Free Reference · Print & Post

5 Quick Habits: CMMC Level 1 at a Glance

Five habits that cover all 15 CMMC Level 1 practices — in plain English, no IT background needed. Print it, post it in your office, and use it as a daily compliance reminder.

📋 Habit 1
The Master List
Know who and what belongs on your systems
  • Every employee has their own unique login — no shared accounts
  • Every company device is listed by serial number
  • Update the list the same day someone joins or leaves
  • Only company-owned devices connect to work systems
🌐 Habit 2
The Secure Network
Control what comes in and out of your internet connection
  • Router security features turned on
  • Separate internet connections for staff and guests
  • Built-in computer protection active on all devices
  • No open or unprotected internet connections
🔐 Habit 3
One Person, One Login
Verify who accesses your systems every single time
  • Strong, unique password for every employee
  • Two-step login turned on for all online accounts
  • Computer locks automatically when left idle
  • Default router passwords changed immediately
🔄 Habit 4
The Weekly Routine
Keep every device safe, current, and protected
  • Automatic updates turned on for all devices
  • Weekly scheduled security scan on all computers
  • Router checked monthly for software updates
  • Maintenance log kept to show the routine is followed
🔒 Habit 5
Lock, Log, Wipe
Protect the physical space and dispose of devices safely
  • Work areas locked when unoccupied
  • Visitor sign-in sheet used for every non-employee visit
  • Network equipment secured in a locked location
  • Devices wiped or destroyed before disposal
All 15 Requirements at a Glance
FAR 52.204-21 · CMMC Level 1 · 6 Domains
Practices 1–5 · Who Can Access
Practice 1
Limit who can log in
Keep a list of authorized employees and devices. Turn off access the day someone leaves.
Practice 2
Limit what each person can do
Regular employees get limited access. Only the manager has full control of the computer.
Practice 3
Control outside connections
Company work on company devices only. No personal computers, personal email, or coffee shop internet.
Practice 4
Control your public website
Know who posts online. Review before publishing. Remove sensitive content immediately.
Practice 5
Give everything a unique identity
Every person, device, and program has a unique name. Nothing anonymous on your network.
Practices 6–10 · Identity, Security & Network
Practice 6
Require proof before granting access
Unique passwords for every person. Two-step login on all online accounts. No factory-default passwords.
Practice 7
Wipe devices before disposal
Perform a full factory reset before reassigning. Use certified data destruction before throwing away.
Practice 8
Lock your physical workspace
Work areas locked when empty. Network equipment in a secured location. Screen locked when away from desk.
Practice 9
Manage visitors and keys
Sign-in sheet at the entrance. Escort all visitors. Track every key and access card.
Practice 10
Secure your network boundary
Router security turned on. Guest network separate from staff network. Computer protection active.
Practices 11–15 · Devices, Updates & Scanning
Practice 11
Separate public from internal systems
Your website is externally hosted. Guests on their own separate internet connection.
Practice 12
Fix known software problems promptly
Automatic updates on. Weekly check that all devices are current. Log every update cycle.
Practice 13
Run protection software on every device
Active security software on every computer, phone, and tablet that handles contract work.
Practice 14
Keep protection software current
Automatic updates on for security software. Stale protection is the same as no protection.
Practice 15
Scan regularly and check every file
Weekly scheduled full scan. Live scanning on for all incoming files, emails, and USB drives.
Need help getting compliant?
PCC gives subs a plain-English path to CMMC Level 1.

The 15 practices are straightforward — but knowing which ones you've already met, which have gaps, and how to document everything for your SPRS submission is where most subs get stuck. PCC handles all of it.