[OUTLINE — expand before publishing]
If your company handles Federal Contract Information but no CUI, CMMC Level 1 is your lane — and it is deliberately achievable. Level 1 covers 17 basic practices drawn from the safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an affirmation from a senior company official. No C3PAO, no third-party audit. This guide walks through all 17 practices in plain English, shows how the self-assessment and affirmation work, and flags the places where small contractors most often slip.
Who Needs CMMC Level 1
- Define FCI per FAR 52.204-21: information not intended for public release, provided by or generated for the government under contract — nearly every DoD contractor holds it.
- Level 1 applies when you hold FCI only. Any CUI in the environment moves you to CMMC Level 2.
- Clarify the numbers: the 15 FAR safeguarding requirements are expressed as 17 CMMC practices.
The 17 Practices at a Glance
- Present all 17 grouped by domain: Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity.
- One plain-English sentence per practice (e.g., "limit system access to authorized users" becomes "only people you have approved can log in").
- Keep every explanation testable — what a self-assessor should actually look for.
Access Control and Authentication
- Cover: authorized-user access, limiting transactions and functions, controlling public-facing information, identifying users and devices, authenticating before granting access.
- Practical examples: unique accounts (no shared logins), an offboarding checklist, review of who can post to the public website.
Media, Physical, and Facility Protections
- Sanitize or destroy media containing FCI before disposal or reuse — what that means for old laptops, drives, and copiers.
- Limit physical access to systems and facilities; escort visitors; maintain audit logs of physical access; control keys, badges, and other access devices.
Boundary Protection and System Integrity
- Monitor and control communications at system boundaries (firewalls, routers); separate public-facing systems (e.g., web servers) from internal networks.
- Patch in a timely way (flaw remediation); run malicious-code protection; keep it updated; scan periodically and in real time.
The Annual Self-Assessment and Affirmation
- How to run and document the self-assessment against all 17 practices; results entered in SPRS.
- Annual affirmation of continuing compliance by a senior company official.
- Key rule: no POA&Ms at Level 1 — all 17 practices must be fully met.
Common Failure Points
- Shared admin accounts, former-employee access never removed, default firewall configurations, no visitor process, no patch cadence.
- Emphasize: most fixes are process and hygiene, not new spending.
Watch for CUI Creep
- Signs you are actually a Level 2 shop: technical drawings, export-controlled data, or DFARS 252.204-7012 appearing in your contracts.
- Link the CMMC 2.0 overview for the full level-determination walkthrough.
How Essendis Helps