← Custodia

CMMC Level 1 for Remote Work: Home Offices, Laptops, and FCI

How CMMC Level 1 works for remote teams and home offices: what is in scope, how to handle personal devices, visitor logs, home Wi-Fi, paper FCI, and evidence.

By David Fuentes· Compliance Officer, CustodiaJune 17, 20268 min read

CMMC Level 1 was written broadly enough to cover a machine shop, a construction trailer, a cloud-only software firm, or a three-person remote consultancy. Remote work is not the problem. Unclear scope is the problem.

The short answer

  • Remote work is allowed at Level 1 if the systems that touch FCI meet the 15 safeguarding requirements.
  • A remote employee's device is in scope when it reads, stores, syncs, prints, or sends FCI.
  • A fully remote company may mark some facility-specific items NOT APPLICABLE, but only with a documented reason.
  • The cleanest remote setup is company-managed laptop, company email, MFA, no local FCI storage unless needed, and no personal cloud storage.

What is in scope

The DoD CMMC Level 1 Scoping Guide says assets are in scope when they process, store, or transmit FCI. For remote work, translate that into five questions:

  1. Can this person open an FCI email?
  2. Can this device download or sync an FCI file?
  3. Can this application store contract schedules, drawings, or task orders?
  4. Can this printer or scanner handle paper FCI?
  5. Can this cloud service move FCI from one person to another?

Every yes belongs in the boundary. Every no can usually stay outside it.

Home-office controls

Remote-work areaLevel 1 expectationEvidence to keep
Laptop or desktopNamed user, screen lock, patching, malware protection, and no shared account.Device inventory, update screenshot, AV screenshot, user assignment.
Email and file storageCompany tenant, MFA, named users, no public links to FCI folders.MFA screenshot, user export, folder permissions screenshot.
Home Wi-FiModern encryption, non-default router password, work device separated from casual guest use.Remote-work policy and employee attestation.
PrintingAvoid printing FCI when possible; if printed, store it securely and shred it.Paper FCI rule, locked storage note, shredding log.
Remote accessNo exposed RDP. Use VPN, secure cloud access, or managed remote access with MFA.VPN/MFA screenshot or remote-access policy.

Personal devices

Level 1 does not use the phrase "bring your own device," but the requirements still apply. If a personal laptop touches FCI, you need to show the same things you would show on a company laptop: identity, authentication, access control, patching, malware protection, scanning, and a way to remove FCI when access ends.

If you allow personal devices, write the rule down: which devices are approved, what settings are required, whether local downloads are allowed, and what happens when a person leaves the contract. If your team runs on Microsoft 365, the Microsoft 365 setup checklist maps each setting to a Level 1 requirement.

Visitor logs and physical access

A fully remote company may not have a company office, server room, or front desk. That does not mean the physical-protection requirements vanish. It means you document what is not applicable and still protect the physical things that do exist: laptops, phones, paper FCI, removable media, and printers.

  • No office? Document that visitor logging for a company facility is NOT APPLICABLE.
  • Paper FCI at home? Store it in a drawer or cabinet and shred it when no longer needed.
  • Shared household? Require screen lock and do not leave FCI visible on a kitchen table or shared printer tray.
  • Company laptop? Offboard it like an asset: recover, wipe, or remove access.

Remote-work evidence checklist

  1. Remote-work policy covering FCI, personal devices, printing, and home Wi-Fi.
  2. Device inventory with owner, operating system, and whether it touches FCI.
  3. MFA screenshot for the company tenant and remote-access tools.
  4. FCI folder permissions screenshot.
  5. Patch and antivirus status screenshot for each in-scope device type.
  6. Paper FCI and media disposal rule with a simple disposal log.
  7. NOT APPLICABLE note for any facility requirement that truly does not apply.

Primary sources

FAQ

Can a remote company meet CMMC Level 1?

Yes. CMMC Level 1 does not require a traditional office. A remote company can meet Level 1 by scoping the systems that process, store, or transmit FCI and implementing the 15 FAR 52.204-21 requirements for those systems, people, devices, and any relevant home-office processes.

Are home laptops in CMMC Level 1 scope?

A home laptop is in scope if it processes, stores, or transmits FCI. If the laptop can read FCI email, download FCI files, sync a folder containing FCI, or print FCI, it should be treated as an in-scope asset and protected accordingly.

Can employees use personal devices for CMMC Level 1 work?

Personal devices are risky but not automatically forbidden by Level 1. If a personal device touches FCI, the company still needs to control access, identify the device, authenticate users, protect against malware, patch it, and manage disposal or data removal. Many small contractors choose company-managed devices because the evidence is cleaner.

How do visitor logs work for a fully remote company?

If there is no company facility where FCI systems or paper FCI are stored, visitor logging for that facility may be NOT APPLICABLE with a documented reason. Home offices still need sensible physical protection for company laptops and paper FCI, such as screen locks and locked storage.

Does home Wi-Fi need to be in the CMMC Level 1 scope?

Home Wi-Fi is part of the environment used to transmit FCI when employees work remotely. For Level 1, use practical controls: WPA2 or WPA3, a non-default router password, no shared guest access to work devices, and VPN or secure cloud access where appropriate.

Keep reading
  1. CUI
    Do You Actually Handle CUI? A 5-Minute Self-Check (2026)

    Most small contractors assume they handle CUI and over-scope, or assume they do not and under-comply. Here is the honest 5-minute check that settles it, and decides your CMMC level.

    Read →
  2. CMMC Level 1
    What Is FCI? The 90-Second Definition That Decides Your CMMC Level (2026)

    FCI is the routine non-public information you handle under a federal contract. It's what triggers CMMC Level 1, and it's almost certainly already in your inbox.

    Read →
  3. CMMC Level 1
    CMMC Level 1 Scoping, How to Draw the Boundary (Free Worksheet), 2026

    Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.

    Read →
Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)