CMMC Level 1 Requirements

If you are researching CMMC Level 1 requirements, you are likely trying to answer a practical set of questions:

  • What controls are required for Level 1?

  • How does Level 1 differ from Level 2?

  • Is certification required or just self-assessment?

  • How does this align with NIST 800-171 or basic cybersecurity practices?

  • What evidence do auditors or customers expect?

  • How do we implement this without overbuilding the system?

CMMC Level 1 is intentionally narrow in scope. It is designed to establish foundational cybersecurity practices for organizations handling Federal Contract Information (FCI). It is not a full security program—but it is still auditable, enforceable, and operational.

This guide breaks down the actual requirements, what they mean in practice, and how to implement them in a way that holds up under contract scrutiny.


What Is CMMC Level 1?

CMMC Level 1 represents the baseline cybersecurity expectations under the Department of Defense (DoD) CMMC 2.0 model.

It is focused on protecting Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

Level 1 requires:

  • Implementation of 15 basic cybersecurity practices

  • Annual self-assessment (no third-party certification required)

  • Affirmation of compliance by organizational leadership

Organizations pursuing broader cybersecurity maturity often align Level 1 implementation with structured frameworks such as CMMC 2.0 Compliance Consulting to ensure scalability toward Level 2.

What Is Federal Contract Information (FCI)?

FCI is information:

  • Provided by the government under a contract

  • Not intended for public release

  • Not classified as CUI

Examples include:

  • Contract performance details

  • Technical instructions

  • Operational schedules

  • Internal communications tied to government work

If your organization handles FCI—even indirectly—you are expected to meet Level 1 requirements.

The 15 CMMC Level 1 Requirements

CMMC Level 1 aligns directly with FAR 52.204-21. The requirements are grouped into six control families.

Access Control (AC)

  • Limit system access to authorized users, processes, and devices

  • Limit system access to authorized transactions and functions

Identification and Authentication (IA)

  • Identify users, processes, and devices

  • Authenticate users before granting access

Media Protection (MP)

  • Sanitize or destroy media before disposal or reuse

Physical Protection (PE)

  • Limit physical access to systems and facilities

  • Escort visitors and monitor physical access

  • Maintain physical access logs

System and Communications Protection (SC)

  • Monitor, control, and protect communications at system boundaries

  • Implement subnetworks or segmentation where appropriate

System and Information Integrity (SI)

  • Identify, report, and correct system flaws

  • Provide protection from malicious code

  • Update malicious code protection mechanisms

  • Perform periodic scans

These requirements are intentionally basic—but they must be implemented consistently and demonstrably.

For organizations that want a structured validation approach, a CMMC Compliance Checklist can help map each requirement to evidence and controls.

What “Implementation” Actually Means

A common mistake is assuming Level 1 is informal. It is not.

You are expected to demonstrate:

  • Defined access controls across systems

  • Controlled user provisioning and deprovisioning

  • Active antivirus or endpoint protection

  • Patch management practices

  • Physical access controls (even in small environments)

  • Logging and monitoring where applicable

This is where organizations often benefit from alignment with a NIST Compliance Consultant perspective—ensuring controls are not only present but defensible.

Required Evidence for Level 1

Even though Level 1 is self-assessed, evidence is still expected.

Typical evidence includes:

  • Access control policies or system configurations

  • User access lists and account management records

  • Antivirus deployment screenshots or reports

  • Patch/update logs

  • Physical access procedures or badge logs

  • Network diagrams or segmentation descriptions

Evidence does not need to be overly formal—but it must be:

  • Consistent

  • Repeatable

  • Available upon request

Self-Assessment Requirements

Under CMMC 2.0:

  • Level 1 requires annual self-assessment

  • Results must be submitted into the Supplier Performance Risk System (SPRS)

  • Leadership must formally attest to accuracy

This is not a passive checkbox. False attestation carries legal and contractual risk.

Organizations often formalize this process within broader governance structures supported by ISO Compliance Services to ensure consistency and accountability.

Common Misunderstandings About Level 1

“Level 1 Is Just IT Hygiene”

Incorrect.

Level 1 includes:

  • Organizational accountability

  • Defined access control processes

  • Physical security expectations

  • Evidence-based validation

It is a management system problem—not just an IT configuration task.

“We Don’t Need Documentation”

Also incorrect.

While formal documentation is not explicitly required, you still need:

  • Defined practices

  • Repeatable processes

  • Evidence of implementation

Without this, self-assessment becomes unverifiable.

“We Can Ignore It Until Required”

Risky.

Many contracts already include FAR 52.204-21 clauses. Waiting introduces:

  • Contract eligibility risk

  • Delays in bidding or onboarding

  • Increased remediation cost under pressure

Relationship to CMMC Level 2

CMMC Level 1 and Level 2 are not incremental in a simple sense—they are structurally different.

Level 1:

  • Focuses on FCI

  • Requires 15 basic controls

  • Allows self-assessment

Level 2:

  • Focuses on CUI

  • Requires 110 controls (aligned with NIST 800-171)

  • Often requires third-party certification

Organizations planning long-term DoD engagement typically design Level 1 with forward alignment to Level 2.

This is where integration with ISO 27001 Consultant frameworks becomes valuable—ensuring scalability of security controls.

How to Implement CMMC Level 1 Effectively

A disciplined approach follows a structured sequence.

Step 1 – Define Scope

  • Identify systems handling FCI

  • Map data flows and user access

  • Establish system boundaries

Step 2 – Map Requirements to Controls

  • Align each of the 15 practices to existing controls

  • Identify gaps in access control, patching, or monitoring

Step 3 – Implement Missing Controls

  • Configure user access restrictions

  • Deploy endpoint protection

  • Establish patching cadence

  • Implement basic network protections

Step 4 – Define Operational Processes

  • User onboarding and offboarding

  • Incident reporting and response

  • Media handling and disposal

  • Physical access control

Step 5 – Collect Evidence

  • Screenshots, logs, configurations

  • Policies or procedures where needed

  • Records of control execution

Step 6 – Perform Self-Assessment

  • Validate each requirement against evidence

  • Document results clearly

  • Submit to SPRS

Organizations often embed this within broader governance models supported by Enterprise Risk Management Consultant frameworks to ensure ongoing oversight.

Timeline for Level 1 Implementation

Typical timelines vary based on maturity:

  • Small organizations with basic controls: 2–4 weeks

  • Organizations with limited structure: 1–3 months

  • Multi-system environments: 2–4 months

The biggest driver is not technical complexity—it is organizational clarity and discipline.

Cost Considerations

Level 1 costs are relatively low compared to higher maturity frameworks, but still include:

  • Internal time and resources

  • Potential tool upgrades (endpoint protection, patch management)

  • Advisory or consulting support

Organizations often use Level 1 as a low-cost entry point into structured compliance programs.

Common Implementation Risks

Organizations frequently struggle with:

  • Undefined system scope

  • Inconsistent access control practices

  • Lack of evidence for implemented controls

  • Over-reliance on IT without governance oversight

  • No repeatable process for annual reassessment

These are not technical failures—they are system design failures.

Integrating CMMC Level 1 Into a Broader System

High-performing organizations do not treat Level 1 as a standalone requirement.

They integrate it into:

  • Risk management processes

  • Internal audit programs

  • Management review cycles

  • Continuous improvement systems

This reduces duplication and builds toward scalable compliance maturity.

Benefits of Meeting CMMC Level 1 Requirements

Even at a basic level, compliance strengthens:

  • Eligibility for DoD contracts

  • Customer confidence in cybersecurity practices

  • Internal control over systems and data

  • Operational discipline

  • Readiness for higher-level certifications

For many organizations, Level 1 is the entry point into structured governance—not the end state.

Is CMMC Level 1 Worth It?

If your organization:

  • Works with the Department of Defense

  • Handles Federal Contract Information

  • Plans to expand into government contracting

  • Wants to establish baseline cybersecurity discipline

Then Level 1 is not optional—it is foundational.

It establishes the minimum standard for participation in the defense industrial base.

If You’re Also Evaluating…

The most effective starting point is a structured gap assessment followed by a controlled implementation aligned directly to the 15 Level 1 practices.

Contact us.

info@wintersmithadvisory.com
(801) 477-6329