CMMC Level 1 Requirements: Practical Guide for Federal Contract Information (FCI)
CMMC level 1 requirements are now a contract-readiness issue for many defense suppliers. If your organization handles federal contract information but not controlled unclassified information, Level 1 is the baseline you need to understand before bidding, renewing, or supporting a DoD contract.
Key Takeaways
- CMMC Level 1 is the foundational tier of the cybersecurity maturity model certification program. It establishes the basic cybersecurity hygiene needed to safeguard federal contract information.
- CMMC Level 1 compliance requires the implementation of 15 basic safeguarding requirements focused on protecting Federal Contract Information (FCI). These security controls required by Level 1 align to FAR 52.204-21 and selected NIST SP 800-171 Rev 2 concepts.
- Level 1 is achieved through an annual self-assessment and executive affirmation in the Supplier Performance Risk System, also called SPRS. No third party C3PAO assessment is required.
- If a contractor handles CUI, or a contract references DFARS clause 252.204-7012, the full NIST SP 800-171, or CMMC Level 2, the organization should plan to achieve CMMC Level 2 rather than stop at Level 1.
- The CMMC Phase 1 rollout started on November 10, 2025, and CMMC Level 1 requirements are being phased into DoD solicitations, RFPs, contracts, and extensions.

What Is CMMC Level 1 and Why It Matters
CMMC Level 1 serves as the foundational level of the Cybersecurity Maturity Model Certification (CMMC), establishing basic cybersecurity practices necessary for protecting Federal Contract Information (FCI). The program is designed to protect DoD data across the defense industrial base and the wider defense industrial supply chain.
CMMC 2.0 has three levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert. CMMC Level 1 applies to organizations that only handle FCI. It does not cover controlled unclassified information.
CMMC Level 1 only requires full implementation of the Level 1 security requirements and an annual self-assessment affirmed by a senior official. It does not require a formal third-party certification assessment by a C3PAO or DIBCAC.
Failure matters. Failing to comply with CMMC 2.0 Level 1 requirements can expose an organization to potential harm, including sensitive information being leaked or stolen. Organizations that do not meet CMMC Level 1 compliance may face penalties from the Department of Defense or other regulatory bodies, False Claims Act exposure, and loss of future contract eligibility.
What Is Federal Contract Information (FCI)?
Federal Contract Information means non-public information provided by or generated for the Government, including the DoD, under a contract to develop or deliver a product or service. This definition comes from the Federal Acquisition Regulation (FAR), specifically FAR 52.204-21.
Examples include non-public statements of work, technical requirements, internal delivery schedules, and performance deliverables created under a DoD contract to develop or deliver a product or service. CMMC Level 1 applies to defense contractors that handle this kind of information.
What is not FCI? Public DoD website content and simple transactional data used to process payments are generally excluded. FCI is still sensitive because attackers can use it to infer mission details, exploit supply-chain weaknesses, or gain leverage in future contracts.
CMMC 2.0 Levels: Where Level 1 Fits vs Level 2
Level 1 protects FCI. Level 2 protects CUI using all 110 NIST SP 800-171 Rev 2 security requirements. Level 3 adds government-led DIBCAC assessment expectations for the most sensitive work.
CMMC Level 1 uses self-assessments. Level 2 is met by either a self-assessment or a C3PAO assessment, depending on the contract. Government-led DIBCAC assessments apply at Level 3.
Here is the simple decision point:
- If you only handle FCI, Level 1 may be enough.
- If the contract references CUI, DFARS 252.204-7012, full NIST SP 800-171, or CMMC Level 2, plan for Level 2.
- If you want to achieve CMMC level readiness for future work, understanding access control, communications protection, and information integrity now will help.
CMMC Level 1 Requirements Overview
CMMC Level 1 consists of 15 basic safeguards drawn from FAR 52.204-21, restructured by DoD into six domains and 15 security requirements for the CMMC 2.0 model. These are the minimum security controls for protecting Federal Contract Information.
The six cybersecurity domains associated with CMMC Level 1 are Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, and System & Information Integrity.
These basic safeguarding requirements are high-level, but they must be backed by real technology, procedures, and behavior. Paper policies alone are not enough. The security requirements must be implemented everywhere FCI is stored, processed, or transmitted, including laptops, email, cloud services, and other organizational information systems.
CMMC Level 1 Domains
Access Control (AC)
Access control ensures only authorized users and devices can reach systems containing FCI. In plain terms, organizations must limit information system access to authorized users, to processes acting on behalf of authorized users, and to approved devices.
Practical examples include:
- Unique accounts for information system users.
- No shared administrator logins.
- Disabling accounts when employees leave.
- Blocking anonymous access to cloud file shares.
- Restricting system access to authorized transactions and functions.
The 15 safeguarding requirements in CMMC Level 1 also require that organizations verify, control, and limit all network connections to external information systems. That means external tools, partner portals, and unmanaged devices should not connect freely to organization information systems.
Identification and Authentication (IA)
IA verifies that people, processes, and devices are who they claim to be before allowing access. Organizations are required to ensure every user has a unique ID and authenticate devices before granting network access in compliance with CMMC Level 1.
This means you should identify information system users, processes acting on behalf of users, and devices, and authenticate those identities before granting information system access. Each employee should log in with individual credentials, not a generic team account.
While MFA is not required at Level 1, it is a strong best practice for remote access and administrative access, especially if the organization chooses to pursue CMMC Level 2 down the road.
Media Protection (MP)
Media Protection covers information system media such as USB drives, portable hard drives, retired laptops, and printed documents containing FCI. At Level 1, the core requirement is simple: sanitize or destroy information system media before disposal or release for reuse.
That means shredding paper records, securely wiping hard drives, and documenting how media is handled. Proper disposal or sanitization of information system media containing FCI is mandated under CMMC Level 1. A media-reuse procedure may be as simple as verifying that media is wiped before it is reassigned.
Physical Protection (PE)
Physical protection controls who can physically access the buildings, rooms, devices, and operating environments where FCI systems live.
Examples include:
- Locked server closets.
- Badge-controlled office areas.
- Visitor sign-in sheets and audit logs.
- Escorting visitors near FCI systems.
- Managing keys, badges, and other physical access devices.
CMMC Level 1 mandates that organizations maintain physical access controls to prevent tampering with equipment and server closets. Small businesses can meet this through practical safeguards: locked filing cabinets, limited keys, and documented visitor handling.

System and Communications Protection (SC)
System and Communications Protection focuses on boundaries. CMMC Level 1 includes monitoring and controlling organizational communications at both external and internal network boundaries.
At Level 1, organizations must protect organizational communications by monitoring, controlling, and protecting communications at external boundaries and key internal boundaries. Firewalls and gateways are common tools for controlling information transmitted between internal systems and external networks.
Another SC requirement covers publicly accessible system components. A public web server should sit in a separate subnetwork, often called a DMZ, isolated from the internal network where FCI lives. This protects internal systems from direct exposure.
System and Information Integrity (SI)
System and Information Integrity protects systems from malicious code and unaddressed flaws. Identifying and correcting information system flaws in a timely manner is a requirement under CMMC Level 1.
At minimum, organizations should:
- Install malicious code protection at appropriate locations.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of systems.
- Use real-time scans for files from external sources.
- Correct information system flaws in a timely manner.
Basic email filtering also supports malicious code defenses by reducing phishing and infected attachments. The Level 1 focus is concrete: keep malicious code out, run periodic scans consistently, and patch flaws promptly.
Who Needs CMMC Level 1 and When
CMMC Level 1 applies to DoD prime contractors and subcontractors that receive, process, create, store, or transmit FCI but do not handle CUI on their systems.
DoD solicitations and contracts will state the required CMMC level. Prime contractors are also getting ahead of the curve by requiring subcontractors to meet CMMC Level 1 security and assessment requirements now.
CMMC requirements do not apply to contracts or subcontracts exclusively for delivery of COTS items. The exemption is contract-based; it does not cover a contractor’s own systems that process FCI or CUI under other contracts.
Effective November 10, 2025, DoD began rolling out CMMC Level 1 requirements into new and recompete contracts. Noncompliance with CMMC Level 1 can result in an inability to bid on Department of Defense contracts, as achieving CMMC Level 1 is a prerequisite for participation in these opportunities.
CMMC Level 1 Self-Assessment and SPRS Affirmation
Achieving CMMC 2.0 Level 1 compliance involves a mandatory annual self-assessment in which organizations evaluate their implementation of the 15 security requirements specified in FAR 52.204-21.
The self-assessment process for CMMC Level 1 includes defining the assessment scope, assessing each of the 15 requirements using the “examine,” “interview,” and “test” methods, and documenting findings for each one.
Use the CMMC Level 1 Self-Assessment Guide and 32 CFR Part 170 as references. Results are pass/fail: all 15 requirements must be met or validly not applicable. Level 1 has no POA&Ms and no Conditional status.
To achieve CMMC Level 1 compliance, organizations must record their self-assessment results in the Supplier Performance Risk System (SPRS) and have a senior company official affirm compliance annually in SPRS. Because this is a self-assessment framework, success relies on compiling concrete evidence of day-to-day operational compliance, not on the affirmation alone.
Practical Steps to Achieve CMMC Level 1
Start with an inventory. Identify every information system, cloud service, laptop, email platform, and location where FCI is stored, processed, or transmitted.
Then:
- Map each system to the 6 domains and 15 security practices.
- Perform an initial CMMC Level 1 self assessment using examine, interview, and test methods.
- Fix gaps in access control, physical access, communications protection, and information integrity.
- Monitor existing configurations and provide training on handling Federal Contract Information (FCI) so that compliance can be verified over time.
- Keep evidence such as screenshots, configurations, inventories, audit logs, procedures, and training records.
A System Security Plan (SSP) serves as a compliance map and is a formal requirement at Level 2 within the CMMC framework. For Level 1, a scaled-down SSP is good practice, not a mandatory requirement.

FAQ: CMMC Level 1 Requirements
Is CMMC Level 1 based on NIST SP 800-171?
Yes, but only partially. CMMC Level 1 requirements come directly from the FAR 52.204-21 basic safeguarding requirements. They align with a subset of NIST SP 800-171 Rev 2 and NIST SP 800-171A assessment objectives, not all 110 requirements.
CMMC Level 2 fully maps to all 110 NIST SP 800-171 Rev 2 security requirements for protecting CUI.
How often do we need to perform the CMMC Level 1 self-assessment?
At least once every 12 months. The Level 1 self-assessment and executive affirmation must both be renewed annually in SPRS. Prime contractors cannot usually view subcontractor records directly, so they may ask for confirmation of current CMMC Status and self-assessment date.
What happens if we are missing some Level 1 security requirements?
You cannot affirm Level 1 yet. Unlike CMMC Level 2, CMMC Level 1 allows no POA&Ms and has no Conditional status. Remediate gaps first, then affirm. Knowingly inaccurate self-assessment information or affirmations can create contractual and False Claims Act risk.
Do cloud services and SaaS tools affect our CMMC Level 1 scope?
Yes. Any cloud or SaaS platform storing or transmitting FCI is in scope. Unlike CMMC Level 2, CMMC Level 1 has no FedRAMP requirement for a cloud service provider. Still, review the provider’s Security Responsibility Matrix or Customer Responsibility Matrix and document how accounts, access, and data are managed.
What are the 17 CMMC Level 1 controls?
Short version: there are really 15 CMMC Level 1 security requirements, which come straight from the existing basic FCI safeguarding rules in FAR 52.204-21. People say "17" because those 15 map to 17 requirements in NIST SP 800-171 Rev 2.
(Strictly speaking, CMMC and NIST SP 800-171 call them security requirements, not controls. Controls are what an organization designs to mitigate its own risks and to meet the CMMC security requirements.)
Here are the 15 CMMC Level 1 security requirements, grouped by domain, with the NIST 800-171 Rev 2 requirement each maps to:
Access Control (AC)
- AC.L1-b.1.i — Limit system access to authorized users, processes, and devices. (3.1.1)
- AC.L1-b.1.ii — Limit users to only the transactions and functions they're permitted to perform. (3.1.2)
- AC.L1-b.1.iii — Verify and control/limit connections to and use of external systems. (3.1.20)
- AC.L1-b.1.iv — Control information posted on publicly accessible systems. (3.1.22)
Identification & Authentication (IA)
- IA.L1-b.1.v — Identify users, processes, and devices. (3.5.1)
- IA.L1-b.1.vi — Authenticate those identities before granting access. (3.5.2)
Media Protection (MP)
- MP.L1-b.1.vii — Sanitize or destroy media containing FCI before disposal or reuse. (3.8.3)
Physical Protection (PE)
- PE.L1-b.1.viii — Limit physical access to systems, equipment, and facilities to authorized people. (3.10.1)
- PE.L1-b.1.ix — Escort and monitor visitors, keep physical-access logs, and manage physical access devices. (3.10.3, 3.10.4, 3.10.5)
System & Communications Protection (SC)
- SC.L1-b.1.x — Monitor, control, and protect communications at external and key internal boundaries. (3.13.1)
- SC.L1-b.1.xi — Put publicly accessible components on a separate subnetwork (DMZ). (3.13.5)
System & Information Integrity (SI)
- SI.L1-b.1.xii — Identify, report, and correct system flaws in a timely manner (patching). (3.14.1)
- SI.L1-b.1.xiii — Provide protection from malicious code at appropriate locations (antivirus). (3.14.2)
- SI.L1-b.1.xiv — Update malicious-code protection when new releases are available. (3.14.4)
- SI.L1-b.1.xv — Run periodic system scans and real-time scans of files from external sources. (3.14.5)
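As an added example (not part of the guide or any official CMMC tooling), the following Python readiness check applies the Level 1 pass/fail rule described above to a set of self-assessment findings keyed by the 15 requirement IDs: each requirement must be MET with a recorded assessment method and evidence, or N/A with a documented rationale, and any NOT MET finding blocks affirmation because Level 1 has no POA&Ms. The Finding record layout, the evidence file paths and the sample assessment are constructed for illustration.

```python
from dataclasses import dataclass, field

# The 15 Level 1 requirement IDs as listed in the guide above.
LEVEL1_REQUIREMENTS = (
    "AC.L1-b.1.i", "AC.L1-b.1.ii", "AC.L1-b.1.iii", "AC.L1-b.1.iv",
    "IA.L1-b.1.v", "IA.L1-b.1.vi",
    "MP.L1-b.1.vii",
    "PE.L1-b.1.viii", "PE.L1-b.1.ix",
    "SC.L1-b.1.x", "SC.L1-b.1.xi",
    "SI.L1-b.1.xii", "SI.L1-b.1.xiii", "SI.L1-b.1.xiv", "SI.L1-b.1.xv",
)
ASSESSMENT_METHODS = {"examine", "interview", "test"}  # NIST SP 800-171A methods


@dataclass
class Finding:
    """One self-assessment result (record layout is an assumption of this example)."""
    requirement: str
    status: str                      # "MET", "NOT MET" or "N/A"
    methods: set = field(default_factory=set)     # subset of ASSESSMENT_METHODS
    evidence: list = field(default_factory=list)  # artefacts backing a MET result
    na_rationale: str = ""           # why the requirement does not apply


def evaluate(findings):
    """Return (can_affirm, problems): affirm only if all 15 are MET or validly N/A.
    Any NOT MET result blocks affirmation, since Level 1 allows no POA&Ms."""
    problems = []
    by_id = {f.requirement: f for f in findings}
    for rid in LEVEL1_REQUIREMENTS:
        f = by_id.get(rid)
        if f is None:
            problems.append(f"{rid}: no finding recorded")
        elif f.status == "NOT MET":
            problems.append(f"{rid}: not met (no POA&M allowed at Level 1)")
        elif f.status == "N/A":
            if not f.na_rationale:
                problems.append(f"{rid}: N/A without documented rationale")
        elif f.status == "MET":
            if not (set(f.methods) & ASSESSMENT_METHODS) or not f.evidence:
                problems.append(f"{rid}: met but no assessment method or evidence")
        else:
            problems.append(f"{rid}: unknown status {f.status!r}")
    problems += [f"{rid}: not a Level 1 requirement"
                 for rid in by_id if rid not in LEVEL1_REQUIREMENTS]
    return not problems, problems


def sample_findings(not_met=()):
    """Constructed sample: everything MET via examine+test except IDs in not_met."""
    out = []
    for rid in LEVEL1_REQUIREMENTS:
        status = "NOT MET" if rid in not_met else "MET"
        evidence = [f"evidence/{rid}.png"] if status == "MET" else []  # constructed
        out.append(Finding(rid, status, {"examine", "test"}, evidence))
    return out
```

Calling `evaluate(sample_findings(not_met=("SI.L1-b.1.xii",)))` returns `False` with a single problem for the unpatched-flaws requirement, showing that one open gap is enough to defer the SPRS affirmation.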
FAQ: CMMC Certified Professional
The CMMC Certified Professional (CCP) designation has replaced the previous Certified CMMC Professional program. This CMMC program change aligns with the updated CMMC 2.0 framework and reflects the evolving cybersecurity compliance requirements within the Department of Defense (DoD) supply chain.
The CAICO requires all CCP candidates to complete a CCP training course delivered by an Approved Training Provider (ATP) in order to be eligible for the CCP certification exam. Self-study using CMMC guidance documents and NIST publications is helpful preparation, but it does not substitute for the mandatory official training.
The Cyber AB updates exams and continuing education expectations as the CMMC program evolves. Existing CCPs remain valid but may need to meet new training or recertification milestones when major framework changes are implemented. When NIST SP 800-171 Rev. 3 is fully adopted, for example, expect updated training requirements. Stay subscribed to The Cyber AB communications to avoid surprises.
CMMC is a U.S. DoD program, but its reach extends internationally. Foreign-owned companies that supply the DoD or work with U.S. primes also pursue CMMC readiness, making CCP relevant wherever DoD contracts are in play. Canadian, UK, Australian, and other allied nation companies working in the defense supply chain frequently need CCP-trained professionals to manage their compliance obligations.
Employment by a C3PAO is not required. Many CCPs work inside defense contractors, consulting firms, or prime contractors where they lead readiness efforts rather than formal third-party assessments. The credential is equally valuable for internal compliance roles, independent consulting, and advisory positions across the defense industrial base.
Most candidates complete the process within 1–3 months. This includes scheduling and completing the 30–40 hour training course, preparing for the exam, and sitting for the CCP certification test. If you’re new to NIST SP 800-171 or defense contracting, allow additional time for foundational preparation before the course. The background investigation or suitability determination may add time depending on your situation.
