If your company handles Federal Contract Information but no CUI, CMMC Level 1 is your lane — and it is deliberately achievable. Level 1 consists of the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an affirmation from a senior company official. No C3PAO, no third-party audit. This guide walks through all 15 requirements in plain English, shows how the self-assessment and affirmation work, and flags the places where small contractors most often slip.
One housekeeping note first: if you have seen CMMC Level 1 described as "17 practices," that was the CMMC 1.0 framing. The final CMMC rule (32 CFR Part 170, in effect since December 2024) defines Level 1 as exactly the 15 requirements of FAR 52.204-21 — nothing more.
FCI is information, not intended for public release, that is provided by or generated for the government under a contract — statements of work, schedules, contract correspondence. Nearly every DoD contractor holds it, which means nearly every DoD contractor needs at least Level 1.
Level 1 applies when you hold FCI only. The moment Controlled Unclassified Information enters your environment — technical drawings, export-controlled data, anything your contract identifies as CUI — you are a CMMC Level 2 shop, with all 110 NIST SP 800-171 requirements in play.
The 15 requirements span six domains. Here is each one in plain English — phrased the way a self-assessor should actually test it.
Level 1 is self-assessed — every year. You assess your environment against all 15 requirements, record the result in SPRS (the DoD's Supplier Performance Risk System), and a senior company official affirms continuing compliance annually.
The key rule: there are no POA&Ms at Level 1. The final rule permits no conditional status and no open items — all 15 requirements must be fully met when you self-assess. If one is not, the honest answer is to fix it before you assess, not to paper over it: your SPRS entry and affirmation are representations to the federal government, with real legal exposure for getting them wrong.
The gaps we see most often are process, not technology: shared admin accounts; former employees whose access was never removed; firewalls still running default configurations; no visitor process at all; and patching that happens "when things break." Most fixes are hygiene and documentation — not new spending.
The most expensive Level 1 mistake is being a Level 2 shop without realizing it. Warning signs: technical drawings or specifications in your possession, export-controlled data, or DFARS 252.204-7012 appearing in your contracts. Any of those means CUI — and CUI means Level 2. For the full level-determination walkthrough, start with our plain-English overview of CMMC 2.0.
Essendis helps FCI-handling contractors get Level 1 compliant and properly documented — without overbuilding for requirements you do not have. And if the review turns up CUI, we will tell you honestly and map the efficient path to Level 2. Connect with an expert to get your self-assessment on solid ground.

