Last Updated on May 9, 2025
The Cybersecurity Maturity Model Certification (CMMC) standard from the US Department of Defense (DoD) will impact hundreds of thousands of organizations over the next several years, not just within the US defense industrial base (DIB) but across a large portion of the US government supply chain, including the IT and Human Resources sectors.
CMMC defines three levels of cyber maturity. The level a business must achieve depends on the type of information it receives from the government. CMMC Level 1 is referred to as “foundational.” It mandates a minimum set of 15 information security controls that establish basic cyber hygiene practices to protect federal contract information (FCI).
Since every company with a federal contract has FCI, CMMC Level 1 or above (or an equivalent standard) could eventually apply to nearly every company doing business with the US government.
Does your business need to achieve CMMC Level 1 compliance? This article will help you decide.
Key takeaways
- CMMC Level 1 mandates 15 basic cybersecurity practices to protect federal contract information (FCI) on a contractor’s systems.
- Like the FAR clause 52.204-21 requirements already in effect, CMMC Level 1 requires an annual self-assessment of compliance coupled with a senior executive’s affirmation of compliance.
- CMMC Level 1 compliance is “pass/fail” with no provisions for Plans of Action & Milestones (POA&Ms).
- 60 days after the final 48 CFR Part 204 CMMC Acquisition rule is published in the Federal Register, Phase 1 of the CMMC 2.0 rollout can begin. At that point, the DoD will start to include CMMC Level 1 requirements in solicitations and contracts. Only firms that have completed their CMMC Level 1 self-assessment and affirmation of compliance can compete for these contracts.
- Your business needs to comply with CMMC Level 1 if: a) It appears in your contract; b) Your prime “flows down” the requirement because you are receiving FCI; and/or c) You have a contract with a US government agency other than DoD that adopts CMMC-like requirements, such as the Department of Homeland Security or the General Services Administration (GSA).
What is CMMC 2.0?
The CMMC 2.0 program/framework seeks to ensure that organizations across the DIB can adequately protect sensitive unclassified data that the government shares with its contractors, especially FCI and controlled unclassified information (CUI).
Key CMMC features include:
- A three-tiered compliance model. CMMC requires contractors to implement progressively more advanced cybersecurity controls depending on the sensitivity of the data involved in their contract. This includes the “flowdown” of requirements to subcontractors and vendors that receive that data.
- Audit requirements. CMMC requires nearly all contractors seeking to achieve CMMC Level 2 or Level 3 compliance to undergo a third-party audit to validate their cybersecurity posture. A successful audit confers a certification, which demonstrates “provable security and compliance” to stakeholders. CMMC Level 1 requires only a self-assessment with executive affirmation and does not entail a certification.
- Contract-based implementation. Companies handling sensitive unclassified US government data will need to achieve certification at the contractually mandated CMMC level as a precondition for contract award.
CMMC assessment requirements will be implemented using a four-phase plan over three years, starting with self-assessments at CMMC Level 1 and (in rare cases) CMMC Level 2. This incremental rollout will allow more time to train Certified Third-Party Assessment Organizations (C3PAOs) and for DIB orgs to meet the CMMC requirements.
What is CMMC Level 1?
CMMC Level 1 defines a “foundational” level of cybersecurity maturity. It focuses on basic cyber hygiene capabilities to protect FCI and other less sensitive data from the most common cyber threats. These controls are universally regarded as essential for any business in any industry to reduce what would otherwise be unacceptable cyber risk.
DIB orgs can demonstrate CMMC Level 1 compliance through an annual self-assessment accompanied by a senior executive’s attestation of compliance. Executive attestation is intended to stimulate greater management involvement in cybersecurity and ensure accurate self-reports. Penalties for misrepresentations of compliance can and do include contract cancellation and prosecution of both corporations and individuals under the False Claims Act.
CMMC Level 1 mandates 15 controls in 6 domains, as described in 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These 15 controls map to 17 controls in the NIST SP 800-171 cybersecurity standard.
Important domains at CMMC Level 1 include Access Control, Identification and Authentication, and System and Information Integrity. To achieve compliance a company must show it meets all the requirements, as there are no allowances for POA&Ms or other remediation.
Unlike higher CMMC levels, Level 1 does not require firms to document their cybersecurity practices, such as in a system security plan (SSP). There is no requirement to assess process maturity at this level beyond basic risk management. Likewise, there is no third-party/C3PAO audit requirement for CMMC Level 1 compliance.
What is FCI?
FCI is defined in FAR clause 52.204-21 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
Examples of FCI include:
- Contracts, proposals, and related agreements
- Emails
- Reports and charts
- Process documentation
- Financial data pertaining to program costs, budgets, etc.
CUI, in contrast, is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Handling CUI requires a significantly more robust cybersecurity posture than FCI. CUI may also be subject to distribution controls, such as International Traffic in Arms Regulation (ITAR) export control requirements. For more information see the CUI Registry.
Does my business need to comply with CMMC Level 1?
CMMC Level 1 applies almost universally to DIB orgs of all sizes that handle FCI that is provided by or generated for the DoD or other US government entity in accordance with a contract to provide a product or service. This includes:
- DIB SMBs and other subcontractors or vendors that receive FCI from a prime contractor.
- Cloud service providers (CSPs) and other vendors that store, transmit, or otherwise handle FCI on behalf of a DIB contractor or subcontractor.
Commercial Off-the-Shelf (COTS) products are generally not required to comply with CMMC Level 1.
How can you tell if your business needs to comply with CMMC Level 1? Here are three top reasons:
- It is specified in your government contract. Often this is through inclusion of FAR clause 52.204-21 in existing contracts. This contract language will change to reference CMMC 2.0 once the rollout begins.
- Your prime contractor flows down the requirement. If your business has a contract through a DoD prime contractor like Boeing, Raytheon, or Huntington Ingalls, the prime will most likely flow down a requirement to comply with CMMC Level 1, if not a higher CMMC level. The general rule is that contractors must validate that their subcontractors conform to the requirements that match the information they receive, which makes a CMMC Level 1 self-attested compliance score in the DoD’s Supplier Performance Risk System (SPRS) a prerequisite for doing business in the DIB.
- You are a supplier to another US government agency that starts using CMMC 2.0 or an equivalent. For example, the Department of Homeland Security (DHS) and the General Services Administration (GSA) are implementing cybersecurity requirements that mirror CMMC, with Level 1 equivalent capabilities to protect FCI as a likely starting point for cybersecurity compliance.
What do CMMC Level 1 self-assessments look like?
To comply with CMMC Level 1, a DIB org must conduct a self-assessment using the assessment objectives defined in the CMMC Assessment Guide for Level 1. Unlike a NIST SP 800-171 self-assessment, for example, there are no scoring calculations in SPRS for CMMC Level 1 self-assessments: each objective is recorded as “MET” or “NOT MET,” with no POA&Ms permitted.
DIB orgs can conduct Level 1 self-assessments as often as needed, and can leverage a consulting partner for that purpose as desired. The DoD requires new assessments anytime a supplier makes significant architectural or scope changes to its CMMC environment. This could include enlarging a network that carries FCI, or addressing a merger/acquisition through changes to in-scope IT systems. Operational changes alone do not automatically trigger a self-assessment.
The annual executive affirmation required for CMMC Level 1 must state that:
- The organization has fully implemented all the Level 1 controls within its CMMC assessment scope.
- The organization plans to operate the controls in a manner that maintains compliance.
- The Affirming Official is a senior representative who has responsibility for ensuring CMMC compliance.
When do we need to be ready for CMMC Level 1?
While CMMC 2.0 is being rolled out gradually, CMMC Level 1 language will start appearing in contracts in the initial phase. Notwithstanding DOGE-related concerns, CMMC is still anticipated to launch in mid-2025 after the 48 CFR rule is published, initiating the phased rollout. 48 CFR covers how CMMC requirements are incorporated into DoD contracts, per the DFARS 7021 clause.
As noted above, CMMC Level 1 compliance requires a yearly self-assessment and affirmation in SPRS prior to contract award, and these requirements could begin appearing in DoD contracts by mid-2025. Therefore, DIB orgs that anticipate they will need to demonstrate CMMC Level 1 compliance should complete a self-assessment and submit the results to SPRS as soon as possible. Otherwise, you may lose the opportunity to bid on upcoming contracts.
What’s next?
Need a playbook to get your business to CMMC Level 1 compliance in the most efficient and strategic manner?
To connect with a CMMC expert about your business and cybersecurity goals, contact CBIZ Pivot Point Security.