CMMC Level 1 Compliance: The 15 Basic Safeguarding Requirements Explained
CMMC Level 1 requires 15 basic safeguarding practices from FAR 52.204-21 with annual self-assessment. Learn each requirement and how to implement them.
In our experience advising defense contractors, CMMC Level 1 is the most approachable entry point into the CMMC framework — but that does not mean it should be taken lightly. The 15 basic safeguarding requirements represent the minimum cybersecurity hygiene every organization handling Federal Contract Information should already have in place.
CMMC Level 1, also called the Foundational level, applies to organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires implementation of 15 basic safeguarding requirements derived from FAR 52.204-21, with an annual self-assessment submitted to the Supplier Performance Risk System (SPRS). No third-party assessment is required, which makes Level 1 the most accessible certification tier — but the requirements still demand genuine implementation and documentation.
This guide covers each of the 15 requirements in detail, explains how they map to broader security practices, and provides practical implementation guidance for organizations approaching CMMC Level 1 for the first time.
Understanding CMMC Level 1 in Context
Before diving into the specific requirements, it helps to understand where Level 1 sits within the broader CMMC framework.
| Aspect | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Information protected | FCI | CUI |
| Number of requirements | 15 | 110 (NIST 800-171) |
| Assessment type | Annual self-assessment | Third-party (C3PAO) |
| Reporting | SPRS submission | SPRS + DIBCAC review |
| Senior official affirmation | Required | Required |
| POA&M allowed | No | Limited |
Level 1 is not a stepping stone to Level 2 — it is a distinct certification for a distinct use case. If your contracts only involve FCI and your DFARS clauses do not reference CUI, Level 1 may be all you need. However, if you handle any CUI, Level 1 is insufficient and you must pursue Level 2.
What Is Federal Contract Information?
FCI is defined as information not intended for public release that is provided by or generated for the government under a contract. This is a broad definition that covers most non-public contract-related data, including:
- Contract specifications and requirements
- Deliverable drafts and working documents
- Pricing and cost information
- Technical data generated during contract performance
- Communications with government contracting officers
If your organization performs any work under a federal contract, you almost certainly handle FCI. The question is whether you also handle CUI, which triggers the more rigorous Level 2 requirements.
The 15 Basic Safeguarding Requirements
The 15 requirements are organized across six security domains. Each requirement from FAR 52.204-21 maps to one or more NIST 800-171 practices, though Level 1 only requires the basic implementation — not the full depth of NIST 800-171.
Access Control (4 Requirements)
Access control is the largest domain at Level 1, with four of the fifteen requirements focused on who can access your systems and information.
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
This is the foundational access control requirement. Every system that stores or processes FCI must restrict access to only those users and devices that are authorized. In practice, this means:
- Maintaining user accounts with unique credentials for each individual
- Disabling or removing accounts for departed employees promptly
- Using access control lists or role-based access on systems containing FCI
- Ensuring automated processes (scripts, service accounts) are authorized and documented
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Beyond simply having access, users should only be able to perform actions appropriate to their role. A user who needs read access to contract documents should not have write or delete permissions unless their role requires it. Implementation typically involves:
- Defining user roles with specific permission levels
- Applying the principle of least privilege — grant the minimum access necessary
- Reviewing and adjusting permissions when employees change roles
3. Verify and control/limit connections to and use of external information systems.
This requirement addresses how your organization manages connections to external systems — cloud services, partner networks, personal devices, and public internet access points. Practical steps include:
- Establishing policies for use of external systems (personal devices, public Wi-Fi)
- Controlling which cloud services can be used to store or process FCI
- Implementing VPN or secure access for remote connections
- Restricting USB and removable media connections where appropriate
4. Control information posted or processed on publicly accessible information systems.
Any information system accessible to the public (websites, public file shares, open repositories) must be controlled to prevent inadvertent disclosure of FCI. This means:
- Reviewing content before it is posted to public-facing systems
- Implementing approval workflows for public website content
- Ensuring development repositories are not inadvertently public
- Training employees on what information can and cannot be shared publicly
Identification and Authentication (2 Requirements)
5. Identify information system users, processes acting on behalf of users, or devices.
Every user, automated process, and device accessing systems with FCI must be uniquely identified. Shared accounts and generic logins are not acceptable. Implementation includes:
- Unique user IDs for every individual
- Service accounts identified and documented for automated processes
- Device identification through certificates, MAC addresses, or device management
- Prohibition of shared or generic accounts
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Identification tells you who someone claims to be; authentication verifies that claim. This requirement mandates that all users prove their identity before accessing FCI systems. Practical implementation:
- Password-based authentication at minimum, with complexity and length requirements
- Multi-factor authentication (MFA) where feasible — while not strictly required at Level 1, it is strongly recommended
- Certificate-based authentication for device and service account verification
- Account lockout after failed authentication attempts
Media Protection (1 Requirement)
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
When storage media (hard drives, USB drives, SSDs, printed documents) reaches end of life or is reassigned, FCI must be securely removed. Methods include:
- Degaussing or physical destruction for magnetic media
- Cryptographic erasure or secure wipe for SSDs using NIST-approved methods
- Cross-cut shredding for paper documents containing FCI
- Maintaining destruction logs with dates, media descriptions, and destruction methods
This is a requirement many organizations overlook. Old laptops sitting in a closet, hard drives in a recycling bin, and printed documents in a standard trash can are all potential violations.
Physical Protection (4 Requirements)
Physical protection receives significant attention at Level 1, reflecting the reality that physical access often enables digital compromise.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Physical access to servers, workstations, and networking equipment must be restricted. This includes:
- Locked server rooms and network closets with access limited to authorized personnel
- Secure workstation placement in areas not accessible to visitors
- Badge or key-based access controls for facilities housing FCI systems
- Visitor escort policies for areas containing FCI systems
9. Escort visitors and monitor visitor activity.
When individuals who are not authorized for unescorted access are present in areas where FCI systems reside, they must be escorted and monitored. Implementation involves:
- Visitor sign-in/sign-out logs
- Escort requirements for all non-employees in secure areas
- Visitor badges that are clearly distinguishable from employee badges
- Monitoring visitor activity through escorts or surveillance
10. Maintain audit logs of physical access.
Organizations must maintain records of who accesses physical areas containing FCI systems. This provides accountability and supports incident investigation:
- Electronic access logs from badge readers or keypads
- Manual sign-in/sign-out logs for areas without electronic access control
- Retention of physical access logs for a defined period (typically at least one year)
- Regular review of physical access logs for anomalies
11. Control and manage physical access devices.
Keys, badges, access cards, and combinations must be managed throughout their lifecycle:
- Inventory of all physical access devices (keys, badges, cards)
- Prompt deactivation or collection when an employee departs
- Periodic re-keying or combination changes
- Reporting and response procedures for lost or stolen access devices
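The log review in requirement 10 and the badge lifecycle checks in requirement 11 can be automated against the badge-reader export. The following script is an added example, not code from the article or from any product: it parses constructed badge-reader log lines, compares them with a constructed badge inventory, and flags entries an auditor should examine. The log format, field names, business hours and thresholds are all assumptions.

```python
# Added example (not from the original article): review constructed
# badge-reader log lines against a badge inventory for anomalies.
# Log format, inventory, business hours and thresholds are assumptions.
from datetime import datetime, time

# Constructed badge inventory: badge id -> (holder, active?)
BADGE_INVENTORY = {
    "B1001": ("a.smith", True),
    "B1002": ("j.doe", False),   # departed employee; badge deactivated
    "B1003": ("m.lee", True),
}

# Constructed badge-reader export: timestamp,badge_id,door,result
SAMPLE_LOG = """\
2024-03-04T08:55:12,B1001,server-room,GRANTED
2024-03-04T23:40:03,B1003,server-room,GRANTED
2024-03-05T09:10:45,B1002,server-room,GRANTED
2024-03-05T09:12:01,B9999,network-closet,DENIED
2024-03-05T09:12:30,B9999,network-closet,DENIED
2024-03-05T09:13:02,B9999,network-closet,DENIED
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: 07:00-19:00
DENIED_THRESHOLD = 3  # assumption: repeated denials warrant review


def parse_log(text):
    """Parse CSV-style lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, badge, door, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def review_access_log(text, inventory=BADGE_INVENTORY):
    """Return (badge, reason) findings for an auditor to examine."""
    findings = []
    denied_counts = {}
    for ev in parse_log(text):
        holder, active = inventory.get(ev["badge"], (None, False))
        if ev["result"] == "GRANTED":
            if holder is None or not active:
                findings.append((ev["badge"], "granted with inactive or unknown badge"))
            if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
                findings.append((ev["badge"], "after-hours access to " + ev["door"]))
        else:
            denied_counts[ev["badge"]] = denied_counts.get(ev["badge"], 0) + 1
    for badge, n in denied_counts.items():
        if n >= DENIED_THRESHOLD:
            findings.append((badge, f"{n} denied attempts"))
    return findings
```

Each finding is a prompt for a human check against the visitor log and the departure checklist, not a verdict on its own.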
System and Communications Protection (2 Requirements)
12. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
This requirement addresses network boundary protection — ensuring that data flowing in and out of your environment is monitored and controlled:
- Firewall deployment at the network perimeter
- Intrusion detection or prevention capabilities at boundary points
- Network segmentation separating FCI systems from general-purpose networks
- Monitoring of inbound and outbound traffic for suspicious activity
13. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
If your organization operates public-facing systems (web servers, email gateways), those systems must be in a DMZ or separate network segment, isolated from internal systems containing FCI:
- DMZ architecture for public-facing services
- Firewall rules restricting traffic between public and internal segments
- Separate VLANs or subnets for public-facing versus internal systems
- Monitoring of traffic crossing segment boundaries
System and Information Integrity (2 Requirements)
14. Identify, report, and correct information and information system flaws in a timely manner.
Vulnerability management is essential even at Level 1. Organizations must identify and remediate system flaws:
- Regular vulnerability scanning or monitoring vendor advisories
- Timely application of security patches (within 30 days for critical vulnerabilities is a common benchmark)
- Bug tracking and remediation workflow for identified flaws
- Testing patches before deployment to production systems
15. Provide protection from malicious code at appropriate locations within organizational information systems.
Anti-malware protection must be deployed across systems handling FCI:
- Antivirus or endpoint detection and response (EDR) on all endpoints
- Regular signature and definition updates
- Real-time scanning enabled for file access and downloads
- Malware scanning for email attachments and web downloads
The Self-Assessment Process
CMMC Level 1 assessment is conducted by the organization itself — there is no external assessor. However, the self-assessment must be systematic and honest, because a senior official must affirm the results.
Conducting the Assessment
For each of the 15 requirements, evaluate whether the control is:
- MET: The requirement is fully implemented and operating as intended
- NOT MET: The requirement is partially implemented or not implemented
There is no partial credit at Level 1. Each requirement is either met or not met. To achieve Level 1 certification, all 15 requirements must be MET. Unlike Level 2, there are no POA&M provisions for Level 1 — you either meet all requirements or you do not.
SPRS Submission
Assessment results must be submitted to the Supplier Performance Risk System (SPRS). The SPRS submission includes:
- The date of the assessment
- The scope of the assessment (which contracts and systems)
- The result (all 15 requirements MET or identification of gaps)
- Affirmation by a senior company official
The senior official affirmation is a legal declaration. The person signing affirms that the assessment was conducted accurately and that the organization meets the stated requirements. False affirmations can result in False Claims Act liability, which carries significant civil penalties.
Annual Reassessment
Level 1 self-assessments must be conducted annually and submitted to SPRS each year. This is not a one-time exercise. Your organization must maintain compliance continuously and re-verify annually.
Practical Implementation Guidance
For many organizations, CMMC Level 1 requirements align with basic cybersecurity hygiene practices that should already be in place. Here is a practical approach to implementation:
Quick Wins
Several Level 1 requirements can be addressed rapidly if not already in place:
- Antivirus/EDR deployment: If you do not already have endpoint protection on every workstation and server, deploy it immediately. Modern EDR solutions are affordable and straightforward to manage.
- Unique user accounts: Eliminate shared accounts and ensure every user has a unique login.
- Firewall configuration: Verify that your perimeter firewall is properly configured and that rules are reviewed regularly.
- Media destruction policy: Create a simple policy for secure disposal of media and begin maintaining destruction logs.
Areas Requiring More Effort
Some requirements require more organizational change:
- Physical access controls: If your office lacks badge readers or locked server rooms, physical security improvements may require facility modifications and budget allocation.
- Visitor management: Implementing a visitor escort program requires process changes, training, and consistent enforcement.
- Patch management: Establishing a reliable vulnerability identification and patching process requires tooling, testing procedures, and defined timelines.
Documentation Requirements
While Level 1 does not require the extensive documentation of Level 2, you still need evidence to support your self-assessment. At minimum, maintain:
- A simple policy document covering each of the six domains
- Configuration evidence (screenshots, reports) demonstrating technical controls
- Physical access logs and visitor records
- Media destruction logs
- Vulnerability scan results and patching records
- Training records showing employee awareness of security responsibilities
Common Mistakes in Level 1 Compliance
In working with small businesses pursuing CMMC, we see several recurring mistakes:
Treating it as a checkbox exercise: The self-assessment requires honest evaluation. Checking "MET" for a requirement you have not actually implemented exposes your organization to False Claims Act liability.
Ignoring physical security: Many technology-focused organizations neglect the four physical protection requirements. Locked doors, visitor logs, and badge management are just as important as firewalls.
Overlooking media sanitization: Old hard drives, decommissioned laptops, and printed documents are frequently forgotten. Establish a media lifecycle management process.
Not maintaining continuous compliance: Passing the self-assessment in January does not help if your antivirus subscriptions lapse in March. Level 1 requires ongoing compliance, not point-in-time achievement.
Confusing FCI and CUI scope: Some organizations that handle CUI mistakenly pursue Level 1 instead of Level 2. If any of your contracts involve CUI, Level 1 is insufficient regardless of how well you implement the 15 requirements.
Level 1 as a Foundation for Level 2
While Level 1 and Level 2 serve different purposes, the 15 Level 1 requirements are a subset of the 110 Level 2 requirements. Organizations that anticipate eventually needing Level 2 certification can use Level 1 compliance as a starting point:
- The access control, identification and authentication, and boundary protection controls at Level 1 establish foundations that Level 2 builds upon
- Documentation habits developed for Level 1 translate directly to the more extensive SSP required at Level 2
- The self-assessment discipline prepares your team for the rigor of a third-party assessment
If your organization currently handles only FCI but may pursue CUI contracts in the future, achieving Level 1 now builds organizational muscle for Level 2 later.
Moving Forward
CMMC Level 1 compliance is achievable for virtually any organization willing to invest in basic cybersecurity hygiene. The 15 requirements are practical, well-defined, and aligned with security practices that protect your organization beyond just compliance. Start by honestly assessing where you stand against each requirement, address the gaps, document your implementation, and submit your results to SPRS.
For organizations that need help identifying gaps or implementing controls, consider engaging a CMMC Registered Provider Organization (RPO) for guidance. RPOs can provide advisory services tailored to your size and budget without the formality of a third-party assessment.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.