CMMC Level 1 Compliance: How to Meet Requirements
This guide breaks down the CMMC Level 1 requirements, self-assessment process, and documentation needed to protect FCI and pass your attestation.

The Cybersecurity Maturity Model Certification (CMMC) represents a shift in how the U.S. Department of Defense (DoD) expects its contractors to manage security. With the CMMC final rule approved, every contractor in the Defense Industrial Base must prove they meet DoD security requirements to be eligible for DoD contracts.
CMMC Level 1 is the entry point to the framework and if your business handles Federal Contract Information (FCI), you’re in scope.
In this guide, we’ll explain what CMMC Level 1 requires and how to meet those requirements.
What is CMMC Level 1?
CMMC Level 1 is the foundational cybersecurity standard required for any company that handles FCI (basic information related to a government contract that is not intended for public release). Level 1 is the minimum standard of cyber hygiene the DoD now demands from every single partner in its supply chain, both prime contractors and subcontractors.
Here’s what that means in practice:
- It’s Aligned with Federal Rules: Level 1 (also called "Foundational") maps directly to the 15 basic safeguarding requirements found in Federal Acquisition Regulation (FAR) 52.204-21.
- It Applies to FCI Only: This is a critical distinction. FCI is information not intended for public release that is provided by or generated for the government under a contract.
- It’s a Self-Assessment (With a Catch): You don't need to hire a third-party assessor (a C3PAO) for Level 1. Compliance is verified through an annual self-assessment, followed by an affirmation from a senior company official. However, your results must be uploaded to the DoD's Supplier Performance Risk System (SPRS), and you are making a formal attestation to the U.S. government. False attestations can have serious contractual and even legal consequences.
How Level 1 Compares to Levels 2 and 3
CMMC Level 1 is the entry point to the CMMC 2.0 framework. The primary difference between the levels comes down to the sensitivity of the information you handle.
- CMMC Level 1 (Foundational) focuses on basic cyber hygiene. As mentioned above, it applies only to companies that handle Federal Contract Information (FCI).
- CMMC Level 2 (Advanced) is designed to protect the more sensitive Controlled Unclassified Information (CUI). It aligns with the 110 controls found in NIST SP 800-171. Depending on the contract, compliance is generally verified through third-party assessment.
- CMMC Level 3 (Expert) is the highest tier, reserved for companies handling the most critical CUI and protecting data against Advanced Persistent Threats (APTs). It builds on Level 2 by adding practices from NIST SP 800-172 and requires a rigorous, government-led assessment.
The 15 Foundational Practices
The 15 security controls for CMMC Level 1 are the essential building blocks of a sound cybersecurity program. The controls are broken down into six domains:
Access Control (AC): This domain is about limiting access to systems and information, answering the question: Who can access what? In practice, you must limit system access to authorized users by having a clear process for creating accounts and ensuring people only have the access they absolutely need. This principle of control also extends externally; you must manage what information is publicly accessible and ensure no FCI is ever posted on public-facing sites.
Identification & Authentication (IA): This is about verifying that users are who they say they are. To comply, you must be able to identify every user and process on your systems and then authenticate their identities before granting them access.
Media Protection (MP): This domain covers how you handle and dispose of sensitive information on physical and digital media. This means you must properly sanitize or destroy any media containing FCI before its disposal or reuse. Simply dragging files to the trash bin isn't enough; you need to use a drive-wiping tool to ensure the data is irrecoverable.
Physical Protection (PE): This is about securing your physical locations and answers the question: How do you keep unauthorized people out of your office and away from your equipment? You are required to limit physical access to your systems and facilities to authorized individuals. This includes practical, common-sense actions like escorting visitors, monitoring access points, and generally controlling who can walk up to a server or workstation.
System and Communications Protection (SC): This domain focuses on securing your network and protecting data as it moves. It requires you to actively monitor, control, and protect all communications. Operationally, this involves implementing boundary protection (e.g., firewalls) and ensuring your systems are configured to prevent unauthorized data transfers.
System and Information Integrity (SI): This is about protecting your systems from malware and ensuring they remain in a known, good state. It’s a continuous process that means you need to identify, report, and correct system flaws in a timely manner (patch management). Furthermore, you must provide active protection from malicious code with antivirus and anti-malware tools, and keep those protection mechanisms updated whenever new releases are available.
Your Roadmap to Compliance: The Self-Assessment Process
We’ve helped guide a number of companies through the CMMC certification process, and it generally boils down to four key steps: scope, assess, remediate, and attest.
Step 1: Assessment Scope
If you can define your boundaries well, you can dramatically reduce your compliance footprint. When it comes to CMMC Level 1 requirements, you don’t have to lock down your entire network, just the parts that handle contract data. Scoping will help you to narrow down your focus.
- Identify FCI Assets: Your first task is to map out exactly where FCI lives and which systems, applications, people, and external services touch Federal Contract Information.
- Consider an Enclave: For many businesses, creating an "enclave" to isolate FCI can shrink your compliance boundary. This means isolating all FCI into a specific, contained environment (e.g., a secure folder on a server).
Step 2: Conduct the Gap Analysis
Once you know your scope, the next step is a gap analysis against the 15 controls. Go through each requirement one by one and determine your status: MET or NOT MET.
Unlike CMMC Level 2, there is no in-between. You cannot have a Plan of Action & Milestones (POA&M) for a missing control at Level 1. You either meet the requirement, or you don't. This binary nature makes remediation straightforward.
Step 3: Document Everything
Even though CMMC Level 1 compliance requires a self-assessment, you must be prepared to produce evidence if asked. So you need to document your policies, procedures, and configurations.
- Create an Information Security Policy: For Level 1, we often advise clients to create a single, consolidated Information Security Policy. This document can address all 15 controls in one place, with clear traceability from the policy statement to the control it satisfies.
- Gather Evidence: Your evidence can include screenshots of system configurations, firewall rules, access control lists, visitor logs, and records of media destruction. The goal is to be able to prove, not just assert, that you are meeting each requirement.
Step 4: Affirm and Submit to SPRS
Once you have met all 15 requirements, a senior official in your company must formally sign off on the self-assessment. This "affirming official" is attesting to the DoD that your assessment is accurate. You will then enter your score (which should be 15 out of 15) into the Supplier Performance Risk System (SPRS).
A Note on Getting Help: Using an RPO
A Registered Practitioner Organization (RPO) is a firm authorized by the Cyber AB to provide CMMC consulting services.
While hiring an RPO like Workstreet is not required for a Level 1 self-assessment, you may still find value in working with outside support that can act as a guide to help you accurately scope your environment, conduct your gap analysis, and prepare your documentation.
Implementation Tips and Common Pitfalls to Avoid
Quick Wins and Best Practices:
- Start with Low-Hanging Fruit: You're probably already doing some of this. Most companies have an antivirus solution and some form of password policy. Start there, document what you have, and build momentum.
- Automate Where Possible: Manually collecting evidence is a drag. Look for ways to automate it. For example, your firewall and endpoint security tools can generate logs that serve as evidence for access control and system integrity. Compliance automation software like Vanta can automate evidence collection for CMMC Level 1 controls as well as store your documentation. (Though if you’re implementing Vanta, you might want to bring in a vCISO for expert help.)
- Train Your People: The most secure system in the world can be defeated by a user who clicks on a phishing link or uses "Password123" for everything. Basic security awareness training is crucial for maintaining compliance and is an implicit part of several controls.
Common Pitfalls to Avoid:
- The "Template Trap": Downloading a generic security policy and slapping your logo on it is a recipe for failure. Your documentation must reflect your actual environment and operations. Use templates as scaffolding, not as a finished product.
- The "One and Done" Mindset: The CMMC self-assessment is an annual requirement. You need to maintain your security posture, periodically review your controls, and ensure your documentation stays current as your systems evolve.
- Ignoring the Supply Chain: Remember, CMMC requirements flow down. If you're a subcontractor, your prime contractor will require you to be compliant. Not having your Level 1 attestation in SPRS could mean you're ineligible for work.
Get CMMC Level 1 Certified
CMMC Level 1 is table stakes for defense contractors doing business with the DoD. But achieving it early and efficiently can become a powerful differentiator.
At Workstreet, we help companies build defense-grade security programs that meet CMMC Level 1 and Level 2 requirements. As an AI-enabled RPO, we can help your organization automate your CMMC compliance, protect FCI, and win more contracts.