Subcontractor Risk Check
Free · 3 Minutes · No Login Required

Will Your CMMC Self-Assessment Hold Up
When Your Prime
Asks For Proof?

CMMC Level 1 has 15 practices your business must meet — and your prime contractor is required to verify them. 10 questions show you exactly where you stand and what could cost you the contract.

10 Questions
3 min To complete
15 Required practices
🎁 Bonus: Get our 5 Quick Habits Cheat Sheet at the end — a one-page reference to print and post in your office to stay compliant year-round.
Shared logins
No SSP on file
Outdated antivirus
Unsecured devices
Expired SPRS score
Question 1 of 10
Who Can Use Your Systems
Where You Stand
Get compliant — without hiring an IT consultant.

PCC Self-Service Compliance gives small subs everything you need to pass CMMC Level 1: a guided self-assessment, plain-English documentation, an auto-generated System Security Plan, and SPRS submission guidance — built for trade subs in Hawaii, Guam, and CNMI.

First — check with your prime. If your prime contractor already runs a PCC compliance program, your access is included at no cost. Ask them before reaching out.
Plain-English self-assessment
Auto-generated SSP
SPRS submission guidance
Pacific-region support
Or email us directly: matt@pacificcybercompliance.com  ·  pacificcybercompliance.com
Free Reference · Print & Post
5 Quick Habits — CMMC Level 1
at a Glance
Five habits. 15 requirements. Print this and post it where your team works — it's the same checklist your prime contractor will use to verify you.
📋 Habit 1
The Master List
Know who and what belongs on your systems
  • Every employee has their own unique login — no shared accounts
  • Every company device is listed by serial number
  • Update the list the same day someone joins or leaves
  • Only company-owned devices connect to work systems
🔒 Habit 2
The Secure Network
Control what comes in and out of your internet
  • Router security features turned on
  • Separate internet connections for staff and guests
  • Built-in computer protection active on all devices
  • No open or unprotected internet connections
👤 Habit 3
One Person, One Login
Verify who accesses your systems every time
  • Strong, unique password for every employee
  • Two-step login on all online accounts
  • Computer locks automatically when left idle
  • Default router passwords changed immediately
⚙️ Habit 4
The Weekly Routine
Keep every device safe, current, and protected
  • Automatic updates turned on for all devices
  • Weekly scheduled security scan on all computers
  • Router checked monthly for software updates
  • Maintenance log kept to show the routine is followed
🏢 Habit 5
Lock, Log, Wipe
Protect the physical space and dispose safely
  • Work areas locked when unoccupied
  • Visitor sign-in sheet for every non-employee visit
  • Network equipment secured in a locked location
  • Devices wiped or destroyed before disposal
All 15 Requirements at a Glance
Practices 1–5 · Who Can Access
1.Limit who can log in
Keep a list of authorized employees and devices. Turn off access the day someone leaves.
2.Limit what each person can do
Regular employees get limited access. Only the manager has full control of the computer.
3.Control outside connections
Company work on company devices only. No personal computers, personal email, or coffee shop internet.
4.Control your public website
Know who posts online. Review before publishing. Remove sensitive content immediately.
5.Give everything a unique identity
Every person, device, and program has a unique name. Nothing anonymous on your network.
Practices 6–10 · Identity, Security & Network
6.Require proof before granting access
Unique passwords for every person. Two-step login on all online accounts. No factory-default passwords.
7.Wipe devices before disposal
Perform a full factory reset before reassigning. Use certified data destruction before throwing away.
8.Lock your physical workspace
Work areas locked when empty. Network equipment in a secured location. Screen locked when away from desk.
9.Manage visitors and keys
Sign-in sheet at the entrance. Escort all visitors. Track every key and access card.
10.Secure your network boundary
Router security turned on. Guest network separate from staff network. Computer protection active.
Practices 11–15 · Devices, Updates & Scanning
11.Separate public from internal systems
Your website is externally hosted. Guests on their own separate internet connection.
12.Fix known software problems promptly
Automatic updates on. Weekly check that all devices are current. Log every update cycle.
13.Run protection software on every device
Active security software on every computer, phone, and tablet that handles contract work.
14.Keep protection software current
Automatic updates on for security software. Stale protection is the same as no protection.
15.Scan regularly and check every file
Weekly scheduled full scan. Live scanning on for all incoming files, emails, and USB drives.

This sheet shows you what good looks like. It doesn't walk you through how to actually build your System Security Plan, calculate your SPRS score, or produce the evidence packet your prime contractor expects. That's what PCC Self-Service Compliance is for.