CMMC Level 1
CMMC Level 1 applies to Defense Industrial Base companies that handle only Federal Contract Information (FCI) and not Controlled Unclassified Information (CUI).
What is Federal Contract Information (FCI)?
Federal contract information, from 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD) or created under a contract to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that’s provided by the DoD to the public (e.g., on public websites) or simple transactional information (e.g., information to process payments).
CMMC Level 1 Requirements
Level 1 represents the 17 “Foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Level 1 will be required for anyone who obtains a DoD contract, except those who produce solely Commercial Off the Shelf (COTS) products. The vast majority of DoD contracts will require this level of compliance.
Under CMMC 2.0 Level 1, no certification assessment by a third party will be required, as this level does not involve sensitive national security information. Instead, the contractor will be required to conduct a self-assessment on an annual basis. These annual self-assessments will have to be accompanied by an affirmation that the company is meeting requirements, made by a senior company official who will be liable under the False Claims Act.
CMMC Level 1 Practices
Level 1 requires organizations to engage in a set of 17 practices from NIST 800-171.
Based on Existing Regulations
Based on the 17 controls found in FAR 52.204-21.
Federal Contract Information (FCI)
Required for any contractor that handles FCI.
Submission of annual self-assessment required.