Guide to CMMC Level 1: Achieve Compliance & Secure Contracts
We understand the critical challenges small defense contractors face in achieving CMMC Level 1 compliance while still running their business. The requirements can feel overwhelming when you are trying to protect sensitive data and maintain eligibility for DoD contracts at the same time.
This guide provides a clear roadmap. We have broken the CMMC Level 1 requirements down into clear, actionable insights so you understand what is needed and how to implement it efficiently and effectively. Our goal is to simplify compliance, transforming it from an obstacle into a clear path forward.
While this guide can serve as your blueprint, the CMMC Resources platform is designed to accelerate and simplify the process. The tools in our compliance manager are built to boost efficiency and help you get, and stay, compliant.
What is CMMC Level 1 & Why It Matters for You
CMMC Level 1 is the foundational level of the Cybersecurity Maturity Model Certification. It requires defense contractors who handle Federal Contract Information (FCI) to implement 15 basic cybersecurity practices. These practices align directly with the mandatory requirements outlined in FAR Clause 52.204-21. Think of it as the essential standard for protecting sensitive, but not classified, government contract data.
Achieving CMMC Level 1 is crucial because it is a mandatory requirement to bid on and perform work for the Department of Defense (DoD). Without this certification, you risk losing valuable contract opportunities. It demonstrates your commitment to protecting sensitive data, building trust with your partners and the government.
Understanding Key CMMC Terminology
Here are terms you'll encounter on your CMMC Level 1 journey:
Affirmation: The required act of formally stating in SPRS that your self-assessment is accurate and your company meets the CMMC Level 1 requirements.
Self-Assessment: Your internal review of your organization's systems and practices against the 15 CMMC Level 1 controls to determine your compliance status.
System Security Plan (SSP): A document that describes your system boundary, your security policies and practices, and how you implement the CMMC Level 1 controls. It's your roadmap for compliance.
Federal Contract Information (FCI): Information that is provided to you by the government or generated by you during the performance of a government contract. It is not classified, but it is sensitive enough to require basic safeguarding. Think of things like project plans, reports, or other documents related to the contract work itself. Protecting FCI is the focus of CMMC Level 1.
Supplier Performance Risk System (SPRS): A government system where defense contractors report their cybersecurity self-assessment scores.
The 15 CMMC Level 1 Controls Explained Simply
CMMC Level 1 is built upon 15 core cybersecurity practices (also called controls or requirements). To ensure these practices are fully implemented, they are broken down into a total of 59 specific objectives. This means that for each of the 15 controls, there are several detailed checks or goals you need to meet. Below, we explain each of the 15 main controls in plain English:
AC.L1 b.1.i: Authorized Access Control
Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Plain English: Make sure only the right people, programs, and devices can get into your computer systems where you handle government contract information. Everyone should have their own login, no sharing.
Examples:
- Ensuring each employee uses a unique username and password for their work computer and any shared drives or cloud services where FCI is stored.
- If you use a shared computer in a common area, ensure users log out when finished so the next person must log in with their own credentials.
AC.L1 b.1.ii: Transaction & Function Control
Requirement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Plain English: Users should only be able to do what their job requires them to do in the system. For example, someone who only needs to read files shouldn't be able to delete them.
Examples:
- If you use cloud storage, setting permissions so that only specific individuals can delete or modify files containing FCI, while others might only have read-only access.
- For accounting software that might contain FCI, ensuring that a bookkeeper has rights to enter financial data but not to change system configurations.
AC.L1 b.1.iii: External Connections
Requirement: Verify and control/limit connections to and use of external information systems.
Plain English: Be careful about connecting your systems to outside networks or devices. Know what connections exist and limit them to only what's necessary for business.
Examples:
- Reviewing and approving any software that creates ongoing connections to external services.
- Ensuring personal devices are not directly connected to the company network where FCI is stored unless specific security measures are in place and documented.
AC.L1 b.1.iv: Control Public Information
Requirement: Control information posted or processed on publicly accessible systems.
Plain English: Be careful about putting any government contract information on your website or other public media. Make sure sensitive data isn't accidentally exposed.
Examples:
- Having a process to review any content before it's posted on your company website or social media to ensure no FCI is accidentally included.
- If you use a shared drive for marketing materials, ensuring it's separate from drives containing FCI and that public links are not accidentally created to FCI folders.
IA.L1 b.1.v: Identification
Requirement: Identify information system users, processes acting on behalf of users, or devices.
Plain English: Know who or what is accessing your systems. This means documenting people, automated processes, and devices that are allowed to access FCI.
Examples:
- Each employee having their own distinct username for logging into computers, email, and any system handling FCI.
- Maintaining a spreadsheet that documents every device that handles FCI, listing its unique identifier, model name, and the personnel authorized to use it.
IA.L1 b.1.vi: Authentication
Requirement: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Plain English: Verify that the person, process, or device is who or what it claims to be before letting it access your systems. This usually means using passwords or other credentials.
Examples:
- Requiring strong, unique passwords (at least 15 characters with a mix of upper/lower case, numbers, and symbols) for all user accounts that access FCI.
- Implementing multi-factor authentication (MFA), using an authenticator app or a text-message code, for accounts that access systems where FCI is handled.
MP.L1 b.1.vii: Media Disposal
Requirement: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Plain English: Before you throw away or reuse old hard drives, USB drives, or other storage, make sure any government contract information on them is completely erased or destroyed so it can't be accessed by others.
Examples:
- Using built-in operating system tools or third-party software to securely wipe hard drives before disposing of old computers or servers.
- Physically destroying old USB drives, CDs/DVDs, or backup tapes that contained FCI (using a cross-cut shredder for paper records, or physically damaging devices with a hammer or drill).
PE.L1 b.1.viii: Limit Physical Access
Requirement: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Plain English: Control who can physically get to your computers, servers, and where they are kept. Only authorized people should have access to these areas.
Examples:
- Locking the door to the main office, server room, or any specific room where computers and servers storing FCI are located when no authorized personnel are present.
- Ensuring laptops containing FCI are secured with a cable lock or locked away in a cabinet or drawer when not in use, especially if the office is shared or easily accessible to non-employees.
PE.L1 b.1.ix: Manage Visitors & Physical Access
Requirement: Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
Plain English: Keep track of who visits your facility, escort them, and record their visits. Manage keys, badges, or other tools that grant physical access.
Examples:
- Having a simple paper-based or digital sign-in/sign-out log at the entrance for all visitors who enter areas where FCI might be accessible or visible.
- Ensuring visitors are always escorted by an employee while they are in sensitive areas and not leaving them unattended near workstations displaying FCI.
SC.L1 b.1.x: Boundary Protection
Requirement: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Plain English: Watch and protect the information flowing into and out of your network and between different parts of your internal systems. Firewalls and intrusion detection systems are common tools here.
Examples:
- Ensuring your internet router (often provided by your ISP or a purchased device) has its built-in firewall feature enabled and configured to block unsolicited incoming traffic.
- Using reputable antivirus/anti-malware software on all computers that includes network threat protection or a personal firewall component.
SC.L1 b.1.xi: Public-Access System Separation
Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Plain English: Make sure anything people can reach from the internet (like your website) is on a different network than your work computers and files where you keep government contract information. This acts like a safety zone.
Examples:
- If your company website is hosted by a third-party web hosting provider, this typically provides the necessary logical separation from your internal network.
- If you offer Wi-Fi to guests or visitors, ensuring it's configured as a separate "guest network" that cannot access your internal company network, computers, or file shares where FCI resides.
SI.L1 b.1.xii: Flaw Remediation
Requirement: Identify, report, and correct information and information system flaws in a timely manner.
Plain English: Find and fix security weaknesses in your software and systems quickly. Keep everything updated and address vulnerabilities when they are found.
Examples:
- Regularly applying operating system updates (like Windows Updates, macOS updates) to all computers and servers.
- Updating common software applications (such as web browsers) when new versions or security patches are released by the vendors.
SI.L1 b.1.xiii: Malicious Code Protection
Requirement: Provide protection from malicious code at appropriate locations within organizational information systems.
Plain English: Use antivirus and anti-malware software on your computers and systems to prevent harmful software from causing problems or stealing data.
Examples:
- Installing reputable antivirus/anti-malware software on all computers that handle or store FCI.
- Ensuring the antivirus software is configured to actively scan emails for malicious attachments and to check downloaded files before they are opened.
SI.L1 b.1.xiv: Update Malicious Code Protection
Requirement: Update malicious code protection mechanisms when new releases are available from vendors.
Plain English: Keep your antivirus and anti-malware software up-to-date. Install updates regularly so your protection is effective against the latest threats.
Examples:
- Configuring your installed antivirus/anti-malware software to automatically download and install new virus definitions (signatures) at least daily.
- Periodically checking that the antivirus software program itself is updated to the latest version provided by the vendor, not just the definitions.
SI.L1 b.1.xv: System & File Scanning
Requirement: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Plain English: Regularly scan your computers and systems for viruses and malware. Also, automatically scan files you download or open from outside sources to catch threats before they can do damage.
Examples:
- Setting up your antivirus/anti-malware software to perform a scheduled full system scan at least weekly, ideally during off-hours to minimize disruption.
- Ensuring that real-time scanning is enabled in your antivirus software to automatically check files as they are downloaded, opened, or executed.
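The SC.L1 b.1.x and SI.L1 b.1.xii through b.1.xv examples above, plus the "require a password" part of IA.L1 b.1.vi, can be checked on a single Windows 10/11 workstation and written to a dated evidence file. The script below is an added example, not part of the guide or of the CMMC Resources platform; it assumes Microsoft Defender and the built-in Windows firewall are in use, and its thresholds (1 day for signatures, 7 days for a full scan, 30 days for OS updates) are assumptions taken from the guide's examples, not CMMC requirements.

```powershell
# Added example: collect self-assessment evidence for several CMMC Level 1
# practices on one Windows workstation. Run from an elevated PowerShell prompt.
# Thresholds below are assumptions based on the guide's examples.

$findings = @()
function Add-Finding($Control, $Check, $Pass, $Detail) {
    $script:findings += [pscustomobject]@{
        Control = $Control
        Check   = $Check
        Result  = if ($Pass) { 'PASS' } else { 'REVIEW' }
        Detail  = $Detail
    }
}

# SC.L1 b.1.x: every firewall profile enabled and not allowing unsolicited inbound traffic
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Add-Finding 'SC.L1 b.1.x' "Firewall profile $($p.Name)" $ok `
        "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# SI.L1 b.1.xiii / b.1.xiv / b.1.xv: protection on, signatures fresh, full scan recent
$mp = Get-MpComputerStatus
Add-Finding 'SI.L1 b.1.xiii' 'Real-time protection enabled' $mp.RealTimeProtectionEnabled `
    "AntivirusEnabled=$($mp.AntivirusEnabled) Engine=$($mp.AMEngineVersion)"
Add-Finding 'SI.L1 b.1.xiv' 'Signatures updated within 1 day' ($mp.AntivirusSignatureAge -le 1) `
    "SignatureAge=$($mp.AntivirusSignatureAge) day(s), last update $($mp.AntivirusSignatureLastUpdated)"
Add-Finding 'SI.L1 b.1.xv' 'Full scan within 7 days' ($mp.FullScanAge -le 7) `
    "FullScanAge=$($mp.FullScanAge) QuickScanAge=$($mp.QuickScanAge) (days)"

# SI.L1 b.1.xii: most recent OS update installed within 30 days
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSince = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { 9999 }
Add-Finding 'SI.L1 b.1.xii' 'OS update installed within 30 days' ($daysSince -le 30) `
    "Last hotfix $($lastFix.HotFixID) installed $daysSince day(s) ago"

# IA.L1 b.1.vi: no enabled local account may log on without a password
$weak = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
$names = ($weak.Name -join ', ') -replace '^$', 'none'
Add-Finding 'IA.L1 b.1.vi' 'Enabled local accounts require a password' ($weak.Count -eq 0) `
    "Accounts without a password requirement: $names"

# Keep a dated record per machine as evidence, and show the results on screen
$stamp = Get-Date -Format 'yyyy-MM-dd'
$findings | Export-Csv -NoTypeInformation -Path ".\Level1-Evidence-$env:COMPUTERNAME-$stamp.csv"
$findings | Format-Table -AutoSize
```

Any row marked REVIEW is a prompt to fix the setting or document why it is acceptable; the CSV files, kept together, are the kind of records the "proof that your security steps are working" pitfall calls for.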
Common CMMC Level 1 Pitfalls and How to Avoid Them
Many small businesses encounter similar challenges on their CMMC journey. Understanding these common mistakes is the first step. Here's how to easily identify and avoid them:
Pitfall: Not knowing exactly what Federal Contract Information (FCI) is or where it is located.
How to Avoid: Ask yourself, "What information did the government give me, or what did I create for them?" Find every place it exists (emails, documents, cloud folders, etc.).
Pitfall: Using shared logins for computers or systems with FCI.
How to Avoid: Give everyone their own unique username and password. Don't let people share accounts.
Pitfall: Not having written documentation on security practices.
How to Avoid: Write down how you handle FCI, manage visitors, and what to do with old devices in a simple document. Keep it easy to find.
Pitfall: Not controlling who can physically access computers or areas with FCI, or not tracking visitors.
How to Avoid: Lock doors to offices/server rooms when not in use. Use a sign-in sheet or our platform's visitor logging tool for visitors and make sure they are supervised in areas with FCI.
Pitfall: Treating CMMC as a one-time task instead of an ongoing habit.
How to Avoid: Set a reminder to do a quick check of your security steps. Keep security part of your routine.
Pitfall: Guessing you're compliant instead of checking thoroughly.
How to Avoid: Go through the 15 CMMC Level 1 requirements and their 59 objectives one by one. For each one, ask, "Are we actually doing this?" Document your answer.
Pitfall: Not listing all devices and software that handle FCI.
How to Avoid: Make a simple list (spreadsheet, document) of every computer, phone, cloud storage service (like Microsoft 365, Google Drive, Dropbox), and key software where you store or work with FCI. Know which person uses which device.
Pitfall: Not having proof that your security steps are working.
How to Avoid: Keep records! This could be a visitor sign-in log, a log of who has FCI access, a log of when antivirus was run or updated, or confirmation that an old hard drive was destroyed. These are your evidence.
Pitfall: Employees not knowing how to protect FCI or spot online dangers.
How to Avoid: Give your team simple, clear training. Show them what FCI is, why it matters, how to use strong passwords, and how to recognize a fake email. Keep it short and easy to understand. Our platform can help with this training.
Maintaining CMMC Level 1 Compliance on an Ongoing Basis
Achieving CMMC Level 1 is a major milestone, but compliance is an ongoing commitment, not a one-time task. To maintain your certification and ensure continued protection of Federal Contract Information (FCI), you'll need to integrate these practices into your regular operations. Here's what continuous compliance involves:
Annual Reviews: At least once a year, review and update your System Security Plan (SSP) and all related security documents to ensure they reflect current practices.
Periodic Self-Assessments: Regularly check if you are still following all 15 CMMC Level 1 steps to catch any new issues.
Ongoing Security Awareness: Give employees quick, regular reminders on protecting FCI and handling sensitive data correctly.
Stay Updated: Regularly check for and install updates for your software and systems, especially antivirus and critical programs, to fix security weaknesses.
User Access Reviews: Periodically check who still needs access to FCI and remove access for anyone who doesn't.
Physical Security Checks: Regularly check that doors are locked, visitor logs are used, and access tools (keys, badges) are managed properly.
Media Disposal Reinforcement: Remind employees how to securely erase or destroy old USBs or hard drives that had FCI on them.
SPRS Affirmation Cycle: Remember to do your full self-assessment and re-submit your score to SPRS each year, or if you make big changes to your systems.
Frequently Asked Questions (FAQ)
How long does it take to achieve CMMC Level 1?
The timeline can vary depending on your current cybersecurity posture and resources. With a focused effort and tools like ours, many small businesses can become audit-ready in days/weeks, not months.
Do I need an expensive consultant for CMMC Level 1?
For CMMC Level 1, many small businesses find that with clear guidance and the right tools (like CMMC Resources), they can achieve compliance without the high cost of consultants. Our platform is designed to be that affordable, expert guide.
What's the difference between CMMC Level 1 and NIST SP 800-171?
CMMC Level 1 requirements are a subset of the controls found in NIST SP 800-171. Level 1 focuses on 15 basic safeguarding requirements for FCI. NIST SP 800-171 is more comprehensive and is the basis for CMMC Level 2, which primarily addresses the protection of Controlled Unclassified Information (CUI).
Conclusion: Your Path to Confident Compliance
Achieving CMMC Level 1 is a critical step for any small business in the defense supply chain. While it may seem daunting, this guide has shown that with clear understanding, a structured approach, and the right resources, compliance is well within your reach. By diligently implementing these controls, you not only protect sensitive information but also secure your ability to win and retain valuable DoD contracts.
Take the first step today towards confident compliance. Empower your business, protect your contracts, and contribute securely to the nation's defense.