CMMC Level 1 is the entry point for doing business with the Department of Defense. If your company handles Federal Contract Information (and tens of thousands of small businesses in the defense industrial base do), Level 1 is your compliance requirement. Not optional. Not aspirational. Required.
The word “foundational” in the level name leads many contractors to assume Level 1 is simple. It’s 15 security requirements. How hard can it be?
Harder than you’d expect. Those 15 requirements expand into dozens of assessment objectives. Each objective demands specific evidence. A senior official at your company must sign an annual affirmation that every requirement is met. That signature carries legal weight under the False Claims Act.
This guide covers everything you need to know about CMMC Level 1: who needs it, what the 15 requirements actually ask for, how the self-assessment works, what it costs, and where contractors consistently get tripped up.
Who Needs CMMC Level 1
Level 1 applies to contractors who handle Federal Contract Information but do not process, store, or transmit Controlled Unclassified Information.
FCI is information provided by or generated for the government under a contract that isn’t publicly available. Think contract terms, procurement specifications, delivery schedules, performance reports, and internal communications about contract work. It’s not classified, and it doesn’t carry a CUI marking. But it’s also not meant for public release.
In early scoping conversations with contractors, roughly half initially misclassify their information type. They assume everything is FCI when CUI is present, or they assume everything is CUI when they’re actually handling only FCI. Getting this classification right is the single most important step in determining your CMMC level.
If your contracts involve only FCI, Level 1 is your target. If any CUI enters your environment (technical drawings, export-controlled data, vulnerability assessments, certain personnel records), Level 1 is not sufficient. You need Level 2, which requires all 110 NIST 800-171 controls. The distinction matters. The wrong classification means either over-investing in controls you don’t need or, worse, under-investing and signing a false affirmation.
Who Typically Falls Under Level 1
- Office supply and commodity vendors who fulfill basic procurement orders for DoD agencies
- Facility maintenance and janitorial services contractors with building access but no CUI exposure
- Small manufacturers producing non-sensitive components where technical data packages stay with the prime
- Professional services firms providing HR, accounting, or administrative support under DoD contracts
- IT service providers managing general-purpose systems that never touch CUI
The common thread: these companies do work for the DoD, receive contract-related information, but don’t handle the technically sensitive or controlled data that triggers Level 2 requirements.
When Level 1 Isn’t Enough
Don’t assume Level 1 applies without checking. CUI categories are broader than most contractors realize. The CUI Registry maintained by the National Archives lists over 100 categories across 20 groupings. If you receive technical data, engineering drawings, test results, vulnerability scans, or export-controlled information from a prime or the government, CUI is likely present in your environment. Review your contracts for DFARS clause 252.204-7012. If it’s there, CUI is in play and you need Level 2.
For a deeper look at identifying CUI in your environment, see our CUI boundary scoping guide.
The 15 Security Requirements
CMMC Level 1 draws its requirements directly from FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” These 15 requirements map to 6 of the 14 NIST 800-171 control families. They cover the basics, but “basic” doesn’t mean “obvious” or “already done.”
Access Control (4 Requirements)
AC.L1-3.1.1 — Limit system access to authorized users, processes, and devices. Only people and systems that need access should have it. This means maintaining user account lists, disabling accounts when employees leave, and restricting system access to business need. If everyone in your company has admin access to every system, this requirement isn’t met.
AC.L1-3.1.2 — Limit system access to the types of transactions and functions that authorized users are permitted to execute. Authorization isn’t binary. Different users should have different permissions based on their role. Your accounting staff doesn’t need write access to engineering file shares. Your shop floor operators don’t need access to the contract management system. Role-based access controls or equivalent permission structures satisfy this requirement.
AC.L1-3.1.20 — Verify and control connections to external systems. Any connection between your systems and external networks or systems must be identified and managed. This covers VPN connections, cloud service integrations, file sharing with primes or subcontractors, and remote access tools. You need to know what’s connected and control how those connections work.
AC.L1-3.1.22 — Control information posted on publicly accessible systems. If your organization operates public-facing systems (a website, a public file server, public repositories), you must have a process to review content before it’s posted. FCI shouldn’t appear on publicly accessible systems. This seems obvious, but contractors have posted contract-related documents to public SharePoint sites, unprotected cloud storage, and company websites.
Identification and Authentication (2 Requirements)
IA.L1-3.5.1 — Identify system users, processes, or devices. Every user, automated process, and device accessing your systems must be uniquely identifiable. Shared accounts violate this requirement. “Admin” as a login used by three different people violates this requirement. Each user gets a unique identifier.
IA.L1-3.5.2 — Authenticate users, processes, or devices before granting access. Identification says who you are. Authentication proves it. Passwords, PINs, tokens, or biometrics: users must prove their identity before accessing systems. This requirement doesn’t mandate multi-factor authentication (that’s a Level 2 control), but it does require that authentication happens. Systems accessible without a login fail this requirement.
Media Protection (1 Requirement)
MP.L1-3.8.3 — Sanitize or destroy media containing FCI before disposal or reuse. Hard drives, USB drives, SSDs, printed documents: any media that has held FCI must be sanitized before you dispose of it, donate it, or repurpose it. Deleting files isn’t sanitizing. Reformatting a drive isn’t sanitizing. NIST 800-88 guidelines define acceptable methods: clearing, purging, or physical destruction depending on the media type. Keep disposal records.
Physical Protection (2 Requirements)
PE.L1-b.1.viii (NIST 3.10.1) — Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Servers, network equipment, and workstations that process FCI must be in controlled spaces. “Controlled” means not everyone can walk up to them. Server rooms should be locked. Network closets should not be accessible to visitors. Workstations in open areas need screen locks and physical security appropriate to the environment. This also covers monitoring and protecting the physical facility and its support infrastructure (heating, ventilation, power, cabling).
PE.L1-b.1.ix (FAR item ix, combining concepts from NIST 3.10.3, 3.10.4, 3.10.5) — Escort visitors and maintain visitor activity logs; monitor and control physical access; and safeguard physical access devices. Visitors in areas where FCI systems operate must be escorted or monitored, and you must maintain logs of visitor activity. You need records of who accessed physical spaces where FCI systems reside (badge reader logs, sign-in sheets, visitor logs). Keys, badges, access cards, and combinations must be inventoried and managed. When someone leaves the company, their badge is deactivated. When a key is lost, locks are rekeyed or the risk is assessed. This single requirement consolidates escorting, logging, and access-device management into one control.
System and Communications Protection (2 Requirements)
SC.L1-3.13.1 — Monitor, control, and protect communications at system boundaries. Your network boundary (the point where your internal network meets the internet or other external networks) must be protected. Firewalls, routers with access control lists, or equivalent boundary protection devices must be in place and configured. This isn’t asking for a sophisticated security operations center. It’s asking that you don’t connect to the internet without a firewall.
SC.L1-3.13.5 — Implement subnetworks for publicly accessible system components. If you operate public-facing systems (a web server, a public email relay), those systems must be separated from your internal network. A DMZ or equivalent network segment keeps public-facing components isolated so that a compromise of the public system doesn’t give an attacker direct access to your internal FCI environment.
System and Information Integrity (4 Requirements)
SI.L1-3.14.1 — Identify, report, and correct system flaws in a timely manner. Patching. When vendors release security updates for your operating systems, applications, and firmware, you apply them. “Timely” means you have a defined process, not that you update when you get around to it. Critical patches should be applied within days or weeks, not months. You need a documented patching process and evidence that it’s followed.
SI.L1-3.14.2 — Provide protection from malicious code at designated locations within organizational systems. Antivirus, anti-malware, endpoint detection: whatever term your vendor uses, your systems must have protection against malicious software. It must be installed, active, and configured at appropriate system entry and exit points (email gateways, web proxies, endpoints). If an employee can disable the antivirus on their workstation, this requirement has a gap.
SI.L1-3.14.4 — Update malicious code protection mechanisms when new releases are available. It is not enough to have antivirus installed. The protection must stay current. When your vendor releases new signature definitions, engine updates, or detection logic, those updates must be applied. Automatic updates satisfy this requirement; manual updates satisfy it too, as long as they happen promptly and consistently. Stale definitions leave you exposed to threats your tool already knows how to stop.
SI.L1-3.14.5 — Perform periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed. Your malware protection must operate in two modes. First, scheduled full-system scans (weekly or daily, depending on risk). Second, real-time scanning of files arriving from outside your network: email attachments, web downloads, USB transfers, and file-sharing services. If your tool only scans on a schedule but ignores files as they arrive, or only scans in real time but never does a full sweep, you have a gap.
Fifteen requirements. Dozens of objectives. Zero shortcuts.
The Assessment Objectives
Each of the 15 requirements maps to multiple assessment objectives defined in 32 CFR Part 170. These objectives break each requirement into specific, testable conditions. An assessor (even in a self-assessment) evaluates compliance at the objective level, not the requirement level.
For example, AC.L1-3.1.1 (limit system access to authorized users) breaks into six objectives:
- Authorized users are identified
- Processes acting on behalf of authorized users are identified
- Devices (and other systems) authorized to connect are identified
- System access is limited to authorized users
- System access is limited to processes acting on behalf of authorized users
- System access is limited to authorized devices (including other systems)
If you’ve identified authorized users (objective 1) but haven’t inventoried authorized devices (objective 3), or you’ve identified everyone but haven’t actually restricted access (objectives 4-6), the requirement isn’t fully met. Partial credit doesn’t exist at Level 1. Every objective for every requirement must be satisfied.
This is where contractors underestimate Level 1. Reading 15 requirements feels manageable. Working through every specific objective, gathering evidence for each, and documenting your implementation: that’s real work.
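To make the all-or-nothing rule concrete, here is an added example (not code from the article) that rolls objective results up to requirement status and to the submit/no-submit decision, and refuses to count an objective as MET when no evidence is attached. The `[a]`..`[f]` objective labels, the three-objective breakdown of IA.L1-3.5.1, and every evidence string are assumptions and constructed sample data.

```python
"""Level 1 self-assessment rollup (added example, not from the original article).

Models the rule described above: a requirement is MET only when every one of its
assessment objectives is MET, and the self-assessment can be submitted as passing
only when every requirement is MET. No partial credit, no POA&M at Level 1.
An objective marked MET with no evidence behind it is treated as NOT MET, which
is the "no evidence trail" failure the article warns about.
Objective labels ([a]..[f]) and all evidence strings are assumed/constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Objective:
    identifier: str               # e.g. "AC.L1-3.1.1[a]" (labelling scheme assumed)
    text: str
    met: bool = False
    evidence: list = field(default_factory=list)

    def is_satisfied(self) -> bool:
        # A MET mark with nothing behind it is not a MET determination.
        return self.met and len(self.evidence) > 0


@dataclass
class Requirement:
    identifier: str
    objectives: list

    def status(self) -> str:
        return "MET" if all(o.is_satisfied() for o in self.objectives) else "NOT MET"

    def gaps(self) -> list:
        return [o.identifier for o in self.objectives if not o.is_satisfied()]


def assess(requirements: list) -> dict:
    """Roll objective results up to the assessment outcome.

    Returns per-requirement status, every unmet objective, and whether the
    assessment can be submitted as passing. Level 1 allows no POA&M, so a
    single NOT MET objective anywhere blocks submission.
    """
    per_requirement = {r.identifier: r.status() for r in requirements}
    gaps = {r.identifier: r.gaps() for r in requirements if r.gaps()}
    return {"requirements": per_requirement, "gaps": gaps, "submittable": not gaps}


def level1_example() -> dict:
    """Constructed sample: AC.L1-3.1.1 (six objectives, two weak) plus IA.L1-3.5.1."""
    ac_3_1_1 = Requirement("AC.L1-3.1.1", [
        Objective("AC.L1-3.1.1[a]", "authorized users are identified", True,
                  ["HR roster reconciled against directory export (sample)"]),
        Objective("AC.L1-3.1.1[b]", "processes acting for users are identified", True,
                  ["service account inventory (sample)"]),
        # Marked MET but no evidence attached: does not count.
        Objective("AC.L1-3.1.1[c]", "authorized devices are identified", True, []),
        Objective("AC.L1-3.1.1[d]", "access limited to authorized users", True,
                  ["offboarding checklist with account-disable sign-off (sample)"]),
        Objective("AC.L1-3.1.1[e]", "access limited to authorized processes", True,
                  ["service account permission review (sample)"]),
        # Honest NOT MET: device inventory and restriction not yet in place.
        Objective("AC.L1-3.1.1[f]", "access limited to authorized devices", False, []),
    ])
    # A fully evidenced requirement for contrast (objective breakdown assumed).
    ia_3_5_1 = Requirement("IA.L1-3.5.1", [
        Objective("IA.L1-3.5.1[a]", "system users are identified", True,
                  ["unique-account policy plus user list export (sample)"]),
        Objective("IA.L1-3.5.1[b]", "processes are identified", True,
                  ["service account inventory (sample)"]),
        Objective("IA.L1-3.5.1[c]", "devices are identified", True,
                  ["asset inventory export (sample)"]),
    ])
    return assess([ac_3_1_1, ia_3_5_1])


if __name__ == "__main__":
    result = level1_example()
    for req, status in result["requirements"].items():
        print(f"{req}: {status}")
    print("gaps:", result["gaps"])
    print("submittable:", result["submittable"])
```

In the sample, AC.L1-3.1.1 is NOT MET because of objectives [c] and [f], so the whole assessment is not submittable even though IA.L1-3.5.1 is fully met.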
The Self-Assessment Process
Level 1 doesn’t require a third-party assessment. No C3PAO audit. No external assessor. Your organization conducts its own annual self-assessment and reports the results. For a detailed comparison of self-assessment versus C3PAO paths, see our breakdown of assessment types.
Here’s how the process works.
Step 1: Identify Your FCI Scope
Before assessing anything, define which systems, people, and processes handle FCI. Map where FCI enters your environment, where it’s stored, where it’s processed, and where it exits. Every system in that data flow is in scope for your Level 1 assessment.
Step 2: Evaluate Each Objective
Work through all assessment objectives. For each one, determine whether your organization meets the objective with documented evidence. “We probably do this” isn’t sufficient. You need to point to a specific policy, configuration, log, or record that demonstrates compliance.
Step 3: Document Your Results
Record the status of each objective: MET or NOT MET. Level 1 does not allow Plans of Action and Milestones. Every requirement must be fully implemented at the time of assessment. If any objective is NOT MET, you cannot submit a passing self-assessment.
That’s a critical distinction from Level 2. At Level 2, you can place some requirements on a POA&M and achieve conditional status. At Level 1, there’s no conditional path. All in or not at all.
Step 4: Submit to SPRS
Enter your assessment results into the Supplier Performance Risk System. SPRS is the DoD’s portal for tracking contractor compliance. Your results become visible to contracting officers evaluating your eligibility for awards.
Step 5: Senior Official Affirmation
A senior official (someone with authority to bind the company) must sign an affirmation that the self-assessment results are accurate. This affirmation is submitted through SPRS and renewed annually.
The affirmation step is where we see the most anxiety from small business owners. They understand, correctly, that they’re personally attesting to the accuracy of the assessment. When we walk contractors through what each objective actually requires and what evidence supports it, the anxiety usually drops. It’s not the signature that’s scary. It’s signing without knowing exactly what you’re affirming.
Annual Renewal
This isn’t a one-time exercise. Every year, you must:
- Reassess all objectives
- Update your SPRS submission
- Have a senior official sign a new affirmation
If your security posture changes during the year (new systems, personnel changes, infrastructure modifications), those changes should be reflected in your next assessment. Maintaining compliance continuously is easier than rebuilding it annually from scratch.
Phase 1 Enforcement: This Is Happening Now
CMMC Phase 1 enforcement began when the 48 CFR rule took effect. Select DoD solicitations now include CMMC Level 1 or Level 2 as a contract requirement. This isn’t a future-state discussion. Solicitations with CMMC clauses are appearing in the market.
For more on the enforcement timeline and what Phase 1 means for active contracts, see our coverage of the CMMC start date.
During Phase 1, the DoD is incorporating CMMC requirements into new solicitations on a rolling basis. Not every solicitation will include a CMMC requirement immediately, but the volume is increasing. If you bid on DoD contracts and haven’t completed your Level 1 self-assessment, you risk being ineligible for an award when a CMMC clause appears in a solicitation you’re pursuing.
The practical implication: waiting for a specific solicitation to trigger your compliance work means you’re already behind. The self-assessment process takes weeks to months depending on your starting point. Starting after you see a CMMC clause in a solicitation you want to bid on may not leave enough time.
Common Mistakes
Mistake 1: Treating Level 1 as a Checkbox Exercise
The 15 requirements are written in plain language. That simplicity creates a false sense of ease. Contractors read “limit system access to authorized users” and think, “We have passwords. Done.”
Not done. The assessment objectives ask whether you’ve identified all authorized users, whether processes acting on behalf of users are identified, whether authorized devices are inventoried, and whether access is actually limited to only those entities. A password on a workstation doesn’t address device inventory or process authorization.
Each requirement needs documented implementation, not just a general sense that you’re doing it.
Mistake 2: Not Identifying All Systems That Touch FCI
FCI doesn’t stay in one place. It flows through email, file shares, collaboration tools, cloud storage, mobile devices, and printed documents. Contractors who scope their assessment to their ERP system but ignore the email server where contract documents are discussed have an incomplete assessment.
Map the full data flow. Every system that receives, stores, processes, or transmits FCI is in scope.
Mistake 3: Confusing FCI with CUI
This mistake runs in both directions. Some contractors assume all their data is CUI and over-prepare for Level 2 when Level 1 applies. Others assume everything is FCI when CUI is actually present, leaving them with an inadequate compliance posture.
The distinction: CUI is information the government has determined requires safeguarding controls specified by law, regulation, or government-wide policy. It carries specific markings. FCI is contract information that’s not public but doesn’t meet the CUI threshold. If you’re uncertain, check your contracts for DFARS 252.204-7012. If that clause is present, CUI is in play and Level 1 won’t be sufficient.
Mistake 4: No Evidence Trail
A self-assessment isn’t a survey where you answer “yes” or “no” and move on. Each MET determination should be backed by evidence: screenshots of access control configurations, copies of policies, visitor logs, patching records, antivirus status reports, media disposal certificates.
When your senior official signs the affirmation, they’re attesting based on this evidence. If the DoD ever questions the accuracy of your self-assessment (and the False Claims Act creates a mechanism for exactly that), “we believed we were compliant” without supporting documentation is a weak position.
Mistake 5: Forgetting the Annual Cycle
Completing your first self-assessment is the starting line, not the finish line. The annual affirmation requirement means your compliance posture must be maintained continuously. Employee turnover, system changes, new software deployments, and office moves can all affect whether specific objectives remain met.
Build compliance maintenance into your operations. Don’t treat it as an annual project.
Level 1 vs Level 2: When Do You Need to Move Up
The decision between Level 1 and Level 2 isn’t about ambition. It’s about what data you handle.
| Factor | Level 1 | Level 2 |
|---|---|---|
| Data type | FCI only | CUI (and FCI) |
| Requirements | 15 (FAR 52.204-21) | 110 (NIST 800-171 Rev 2) |
| Assessment objectives | ~60 | 320 |
| Assessment method | Annual self-assessment | Self-assessment or C3PAO |
| POA&Ms allowed | No | Yes, with conditions |
| SPRS submission | Yes | Yes |
| Senior affirmation | Annual | Annual |
| Typical timeline | 2-4 months | 6-18 months |
| Typical cost | $5,000-$30,000 | $50,000-$300,000+ |
Decision Criteria
Stay at Level 1 if:
- Your contracts contain only FAR 52.204-21, not DFARS 252.204-7012
- No CUI markings appear on any information you receive from primes or the government
- Your work doesn’t involve technical data, engineering drawings, vulnerability assessments, or export-controlled information
- You’ve confirmed with your contracting officer that CUI is not present in your scope
Move to Level 2 if:
- Any contract includes DFARS 252.204-7012
- You receive, store, or process information marked as CUI
- You handle technical data packages, engineering specifications, or test results from the government or a prime
- Your prime contractor requires Level 2 as a flow-down requirement
- You’re uncertain whether CUI is present (uncertainty should resolve toward Level 2, not Level 1)
For a full breakdown of compliance costs across both levels, see our cost guide.
When in doubt, scope up. Discovering CUI in a Level 1 environment after your affirmation is signed is a problem you don’t want.
Cost and Timeline
Level 1 is the most affordable CMMC compliance tier by a wide margin. The primary costs are internal labor, not external services.
Timeline
Most small businesses can achieve Level 1 readiness in 2 to 4 months. The work breaks down roughly as follows:
Weeks 1-2: Scoping and gap assessment. Identify all FCI-touching systems. Walk through the objectives against your current state. Catalog what’s met, what’s partially met, and what’s missing.
Weeks 3-6: Remediation. Close the gaps. This typically involves tightening access controls, implementing or enforcing password policies, documenting visitor procedures, confirming patching processes, verifying antivirus coverage, and establishing media disposal procedures. Some fixes are configuration changes (hours of work). Others require policy development and process implementation (days to weeks).
Weeks 7-10: Documentation and evidence collection. Compile evidence for each objective. Write or update policies that support your implementation. Create the documentation package that backs your self-assessment.
Weeks 11-12: Self-assessment and SPRS submission. Conduct the formal self-assessment. Enter results in SPRS. Obtain senior official affirmation.
This timeline assumes a contractor with basic IT infrastructure already in place: passwords on workstations, a firewall at the network boundary, antivirus installed. If you’re starting further behind, add time accordingly.
Costs
Internal labor: The largest cost for most small businesses. Plan for 80 to 160 hours of staff time across IT, management, and operations. At a loaded labor rate of $75/hour, that’s $6,000 to $12,000 in labor cost.
Policy and documentation: If you need to develop security policies from scratch, a consultant or template package can accelerate this. Budget $2,000 to $5,000 for policy development assistance, or invest the time to write policies internally using NIST-provided templates.
Technical remediation: Most Level 1 technical requirements are met by standard commercial IT practices. You may need to purchase media destruction equipment or services ($200-$1,000), upgrade firewall configurations, or deploy a visitor management system. Budget $1,000 to $5,000 for technical remediation depending on gaps.
Ongoing maintenance: The annual reassessment and affirmation process requires ongoing attention. Budget 20 to 40 hours annually for reassessment, evidence refresh, and documentation updates.
Total estimated cost: $5,000 to $30,000 for initial compliance, with $2,000 to $5,000 annually for maintenance. Compare that to Level 2 costs, which can run $50,000 to $300,000 or more.
For small businesses concerned about the cost of compliance across either level, our guide for small defense contractors covers budgeting strategies and scope reduction techniques.
The Level 1 Self-Assessment Checklist
We’ve developed a CMMC Level 1 Self-Assessment Checklist that maps each assessment objective to specific evidence types and implementation guidance. It’s designed for small businesses working through Level 1 without an internal compliance team.
The checklist covers:
- All 15 requirements organized by domain
- Every assessment objective in plain language
- Evidence types that satisfy each objective
- Common implementation approaches for small organizations
- A tracking template for documenting your MET/NOT MET status
Use the checklist as your working document through the scoping, remediation, and assessment process.
Building Toward Level 2
Even if Level 1 is your current requirement, the contract landscape is shifting. Primes are increasingly flowing down Level 2 requirements to subcontractors. New contracts may add CUI designations where previous iterations didn’t. Building your Level 1 compliance on a foundation that can extend to Level 2 saves rework later.
Practical steps to future-proof your Level 1 work:
- Use NIST 800-171 as your reference framework, even though Level 1 only requires FAR 52.204-21. The 15 Level 1 requirements are a subset of the 110 Level 2 requirements. If you organize your documentation and evidence around the NIST 800-171 structure, your Level 1 work feeds directly into a future Level 2 effort.
- Start tracking your SPRS score against the full 110-point model. Even before Level 2 is required, understanding your gap gives you lead time. Many contractors discover their Level 1 work already satisfies 30 to 50 additional Level 2 objectives because standard IT practices address multiple control families.
- Document more than the minimum. Level 1 doesn’t require an SSP (System Security Plan) in the same format as Level 2. But creating one now, even in a simplified form, establishes the documentation practice and captures institutional knowledge that erodes with staff turnover. Our SSP guide covers what a strong SSP looks like.
- Establish a relationship with an RPO or consultant. If Level 2 is on your horizon, early engagement with a Registered Practitioner Organization gives you access to assessment readiness expertise before you’re under deadline pressure.
Frequently Asked Questions
Do I need to hire a C3PAO for Level 1? No. Level 1 requires only a self-assessment. No external assessor, no C3PAO, no government-led assessment. Your organization evaluates itself and submits results to SPRS.
Can I use a POA&M for Level 1? No. Plans of Action and Milestones are not permitted at Level 1. Every requirement must be fully met at the time of your self-assessment. If any objective is NOT MET, you cannot submit a compliant assessment.
What happens if I sign the affirmation and something isn’t actually met? The annual affirmation carries legal weight. Misrepresentation of compliance status can trigger False Claims Act liability. This isn’t theoretical. The DoD has signaled that it intends to enforce accuracy of self-assessment submissions. Ensure your evidence supports every MET determination before signing.
How often do I need to reassess? Annually. The self-assessment and senior official affirmation must be renewed each year. Your SPRS record must remain current.
Is Level 1 enough for subcontractors? It depends entirely on the data you handle. If you’re a subcontractor receiving only FCI from a prime, Level 1 applies. If the prime flows CUI to your systems, even inadvertently, you need Level 2. Confirm with your prime contractor what data types will enter your environment.
What if my company handles both FCI-only contracts and CUI contracts? Your organization needs to meet the highest applicable level. If any contract involves CUI, you need Level 2 for the systems handling that CUI. You might maintain separate enclaves (a Level 1 environment for FCI-only work and a Level 2 environment for CUI), but that adds architectural complexity. Most contractors find it simpler to implement Level 2 across the board once CUI enters any part of their environment.
Start Now
Level 1 is achievable. For most small businesses, it’s a 2 to 4 month effort that requires diligence, not a massive budget. The requirements are straightforward. The self-assessment process is within reach. The cost is a fraction of Level 2.
But “achievable” and “done” are different things. The enforcement clock is running. Solicitations with CMMC requirements are appearing now, not in some future phase. Contractors who complete their Level 1 self-assessment and submit to SPRS before they need it for a specific bid are the ones who won’t miss an opportunity.
Every contractor we’ve worked with who completed their Level 1 work proactively, before a specific solicitation forced the timeline, described the process as manageable. Every contractor who started after seeing a CMMC clause in a must-win solicitation described it as stressful. The work is the same. The experience depends entirely on when you start.
Don’t wait for a solicitation to force the issue. Map your FCI scope, work through every objective, close your gaps, and get your affirmation on file.