CMMC Level 1 is the lowest level of security controls required for a defense contractor to earn Cybersecurity Maturity Model Certification. This is considered the basic cybersecurity hygiene needed to safeguard Federal Contract Information (FCI). 

What is Federal Contract Information (FCI)?

Federal Contract Information, from 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD), or created under a contract, to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that’s provided by the DoD to the public (e.g., on public websites), or simple transactional information (e.g., information to process payments).

Talk to an Expert


CMMC Level 1 Practices

CMMC Level 1 requires organizations to engage in a set of 17 practices from NIST 800-171.

search icon

Based on Existing Regulations

Based on the 17 controls found in FAR 52.204-21.

consultant icon

Federal Contract Information (FCI)

Required for any contractor that handles FCI.

handshake icon


Submission of an annual self-assessment is required.

CMMC Level 1 Requirements

CMMC Level 1 represents the 17 “foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. CMMC Level 1 will be required for anyone who obtains a DoD contract but does not produce solely Commercial Off the Shelf (COTS) products. The vast majority of DOD contracts will require this level of compliance. 

There are 17 controls that must be met to achieve CMMC Level 1, all of which are mapped directly to the Federal Acquisition Regulation (FAR) 52.204.21.

CMMC Level 1 Practices

Here is how the 17 controls are broken down:

Access Control (AC)
  • 1.001 – Limit information system access to authorized users, process acting on behalf of authorized users, or devices (including other information systems)
  • 1.002 – Limit information system access to the types of transactions and functions that authorized uses are permitted to execute
  • 1.003 – Verify and control/limit connections to and use of external information systems
  • 1.004 – Control information posted or processed on publicly accessible information systems
Identification and Authentication (IA)
  • 1.076 – Identify information system users, processes acting on behalf of users, or devices
  • 1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
Media Protection (MP)
  • 1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Physical Protection (PP)
  • 1.131 – Limit physical access to organization information systems, equipment, and the respective operating environments to authorized individuals
  • 1.132 – Escort visitors and monitor visitor activity
  • 1.133 – Maintain audit logs of physical access devices
  • 1.134 – Control and manage physical access devices
System and Communications Protection (SC)
  • 1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
  • 1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity (SI)
  • 1.210 – Identify, report, and correct information and information system flaws in a timely manner
  • 1.211 – Provide protection from malicious code at appropriate locations within organizational information systems
  • 1.212 – Update malicious code protection mechanisms when new releases are available
  • 1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

CMMC Level 1 FAQs

Please note that this FAQ is a summary and should be used in conjunction with the
official CMMC documentation for precise guidance and compliance instructions.

1. What is CMMC Level 1 and why is it important?

CMMC Level 1, part of the Cybersecurity Maturity Model Certification (CMMC) framework, focuses on the protection of Federal Contract Information (FCI). It is crucial for contractors working with the Department of Defense (DoD) as it verifies their compliance with basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. Compliance with CMMC Level 1 demonstrates a contractor’s commitment to securing sensitive government information.

2. Who should perform a CMMC Level 1 assessment?

Contractors that handle FCI and work with the DoD should perform a CMMC Level 1 assessment. This includes both prime contractors and subcontractors. It’s essential for ensuring the security of sensitive government data. Explore all levels to the CMMC certification process.

3. What does the self-assessment process involve?

The self-assessment process entails a contractor assessing its own adherence to the CMMC Level 1 practices. This includes reviewing and examining various aspects of their security measures, from policies and procedures to hardware and software safeguards.

4. Can a third party assist with the self-assessment?

Yes, contractors can choose to engage a third party to assist with their Level 1 self-assessment. However, it’s important to note that even with third-party assistance, the assessment remains a self-assessment, and it does not result in certification.

5. How often should a Level 1 self-assessment be conducted?

A Level 1 self-assessment should be conducted annually. This ensures that the contractor continually meets the basic safeguarding requirements for FCI as specified in FAR Clause 52.204-21.

6. What is the purpose of documenting compliance in the Supplier Performance Risk System (SPRS)?

Documenting compliance in SPRS, with an accompanying senior company official affirmation, affirms that a contractor is meeting all the basic safeguarding requirements for FCI. This documentation instills confidence in government sponsors and prime contractors when considering subcontractors.

7. Are there specific criteria and methodologies for the assessment?

Yes, the CMMC Self-Assessment Guide provides specific criteria and methodologies for each practice. The assessment methods include examination, interviews, and testing. These methods are used to determine if a contractor meets the intent of the Level 1 practices.

8. Are CMMC Level 1 practices applicable to contractors of all sizes?

Yes, the CMMC Level 1 practices apply to contractors of all sizes, whether they are small, medium, or large. The CMMC self-assessment methodology is designed to be equally applicable to all contractors.

9. How can a contractor determine the scope of the self-assessment?

Before conducting a CMMC self-assessment, the contractor must specify the CMMC Self-Assessment Scope. For Level 1, the assets that process, store, or transmit FCI are considered in scope and should be assessed against the Level 1 practices. The CMMC Self-Assessment Scope document provides additional information.

10. Are there specific terms used in the CMMC framework that contractors should be aware of?

Yes, the CMMC framework has specific terms that align with its practices. Understanding these terms is essential for interpreting the Level 1 practices accurately. Some of these terms include “Asset,” “Component,” “Information System (IS),” and “Monitor.”

11. Where can I find additional guidance on the CMMC framework and assessment process?

The CMMC Self-Assessment Guide – Level 1 provides detailed guidance on the CMMC framework and the Level 1 assessment process. Contractors should refer to this document for a comprehensive understanding of their responsibilities and requirements for CMMC Level 1 compliance.

CMMC Level 1 and Self-Assessment

Under CMMC 2.0 Compliance CMMC Level 1 there will be no certification assessment by a third party required as this level does not involve sensitive national security information. Instead, the contractor will be required to conduct a self-assessment on an annual basis. These annual self assessments will have to be accompanied by an affirmation from a senior company official that the company is meeting requirements and who will be liable under the False Claims Act.