Understanding the 15 Requirements for CMMC Level 1 (Foundational)

The Cybersecurity Maturity Model Certification (CMMC) Level 1 represents the Foundational level of cybersecurity maturity under the Department of Defense (DoD) framework. It focuses on safeguarding Federal Contract Information (FCI)—data not intended for public release that is provided by or generated for the government under a contract.

Level 1 aligns directly with the Federal Acquisition Regulation (FAR) 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” It requires contractors to implement 15 basic cybersecurity practices to protect FCI.

Overview of Level 1

  • Who it applies to: Any contractor or subcontractor that stores, processes, or transmits FCI.

  • Assessment type: Annual self-assessment and executive affirmation submitted to the Supplier Performance Risk System (SPRS).

  • Plan of Action & Milestones (POA&Ms): Not allowed. All 15 practices must be fully implemented at the time of assessment.

  • Objective: Establish a foundation of cybersecurity hygiene and protect FCI from common cyber threats.

The 15 CMMC Level 1 Requirements

Below are the 15 safeguarding requirements every organization must meet to achieve CMMC Level 1 compliance.

  1. Limit system access to authorized users, processes, or devices.
    Ensure only approved individuals, applications, and systems can access your networks and data.

  2. Restrict system access to authorized transactions and functions.
    Grant users the least privilege necessary—only what they need to perform their job duties.

  3. Verify and control connections to external systems.
    Monitor and limit remote connections or integrations with outside networks and vendors.

  4. Control information on publicly accessible systems.
    Ensure FCI is never accidentally posted or exposed on websites or public platforms.

  5. Identify users, processes, and devices before granting access.
    Maintain accurate records of who or what connects to your systems, including devices and automated services.

  6. Authenticate identities of users, processes, or devices.
    Verify credentials before access is granted—use passwords, tokens, or certificates to confirm identity.

  7. Sanitize or destroy media containing FCI before disposal or reuse.
    Securely erase or physically destroy hard drives, USBs, and storage media before discarding or repurposing them.

  8. Limit physical access to systems and equipment.
    Protect servers, routers, and workstations with locks, badges, or restricted areas.

  9. Escort and monitor visitors, and maintain visitor logs.
    Visitors must be accompanied in secure areas and their entry and exit times documented.

  10. Monitor, control, and protect communications at system boundaries.
    Use firewalls, encryption, and intrusion detection to control traffic crossing the external boundary of your network and the key internal boundaries between network segments.

  11. Implement subnetworks for publicly accessible systems.
    Segregate public-facing systems (like web servers) from internal networks to limit exposure.

  12. Identify, report, and correct system flaws promptly.
    Maintain a patch management process to detect vulnerabilities and install updates quickly.

  13. Protect systems from malicious code.
    Use antivirus or anti-malware tools to detect and block known threats.

  14. Update malicious code protection mechanisms.
    Keep antivirus signatures and software current with the latest releases.

  15. Perform periodic and real-time scans of files from external sources.
    Automatically scan attachments, downloads, and removable media for malware before use.

Compliance Tips for Level 1 Organizations

  • Define your scope carefully. Only include systems that store, process, or transmit FCI in your assessment.

  • Document everything. Maintain written policies, configurations, and logs to demonstrate compliance.

  • Conduct annual reviews. Perform and record your self-assessment every year and update security measures as needed.

  • Affirmation submission. A senior official must affirm compliance in SPRS after completing the assessment.

  • No exceptions. All 15 practices must be met before you can claim compliance—partial credit or future remediation is not accepted.
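The scoping tip and the "no exceptions" rule above, together with practices 12 and 14 from the list, can be turned into a repeatable evidence check. The following is an added example, not code from the original article or from any CMMC tooling: it reads a constructed asset inventory, keeps only the systems that handle FCI (the assessment scope), flags hosts whose patching or anti-malware signatures are older than an assumed policy threshold, and refuses the affirmation if any finding is open, mirroring the rule that Level 1 allows no POA&Ms. The hostnames, dates and the 30-day and 7-day thresholds are assumptions chosen for illustration; CMMC Level 1 does not prescribe specific intervals.

```python
"""Added example (not from the original article): a small self-assessment
evidence check for CMMC Level 1 practices 12 and 14 over a constructed
asset inventory. All thresholds and inventory values are assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds; CMMC Level 1 itself sets no specific interval.
MAX_PATCH_AGE = timedelta(days=30)      # practice 12: correct flaws promptly
MAX_SIGNATURE_AGE = timedelta(days=7)   # practice 14: keep AV protection current

# Assessment date for the sample run (constructed).
AS_OF = date(2024, 5, 30)


@dataclass(frozen=True)
class Asset:
    hostname: str
    handles_fci: bool            # stores, processes or transmits FCI
    last_patched: date
    av_signatures_updated: date


# Constructed sample inventory; hostnames and dates are illustrative only.
INVENTORY = [
    Asset("fs01", True, date(2024, 4, 20), date(2024, 5, 28)),
    Asset("ws-eng-07", True, date(2024, 5, 27), date(2024, 5, 29)),
    Asset("kiosk-lobby", False, date(2023, 11, 1), date(2024, 1, 15)),
    Asset("ws-fin-03", True, date(2024, 5, 20), date(2024, 5, 10)),
]


def in_scope(assets):
    """Scoping rule from the article: only systems that store, process or
    transmit FCI are part of the Level 1 self-assessment."""
    return [a for a in assets if a.handles_fci]


def findings(assets, as_of):
    """Return (hostname, practice_number) for every open gap on in-scope
    assets. Out-of-scope hosts are ignored even if they are stale."""
    out = []
    for a in in_scope(assets):
        if as_of - a.last_patched > MAX_PATCH_AGE:
            out.append((a.hostname, 12))
        if as_of - a.av_signatures_updated > MAX_SIGNATURE_AGE:
            out.append((a.hostname, 14))
    return out


def can_affirm(assets, as_of):
    """Level 1 permits no POA&Ms: a single open finding blocks the
    executive affirmation until it is remediated."""
    return not findings(assets, as_of)


def report(assets, as_of):
    """Human-readable summary suitable for the assessment record."""
    lines = [f"Assessment date: {as_of.isoformat()}",
             f"In-scope systems: {', '.join(a.hostname for a in in_scope(assets))}"]
    for host, practice in findings(assets, as_of):
        lines.append(f"  GAP practice {practice}: {host}")
    lines.append("Affirmation: " + ("ready" if can_affirm(assets, as_of) else "BLOCKED"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, AS_OF))
```

Running the block reports two gaps on the sample data (fs01 is past the patch threshold, ws-fin-03 has stale signatures) and marks the affirmation as blocked; the lobby kiosk is stale on both counts but is excluded because it holds no FCI. In practice the inventory would be fed from a patch or endpoint-management export rather than hard-coded.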

Why Level 1 Matters

Even though Level 1 is the entry point of the CMMC program, it plays a critical role in protecting the DoD supply chain. Every organization that handles Federal Contract Information must meet these standards to maintain eligibility for defense contracts.

Level 1 helps your organization:

  • Strengthen basic cyber hygiene

  • Prevent common cyber incidents like phishing and data leaks

  • Build a compliance foundation to advance to higher CMMC levels in the future

Official .gov Reference Sources

REGISTER FOR OUR WEBINAR ON NOV 6:

How to Meet New CMMC Requirements Webinar 11/6 @ 11 AM EST
