CMMC Level 1
CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification. It requires implementing 15 basic cybersecurity practices drawn from Federal Acquisition Regulation (FAR) clause 52.204-21, covering fundamental protections like using passwords, installing antivirus software, and limiting physical access to systems.
Level 1 applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It can be satisfied through an annual self-assessment — no third-party assessor is required. The practices are basic security hygiene that most businesses should already follow.
Why It Matters
If your contracts only involve FCI, Level 1 is your target. The self-assessment path keeps costs low, but you must still document compliance and submit your results to the Supplier Performance Risk System (SPRS) annually.