October 3, 2025 |

What is CMMC Level 1?

Last updated: November 27, 2025

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and subcontractors maintain adequate cybersecurity practices.

What is CMMC Level 1?

CMMC Level 1 is the entry point of this framework. It is designed to safeguard Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. FCI excludes information the government itself releases publicly (for example, on public websites) and simple transactional information such as what is needed to process payments.

CMMC Level 1 applies broadly across the Defense Industrial Base (DIB), including small businesses, subcontractors, commercial vendors, and service providers that handle or are exposed to FCI. Even organizations not working directly with the DoD—but receiving FCI from a prime contractor—must comply.

“CMMC Level 1 requires more than the basic approach to cybersecurity many companies assume is adequate,” says Matt Lewis, Chief Security Officer at Field Effect. “For instance, the Audit and Accountability regulation entails consistent monitoring and reporting that is a feature of more mature approaches to cybersecurity such as managed detection and response (MDR).”

Want to learn more about CMMC? Hear from Field Effect's in-house compliance expert on CMMC, the Final Rule, and What it Means for Your Business.

What CMMC Level 1 requires

CMMC Level 1 covers the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21(b)(1). The original CMMC model expressed those 15 requirements as 17 practices (it split the single FAR physical-access requirement into three), and that 17-practice numbering is still widely used, so it is retained below; the current Level 1 assessment guide numbers the same requirements by FAR paragraph, AC.L1-b.1.i through SI.L1-b.1.xv. These practices establish foundational cyber hygiene and help organizations limit access, control external connections, maintain system integrity, and protect physical and digital assets.

Level 1 draws from only six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Requirements in domains such as Awareness and Training, Audit and Accountability, and Configuration Management begin at Level 2.

Below are the 17 CMMC Level 1 practices, grouped by domain.

Access control (AC)
  • AC.1.001 – Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).
  • AC.1.002 – Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • AC.1.003 – Verify and control/limit connections to and use of external systems.
  • AC.1.004 – Control information posted or processed on publicly accessible systems.
Identification and authentication (IA)
  • IA.1.076 – Identify system users, processes acting on behalf of users, or devices.
  • IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational systems.
Media protection (MP)
  • MP.1.118 – Sanitize or destroy system media containing FCI before disposal or release for reuse.
Physical protection (PE)
  • PE.1.131 – Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
  • PE.1.132 – Escort visitors and monitor visitor activity.
  • PE.1.133 – Maintain audit logs of physical access.
  • PE.1.134 – Control and manage physical access devices.
System and communications protection (SC)
  • SC.1.175 – Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the system.
  • SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
System and information integrity (SI)
  • SI.1.210 – Identify, report, and correct information and system flaws in a timely manner.
  • SI.1.211 – Provide protection from malicious code at appropriate locations within organizational systems.
  • SI.1.212 – Update malicious code protection mechanisms when new releases are available.
  • SI.1.213 – Perform periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Unlike Level 2 (which may require a certified third-party assessment) and Level 3 (assessed by the government), Level 1 is never assessed by a third party. Instead, the organization completes an annual self-assessment, enters the results in the Supplier Performance Risk System (SPRS), and has a senior company official affirm compliance annually. Level 1 is all-or-nothing: there is no partial score, every practice must be fully met, and an unmet practice cannot be deferred in a Plan of Action and Milestones (POA&M).

Who needs to comply with CMMC Level 1?

Any company that handles FCI as part of a DoD contract must meet CMMC Level 1 requirements. This includes:

  • Small businesses providing non-sensitive goods or services to the DoD, such as office supplies, janitorial services, or basic IT support.
  • Subcontractors working under larger prime contractors, especially those involved in logistics, manufacturing, or maintenance.
  • Commercial vendors supplying standard products like tools, uniforms, or vehicle parts that do not involve sensitive design specifications.

Some examples include:

  • Subcontractors that receive FCI from a prime contractor, even if they never work directly with the DoD; for example, a logistics firm transporting equipment for a prime contractor.
  • Legal, accounting, or consulting firms that support DoD contractors and may access FCI; for example, a law firm reviewing contracts that contain FCI.
  • A cleaning service contracted to maintain DoD facilities, if the scheduling or facility access information it receives is considered FCI.

Why CMMC Level 1 compliance matters

With over 300,000 organizations in the Defense Industrial Base, even companies that hold no sensitive technical data can become entry points for attacks on the supply chain. Level 1 sets a minimum baseline to reduce that exposure and strengthen national security.

CMMC requirements are being phased into DoD solicitations and contracts, and a current Level 1 self-assessment and affirmation in SPRS becomes a condition of award for contracts that carry the clause. Failure to comply can therefore cost contract opportunities, making it essential for even the smallest vendors to take cybersecurity seriously.

How MSPs and Field Effect support CMMC Level 1

For many small DoD contractors, navigating CMMC Level 1 is overwhelming. That’s why they turn to the trusted expertise of managed service providers (MSPs). In turn, MSPs choose Field Effect to elevate their clients’ readiness.

Field Effect’s cybersecurity solution brings together advanced threat detection, continuous monitoring, and compliance-aligned protections in a single, streamlined platform. Recognized as the #1 MDR vendor, Field Effect equips MSPs with the confidence, capabilities, and clarity needed to guide clients through Level 1 requirements without adding operational complexity.

Want to learn more? Reach out to our team!