CMMC Level 1

CMMC Level 1 Explained

In this post we explain CMMC Level 1 requirements.

Join our newsletter:
CMMC has five maturity levels. Level 1 is the lowest level. Level 1 CMMC requirements seek to ensure that a contractor can “safeguard federal contract information”. This is achieved by requiring contractors to practice “Basic Cyber Hygiene”. It is expected that most DoD contractors will only need to earn a level 1 CMMC certification.

Who does CMMC Level 1 Apply to?

CMMC applies to U.S. Department of Defense contractors who store, process or transmit Federal contract information (FCI). Every company required to earn a CMMC certification will need to implement the practices associated with CMMC level 1.
CUI Levels

CMMC Level 1 Practices

There are seventeen practices associated with CMMC level 1. An organization with a level 1 CMMC requirement is required to perform all 17 practices. The CMMC practices for level 1 were drawn from the security controls in FAR 52.204-21.
CMMC Level 1

The 17 CMMC level 1 practices are:

  • AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • AC.1.003 Verify and control/limit connections to and use of external information systems.

  • AC.1.003 Verify and control/limit connections to and use of external information systems.

  • AC.1.004 Control information posted or processed on publicly accessible information systems.

  • IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

  • IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

  • MP.1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

  • PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

  • PE.1.132 Escort visitors and monitor visitor activity.

  • PE.1.133 Maintain audit logs of physical access.

  • PE.1.134 Control and manage physical access devices.

  • SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

  • SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

  • SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.

  • SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.

  • SI.1.212 Update malicious code protection mechanisms when new releases are available.

  • SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Controls per CMMC level

CMMC level 1 Process Maturity

Contractors with CMMC level one are only required to “perform” the 17 practices prescribed by CMMC level 1. No documentation or written policies are required for the implementation of these practices.
CMMC Maturity Requirements

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.