CMMC Level 1 is the lowest level of security controls required for a defense contractor to earn Cybersecurity Maturity Model Certification. This is considered the basic cybersecurity hygiene needed to safeguard Federal Contract Information (FCI).
Federal Contract Information, as defined in 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD), or created under a contract, in order to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that the DoD provides to the public (e.g., on public websites) or simple transactional information (e.g., information needed to process payments).
Certifications
CMMC Level 1 requires organizations to engage in a set of 17 practices from NIST 800-171.
Based on the 17 controls found in FAR 52.204-21.
Required for any contractor that handles FCI.
Submission of an annual self-assessment is required.
CMMC Level 1 comprises the 17 “foundational” controls drawn from FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. It will be required of any contractor that holds a DoD contract and does not produce solely Commercial Off-the-Shelf (COTS) products. The vast majority of DoD contracts will require this level of compliance.
There are 17 controls that must be met to achieve CMMC Level 1, all of which map directly to Federal Acquisition Regulation (FAR) clause 52.204-21.
Here is how the 17 controls are broken down:
Access Control (AC)
Identification and Authentication (IA)
Media Protection (MP)
1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Physical Protection (PP)
System and Communications Protection (SC)
System and Information Integrity (SI)
CMMC Level 1, part of the Cybersecurity Maturity Model Certification (CMMC) framework, focuses on the protection of Federal Contract Information (FCI). It is crucial for contractors working with the Department of Defense (DoD) as it verifies their compliance with basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21. Compliance with CMMC Level 1 demonstrates a contractor’s commitment to securing sensitive government information.
Contractors that handle FCI and work with the DoD, whether as prime contractors or subcontractors, should perform a CMMC Level 1 assessment. It is essential for ensuring the security of sensitive government data.
In the self-assessment process, a contractor evaluates its own adherence to the CMMC Level 1 practices. This means reviewing and examining every aspect of its security measures, from policies and procedures to hardware and software safeguards.
Yes, contractors can choose to engage a third party to assist with their Level 1 self-assessment. However, it’s important to note that even with third-party assistance, the assessment remains a self-assessment, and it does not result in certification.
A Level 1 self-assessment should be conducted annually. This ensures that the contractor continually meets the basic safeguarding requirements for FCI as specified in FAR Clause 52.204-21.
Documenting compliance in the Supplier Performance Risk System (SPRS), together with an affirmation from a senior company official, attests that the contractor is meeting all of the basic safeguarding requirements for FCI. This documentation gives government sponsors and prime contractors confidence when selecting subcontractors.
Yes, the CMMC Self-Assessment Guide provides specific criteria and methodologies for each practice. The assessment methods include examination, interviews, and testing. These methods are used to determine if a contractor meets the intent of the Level 1 practices.
Yes, the CMMC Level 1 practices apply to contractors of all sizes, whether they are small, medium, or large. The CMMC self-assessment methodology is designed to be equally applicable to all contractors.
Before conducting a CMMC self-assessment, the contractor must specify the CMMC Self-Assessment Scope. For Level 1, the assets that process, store, or transmit FCI are considered in scope and should be assessed against the Level 1 practices. The CMMC Self-Assessment Scope document provides additional information.
Yes, the CMMC framework has specific terms that align with its practices. Understanding these terms is essential for interpreting the Level 1 practices accurately. Some of these terms include “Asset,” “Component,” “Information System (IS),” and “Monitor.”
The CMMC Self-Assessment Guide – Level 1 provides detailed guidance on the CMMC framework and the Level 1 assessment process. Contractors should refer to this document for a comprehensive understanding of their responsibilities and requirements for CMMC Level 1 compliance.
Under CMMC 2.0, Level 1 requires no certification assessment by a third party, because this level does not involve sensitive national security information. Instead, the contractor must conduct a self-assessment annually. Each annual self-assessment must be accompanied by an affirmation from a senior company official that the company is meeting the requirements; that official is liable under the False Claims Act for the accuracy of the affirmation.