Are you a contractor that bids on U.S. Department of Defense projects? You’re probably familiar with the rollout of the new Cybersecurity Maturity Model Certification (CMMC) requirements. These guidelines mandate that organizations must implement more stringent cybersecurity practices when safeguarding sensitive data. A certified third-party assessor organization (C3PAO) must conduct an audit to verify compliance. 
The new CMMC framework includes a series of five hierarchal levels to assess a company’s cybersecurity “maturity.” Every organization that wants to bid on DoD contracts must meet the minimum requirements for the level stipulated in the DoD contract. A C3PAO audit determines whether the contractor satisfies the standards. 

CMMC Level 1 Requirements

Level 1 represents the basic cybersecurity hygiene practices for Defense Industrial Base (DIB) companies. The primary focus at this phase is safeguarding Federal Contract Information (FCI). In essence, this level establishes a solid security foundation for the other four steps in the hierarchy, and all organizations must comply with the certification requirements. 

CMMC Level 1 Practices

This level requires organizations to engage in a set of 17 practices that fall under six domains:

search icon

1. Access Control:

This area applies to implementing appropriate CMMC controls regarding limiting system and information access to authorized users and verifying and controlling connections to external information systems.

consultant icon

2. Identification and Authentication:

This practice addresses the identification of information system users and authenticating users, processes and devices.

handshake icon

3. Media Protection:

This practice pertains to the sanitization and destruction of media containing FCI before disposing of it or releasing it for reuse.


consultant icon

4. Physical Protection:

CMMC Level 1 requires implementing practices to limit physical access to information systems and equipment. It also covers monitoring visitor activity, maintaining audit logs and managing physical access devices.

search icon

5. System and Communications Protection:

This practice covers monitoring, controlling and protecting organizational communications and implementing subnetworks for system components physically separated from internal networks.

handshake icon

6. System and Information Integrity:

This practice addresses the timeliness of correcting system flaws, providing adequate protection from malicious coding and performing periodic scans of files from external sources.

Getting Help With Level 1 Compliance

Although these requirements are less stringent than those for higher levels in the hierarchy, many companies don’t know where they stand and may fall short in one or several areas. Working with a capable CMMC advisory service is crucial for ensuring compliance and meeting the new guidelines. 

Contact Us Today