CMMC Level 1: The 15 Requirements in Plain English

If your company handles Federal Contract Information but no CUI, CMMC Level 1 is your lane — and it is deliberately achievable. Level 1 consists of the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an affirmation from a senior company official. No C3PAO, no third-party audit. This guide walks through all 15 requirements in plain English, shows how the self-assessment and affirmation work, and flags the places where small contractors most often slip.

One housekeeping note first: if you have seen CMMC Level 1 described as "17 practices," that was the CMMC 1.0 framing. The final CMMC rule (32 CFR Part 170, in effect since December 2024) defines Level 1 as exactly the 15 requirements of FAR 52.204-21 — nothing more.

Who Needs CMMC Level 1

FCI is information, not intended for public release, that is provided by or generated for the government under a contract — statements of work, schedules, contract correspondence. Nearly every DoD contractor holds it, which means nearly every DoD contractor needs at least Level 1.

Level 1 applies when you hold FCI only. The moment Controlled Unclassified Information enters your environment — technical drawings, export-controlled data, anything your contract identifies as CUI — you are a CMMC Level 2 shop, with all 110 NIST SP 800-171 requirements in play.

The 15 Requirements at a Glance

The 15 requirements span six domains. Here is each one in plain English — phrased the way a self-assessor should actually test it.

Access Control and Authentication (6 requirements)

  • Limit access to authorized users. Only people you have approved can log in — unique accounts, no shared logins.
  • Limit access to permitted transactions and functions. Users can do only what their job requires; ordinary users are not administrators.
  • Verify and control connections to external systems. Know and approve where your systems connect — including personal devices and outside services.
  • Control information posted on public systems. Someone reviews what goes on the public website before FCI can leak onto it.
  • Identify users and devices. Every user and system on your network is known and accounted for.
  • Authenticate before granting access. Real passwords (or better) checked before anyone gets in — no default credentials.

Media, Physical, and Facility Protections (3 requirements)

  • Sanitize or destroy media containing FCI before disposal or reuse. Old laptops, drives, and office copiers get wiped or shredded — not donated with data intact.
  • Limit physical access to authorized individuals. Server closets and work areas are not open to whoever wanders in.
  • Escort visitors, log physical access, and control access devices. Visitors are escorted, entries are logged, and keys and badges are tracked and recovered.

Boundary Protection and System Integrity (6 requirements)

  • Monitor and control communications at system boundaries. A real firewall, configured on purpose, between your network and the internet.
  • Separate public-facing systems from internal networks. Your web server does not live on the same network segment as your file server.
  • Correct flaws in a timely manner. Patches get applied on a cadence, not whenever someone remembers.
  • Run malicious-code protection. Antivirus/antimalware on the systems that need it.
  • Keep protection mechanisms updated. Definitions and engines update automatically.
  • Scan periodically and in real time. Scheduled scans plus on-access scanning of files from outside.

The Annual Self-Assessment and Affirmation

Level 1 is self-assessed — every year. You assess your environment against all 15 requirements, record the result in SPRS (the DoD's Supplier Performance Risk System), and a senior company official affirms continuing compliance annually.

The key rule: there are no POA&Ms at Level 1. The final rule permits no conditional status and no open items — all 15 requirements must be fully met when you self-assess. If one is not, the honest answer is to fix it before you assess, not to paper over it: your SPRS entry and affirmation are representations to the federal government, with real legal exposure for getting them wrong.

Common Failure Points

The gaps we see most often are process, not technology: shared admin accounts; former employees whose access was never removed; firewalls still running default configurations; no visitor process at all; and patching that happens "when things break." Most fixes are hygiene and documentation — not new spending.

Watch for CUI Creep

The most expensive Level 1 mistake is being a Level 2 shop without realizing it. Warning signs: technical drawings or specifications in your possession, export-controlled data, or DFARS 252.204-7012 appearing in your contracts. Any of those means CUI — and CUI means Level 2. For the full level-determination walkthrough, start with our plain-English overview of CMMC 2.0.

How Essendis Helps

Essendis helps FCI-handling contractors get Level 1 compliant and properly documented — without overbuilding for requirements you do not have. And if the review turns up CUI, we will tell you honestly and map the efficient path to Level 2. Connect with an expert to get your self-assessment on solid ground.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.