CMMC Level 1 Requirements: The 17 Practices in Plain English

[OUTLINE — expand before publishing]

If your company handles Federal Contract Information but no CUI, CMMC Level 1 is your lane — and it is deliberately achievable. Level 1 covers 17 basic practices drawn from the safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an affirmation from a senior company official. No C3PAO, no third-party audit. This guide walks through all 17 practices in plain English, shows how the self-assessment and affirmation work, and flags the places where small contractors most often slip.

Who Needs CMMC Level 1

  • Define FCI per FAR 52.204-21: information not intended for public release, provided by or generated for the government under contract — nearly every DoD contractor holds it.
  • Level 1 applies when you hold FCI only. Any CUI in the environment moves you to CMMC Level 2.
  • Clarify the numbers: the 15 FAR safeguarding requirements are expressed as 17 CMMC practices.

The 17 Practices at a Glance

  • Present all 17 grouped by domain: Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity.
  • One plain-English sentence per practice (e.g., "limit system access to authorized users" becomes "only people you have approved can log in").
  • Keep every explanation testable — what a self-assessor should actually look for.

Access Control and Authentication

  • Cover: authorized-user access, limiting transactions and functions, controlling public-facing information, identifying users and devices, authenticating before granting access.
  • Practical examples: unique accounts (no shared logins), an offboarding checklist, review of who can post to the public website.

Media, Physical, and Facility Protections

  • Sanitize or destroy media containing FCI before disposal or reuse — what that means for old laptops, drives, and copiers.
  • Limit physical access to systems and facilities; escort visitors; maintain audit logs of physical access; control keys, badges, and other access devices.

Boundary Protection and System Integrity

  • Monitor and control communications at system boundaries (firewalls, routers); separate public-facing systems (e.g., web servers) from internal networks.
  • Patch in a timely way (flaw remediation); run malicious-code protection; keep it updated; scan periodically and in real time.

The Annual Self-Assessment and Affirmation

  • How to run and document the self-assessment against all 17 practices; results entered in SPRS.
  • Annual affirmation of continuing compliance by a senior company official.
  • Key rule: no POA&Ms at Level 1 — all 17 practices must be fully met.

Common Failure Points

  • Shared admin accounts, former-employee access never removed, default firewall configurations, no visitor process, no patch cadence.
  • Emphasize: most fixes are process and hygiene, not new spending.

Watch for CUI Creep

  • Signs you are actually a Level 2 shop: technical drawings, export-controlled data, or DFARS 252.204-7012 appearing in your contracts.
  • Link the CMMC 2.0 overview for the full level-determination walkthrough.

How Essendis Helps

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.