CMMC Level 1 Frequently Asked Questions
Your guide to understanding CMMC Level 1. Search all questions or browse by category.
General CMMC Level 1
What is CMMC Level 1?
What is Federal Contract Information (FCI) in the context of CMMC Level 1?
Who needs to comply with CMMC Level 1?
How many practices are there in CMMC Level 1?
Is Controlled Unclassified Information (CUI) part of CMMC Level 1?
How does FAR 52.204-21 relate to CMMC Level 1?
What is considered an 'Asset' in CMMC Level 1?
How does CMMC Level 1 compare to NIST SP 800-171?
Is CMMC Level 1 achievable for small businesses?
Assessment & Compliance Process
What is a CMMC Level 1 self-assessment?
What is the assessment scope for CMMC Level 1?
What is SPRS and how does it relate to CMMC Level 1?
Can I use a third party for my CMMC Level 1 self-assessment?
What do 'MET', 'NOT MET', and 'N/A' mean in a CMMC Level 1 assessment?
What kind of evidence is needed for a CMMC Level 1 self-assessment?
What are the assessment methods used in CMMC Level 1?
Is a System Security Plan (SSP) required for CMMC Level 1?
How often do I need to do a CMMC Level 1 self-assessment?
What happens if I don't meet all requirements in a CMMC Level 1 self-assessment?
How long does a CMMC Level 1 self-assessment take?
Can I use a Plan of Action & Milestones (POA&M) for CMMC Level 1?
What is the purpose of the CMMC Assessment Guide - Level 1 document?
Access Control (AC)
What is AC.L1-b.1.i - Authorized Access Control for CMMC Level 1?
Why is Authorized Access Control (AC.L1-b.1.i) important for CMMC Level 1?
How can a small business implement AC.L1-b.1.i (Authorized Access Control)?
How does AC.L1-b.1.i protect Federal Contract Information (FCI)?
What is AC.L1-b.1.ii - Transaction & Function Control for CMMC Level 1?
Why is Transaction & Function Control (AC.L1-b.1.ii) important for CMMC Level 1?
How can a small business implement AC.L1-b.1.ii (Transaction & Function Control)?
How does AC.L1-b.1.ii protect Federal Contract Information (FCI)?
What is AC.L1-b.1.iii - External Connections for CMMC Level 1?
Why is controlling External Connections (AC.L1-b.1.iii) important for CMMC Level 1?
How can a small business implement AC.L1-b.1.iii (External Connections)?
How does AC.L1-b.1.iii protect Federal Contract Information (FCI)?
What is AC.L1-b.1.iv - Control Public Information for CMMC Level 1?
Why is Controlling Public Information (AC.L1-b.1.iv) important for CMMC Level 1?
How can a small business implement AC.L1-b.1.iv (Control Public Information)?
How does AC.L1-b.1.iv protect Federal Contract Information (FCI)?
For AC.L1-b.1.i, do I need a formal list of authorized users?
Identification & Authentication (IA)
What is IA.L1-b.1.v - Identification for CMMC Level 1?
Why is Identification (IA.L1-b.1.v) important for CMMC Level 1?
How can a small business implement IA.L1-b.1.v (Identification)?
How does IA.L1-b.1.v protect Federal Contract Information (FCI)?
What is IA.L1-b.1.vi - Authentication for CMMC Level 1?
Why is Authentication (IA.L1-b.1.vi) important for CMMC Level 1?
How can a small business implement IA.L1-b.1.vi (Authentication)?
How does IA.L1-b.1.vi protect Federal Contract Information (FCI)?
Does IA.L1-b.1.vi (Authentication) specify password complexity rules for CMMC Level 1?
Media Protection (MP)
Physical Protection (PE)
What is PE.L1-b.1.viii - Limit Physical Access for CMMC Level 1?
Why is Limiting Physical Access (PE.L1-b.1.viii) important for CMMC Level 1?
How can a small business implement PE.L1-b.1.viii (Limit Physical Access)?
How does PE.L1-b.1.viii protect Federal Contract Information (FCI)?
What is PE.L1-b.1.ix - Manage Visitors & Physical Access for CMMC Level 1?
Why is Managing Visitors & Physical Access (PE.L1-b.1.ix) important for CMMC Level 1?
How can a small business implement PE.L1-b.1.ix (Manage Visitors & Physical Access)?
How does PE.L1-b.1.ix protect Federal Contract Information (FCI)?
Is locking office doors sufficient for PE.L1-b.1.viii (Limit Physical Access) in CMMC Level 1?
System & Communications Protection (SC)
What is SC.L1-b.1.x - Boundary Protection for CMMC Level 1?
Why is Boundary Protection (SC.L1-b.1.x) important for CMMC Level 1?
How can a small business implement SC.L1-b.1.x (Boundary Protection)?
How does SC.L1-b.1.x protect Federal Contract Information (FCI)?
What is SC.L1-b.1.xi - Public-Access System Separation for CMMC Level 1?
Why is Public-Access System Separation (SC.L1-b.1.xi) important for CMMC Level 1?
How can a small business implement SC.L1-b.1.xi (Public-Access System Separation)?
How does SC.L1-b.1.xi protect Federal Contract Information (FCI)?
Is a basic home router firewall enough for SC.L1-b.1.x (Boundary Protection) in CMMC Level 1?
System & Information Integrity (SI)
What is SI.L1-b.1.xii - Flaw Remediation for CMMC Level 1?
Why is Flaw Remediation (SI.L1-b.1.xii) important for CMMC Level 1?
How can a small business implement SI.L1-b.1.xii (Flaw Remediation)?
How does SI.L1-b.1.xii protect Federal Contract Information (FCI)?
What is SI.L1-b.1.xiii - Malicious Code Protection for CMMC Level 1?
Why is Malicious Code Protection (SI.L1-b.1.xiii) important for CMMC Level 1?
How can a small business implement SI.L1-b.1.xiii (Malicious Code Protection)?
How does SI.L1-b.1.xiii protect Federal Contract Information (FCI)?
What is SI.L1-b.1.xiv - Update Malicious Code Protection for CMMC Level 1?
Why is Updating Malicious Code Protection (SI.L1-b.1.xiv) important for CMMC Level 1?
How can a small business implement SI.L1-b.1.xiv (Update Malicious Code Protection)?
How does SI.L1-b.1.xiv protect Federal Contract Information (FCI)?
What is SI.L1-b.1.xv - System & File Scanning for CMMC Level 1?
Why is System & File Scanning (SI.L1-b.1.xv) important for CMMC Level 1?
How can a small business implement SI.L1-b.1.xv (System & File Scanning)?
How does SI.L1-b.1.xv protect Federal Contract Information (FCI)?
Can I use free anti-virus software for SI.L1-b.1.xiii (Malicious Code Protection) in CMMC Level 1?
Operational Considerations
How much does CMMC Level 1 compliance cost?
Are there specific training requirements for CMMC Level 1?
Does CMMC Level 1 require written policies?
How does CMMC Level 1 apply if I use cloud services to store FCI?
How does CMMC Level 1 address mobile devices (phones, tablets)?
How does CMMC Level 1 apply to remote work or telework?
Do subcontractors also need CMMC Level 1 if they handle FCI?
What documentation is typically needed to show CMMC Level 1 compliance?
Does CMMC Level 1 require encryption for FCI?
Does CMMC Level 1 apply to international companies working on DoD contracts?
What are 'Organization-Defined Parameters' in CMMC Level 1?
What is shared responsibility when using cloud services for CMMC Level 1?
Do I need to flow down CMMC Level 1 requirements to my suppliers?
Does CMMC Level 1 require an incident response plan?
Is data backup a requirement for CMMC Level 1?