
November 25, 2025

What is CMMC Level 1?


The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and subcontractors maintain adequate cybersecurity practices.

What is CMMC Level 1?

CMMC Level 1 represents the entry point of this framework. It's designed to safeguard Federal Contract Information (FCI)—data provided by, or generated for, the government under contract that is not intended for public release.

CMMC Level 1 applies to organizations of any size in the Defense Industrial Base (DIB), typically small businesses, subcontractors, and vendors, that handle FCI but do not process, store, or transmit more sensitive data such as Controlled Unclassified Information (CUI).

Such companies often turn to managed service providers (MSPs) to help them understand the cybersecurity measures required for compliance. MSPs can, in turn, rely on Field Effect’s purpose-built products and services, which are designed to meet CMMC and other compliance standards, to support and enhance their compliance programs.

Want to learn more about CMMC? Hear from Field Effect's in-house compliance expert on CMMC, the Final Rule, and What it Means for Your Business.

“CMMC Level 1 requires more than the basic approach to cybersecurity many companies assume is adequate,” says Matt Lewis, Chief Security Officer at Field Effect. “For instance, the Audit and Accountability regulation entails consistent monitoring and reporting that is a feature of more mature approaches to cybersecurity such as managed detection and response (MDR).”

CMMC Level 1 consists of the 15 basic safeguarding requirements taken directly from Federal Acquisition Regulation (FAR) clause 52.204-21. (The original CMMC 1.0 model listed 17 Level 1 practices; the CMMC 2.0 final rule reduced this to the 15 FAR requirements.) These requirements focus on foundational cyber hygiene and include:

  • Providing protection from malicious code (for example, antivirus software), keeping it updated, and scanning systems and downloaded files
  • Identifying, reporting, and correcting system flaws in a timely manner (patching)
  • Limiting system access to authorized users, processes, and devices, and identifying and authenticating those users before granting access
  • Controlling physical access to systems and escorting and monitoring visitors
  • Monitoring, controlling, and protecting connections to external systems and at public-facing system boundaries

Unlike Level 2 certification assessments and Level 3, Level 1 does not require an assessment by a third party. Instead, the company completes an annual self-assessment against all 15 requirements, records the result in the Supplier Performance Risk System (SPRS), and has a senior official submit an annual affirmation of continuing compliance. Note that Level 1 does not allow a Plan of Action and Milestones (POA&M): every requirement must be fully met to claim Level 1 status.

Who needs to comply with CMMC L1?

Any company that handles FCI as part of a DoD contract must meet CMMC Level 1 requirements. This includes:

  • Small businesses providing non-sensitive goods or services to the DoD, such as office supplies, janitorial services, or basic IT support.
  • Subcontractors working under larger prime contractors, especially those involved in logistics, manufacturing, or maintenance.
  • Commercial vendors supplying standard products like tools, uniforms, or vehicle parts that do not involve sensitive design specifications.

Some examples include:

  • A subcontractor that receives FCI from a prime contractor must comply even though it has no direct relationship with the DoD, for example, a logistics firm transporting equipment for a prime contractor.
  • Legal, accounting, or consulting firms that support DoD contractors and may access FCI, such as a law firm reviewing contracts that contain FCI.
  • A cleaning service contracted to maintain DoD facilities must meet Level 1 if it receives scheduling or facility access information that is considered FCI.

Why CMMC Level 1 compliance matters

CMMC Level 1 is critical because it sets a baseline for cybersecurity across the Defense Industrial Base, which includes over 300,000 organizations. Even companies that do not handle sensitive data can be entry points for cyber threats. By enforcing Level 1 standards, the DoD aims to reduce vulnerabilities and protect national security interests.

As CMMC 2.0 continues to roll out, businesses must ensure they understand their obligations. Failure to comply with Level 1 can result in lost contract opportunities, making it essential for even the smallest vendors to take cybersecurity seriously.