CMMC Level 1 applies to Defense Industrial Base companies that handle only Federal Contract Information (FCI) and not Controlled Unclassified Information (CUI).

What is Federal Contract Information (FCI)?

Federal contract information, from 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD) or created under a contract to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that’s provided by the DoD to the public (e.g., on public websites) or simple transactional information (e.g., information to process payments).

CMMC Level 1 Requirements

Level 1 represents the 17 “Foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Level 1 will be required for anyone who obtains a DoD contract but does not solely produce Commercial Off-the-Shelf (COTS) products. The vast majority of DoD contracts will require this level of compliance.

Under CMMC 2.0 Compliance Level 1, no certification assessment by a third party will be required, as this level does not involve sensitive national security information. Instead, the contractor will be required to conduct a self-assessment on an annual basis. These annual self-assessments will have to be accompanied by an affirmation from a senior company official that the company is meeting requirements; that official will be liable under the False Claims Act.

CMMC Level 1 Practices

Level 1 requires organizations to engage in a set of 17 practices from NIST 800-171.

Based on Existing Regulations

Based on the 17 controls found in FAR 52.204-21.

Federal Contract Information (FCI)

Required for any contractor that handles FCI.

Self-Assessment

Submission of annual self-assessment required.