Key Takeaways

1. CMMC Level 1 Is Specific to FCI: CMMC Level 1 applies to companies that handle FCI and requires implementation of 15 cybersecurity practices.

2. Defense Contractors and Subcontractors Must Self-Assess Every Year: The CMMC Level 1 self-assessment must be completed annually, with scores submitted to the SPRS.

3. Although Independent Certification Isn’t Required, the DoD Still Monitors Level 1 Compliance: While third-party certification isn’t required at this level, organizations are still responsible for maintaining compliance and audit readiness.

As the Department of Defense (DoD) works to strengthen the cybersecurity posture of its defense industrial base (DIB), Cybersecurity Maturity Model Certification (CMMC) Level 1 has become a critical benchmark for defense contractors and subcontractors handling Federal Contract Information (FCI). CMMC Level 1 serves as the foundation of the DoD’s effort to protect sensitive unclassified data and ensures that basic cybersecurity hygiene practices are in place.

In this blog, we’ll explore the core CMMC Level 1 requirements, explain how the self-assessment process works, and offer insight into how your organization can maintain compliance as cybersecurity expectations evolve.


What Is CMMC Level 1?

CMMC Level 1 is the first of three conformity levels under CMMC 2.0, the latest version of the DoD’s cybersecurity compliance program. It is designed for organizations that process, store, or transmit FCI—information provided by or generated for the government that is not intended for public release.

At this level, organizations must demonstrate the ability to safeguard FCI by implementing basic cyber hygiene practices. CMMC Level 1 is based on 15 controls derived directly from FAR 52.204-21, a Federal Acquisition Regulation clause that has long required defense contractors to protect covered contractor information systems.

What Are the Requirements for CMMC Level 1?

CMMC Level 1 includes 15 practices across the following six domains:

  • Domain 1: Access Control (AC)
    • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
    • Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
    • Verify and control/limit connections to and use of external information systems.
    • Control information posted or processed on publicly accessible information systems.
  • Domain 2: Identification and Authentication (IA)
    • Identify information system users, processes acting on behalf of users, or devices.
    • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • Domain 3: Media Protection (MP)
    • Sanitize or destroy information system media containing FCI before disposal or release for reuse.
  • Domain 4: Physical Protection (PE)
    • Limit physical access to organizational information systems, equipment, and the respective operation environments to authorized individuals.
    • Escort visitors and monitor visitor activity.
  • Domain 5: System and Communications Protection (SC)
    • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
    • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • Domain 6: System and Information Integrity (SI)
    • Identify, report, and correct information and information system flaws in a timely manner.
    • Provide protection from malicious code at appropriate locations within organizational information systems.
    • Update malicious code protection mechanisms when new releases are available.
    • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These controls form the core of the CMMC Level 1 requirements and represent the minimum cybersecurity expectations for organizations participating in the DoD supply chain.

The CMMC Level 1 Self-Assessment Process

Unlike CMMC Level 2 and Level 3, CMMC Level 1 only requires an annual self-assessment rather than a third-party certification. However, that doesn’t mean organizations should take it lightly.


Here’s how the self-assessment process works:

  1. Review CMMC Level 1 Requirements: Familiarize yourself with the 15 required practices and confirm they are implemented and operational in your environment.
  2. Complete the CMMC Self-Assessment Guide: The DoD has published a Level 1 Assessment Guide that outlines how each control should be evaluated. This includes objectives, assessment procedures, and examples.
  3. Document Findings in SPRS: Once the self-assessment is complete, organizations must upload their assessment score and supporting information into the Supplier Performance Risk System (SPRS), the DoD’s repository for contractor cyber risk data.
  4. Develop a Plan of Action: If there are any gaps, document a plan of action and milestones (POA&M) to address them. Although POA&Ms aren’t officially recognized under Level 1, they can guide internal remediation efforts.
  5. Retain Evidence: Even though a third-party assessor isn’t involved, organizations must keep documentation that supports their self-assessment results in case of a DoD audit or spot check.

The Time Is Now to Comply With CMMC Level 1

Compliance with CMMC Level 1 requirements isn’t just a regulatory checkbox—it’s a baseline for protecting sensitive government data and reducing the attack surface across the defense industrial base (DIB). Failing to meet these basic security standards could lead to lost contract opportunities or worse—security breaches that impact national security.

If your organization is new to the defense contracting space or hasn’t reviewed its cybersecurity practices in a while, now is the time to act. IS Partners is an Authorized Certified Third-Party Assessor Organization (C3PAO), meaning we’ve been accredited by The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (The Cyber AB) to perform CMMC Level 2 Assessments. Our team of experts has more than 20 years of experience in compliance services across a variety of industries, and we boast a 95% client retention rate. While a C3PAO is not required for CMMC Level 1, we can deliver tailored CMMC compliance services to help organizations identify their gaps, refine policies, and align processes to meet DoD cybersecurity requirements.

Want to learn more? Explore our CMMC compliance services today to learn how we can help your organization take its first steps toward aligning with CMMC Level 1 standards.


What Should You Do Next?

  1. Identify Current Security Weaknesses: Download the CMMC Level 1 Assessment Guide from the DoD website and perform a gap analysis.

  2. Assess Your Organization and Document Findings: Conduct your self-assessment and document all evidence thoroughly.

  3. Engage Expert Help As Needed: Work with a CMMC compliance consultant or Authorized C3PAO like IS Partners if you need help interpreting requirements or closing gaps before submitting your SPRS score.
