# CMMC Level 1: What You Actually Need to Do
If your DoD contract involves Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI), you're looking at CMMC Level 1: the basic safeguarding requirements of FAR 52.204-21, an annual self-assessment, and a result and affirmation posted to the Supplier Performance Risk System (SPRS). No third-party assessor required. This article uses the CMMC model's NIST SP 800-171 numbering, which counts 17 practices; the 32 CFR Part 170 final rule covers the same requirements but counts 15, because it folds the three visitor and physical-access practices into one.
That sounds simple. For some organizations it is. But "simple" doesn't mean "done" — the number of contractors who have taken the self-assessment seriously is still distressingly low, and Level 1 findings show up in contract disputes and prime contractor audits more than people expect.
Here's what Level 1 actually requires, where contractors most commonly fall short, and what the annual assessment process looks like in practice.
What Is FCI, and Why Does It Determine Your Level?
Federal Contract Information is information provided by or generated for the government under a contract, not intended for public release. If your contract has language about protecting information per FAR 52.204-21, you have FCI. Examples: contract performance data, technical specifications provided by the contracting office, cost and pricing data, any information the government tells you not to publicly disclose.
The key distinction: FCI is not CUI. CUI is a stricter category with its own handling requirements under NIST SP 800-171 (Level 2). If your contract says both — if you have technical data, export-controlled drawings, or defense-specific specifications — you almost certainly have CUI, and Level 1 alone isn't enough.
Decision point: If you're not sure whether you have CUI, the safe assumption is that you do. Read your contract's performance work statement and data requirements carefully. Look for DFARS clause 252.204-7012: if it's in your contract, plan for CUI and Level 2. FAR 52.204-21 without DFARS 252.204-7012 is the Level 1 scenario. One caveat: 7012 appears in many DoD solicitations by default, so its presence is a strong signal rather than proof. What decides the level is whether CUI actually flows to you, and where the solicitation includes the CMMC clause (DFARS 252.204-7021) it states the required level outright.
The 17 Practices: What Each One Requires
CMMC Level 1 is built on the basic safeguarding requirements in FAR 52.204-21, expanded to 17 practices across six domains. Here's what they mean operationally:
Access Control (AC) — 4 Practices
AC.L1-3.1.1 — Limit system access to authorized users, processes, and devices. In practice: maintain a list of who has accounts on systems that handle FCI. Review it when people leave. No shared accounts.
AC.L1-3.1.2 — Limit system access to authorized functions. Users should only access the systems and data their job requires. A billing clerk doesn't need access to contract performance files. This is least-privilege, applied practically.
AC.L1-3.1.20 — Verify and control all connections to external systems. If you access FCI from a personal cloud account, a home network, or a non-company device, that counts as an external system connection. You need to know about it and control it.
AC.L1-3.1.22 — Control FCI posted or processed on publicly accessible systems. Don't put FCI on public websites, public cloud folders, or any system accessible without authentication.
Identification and Authentication (IA) — 2 Practices
IA.L1-3.5.1 — Every user accessing FCI systems must have a unique identifier. No generic logins ("admin," "user1"), no shared accounts, no service accounts used for human access. Each person gets their own credential.
IA.L1-3.5.2 — Authenticate users before granting access. Passwords count, but they need to be actual passwords, not defaults and not blank. Write a password policy and apply it: a minimum length (NIST SP 800-63B sets 8 characters as the floor for user-chosen passwords, and longer is better), screening against known-breached passwords, and MFA wherever the system supports it, even though MFA itself is a Level 2 requirement. Note that 800-63B recommends against forced periodic rotation and composition rules; if you keep them because a prime or a system requires them, say so in the policy. Most environments already authenticate users; the failure is lack of documentation.
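A concrete version of the account review that AC.L1-3.1.1 and IA.L1-3.5.1 call for, as an added example that is not from the page: the script reconciles a constructed account export (the columns mimic what an Active Directory or Entra ID user export gives you) against a constructed HR roster and flags the four things an assessor asks about. The column names, the 90-day stale threshold and the review date are assumptions for the example.

```python
"""Account review for AC.L1-3.1.1 and IA.L1-3.5.1.

Added example, not from the page. Reconciles an account export against the HR
roster and flags:
  - enabled accounts whose owner is not on the active roster (leavers, unknowns)
  - generic or shared logins with no single accountable person
  - enabled accounts with no logon inside the review window
  - service accounts that have been used for interactive logon
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 1)      # assumed date of this review
STALE_AFTER = timedelta(days=90)    # assumed threshold; set your own in the SSP

# Constructed sample export. Real input: Get-ADUser / Entra ID user export with
# an "interactive" flag derived from logon-type 2/10 events or sign-in logs.
ACCOUNTS_CSV = """\
username,owner,enabled,last_logon,kind,interactive
jsmith,Jane Smith,true,2024-05-28,user,true
tnguyen,Tom Nguyen,true,2024-01-10,user,true
admin,,true,2024-05-30,user,true
svc-backup,,true,2024-05-29,service,true
rgarcia,Rosa Garcia,true,2024-05-20,user,true
dlee,Dan Lee,false,2023-09-15,user,false
pkumar,Priya Kumar,true,2024-05-27,user,true
"""

# Constructed HR roster of current staff; Rosa Garcia and Dan Lee have left.
ACTIVE_ROSTER = {"Jane Smith", "Tom Nguyen", "Priya Kumar"}


@dataclass(frozen=True)
class Finding:
    username: str
    practice: str
    reason: str


def parse_accounts(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "owner": row["owner"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"].strip()),
            "kind": row["kind"].strip(),
            "interactive": row["interactive"].strip().lower() == "true",
        })
    return rows


def review_accounts(rows, roster, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return the list of findings for one review cycle."""
    findings = []
    for acct in rows:
        name = acct["username"]
        if acct["kind"] == "service":
            # Service accounts must not double as human logins (IA.L1-3.5.1).
            if acct["interactive"]:
                findings.append(Finding(name, "IA.L1-3.5.1",
                                        "service account used for interactive logon"))
            continue
        if not acct["owner"]:
            # Nobody is accountable for "admin"/"user1"-style logins.
            findings.append(Finding(name, "IA.L1-3.5.1",
                                    "generic or shared login with no accountable owner"))
        elif acct["enabled"] and acct["owner"] not in roster:
            # Still enabled after the owner left: should have been disabled at offboarding.
            findings.append(Finding(name, "AC.L1-3.1.1",
                                    f"enabled account for {acct['owner']}, who is not on the active roster"))
        if acct["enabled"] and today - acct["last_logon"] > stale_after:
            findings.append(Finding(name, "AC.L1-3.1.1",
                                    "enabled but no logon inside the review window"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(parse_accounts(ACCOUNTS_CSV), ACTIVE_ROSTER):
        print(f"{f.practice:12} {f.username:12} {f.reason}")
```

On the sample data this produces four findings: the stale account, the ownerless "admin" login, the service account with interactive use, and the still-enabled leaver. The disabled leaver account is deliberately not flagged; disabling at offboarding is the control, and deleting after your retention period is housekeeping. Keep the output with the date and reviewer's name as the evidence record for the practice.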
Media Protection (MP) — 1 Practice
MP.L1-3.8.3 — Sanitize or destroy media before disposal or reuse. This applies to hard drives, USB drives, printed FCI documents, and any other media that stored FCI. "Delete the files" is not sanitization, and neither is a quick format. For digital media, overwrite, cryptographically erase, or physically destroy, following NIST SP 800-88; for self-encrypting drives and phones, a verified crypto-erase is the practical option. For printed documents, cross-cut shredding. Keep a disposal log (what, when, how, who) so you can show it.
Physical Protection (PE) — 4 Practices
PE.L1-3.10.1 — Limit physical access to organizational systems to authorized individuals. Your server room needs a lock. Workstations with FCI shouldn't be in public areas. If you have a home office, access controls apply there too.
PE.L1-3.10.3 — Escort visitors and monitor visitor activity. People who don't work for your organization shouldn't wander around unescorted in areas where FCI systems are accessed. Document your visitor procedures.
PE.L1-3.10.4 — Maintain audit logs of physical access. A visitor sign-in sheet or a badge-system export is enough, but it has to exist and be kept.
PE.L1-3.10.5 — Control and manage physical access devices. Know who holds keys, badges, and door codes, record it, and revoke or rekey when people leave. (The 32 CFR Part 170 final rule merges 3.10.3, 3.10.4 and 3.10.5 into a single requirement, which is why it counts 15 practices instead of 17.)
System and Communications Protection (SC) — 2 Practices
SC.L1-3.13.1 — Monitor, control, and protect communications at external boundaries. You need a boundary device between your network and the internet that denies inbound connections by default, allows only what you have deliberately published, and logs what it allows and blocks. Vendor matters less than configuration: a consumer router with NAT and no logging gives you nothing to show an assessor, while a business-class firewall (Fortinet, Palo Alto, Cisco, or similar) with logging enabled and someone actually reviewing the logs does.
SC.L1-3.13.5 — Implement subnetworks for publicly accessible system components. If you run a web server or public-facing service, it should be on a DMZ or separate network segment, not on the same network as your FCI systems.
Two requirements that often get pasted into Level 1 checklists, SC.L2-3.13.8 (encrypt CUI in transit unless otherwise protected by physical safeguards) and SC.L2-3.13.16 (protect the confidentiality of CUI at rest), are Level 2 requirements and are not assessed at Level 1. Encrypting FCI anyway (TLS 1.2 or higher for web traffic, a VPN for remote and site-to-site access, BitLocker or FileVault on laptops) is cheap and is what most primes expect. And if CUI turns up in your environment, those requirements apply in full, together with SC.L2-3.13.11 (FIPS-validated cryptography), which means you are in Level 2 territory.
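What "monitor" looks like in practice for SC.L1-3.13.1, plus a check on the DMZ separation of SC.L1-3.13.5, as an added example not taken from the page or from any firewall vendor: the script triages constructed connection-log lines in a vendor-neutral key=value format and reports allowed inbound connections from outside that reach management ports or non-DMZ hosts. The log format, the internal and DMZ address ranges and the management-port list are assumptions; map them to your firewall's log export and your own address plan.

```python
"""Boundary log triage for SC.L1-3.13.1 and SC.L1-3.13.5.

Added example, not from the page. Reads connection log lines in a constructed,
vendor-neutral key=value format and reports allowed inbound connections that
cross the boundary from outside:
  - high:   management ports (SSH, SMB, RDP, WinRM) reachable from the internet
  - medium: inbound allowed to a host that is not on the DMZ segment
Inbound to the DMZ on ordinary service ports is the expected case and is not flagged.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed address plan for the example; replace with your own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
DMZ_NET = ip_network("10.0.2.0/24")
MGMT_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed sample log (RFC 5737 documentation addresses stand in for the internet).
SAMPLE_LOG = """\
2024-06-01T08:12:03Z fw01 conn action=allow dir=in proto=tcp src=198.51.100.23 dst=10.0.1.20 dport=3389
2024-06-01T08:12:09Z fw01 conn action=allow dir=in proto=tcp src=198.51.100.23 dst=10.0.1.20 dport=3389
2024-06-01T08:13:41Z fw01 conn action=deny dir=in proto=tcp src=192.0.2.44 dst=10.0.1.20 dport=22
2024-06-01T08:14:02Z fw01 conn action=allow dir=out proto=tcp src=10.0.1.31 dst=192.0.2.10 dport=443
2024-06-01T08:15:17Z fw01 conn action=allow dir=in proto=tcp src=203.0.113.5 dst=10.0.2.8 dport=443
2024-06-01T08:16:55Z fw01 conn action=allow dir=in proto=tcp src=203.0.113.5 dst=10.0.1.20 dport=445
2024-06-01T08:17:30Z fw01 conn action=allow dir=in proto=udp src=10.0.3.9 dst=10.0.1.20 dport=53
2024-06-01T08:18:12Z fw01 conn action=allow dir=in proto=tcp src=198.51.100.77 dst=10.0.2.8 dport=22
2024-06-01T08:19:48Z fw01 conn action=allow dir=in proto=tcp src=198.51.100.90 dst=10.0.1.31 dport=8080
"""


def parse_line(line):
    """Split '<ts> <device> conn k=v k=v ...' into a dict; None for unparseable lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": parts[0], "device": parts[1]}
    for tok in parts[3:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    required = ("action", "dir", "src", "dst", "dport")
    return rec if all(k in rec for k in required) else None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return (findings, stats).

    findings maps (src, dst, dport) -> {"count", "severity", "reason"};
    stats counts lines by direction/action so the review can show what was examined.
    """
    findings = {}
    stats = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats[f"{rec['dir']}_{rec['action']}"] += 1
        if rec["action"] != "allow" or rec["dir"] != "in":
            continue  # blocked traffic and outbound traffic are not boundary exposures
        src, dst, port = ip_address(rec["src"]), ip_address(rec["dst"]), int(rec["dport"])
        if is_internal(src):
            continue  # internal-to-internal traffic is not a boundary crossing
        if port in MGMT_PORTS:
            severity, reason = "high", "management port reachable from outside"
        elif dst not in DMZ_NET:
            severity, reason = "medium", "inbound allowed to a non-DMZ host"
        else:
            continue  # public service on the DMZ segment: expected
        key = (str(src), str(dst), port)
        entry = findings.setdefault(key, {"count": 0, "severity": severity, "reason": reason})
        entry["count"] += 1
    return findings, stats


if __name__ == "__main__":
    found, stats = triage(SAMPLE_LOG)
    print(dict(stats))
    for (src, dst, port), e in sorted(found.items(), key=lambda kv: kv[1]["severity"]):
        print(f"{e['severity']:6} {src} -> {dst}:{port} x{e['count']}  {e['reason']}")
```

On the sample log the two RDP hits from the same source collapse into one high finding with a count of two, the SMB and SSH exposures are high, the 8080 service on a non-DMZ host is medium, and the HTTPS traffic to the DMZ web server is ignored as expected. A weekly run of something like this, with the output filed, is the kind of evidence that turns "we have a firewall" into "we monitor our boundary".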
System and Information Integrity (SI) — 4 Practices
SI.L1-3.14.1 — Identify, report, and correct system flaws in a timely manner. Patch your systems. Keep software current. "Timely" is not defined for you, so pick a window (for example, 30 days for critical patches), write it into your SSP, and keep a record of when you learned about a vulnerability affecting your FCI environment and when you patched it. "We haven't patched in 6 months" is a finding.
SI.L1-3.14.2 — Provide protection from malicious code. Anti-malware software on all endpoints. Automatic updates enabled. Windows Defender is acceptable if configured correctly; CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint are better. The key requirement is that it's running and updating automatically.
SI.L1-3.14.4 — Update malicious code protection mechanisms. This is the corollary to 3.14.2 — not just having anti-malware, but keeping signatures and detection capability current. Automatic updates should be on. If you manage endpoints centrally, verify updates are actually deploying.
SI.L1-3.14.5 — Perform periodic scans of systems and real-time scans of files from external sources. Configure your anti-malware for real-time scanning. Run periodic full scans — weekly is standard. If an employee downloads a file or plugs in a USB, the system should scan it automatically.
The Self-Assessment Process
CMMC Level 1 uses a self-assessment model. There's no C3PAO involved. Your organization assesses itself against the 17 practices, determines whether every one of them is met, enters the result in SPRS, and a senior official affirms it annually.
How scoring works:
Level 1 is pass/fail. Each practice is either MET or NOT MET, every practice must be MET, and there is no partial credit and no POA&M at Level 1. The 110-point scale with deductions (1, 3, or 5 points per unmet requirement) belongs to the NIST SP 800-171 DoD Assessment Methodology used for Level 2, not to Level 1. You still document your implementation status for each practice, because that record is your evidence.
The SPRS submission includes: your organization's CAGE code, the assessment date, the result, the expiration date (one year from assessment), and the affirming official's contact information. Access to SPRS is through your PIEE (Procurement Integrated Enterprise Environment) account.
How long it takes:
A first-time Level 1 self-assessment for a small company (10–50 employees) typically takes 20–40 hours: reviewing current practices, documenting findings, writing a brief System Security Plan covering Level 1 scope, and completing the SPRS submission. If you already have basic security practices documented, it's closer to 20 hours. If you're starting from scratch with no documentation, plan for 40+.
Annual requirement:
You must reassess annually. Calendar it. Set a reminder 60 days before your SPRS score expires so you have time to address any changes since the last assessment.
What Your Assessor Expects
Level 1 doesn't require a C3PAO, but your prime contractor may audit you, or your contracting officer may review your SPRS score during award decisions. What they want to see:
- A current SPRS score — not expired, not missing
- A basic SSP: one to five pages describing how you implement each of the 17 practices. The rule doesn't require an SSP at Level 1, but it is the first document a prime asks for, and writing it is most of the assessment work anyway
- Evidence you've actually done the work — documented password policy, anti-malware deployment records, firewall configuration, media disposal log. If someone asks, you should be able to show them
Contractors who fail prime audits usually haven't documented anything. They have passwords and antivirus, but no written policy, no evidence of who has access to what, and no record of when they last patched. The practices are often in place; the documentation isn't.
Common Mistakes
Assuming Level 1 means no work. Seventeen practices with annual documentation isn't zero work. The self-assessment and SPRS submission alone require focused effort, and if your security practices are weak, you'll have remediation work before you can honestly certify.
Under-scoping FCI. FCI lives in email (contract correspondence, invoices, performance reports), shared drives, and cloud storage. Don't assume your scope is only the one server with contract documents. Map where FCI flows through your environment before you self-assess.
Missing the CUI trigger. Contractors regularly assess at Level 1 not knowing they actually have CUI. If DoD technical data, export-controlled drawings, or operational data appears anywhere in your contract performance, that's CUI territory, not FCI. Filing a Level 1 self-assessment when you have CUI exposes you to contract compliance issues.
Fabricating the result. The SPRS entry and the annual affirmation are certifications to the government. Knowingly submitting a false one is fraud under the False Claims Act, and DoJ has pursued contractors over misrepresented cybersecurity compliance. If you can't honestly say all 17 practices are met, don't submit a passing result: fix the gaps first. CMMC does not permit a POA&M at Level 1, so there is no "met with exceptions" option.
Not updating after changes. You add a new cloud service to your environment. You hire a remote employee. You change your email provider. Each of these potentially affects your Level 1 scope and your SPRS certification. The annual reassessment is a floor — significant changes should trigger a review between cycles.
The Right Baseline for Level 1
Getting to Level 1 doesn't require significant spending for most organizations. You need:
- Business-class firewall with logging: $300–$1,500/year in subscription + hardware
- Anti-malware with central management: Microsoft Defender for Business at $3/user/month covers this
- Documented password policy and access review procedures: free to write, one afternoon
- Media disposal procedures: free to write, shredder if you don't have one ($50–$200)
- SPRS account registration: free
Total incremental cost for an organization that already has basic IT practices: typically under $5,000/year including staff time. The bigger investment is the documentation work on the first pass.
---
Ready to move from Level 1 to Level 2? The gap is significant: all 110 NIST SP 800-171 requirements instead of 17, a C3PAO assessment for most contracts (the rule allows a Level 2 self-assessment only where the solicitation says so), and a much more demanding evidence package. Start by identifying whether you actually have CUI, and work from there.