring strong passwords, and controlling who can access your systems. It's the most common level for small businesses and subcontractors.
How do I answer a CMMC question on a bid if I've never dealt with it?
Don't guess and don't claim a level you haven't verified. If nothing has been assessed, the honest answer is usually that you don't currently have a CMMC level but you're working toward the one your contract requires. Then talk to someone who can help you scope and reach the right level so you have a real answer for the next bid.
Do I really need CMMC if I'm just a small subcontractor?
If you handle federal contract information as part of a Department of Defense contract, yes, it applies to you regardless of your size. The requirement flows down from the prime contractor to subcontractors at every tier. A small landscaping or trades company working on a government job is not automatically exempt.
What's the difference between Level 1, Level 2, and Level 3?
Level 1 is for basic Federal Contract Information and is self-assessed. Level 2 is for more sensitive Controlled Unclassified Information (CUI), covers all 110 NIST SP 800-171 controls, and often requires a third-party assessment. Level 3 is for the most critical national security work and applies to a very small percentage of contractors. Most small businesses fall into Level 1. If you think you might need Level 2, my post on CMMC compliance for small government contractors covers what that involves.
What does "self-attested" mean for CMMC Level 1?
It means no outside auditor checks your work for Level 1. You confirm that you have the required practices in place, and a senior official in your company signs an affirmation stating it's true. That affirmation is submitted annually into the government's SPRS system, which makes honesty and documentation critical.
What happens if I claim a CMMC level I don't actually have?
A CMMC attestation is a formal statement to the federal government. Certifying controls you don't actually have in place can carry serious consequences under the False Claims Act, including financial penalties. It's far safer to find out where you truly stand and get to the right level properly.
What is a prime contractor and why does it matter?
A prime contractor is the company that holds the direct contract with the government. When the prime hires smaller companies to help with the work, the prime's security requirements get passed down to those subcontractors. This is called flow-down, and it's usually how a small business first hears about CMMC.
How long does it take to get to CMMC Level 1?
For a small business with a simple setup, getting to Level 1 is usually a manageable project rather than a months-long overhaul. The work is making sure the 17 required practices are actually in place, closing any gaps, and documenting everything so your self-attestation is something you can defend.
Does using Microsoft 365 make me CMMC compliant?
No. Microsoft 365 gives you tools that can support compliance, but using it doesn't make you compliant on its own. The settings have to be configured correctly and the practices have to actually be in use and documented.
Do I need to renew CMMC Level 1?
Yes. Level 1 requires an annual self-assessment and a yearly affirmation in SPRS that you're still compliant. It isn't a one-time task. You also need to keep records of your assessments in case you're ever asked to show them.
Get Your CMMC Level 1 Answer Before the Next Bid
You shouldn't have to panic over a screenshot on a Friday afternoon. If you've gotten a CMMC question on a bid and you're not sure how to answer it, I can help you figure out where you actually stand and what it takes to get to the right level.
Based in Columbia, MD, I help small businesses across Maryland, Northern Virginia, Pennsylvania, West Virginia, Delaware, and the wider DMV area get CMMC Level 1 ready without the guesswork. If you'd like me to review where your business stands and scope out what compliance would cost, contact me today.