CMMC Level 1 Guide

Everything you need to know about CMMC Level 1. The 15 basic safeguarding practices, self-assessment requirements, and how to achieve compliance for FCI-only contracts.

What Is CMMC Level 1

CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification. It requires implementation of 15 basic safeguarding practices from FAR 52.204-21. Level 1 applies to contractors that handle Federal Contract Information (FCI) but do not process, store, or transmit Controlled Unclassified Information (CUI).
Level 1 allows annual self-assessment — no C3PAO is required. Organizations that also handle CUI must pursue Level 2 — see our CMMC Level 2 Guide at quzara.com/cmmc/level-2 and CMMC Certification Guide at quzara.com/cmmc/certification for the full process. Explore all CMMC resources at quzara.com/cmmc/hub.

The 15 Basic Safeguarding Practices

The 15 Level 1 practices cover six domains:
Access Control (4 practices): limit system access to authorized users; limit system access to authorized transactions and functions; verify and control remote access; control information posted on publicly accessible systems.
Identification and Authentication (2 practices): identify system users; authenticate identities before allowing access.
Media Protection (1 practice): sanitize or destroy media containing FCI before disposal.
Physical Protection (4 practices): limit physical access; escort visitors; maintain audit logs of physical access; control physical access devices.
System and Communications Protection (2 practices): monitor and protect communications at system boundaries; implement subnetworks for publicly accessible components.
System and Information Integrity (2 practices): identify and remediate flaws in a timely manner; provide protection from malicious code.

Self-Assessment Process

Level 1 self-assessment is straightforward. Evaluate your implementation of all 15 practices, document your findings, submit results through the SPRS portal, and have a senior company official affirm the results annually. No third-party assessor is required. NISTCompliance.ai can automate even this simpler assessment. Many organizations start with Level 1 as a stepping stone toward Level 2.

Implementing Level 1

A practical guide to achieving CMMC Level 1 compliance quickly and efficiently.
1. Inventory Systems & Data
Identify all systems that process FCI. Determine if any also handle CUI — those require Level 2.
2. Assess Current Practices
Evaluate implementation of all 15 practices. Most organizations already have many in place.
3. Close Gaps
Implement missing practices. Common gaps: visitor escort procedures, media sanitization, and access control documentation.
4. Document Everything
Create documentation showing how each practice is implemented. NISTCompliance.ai generates artifacts automatically.
5. Submit SPRS Score
Self-assess and submit results to the DoD SPRS portal. A senior official must affirm accuracy.
6. Annual Affirmation
Maintain compliance through annual self-assessment and senior official affirmation.

CMMC Level 1 FAQ

Do I need Level 1 or Level 2? If your contracts only involve FCI (no CUI), Level 1 is sufficient. If you handle CUI, you need Level 2. Check DFARS 252.204-7012.
Is a C3PAO required? No. Level 1 requires only annual self-assessment and senior official affirmation.
How long does it take? Most organizations can achieve Level 1 in weeks to a few months.
What is the cost? Minimal compared to Level 2. No C3PAO fees. Primary costs are staff time and documentation.
Stepping stone to Level 2? Absolutely. Level 1 practices are a subset of Level 2 requirements. Start here, then tackle all 110 NIST 800-171 controls.
What are they based on? The 15 practices come from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.