CMMC Level 1


CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

For DIB companies that only handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI), the compliance target is the 17 “Foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

CMMC Level 1 Requirements

Level 1 represents the basic cybersecurity hygiene practices for Defense Industrial Base (DIB) companies. The primary focus at this phase is safeguarding Federal Contract Information (FCI). In essence, this level establishes a solid security foundation for the other four steps in the hierarchy, and all organizations must comply with the certification requirements.

CMMC Level 1 Practices

Level 1 requires organizations to engage in a set of 17 practices from NIST 800-171.

search icon

Based on Existing Regulations

Based on the 17 controls found in FAR 52.204-21.

consultant icon

Federal Contract Information (FCI)

Required for any contractor that handles FCI.

handshake icon


Submission of annual self-assessment required.