CMMC Level 1

Get up to speed on CMMC 2.0 Level 1. Everything you need to know to get ready.

CMMC Level 1 is the basic level of the Cybersecurity Maturity Model Certification, important for managing Federal Contract Information (FCI). This level ensures simple cybersecurity practices, helping organizations in the Defense Industrial Base to keep sensitive information safe within their information systems. Unlike the original model, CMMC 2.0 simplifies the framework by reducing it from five to three levels but keeps Level 1’s basic practices.

Key Takeaways

  • CMMC 2.0 Level 1 ensures basic cybersecurity practices to protect Federal Contract Information (FCI).
  • CMMC was created to combat cyber threats in the Defense Industrial Base, based on FAR 52.204-21 and NIST SP 800-171.
  • Level 1 includes 17 basic cybersecurity practices across six domains.
  • As of this writing, contractors must be CMMC 2.0 Level 1 certified by October 1, 2025 in order to bid on contracts.
  • Annual self-assessments are required to verify CMMC 2.0 Level 1 compliance.

Impact on the Government Contracting Process

Meeting CMMC 2.0 Level 1 will be a requirement to work with the Federal Government in the near future. Specifically, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 states that the requirement will take full effect by October 1, 2025, meaning contractors will need to have the necessary CMMC certification by that date. (DoDCIO)

Historical Context

The CMMC framework was created to address increasing cyber threats and information breaches within the U.S. Defense Industrial Base. It’s a joint effort aimed at improving security in defense contracting, specifically through securing organizational information systems.

The origins of CMMC 2.0 Level 1 come from 2 main sets of regulations:

  • Federal Acquisition Regulation (FAR) 52.204-21: This regulation outlines the basic safeguarding of Covered Contractor Information Systems. It specifies minimum security controls that contractors must implement to protect Federal Contract Information (FCI). (LII / Legal Information Institute)
  • NIST SP 800-171 Rev. 2: While CMMC Level 1 does not require full compliance with NIST SP 800-171, it does draw from its guidelines. Specifically, CMMC Level 1 includes a subset of the security requirements from NIST SP 800-171, focusing on basic safeguarding practices.

Key Features of CMMC 2.0 Level 1 to protect FCI

There are 17 basic cybersecurity practices across 6 domains that need to be satisfied.  

Access Control (AC)

Implement measures to restrict system access to authorized users and devices. This includes ensuring that only personnel with the necessary clearance can access sensitive information and systems.

  • AC.L1-3.1.1: Limit system access to authorized users.
  • AC.L1-3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • AC.L1-3.1.20: Verify and control/limit connections to and use of external information systems.

Identification and Authentication (IA)

Verify the identities of users and devices before granting access to systems. This helps ensure that only legitimate entities can interact with sensitive data.

  • IA.L1-3.5.1: Identify information system users, processes acting on behalf of users, or devices.
  • IA.L1-3.5.2: Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.

Media Protection (MP)

Secure and properly dispose of media containing FCI to prevent unauthorized access. This involves encryption, secure storage, and destruction protocols for physical and digital media.

  • MP.L1-3.8.3: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Physical Protection (PE)

Control physical access to systems and locations housing sensitive information. Implementing physical security measures such as locks, surveillance, and access controls helps protect against physical breaches.

  • PE.L1-3.10.1: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • PE.L1-3.10.3: Escort visitors and monitor visitor activity.
  • PE.L1-3.10.4: Maintain audit logs of physical access.
  • PE.L1-3.10.5: Control and manage physical access devices.

System and Communications Protection (SC)

Monitor and protect communication channels and system boundaries to prevent unauthorized access and data breaches. This includes firewalls, intrusion detection systems, and secure communication protocols.

  • SC.L1-3.13.1: Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information system.
  • SC.L1-3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

System and Information Integrity (SI)

Identify and address system flaws, protect against malicious code, and conduct regular system scans to maintain the integrity of information systems. This involves regular updates, patches, and antivirus measures.

  • SI.L1-3.14.1: Identify, report, and correct information and information system flaws in a timely manner.
  • SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems.
  • SI.L1-3.14.4: Update malicious code protection mechanisms when new releases are available.
  • SI.L1-3.14.5: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Assessment and Certification Process

Organizations must perform an annual self-assessment to verify compliance with CMMC 2.0 Level 1.

For more information on the annual self-assessment process required for CMMC 2.0 Level 1 compliance, you can visit the Department of Defense’s page on CMMC Assessments. This page explains that contractors who do not deal with highly sensitive information must do yearly self-checks to make sure they meet cybersecurity rules. It offers detailed guidance on maintaining compliance and improving cybersecurity approaches.

You can access the full details through this link: CMMC Assessments

Key Certification Requirements

  • Documented Self-Assessment: Keep records of compliance checks done internally.
  • Implementation of Practices: Make sure all 17 practices are in place and functional.

Steps Involved in Obtaining Certification

  1. Understand Requirements: Know the specific practices required, including those needed to protect organizational communications.
  2. Conduct Self-Assessment: Regularly perform and document self-assessments.
  3. Submit Compliance Documentation: Provide proof of compliance when bidding for contracts.

Common Mistakes and How to Prevent Them

  • Inadequate Documentation: Maintain complete records of all cybersecurity practices.
  • Neglecting Updates: Regularly update cybersecurity measures to address new threats.

Keeping CMMC 2.0 Level 1 compliance means knowing the requirements and making sure they are correctly applied.

Common Challenges and Solutions

  • Resource Allocation: Prioritize cybersecurity to manage resource challenges.
  • Adapting to Threats: Stay updated on new threats and continuously improve cybersecurity practices.

Upcoming Changes

Changes to the CMMC framework may introduce stricter requirements to better protect against advanced threats and ensure key internal boundaries, external information systems, internal network systems, and respective operating environments are secure.

How to Prepare for Changes

  • Stay Informed: Keep up with updates from the CMMC Accreditation Body.
  • Continuous Improvement: Aim for continuous improvement in cybersecurity practices.

Future Outlook

Staying updated with changes in CMMC regulations is crucial because the cybersecurity environment is constantly changing. Please see the Further Research section on this page for links to official documentation and other information.


Understanding and applying CMMC Level 1 is essential for defense contractors. This level helps protect Federal Contract Information (FCI) and keeps contractors qualified for DoD contracts. It’s important for any organization in the defense supply chain to follow these rules to protect against cyber threats and to identify information system users effectively.


What are publicly accessible system components and how do we handle them?

These are parts of our network that can be accessed from outside, requiring strict rules and continuous checks to ensure data safety.

What does a physical access device system do for security?

It controls who can enter secure areas, using tools like card readers and biometric scanners to protect sensitive information.

Why are malicious code protection mechanisms important?

These mechanisms protect against viruses and hacking by detecting and stopping threats before they harm our systems.

Why should we properly destroy information system media?

Proper destruction ensures that no one can retrieve sensitive data from it once discarded, preventing data leaks.

What should we consider when setting up a physical access device system to protect sensitive areas?

Effective setup requires multiple security layers, regular checks to ensure everything functions correctly, and updates to handle new security challenges.

How does CMMC Level 1 help manage internal network systems?

CMMC Level 1 ensures basic cybersecurity practices to protect internal network systems from unauthorized access.

Why is it important to limit physical access under CMMC 2.0?

It is vital to limit physical access to prevent unauthorized entry and protect sensitive information in compliance with CMMC 2.0 standards.

What should be considered when selecting appropriate locations for sensitive data storage?

Appropriate locations for sensitive data storage should have robust security measures and restricted access to comply with CMMC Level 1.

Why is choosing appropriate locations important for internal network systems?

Selecting appropriate locations is crucial for ensuring that your internal network systems are secure and protected from unauthorized access.
