CMMC Level 1: Requirements, Self-Assessment & How to Pass (2026)
CMMC Level 1 is the entry point for any company doing business with the Department of Defense. If your contracts involve Federal Contract Information — even something as mundane as delivery schedules — you need to meet these requirements and prove it.
The good news: Level 1 is the lightest lift in the CMMC framework. Seventeen basic cybersecurity practices. No outside auditor. No expensive assessment organization. You evaluate yourself, submit your score, and affirm annually that you still meet the standard.
The bad news: “basic” doesn’t mean “automatic.” We’ve seen companies assume they already meet Level 1 and find out they don’t when it actually matters. Undocumented practices, shared logins, a missing antivirus license on one laptop — small gaps that become real problems when you’re signing a legal affirmation that everything is in order.
This guide walks through exactly what CMMC Level 1 requires, how to complete the self-assessment, and where companies actually get tripped up.
What Is CMMC Level 1?
CMMC Level 1 — officially called “Foundational” — covers 17 cybersecurity practices drawn from FAR 52.204-21. These are basic cyber hygiene measures that the federal government considers the minimum bar for handling government data.
If you’ve been in the defense contracting space for a while, you may already be familiar with these requirements. FAR 52.204-21 has been in contracts for years. What CMMC adds is formality: you now have to assess yourself against a defined scoring methodology and submit that score to DoD through the SPRS portal.
Level 1 doesn’t require a System Security Plan (SSP). It doesn’t require a Plan of Actions and Milestones (POA&M). It doesn’t require third-party verification. You assess, you score, you submit, you affirm. That simplicity is by design — DoD wants this to be achievable for small contractors without dedicated cybersecurity staff.
Who Needs CMMC Level 1?
The distinction comes down to two types of information:
- FCI (Federal Contract Information) — information generated or provided under a government contract that isn’t intended for public release. Think contract terms, pricing, delivery schedules, performance reports. Basic operational data.
- CUI (Controlled Unclassified Information) — sensitive information that requires specific handling controls. Technical drawings, engineering specifications, test data, export-controlled information. The stuff adversaries actually want.
If you handle FCI but not CUI, you need Level 1. That’s it. You meet the 17 practices, self-assess, and you’re done.
If you handle CUI, you need Level 2. Level 1 won’t cut it — you need the full 110 requirements from NIST SP 800-171. We have a detailed CMMC compliance checklist that covers Level 2 if that’s where you land.
How to tell which one you are: Look at your contract clauses.
| Contract Clause | What It Means | CMMC Level |
|---|---|---|
| FAR 52.204-21 only | You handle FCI | Level 1 |
| DFARS 252.204-7012 | You handle CUI | Level 2 |
| Both clauses present | You handle CUI (the higher standard wins) | Level 2 |
If you’re a subcontractor and don’t see these clauses directly, ask your prime contractor. They’re required to flow down the appropriate requirements, and many primes are now explicitly telling subs which CMMC level they need.
The 17 CMMC Level 1 Controls in Plain English
Here’s every Level 1 control, stated in terms of what you actually need to do. No NIST jargon. No cross-references to other documents. Just the action.
We’ve organized them by domain — the same way an assessor would review them.
Access Control (4 controls)
AC.L1-3.1.1 — Limit system access to authorized users. Every person who uses a company computer, email, or file share has their own account. Nobody logs in with a shared “office” account. When someone leaves the company, their access is removed that day — not next week, not when IT gets around to it.
AC.L1-3.1.2 — Limit access to what people need for their jobs. The warehouse worker doesn’t have access to the accounting system. The front desk doesn’t have access to engineering files. People can reach the systems and data their role requires, and nothing else.
AC.L1-3.1.20 — Control connections to external systems. You have a firewall. It’s configured. You control what connects to your network from outside — VPN for remote access, rules for what traffic is allowed in and out. You don’t have open ports you forgot about.
AC.L1-3.1.22 — Control information posted to public-facing systems. Nothing on your public website, social media, or other internet-facing system accidentally contains FCI. Someone reviews what goes public before it goes public.
Identification and Authentication (2 controls)
IA.L1-3.5.1 — Identify every user on your systems. Each person has a unique username. You can tell who did what on any system at any time. No shared accounts, no anonymous access.
IA.L1-3.5.2 — Verify user identity before granting access. At minimum, passwords. The standard doesn’t technically require multi-factor authentication at Level 1, but MFA is such a basic security measure at this point that skipping it is asking for trouble. If you’re using Microsoft 365, it takes about 10 minutes to turn on.
Media Protection (1 control)
MP.L1-3.8.3 — Sanitize or destroy media before disposal. When a laptop, desktop, or USB drive reaches end of life, the data is wiped or the device is physically destroyed before it leaves your possession. You don’t sell old computers on eBay with contract data still on the hard drive.
Physical Protection (4 controls)
PE.L1-3.10.1 — Limit physical access to systems. Your servers, networking equipment, and any systems that store government data are in a locked area. Not everyone in the company has access.
PE.L1-3.10.3 — Escort visitors. Non-employees don’t wander your facility unattended, especially near areas where government work happens. Someone walks with them.
PE.L1-3.10.4 — Maintain visitor logs. You record who visited, when they came in, and when they left. A sign-in sheet at the front desk works.
PE.L1-3.10.5 — Manage physical access devices. Keys, badges, key cards — you know who has them. When someone leaves, you collect them. When a badge is lost, it gets deactivated.
System and Communications Protection (2 controls)
SC.L1-3.13.1 — Monitor and control communications at system boundaries. Your firewall monitors inbound and outbound network traffic. You’re not just blocking incoming threats — you’d also notice if something on your network started sending data somewhere it shouldn’t.
SC.L1-3.13.5 — Separate public-facing systems from internal systems. If you have a public website, it lives on a separate network segment from your internal systems. Compromising the web server doesn’t give an attacker a straight path to your file shares and email.
System and Information Integrity (4 controls)
SI.L1-3.14.1 — Fix known vulnerabilities promptly. When your software vendors release security patches, you install them in a reasonable timeframe. “Reasonable” means weeks, not months. Critical patches should be prioritized.
SI.L1-3.14.2 — Run malicious code protection. Every computer and server has antivirus or endpoint protection software. It’s installed, it’s active, and it’s on every machine — not just the ones you remembered.
SI.L1-3.14.4 — Keep malware definitions current. Your antivirus software updates its threat signatures automatically. Antivirus that hasn’t updated in two months is just wasting CPU cycles.
SI.L1-3.14.5 — Scan at key entry points. When files come in — email attachments, downloads, USB drives — they get scanned for malicious content before they reach your network. Real-time scanning, not just a weekly full-system sweep.
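Several of the practices above can be checked against inventory data rather than by interview: departed users still enabled (AC.L1-3.1.1), shared logins (IA.L1-3.5.1), machines without endpoint protection (SI.L1-3.14.2), stale definitions (SI.L1-3.14.4) and overdue patches (SI.L1-3.14.1). The script below is an added example, not part of this guide or any official CMMC tooling: the user and endpoint inventories are constructed, the shared-account name list and the 7-day definition and 30-day patch thresholds are assumptions chosen for the example, and MFA is reported as a recommendation rather than a finding because, as noted above, Level 1 does not require it. Physical and media controls still need hand-gathered evidence.

```python
"""Automated evidence checks for the technically verifiable subset of the
Level 1 practices. Added example with constructed data; thresholds are
assumptions, not values from the CMMC rule."""
from datetime import date

TODAY = date(2026, 3, 1)  # constructed assessment date

# Constructed user-directory export (the shape an Entra ID or AD dump gives you).
USERS = [
    {"name": "alice", "enabled": True, "mfa": True, "terminated": None},
    {"name": "bob", "enabled": True, "mfa": False, "terminated": None},
    {"name": "carol", "enabled": True, "mfa": True, "terminated": date(2026, 2, 10)},
    {"name": "office", "enabled": True, "mfa": False, "terminated": None},
]

# Account names that usually mean a shared login rather than a person (assumption).
SHARED_ACCOUNT_NAMES = {"office", "admin", "frontdesk", "shared", "guest"}

# Constructed endpoint inventory.
ENDPOINTS = [
    {"host": "eng-01", "av_installed": True, "av_defs": date(2026, 2, 28), "oldest_missing_patch": None},
    {"host": "corner-desktop", "av_installed": False, "av_defs": None, "oldest_missing_patch": date(2025, 11, 1)},
    {"host": "ceo-laptop", "av_installed": True, "av_defs": date(2026, 2, 27), "oldest_missing_patch": date(2026, 2, 20)},
]

MAX_DEFINITION_AGE_DAYS = 7   # assumption: definitions older than a week count as stale
MAX_PATCH_AGE_DAYS = 30       # assumption: "weeks, not months" made concrete as 30 days


def check_accounts(users):
    """AC.L1-3.1.1 and IA.L1-3.5.1: departed users still enabled, and shared logins."""
    findings = {"AC.L1-3.1.1": [], "IA.L1-3.5.1": []}
    for u in users:
        if u["terminated"] is not None and u["enabled"]:
            findings["AC.L1-3.1.1"].append(f"{u['name']} left {u['terminated']} but is still enabled")
        if u["name"] in SHARED_ACCOUNT_NAMES:
            findings["IA.L1-3.5.1"].append(f"{u['name']} looks like a shared account")
    return findings


def mfa_advisories(users):
    """MFA is not a Level 1 requirement, so it is reported separately as a recommendation."""
    return [u["name"] for u in users if u["enabled"] and not u["mfa"]]


def check_endpoints(endpoints, today):
    """SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4: overdue patches, missing AV, stale definitions."""
    findings = {"SI.L1-3.14.1": [], "SI.L1-3.14.2": [], "SI.L1-3.14.4": []}
    for e in endpoints:
        if not e["av_installed"]:
            findings["SI.L1-3.14.2"].append(f"{e['host']} has no endpoint protection")
        elif e["av_defs"] is None or (today - e["av_defs"]).days > MAX_DEFINITION_AGE_DAYS:
            findings["SI.L1-3.14.4"].append(f"{e['host']} definitions last updated {e['av_defs']}")
        missing = e["oldest_missing_patch"]
        if missing is not None and (today - missing).days > MAX_PATCH_AGE_DAYS:
            findings["SI.L1-3.14.1"].append(f"{e['host']} has a patch outstanding since {missing}")
    return findings


def assess(users, endpoints, today):
    """Roll findings up to the MET / NOT MET result the self-assessment records."""
    findings = {**check_accounts(users), **check_endpoints(endpoints, today)}
    return {control: ("MET" if not hits else "NOT MET") for control, hits in findings.items()}


if __name__ == "__main__":
    for control, result in assess(USERS, ENDPOINTS, TODAY).items():
        print(f"{control:14} {result}")
    print("MFA recommended for:", ", ".join(mfa_advisories(USERS)))
```

On the constructed data the departed user, the shared "office" login, the unprotected corner desktop and its four-month-old patch each turn a control to NOT MET, while definitions on the protected machines are fresh enough for SI.L1-3.14.4 to pass. Replace the two inventories with real exports from your directory and endpoint tool and the same logic gives you the evidence line for each control.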
How to Complete Your Level 1 Self-Assessment
Here’s the actual process, step by step. This is what your company needs to do to be compliant, not just “aware.”
Step 1: Scope Your Environment
Before you assess anything, define what’s in scope. For Level 1, that means identifying every system that stores, processes, or transmits FCI.
This typically includes:
- Workstations and laptops used for government contract work
- Email systems where government contract data is sent or received
- File servers or cloud storage (SharePoint, OneDrive, Google Drive) containing FCI
- Network devices that connect those systems (routers, switches, firewalls)
- Any mobile devices with access to the above
The key question: If a system touches FCI in any way — even just email — it’s in scope.
Many companies make the mistake of scoping too broadly (including every system in the company) or too narrowly (forgetting about the CEO’s laptop that gets contract emails). Be thorough but intentional. The tighter your scope, the fewer systems you need to prove compliance on.
Step 2: Assess Each Control
Go through all 17 controls above and honestly evaluate each one. For every control, you’ll land in one of two places:
- MET — You do this, and you can describe how. “We use individual Microsoft 365 accounts for every employee, and we disable accounts in Entra ID when someone leaves.”
- NOT MET — You don’t do this, or you can’t prove it. “We have a shared admin account that three people use” means you haven’t met the unique identification control.
Write down the assessment for each control. This doesn’t have to be a formal document — a spreadsheet works fine. For each control, note:
- Whether it’s met or not met
- How you implement it (if met)
- What needs to change (if not met)
Be honest. You’re going to sign an annual affirmation under penalty of the False Claims Act stating that your assessment is accurate. Overstating your compliance isn’t just bad practice — it’s a legal risk.
Step 3: Fix the Gaps
If any control came back “NOT MET,” fix it before you submit your score. Unlike Level 2, Level 1 does not allow POA&Ms (plans to fix things later). All 17 controls must be fully met at the time you submit your score.
The good news: most Level 1 gaps are simple to close.
| Common Gap | Typical Fix | Time to Fix |
|---|---|---|
| Shared accounts | Create individual accounts, disable the shared one | 1-2 hours |
| No MFA | Enable MFA in Microsoft 365 or Google Workspace | 30 minutes to configure, 1 week to roll out |
| Missing antivirus on some machines | Deploy endpoint protection to all devices | 1-2 days |
| No visitor log | Put a sign-in sheet at the front desk | 5 minutes |
| Old equipment not properly wiped | Run DBAN or use BitLocker to encrypt then wipe drives | 1-2 hours per device |
| No firewall rules | Configure your firewall or upgrade from a consumer-grade router | 2-4 hours with IT support |
If the total cost to get Level 1 compliant concerns you, keep in mind that most of these fixes are inexpensive — the biggest cost is the time of whoever’s doing the work.
Step 4: Submit Your Score in SPRS
Once all 17 controls are met, submit your score through the Supplier Performance Risk System (SPRS).
For Level 1, the scoring is straightforward: you either meet all 17 practices or you don’t. There’s no partial credit and no weighted scoring. Your SPRS submission confirms that you’ve assessed yourself and meet the requirements.
To submit, you’ll need:
- A SPRS account (your company’s Contracts/IT person may already have access)
- Your company’s CAGE code
- The date of your assessment
- Confirmation that all 17 practices are met
Step 5: Submit Your Annual Affirmation
After your SPRS submission, a senior company official — typically the CEO, president, or similar executive — must submit an annual affirmation to the CMMC eMASS portal. This is a signed statement confirming that your self-assessment is accurate and that you continue to meet the requirements.
This affirmation is renewed every year. If your security posture changes — you stop using antivirus, you start sharing accounts, whatever — you’re expected to remediate before your next affirmation or update your assessment accordingly.
This carries legal weight. The affirmation is subject to the False Claims Act. Signing it when you know you don’t actually meet the requirements exposes your company to civil and criminal liability. We’re not saying this to scare you — we’re saying it because we’ve seen companies treat it casually, and that’s a risk you don’t want to take.
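The assessment, gap-fixing, SPRS submission and affirmation steps above boil down to a few rules that are easy to get wrong in a spreadsheet: every one of the 17 practices needs a row, a MET row needs an implementation description, a NOT MET row needs a remediation plan, and nothing is ready to submit until all 17 are MET because Level 1 has no partial credit and no POA&Ms. The script below is an added example, not part of this guide and not an official SPRS or eMASS tool: the spreadsheet export is constructed, and the one-year affirmation interval is an assumption used to compute the renewal date.

```python
"""Validate a Level 1 self-assessment record and decide whether it is
ready to submit. Added example with a constructed spreadsheet export."""
import csv
import io

# The 17 Level 1 practice identifiers listed in the guide.
LEVEL1_CONTROLS = (
    "AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22",
    "IA.L1-3.5.1", "IA.L1-3.5.2",
    "MP.L1-3.8.3",
    "PE.L1-3.10.1", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5",
    "SC.L1-3.13.1", "SC.L1-3.13.5",
    "SI.L1-3.14.1", "SI.L1-3.14.2", "SI.L1-3.14.4", "SI.L1-3.14.5",
)
VALID_STATUS = {"MET", "NOT MET"}

# Constructed spreadsheet export: one row per control, four columns.
SAMPLE_CSV = """\
control,status,implementation,remediation
AC.L1-3.1.1,MET,Individual M365 accounts; offboarding disables the account same day,
AC.L1-3.1.2,MET,SharePoint permissions by role; accounting system limited to finance group,
AC.L1-3.1.20,MET,Firewall denies inbound by default; VPN for remote access,
AC.L1-3.1.22,MET,Marketing lead reviews website posts before publication,
IA.L1-3.5.1,NOT MET,,Retire the shared office account and create named accounts
IA.L1-3.5.2,MET,Password policy enforced in M365; MFA enabled for all users,
MP.L1-3.8.3,MET,Drives wiped with DBAN or destroyed by vendor before disposal,
PE.L1-3.10.1,MET,Server closet locked; keys held by IT manager and owner,
PE.L1-3.10.3,MET,Visitors escorted by host employee,
PE.L1-3.10.4,MET,Sign-in sheet at front desk retained for one year,
PE.L1-3.10.5,MET,Badge list kept by office manager; badges collected at exit,
SC.L1-3.13.1,MET,Firewall logs inbound and outbound traffic; reviewed weekly,
SC.L1-3.13.5,MET,Public website hosted externally; no link to internal LAN,
SI.L1-3.14.1,MET,Windows Update and third-party patches applied within 30 days,
SI.L1-3.14.2,MET,,
SI.L1-3.14.4,MET,Endpoint protection updates definitions automatically,
SI.L1-3.14.5,MET,Real-time scanning of email attachments and removable media,
"""


def load_assessment(text):
    """Parse the export into {control_id: row}; a duplicated control id is an error."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        cid = row["control"].strip()
        if cid in rows:
            raise ValueError(f"duplicate row for {cid}")
        rows[cid] = {k: (v or "").strip() for k, v in row.items()}
    return rows


def validate(rows):
    """Completeness and evidence checks: every control present, every claim backed."""
    problems = [f"{cid}: no assessment row" for cid in LEVEL1_CONTROLS if cid not in rows]
    for cid, row in rows.items():
        if cid not in LEVEL1_CONTROLS:
            problems.append(f"{cid}: not a Level 1 practice")
        elif row["status"] not in VALID_STATUS:
            problems.append(f"{cid}: status must be MET or NOT MET")
        elif row["status"] == "MET" and not row["implementation"]:
            problems.append(f"{cid}: marked MET but no implementation description")
        elif row["status"] == "NOT MET" and not row["remediation"]:
            problems.append(f"{cid}: marked NOT MET but no remediation plan")
    return problems


def ready_to_submit(rows):
    """All 17 must be MET: Level 1 has no partial credit and no POA&Ms."""
    reasons = validate(rows)
    unmet = [cid for cid in LEVEL1_CONTROLS if rows.get(cid, {}).get("status") != "MET"]
    if unmet:
        reasons.append("NOT MET (no POA&M allowed at Level 1): " + ", ".join(unmet))
    return (not reasons, reasons)


def next_affirmation_due(assessed):
    """Assumption: the affirmation is renewed one year after the assessment date."""
    try:
        return assessed.replace(year=assessed.year + 1)
    except ValueError:  # assessed on 29 February
        return assessed.replace(year=assessed.year + 1, day=28)


if __name__ == "__main__":
    from datetime import date
    ok, reasons = ready_to_submit(load_assessment(SAMPLE_CSV))
    print("ready to submit:", ok)
    for r in reasons:
        print(" -", r)
    print("next affirmation due:", next_affirmation_due(date(2026, 3, 1)))
```

On the constructed export the record fails twice: IA.L1-3.5.1 is still NOT MET, and SI.L1-3.14.2 is claimed as MET with no description of how. Both are the kinds of gap that are easy to sign past; the checker refuses to report "ready" until the shared account is gone and the antivirus claim has evidence behind it.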
Level 1 vs Level 2: Do You Actually Need More?
This is a question worth sitting with, because getting the answer wrong is expensive in either direction.
| | Level 1 | Level 2 |
|---|---|---|
| What you protect | FCI (basic contract data) | CUI (sensitive technical data) |
| Number of requirements | 17 | 110 |
| Assessment type | Self-assessment only | Self-assessment or third-party (C3PAO) |
| Assessment frequency | Annual | Every 3 years |
| Typical cost | $3,000 – $15,000 | $50,000 – $300,000+ |
| SSP required? | No | Yes |
| POA&Ms allowed? | No | Yes (with conditions) |
Signs you actually need Level 2:
- Your contract includes DFARS 252.204-7012
- You receive technical drawings, specifications, or engineering data from the government or a prime
- Documents you receive are marked “CUI” or reference a CUI category
- Your prime contractor has told you that you handle CUI
Signs Level 1 is sufficient:
- You only see FAR 52.204-21 in your contract clauses
- Your government work involves administrative data — scheduling, pricing, delivery — not technical or engineering data
- You don’t receive anything marked as CUI from the government or a prime
If you’re on the fence, ask your contracting officer or your prime contractor to clarify in writing. Getting an email that says “your company only handles FCI” is worth its weight in gold if the question ever comes up during an audit or contract review.
Common Level 1 Mistakes
We’ve helped enough companies through this process to spot the patterns. Here’s what goes wrong.
1. Assuming you’re already compliant. “We use Microsoft 365 and have good passwords, so we’re fine.” Maybe. But do you have individual accounts for everyone? Is MFA actually turned on for all users or just the admins? Is the antivirus on every machine, including the old desktop in the corner that nobody uses? Assumptions create gaps. Verify.
2. Forgetting about personal devices. If employees check work email on their personal phones, those phones are arguably in scope. Either manage them with a mobile device management policy or block FCI access from personal devices entirely.
3. No documentation. Level 1 doesn’t require a formal SSP, but you still need to document your assessment. When contract renewal comes around and the contracting officer asks how you assessed yourself, “we just kind of checked” isn’t an answer. Keep a written record of each control, how you meet it, and the date you assessed it.
4. Treating it as a one-time event. The annual affirmation exists because things change. People leave and their accounts stay active. Someone installs a personal laptop on the network. A firewall rule gets modified and nobody notices. Compliance is a state you maintain, not a box you check once.
5. Signing the affirmation without actually assessing. This is the biggest risk. Some companies treat the affirmation like they treat terms of service — click agree without reading. Under the False Claims Act, an inaccurate affirmation can result in penalties up to three times the value of the contract. Don’t sign it until you’ve genuinely verified every control.
6. Confusing Level 1 with “good enough for CUI.” If you handle CUI and submit a Level 1 self-assessment, you’re not just non-compliant — you’ve misrepresented your compliance status to the DoD. If you’re not sure whether your data qualifies as CUI, figure that out before you decide which level to pursue.
Frequently Asked Questions
What are the CMMC Level 1 requirements?
CMMC Level 1 requires meeting 17 cybersecurity practices from FAR 52.204-21. They cover basic cyber hygiene: unique user accounts, access controls, antivirus, patching, physical security, and network monitoring. Every requirement is listed in plain English above.
How do I complete a CMMC Level 1 self-assessment?
Scope your environment to identify all systems that handle FCI, assess each of the 17 controls as met or not met, fix any gaps, then submit your score through the SPRS portal. A senior official at your company then submits an annual affirmation confirming the results are accurate.
How much does CMMC Level 1 cost?
Most companies spend $3,000–$15,000 on Level 1 compliance. The cost is primarily staff time spent assessing, documenting, and fixing minor gaps. If your IT practices are already solid, it could cost less. If you’re starting from scratch — no antivirus, shared accounts, no firewall — it will cost more.
Do I need a consultant for Level 1?
Probably not. Level 1 is designed to be achievable without outside help. If you have someone on staff who understands basic IT security, they can work through the 17 controls and complete the self-assessment. Where a consultant helps is if you’re genuinely unsure whether you handle FCI or CUI — getting that scoping decision wrong is the most expensive mistake you can make.
What’s the difference between CMMC Level 1 and Level 2?
Level 1 covers 17 basic practices for protecting FCI. Level 2 covers 110 security requirements from NIST SP 800-171 for protecting CUI. Level 2 is significantly more complex, more expensive, and may require a third-party assessment. See the full comparison above or our CMMC compliance checklist for a detailed Level 2 breakdown.
Is CMMC Level 1 required now?
Yes. The CMMC final rule took effect in December 2024, and DoD is phasing CMMC requirements into new contracts. Level 1 self-assessment is the first phase of implementation. If you’re bidding on contracts that include FAR 52.204-21, you should already have your self-assessment and SPRS score in place.
Can I fail a CMMC Level 1 self-assessment?
Technically, no — because you’re assessing yourself, there’s no pass/fail from an external body. But if you submit a score and sign an affirmation that doesn’t reflect reality, you risk False Claims Act liability. And if DoD ever audits your self-assessment and finds gaps, the consequences go well beyond losing one contract. Assess honestly.