
CMMC Level 1 Website Security: What Assessors Actually Check

March 2025 · 8 min read · CertusAudit

The Cybersecurity Maturity Model Certification (CMMC) final rule went live November 10, 2025. Every DoD contractor that handles Federal Contract Information (FCI) now needs Level 1 certification. Level 2 certification — for contractors handling Controlled Unclassified Information (CUI) — requires third-party assessment.

Here's what many contractors miss: assessors evaluate the totality of your IT hygiene, and your public-facing website is part of that picture.

CMMC Level 1: The 15 Controls

Level 1 self-attestation covers 15 basic safeguarding requirements drawn from FAR 52.204-21. These apply to any contractor handling FCI — which includes most DoD prime and subcontractors. The controls cover access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

Your public website is technically out of scope for CMMC — by definition, publicly disclosed information is excluded. However, your website hosting environment, DNS, email, and any web-based portals used to exchange data with the government are in scope.

What CMMC Assessors Look At on Your Website

During Level 2 pre-assessment interviews and document reviews, C3PAOs (CMMC Third-Party Assessment Organizations) commonly ask about:

HTTPS and TLS configuration

Is HTTPS enforced across your entire domain? Is the certificate current and properly configured? Expired or misconfigured TLS is a documented IT hygiene red flag. NIST SP 800-52 Rev 2 guidance applies. Assessors will note contractors who cannot maintain basic certificate hygiene as indicators of broader IT management weakness.

HTTP Strict Transport Security (HSTS)

Does your site enforce HTTPS via the HSTS header? Without it, SSL-strip attacks can silently redirect users to unencrypted connections. CISA BOD 18-01 mandated HSTS for federal agencies. CMMC assessors look for whether contractor IT teams understand and implement these controls.

Content Security Policy (CSP)

A missing CSP header is noted in CMMC Level 2 assessments under NIST SP 800-53 SC-18 (Mobile Code). It signals that the contractor's IT team may not be implementing basic script execution controls — a concern that maps to AC.1.001 (Limit system access to authorized users).

Third-party script exposure

EO 14028 (Improving the Nation's Cybersecurity) and NIST SP 800-161 address software supply chain risk. CMMC Level 2 control SR.3.169 requires organizations to assess supply chain risks of third-party components. An excessive number of unaudited third-party scripts on your public website is documented in assessor notes as a supply chain hygiene concern.

WordPress and CMS hygiene

WordPress sites with numerous plugins and no Subresource Integrity (SRI) hashes are a specific concern. Compromised WordPress plugins are one of the most common vectors for website compromise. Assessors ask whether contractors maintain patch discipline on all internet-facing systems — and your CMS is one of them.

The CMMC Website Security Checklist

  • ✓ HTTPS enforced on all pages (no HTTP fallback)
  • ✓ TLS certificate current and properly configured (TLS 1.2 minimum, TLS 1.3 preferred)
  • ✓ HSTS header present: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • ✓ Content Security Policy header present
  • ✓ X-Frame-Options: SAMEORIGIN (prevents clickjacking)
  • ✓ X-Content-Type-Options: nosniff
  • ✓ No mixed content (all resources loaded over HTTPS)
  • ✓ Third-party scripts audited and minimized
  • ✓ SRI hashes on externally loaded scripts where possible
  • ✓ CMS (WordPress etc.) fully patched, unused plugins removed
  • ✓ Privacy policy published (OMB M-03-22 requirement)
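One way to check a response's headers against the checklist above, as an added example (not CertusAudit's scanner or any project's code): the two header sets are constructed, and the thresholds (one-year HSTS max-age with includeSubDomains, SAMEORIGIN or DENY for framing, nosniff) are taken from the list.

```python
# Minimum HSTS max-age from the checklist: one year, in seconds.
HSTS_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def check_headers(headers):
    """Return a list of findings for one response's headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age, subdomains = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header missing")
    if h.get("x-frame-options", "").strip().upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options not SAMEORIGIN or DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    return findings

# Constructed sample responses: a weak header set and a hardened one.
WEAK = {"Server": "nginx", "Strict-Transport-Security": "max-age=300"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or ["no findings"])
```

Only the header side of the checklist is covered here; TLS version, mixed content and CMS patch state need separate checks.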

CMMC Timeline and What's Coming

The DFARS CMMC clause (252.204-7021) became effective November 10, 2025. Full implementation for all DoD contracts is phased through November 2028. By 2028, every DoD contractor at any tier must have the appropriate CMMC certification for their contract. Level 1 self-attestations must be renewed annually. Level 2 certifications are valid for three years.

The DoD has been clear: contractors who cannot demonstrate basic IT hygiene — including controls visible in their internet-facing infrastructure — will not survive the assessment process.

Check your website's CMMC hygiene signals now

CertusAudit scans your security headers, TLS configuration, and supply chain signals. Free federal readiness score in 60 seconds.
