
CMMC Level 1: Foundational cyber hygiene, requirements, and compliance path

Last updated on December 17, 2025 · 4 min. read

For any organization bidding for or holding a Department of Defense (DoD) contract that involves Federal Contract Information (FCI), CMMC Level 1 serves as the foundational gateway to compliance. It’s the DoD’s mandated baseline for protecting non-public contract data.

It is the most critical and accessible starting point for a large portion of the Defense Industrial Base (DIB). This guide provides a clear breakdown of the CMMC Level 1 requirements, the self-assessment process, realistic costs, and how to maintain ongoing compliance.

What is CMMC Level 1?

CMMC Level 1 (Foundational) is the first of the three Cybersecurity Maturity Model Certification (CMMC) levels defined in the CMMC program rule (32 CFR Part 170). It requires organizations to implement 15 basic safeguarding requirements designed to protect FCI.

Those 15 requirements are taken verbatim from paragraph (b)(1) of Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. (The earlier CMMC 1.0 model split them into 17 "practices"; the current rule uses the FAR's own count of 15, and each CMMC requirement identifier, such as AC.L1-b.1.i, points back to the matching FAR paragraph.)

Who needs CMMC Level 1?

CMMC Level 1 compliance is mandatory for any organization within the DIB that handles, processes, or stores FCI but does not handle Controlled Unclassified Information (CUI).

FCI is information not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. Examples include contract numbers, delivery schedules, budgets, and simple project status reports.

What is the scope of CMMC Level 1?

The scope of a CMMC Level 1 assessment is narrowly focused: it only includes the information systems (people, technology, and facilities) that process, store, or transmit FCI.

For many organizations, this makes the assessment scope containable. By confining all FCI to a dedicated virtual machine, secure server, or separate network segment (an "enclave"), contractors can dramatically reduce the size and complexity of the environment that must satisfy the 15 requirements. Assets that never process, store, or transmit FCI are Out-of-Scope Assets and are not assessed. The caveat is that scope follows the data, not the diagram: if FCI is routinely emailed to personal laptops or copied to a shared drive outside the enclave, those systems are in scope regardless of what the network design says.

Which cybersecurity domains are included in CMMC Level 1?

The 15 requirements of CMMC Level 1 are grouped into six CMMC domains. The FAR clause itself simply numbers them (b)(1)(i) through (xv); the domain grouping and the identifiers (e.g., SI.L1-b.1.xii) come from the CMMC assessment guide.

Domain | Number of requirements | Key technical focus areas (FAR 52.204-21(b)(1) paragraphs)
Access Control (AC) | 4 | Limit system access to authorized users, processes, and devices; limit access to the transactions and functions users are permitted to execute; verify and control connections to external systems; control information posted on publicly accessible systems (i–iv).
Identification and Authentication (IA) | 2 | Identify users, processes acting on behalf of users, and devices; authenticate (or verify) those identities before granting access (v–vi).
Media Protection (MP) | 1 | Sanitize or destroy system media containing FCI before disposal or release for reuse, e.g., verified drive wiping or physical destruction (vii).
Physical Protection (PE) | 2 | Limit physical access to systems, equipment, and operating environments to authorized individuals; escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices such as keys and badges (viii–ix).
System and Communications Protection (SC) | 2 | Monitor, control, and protect communications at external and key internal boundaries (e.g., a firewall with a default-deny inbound policy); place publicly accessible components on subnetworks physically or logically separated from internal networks (e.g., a DMZ) (x–xi).
System and Information Integrity (SI) | 4 | Identify, report, and correct system flaws in a timely manner (patch management); provide protection from malicious code at appropriate locations; update malicious code protection when new releases are available; perform periodic scans of the system and real-time scans of files from external sources (xii–xv).
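The SC and SI rows are the ones a self-assessor can check mechanically from collected evidence. The script below is an added example, not content from the page or any DoD assessment tool: it evaluates constructed host facts (patch age, anti-malware status, scan history, firewall default policy, DMZ placement) against the six SC/SI requirement identifiers and rolls the results up the way a self-assessment must, where a single failing in-scope host makes the requirement NOT MET. The numeric thresholds in POLICY are assumptions an organization would set in its own written policy; the FAR clause only says "timely", "when new releases are available" and "periodic".

```python
"""Check constructed host evidence against the FAR 52.204-21 SC and SI requirements.

Added example; not the page's own content or a DoD assessment tool. The hosts
and dates below are constructed. The thresholds in POLICY are assumptions an
organization would set in its own written policy; the regulation gives no numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

POLICY = {
    "patch_days": 30,  # max age of an unapplied patch before "timely" is missed (assumed)
    "sig_days": 7,     # max age of anti-malware signatures (assumed)
    "scan_days": 7,    # max interval between periodic full scans (assumed)
}


@dataclass
class HostFacts:
    name: str
    public_facing: bool            # reachable from the internet
    in_dmz: bool                   # on a subnet separated from the internal LAN
    boundary_default_inbound: str  # firewall default for inbound at the external boundary
    oldest_missing_patch: Optional[date]
    av_installed: bool
    av_signature_date: Optional[date]
    last_full_scan: Optional[date]
    realtime_scan: bool


def days_since(when: Optional[date], today: date) -> Optional[int]:
    return None if when is None else (today - when).days


def evaluate_host(h: HostFacts, today: date) -> Dict[str, str]:
    """Map each SC/SI requirement to 'MET' or 'NOT MET: reason' for one host."""
    f: Dict[str, str] = {}

    # SC.L1-b.1.x: monitor, control and protect communications at external boundaries.
    f["SC.L1-b.1.x"] = ("MET" if h.boundary_default_inbound == "deny"
                        else f"NOT MET: inbound default is '{h.boundary_default_inbound}'")

    # SC.L1-b.1.xi: publicly accessible components live on a separated subnetwork.
    f["SC.L1-b.1.xi"] = ("NOT MET: public-facing host on internal network"
                         if h.public_facing and not h.in_dmz else "MET")

    # SI.L1-b.1.xii: identify, report and correct flaws in a timely manner.
    age = days_since(h.oldest_missing_patch, today)
    f["SI.L1-b.1.xii"] = ("MET" if age is None or age <= POLICY["patch_days"]
                          else f"NOT MET: patch outstanding {age} days")

    # SI.L1-b.1.xiii: protection from malicious code at appropriate locations.
    f["SI.L1-b.1.xiii"] = "MET" if h.av_installed else "NOT MET: no anti-malware installed"

    # SI.L1-b.1.xiv: update malicious code protection when new releases are available.
    age = days_since(h.av_signature_date, today)
    if not h.av_installed:
        f["SI.L1-b.1.xiv"] = "NOT MET: no anti-malware installed"
    elif age is None:
        f["SI.L1-b.1.xiv"] = "NOT MET: signatures never updated"
    elif age > POLICY["sig_days"]:
        f["SI.L1-b.1.xiv"] = f"NOT MET: signatures {age} days old"
    else:
        f["SI.L1-b.1.xiv"] = "MET"

    # SI.L1-b.1.xv: periodic scans of the system and real-time scans of external files.
    age = days_since(h.last_full_scan, today)
    periodic_ok = age is not None and age <= POLICY["scan_days"]
    reasons = []
    if not periodic_ok:
        reasons.append("no full scan within window")
    if not h.realtime_scan:
        reasons.append("real-time scanning off")
    f["SI.L1-b.1.xv"] = "MET" if not reasons else "NOT MET: " + "; ".join(reasons)
    return f


def assess(hosts: List[HostFacts], today: date) -> Dict[str, List[str]]:
    """Roll up findings: requirement -> list of 'host: reason' for every miss.

    A requirement is MET for the self-assessment only when its list is empty;
    one failing in-scope host is enough to make it NOT MET.
    """
    misses: Dict[str, List[str]] = {}
    for h in hosts:
        for req, status in evaluate_host(h, today).items():
            misses.setdefault(req, [])
            if status != "MET":
                misses[req].append(f"{h.name}: {status[len('NOT MET: '):]}")
    return misses


# Constructed evidence for three in-scope hosts (not real systems).
TODAY = date(2025, 12, 17)
HOSTS = [
    HostFacts("fileserver-01", False, False, "deny", None, True, date(2025, 12, 16), date(2025, 12, 14), True),
    HostFacts("www-01", True, True, "deny", date(2025, 11, 1), True, date(2025, 12, 15), date(2025, 12, 10), True),
    HostFacts("finance-laptop-07", False, False, "deny", None, True, date(2025, 11, 20), None, False),
]

if __name__ == "__main__":
    for req, problems in assess(HOSTS, TODAY).items():
        print(req, "MET" if not problems else "NOT MET -> " + "; ".join(problems))
```

The roll-up is the part worth copying: an assessor does not average across hosts. In the constructed data, www-01 alone fails SI.L1-b.1.xii and finance-laptop-07 alone fails SI.L1-b.1.xiv and xv, so three of the six requirements would be NOT MET and the affirmation could not be submitted until all three are fixed.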

How to achieve CMMC Level 1 compliance: The self-assessment process

Achieving CMMC Level 1 compliance is an internal process culminating in a formal affirmation to the DoD. Notably, Plans of Action & Milestones (POA&Ms) are not permitted for CMMC Level 1 self-assessments. Therefore, organizations must achieve a "MET" status for all 15 requirements before they can affirm compliance.

Step Description
Step 1: Define the scoped boundary | Accurately map the flow of FCI within the organization's information systems. This defines the CMMC Assessment Scope (the "enclave") that the 15 requirements will apply to.
Step 2: Conduct a comprehensive gap analysis | Assess the scoped environment against the 15 requirements of FAR 52.204-21. Each requirement is evaluated using the "Examine," "Interview," and "Test" assessment methods described in the CMMC Level 1 assessment guide.
Step 3: Remediate and document everything | Close every NOT MET gap by implementing the required technical controls (e.g., enabling firewalls, deploying anti-malware). In parallel, create and maintain the policies and procedures that show the controls are operated consistently, not just switched on once.
Step 4: Affirm and submit to SPRS | Once all 15 requirements are MET, the affirming official (a senior company representative) signs the affirmation attesting to compliance. The self-assessment result and the affirmation are then submitted to the Supplier Performance Risk System (SPRS).
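Step 1 is the step most organizations get wrong, because scope follows where FCI actually flows rather than where the network diagram says it should be. The script below is an added example, not the page's or the DoD scoping guide's method: it treats a constructed asset inventory as a directed data-flow graph, starts from the assets where FCI first lands, and walks every flow to find all assets FCI can reach. Assets never reached are out of scope; every edge from an in-scope asset to an external system (the internet, a customer system) is a boundary where SC.L1-b.1.x protection must be evidenced. The inventory, asset names, and the choice to stop traversal at external systems are all assumptions made for the example.

```python
"""Derive the CMMC Level 1 assessment scope from an FCI data-flow map.

Added example; not from the page or from the DoD scoping guide. The inventory
below is constructed. Modeling assumptions: an asset is in scope if FCI can
reach it along a directed data flow from an asset that already holds FCI, and
traversal stops at external systems, which lie outside the contractor's boundary.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: asset -> assets it sends data to.
FLOWS: Dict[str, Set[str]] = {
    "contracts-fileshare": {"finance-laptop", "backup-nas"},
    "finance-laptop": {"email-gateway", "printer-2f"},
    "email-gateway": {"internet"},
    "backup-nas": set(),
    "printer-2f": set(),
    "marketing-wiki": {"web-cdn"},
    "web-cdn": {"internet"},
    "shop-floor-plc": {"historian"},
    "historian": set(),
}
FCI_SOURCES = {"contracts-fileshare"}  # where FCI first lands (constructed)
EXTERNAL = {"internet"}                # outside the organization's boundary (assumed)


def all_assets(flows: Dict[str, Set[str]]) -> Set[str]:
    """Every asset named anywhere in the flow map, as source or target."""
    assets = set(flows)
    for targets in flows.values():
        assets |= targets
    return assets


def compute_scope(flows: Dict[str, Set[str]], sources: Iterable[str],
                  external: Set[str]) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (in_scope, out_of_scope, boundary_crossings).

    boundary_crossings lists (in-scope asset, external system) edges; each one
    is a place where boundary protection (SC.L1-b.1.x) needs evidence.
    """
    in_scope: Set[str] = set()
    crossings: List[Tuple[str, str]] = []
    queue = deque(sources)
    while queue:  # breadth-first walk along the direction FCI moves
        asset = queue.popleft()
        if asset in in_scope or asset in external:
            continue
        in_scope.add(asset)
        for nxt in flows.get(asset, ()):
            if nxt in external:
                crossings.append((asset, nxt))
            elif nxt not in in_scope:
                queue.append(nxt)
    out_of_scope = all_assets(flows) - in_scope - external
    return sorted(in_scope), sorted(out_of_scope), sorted(crossings)


if __name__ == "__main__":
    ins, outs, edges = compute_scope(FLOWS, FCI_SOURCES, EXTERNAL)
    print("In scope:", ins)
    print("Out of scope:", outs)
    print("Boundary crossings needing SC.L1-b.1.x evidence:", edges)
```

Re-running the walk after adding a single flow (say, finance staff pasting contract data into the marketing wiki) is the quickest way to see why scope discipline matters: the wiki and its CDN immediately become in-scope assets and the CDN's link to the internet becomes a second boundary to protect.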

What is the timeline for CMMC Level 1 compliance?

For organizations with an established IT department and some pre-existing basic cybersecurity measures, CMMC Level 1 compliance can often be achieved in 3 to 6 months. This timeline includes the crucial steps of scoping, gap assessment, control implementation, policy documentation, and the final executive sign-off. Organizations starting from a lower cyber hygiene baseline may require up to 9 months.

What are the requirements needed for Level 1 compliance?

To formally claim CMMC Level 1 compliance, an organization must achieve the following:

Compliance component | Description and specific documentation required
Full implementation | 100% adherence to all 15 requirements of FAR 52.204-21. No Plans of Action and Milestones (POA&Ms) are permitted for CMMC Level 1.
Required documentation | Information Security Policy: a written policy describing how the organization implements and enforces all 15 safeguarding requirements. Evidence artifacts: objective proof such as physical access logs, user account management records, screenshots or reports showing active anti-malware protection and current signatures, firewall configurations, and documented media sanitization or destruction records.
Assessment & affirmation | Completion of an annual CMMC Level 1 self-assessment, followed by submission of the affirmation, signed by the affirming official (a senior company representative), to the DoD via the Supplier Performance Risk System (SPRS).

How much does CMMC Level 1 compliance cost?

The cost of CMMC Level 1 is significantly lower than higher levels due to the self-assessment model, but it is not free. Costs generally fall into three categories:

Cost category | Estimated range | Description and hidden costs
Internal labor & training | $5,000 – $15,000 | The largest hidden cost. Covers internal IT and management time spent on gap analysis, remediation, documentation, and assessment activities. Also includes employee training on basic cyber hygiene (e.g., strong passwords, access handling).
Remediation & technology | $1,000 – $10,000 | Costs for basic security improvements such as commercial anti-malware licenses, upgraded firewalls, simple log management tools, or hardware needed for basic network segmentation.
Compliance & automation | $5,000 – $15,000 (annual) | Subscription-based compliance automation platforms that continuously collect evidence, map controls, and simplify documentation and annual affirmations, often reducing internal labor costs significantly.
Total first-year estimate | $10,000 – $30,000 | Total cost varies with initial cybersecurity maturity and the degree of reliance on external consultants or automation platforms.

What are the differences between CMMC Level 1 and higher levels?

Level 1 vs. Level 2

The technical difference between CMMC Level 1 and Level 2 is defined by the type of data protected and the complexity of the control set.

Feature | CMMC Level 1 (Foundational) | CMMC Level 2 (Advanced)
Data protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI)
Control basis | 15 requirements (FAR 52.204-21) | 110 requirements (NIST SP 800-171)
Assessment | Self-assessment every year, with an affirmation every year | Either a C3PAO certification assessment or a self-assessment, each valid for three years, with an affirmation every year; the solicitation states which of the two applies
POA&Ms | Not allowed | Allowed for both self-assessments and C3PAO assessments, with conditions: a minimum score, no POA&M on the highest-weighted requirements, and closure within 180 days, after which the conditional status lapses

Level 1 vs. Level 3

CMMC Level 3 represents the highest tier, designed for organizations handling highly sensitive CUI related to critical DoD programs.

Feature | CMMC Level 1 (Foundational) | CMMC Level 3 (Expert)
Data protected | Federal Contract Information (FCI) | Highly sensitive Controlled Unclassified Information (CUI), including protection against Advanced Persistent Threats (APTs)
Control basis | 15 requirements (FAR 52.204-21) | 134 requirements (NIST SP 800-171 plus 24 selected enhanced requirements from NIST SP 800-172)
Assessment | Annual self-assessment | Triennial government-led assessment (DIBCAC), which requires a final Level 2 C3PAO certification as a prerequisite
Maturity | Basic cyber hygiene | Expert-level, optimized, and proactive cybersecurity processes

How to maintain ongoing CMMC Level 1 compliance

Achieving Level 1 is a point-in-time assessment, but compliance must be maintained continuously, as a new self-assessment and affirmation are required annually. This is accomplished through disciplined operational security:

  • Continuous monitoring and evidence collection: Compliance is a continuous state. Organizations must ensure that processes, such as reviewing physical access logs and updating antivirus definitions, are performed and documented regularly. Automated GRC tools are invaluable here for continuous evidence capture.
  • Annual executive review: The self-assessment must be performed and the affirmation submitted to SPRS every year. This review forces the organization to formally verify that the 15 requirements are still in place and operating effectively, ensuring that personnel changes, system updates, and new contracts have not inadvertently broken the security baseline.

What are some common CMMC Level 1 challenges?

While Level 1 is the simplest CMMC tier, three major challenges often trip up small organizations:

  • Challenge 1: Defining the scope accurately: Many companies assume their entire IT environment is in scope. Incorrectly scoping the environment can lead to unnecessary remediation costs and complexity. The critical challenge is meticulously mapping the FCI data flow to isolate it into a defined, manageable enclave.
  • Challenge 2: The "All or Nothing" Requirement (No POA&Ms): There is no room for partial compliance. POA&Ms are not permitted at Level 1 (unlike Level 2, where a conditional status with a 180-day POA&M window exists). If even one of the 15 requirements is not fully implemented (e.g., visitor logs are not maintained), the organization does not have a "MET" result for every requirement and therefore cannot submit its affirmation to SPRS.
  • Challenge 3: Documentation and evidence: Even for basic controls, the DoD requires verifiable evidence. Small businesses often have the controls implemented (e.g., they use passwords) but lack the formal written policies and repeatable procedures to prove how they manage those controls, which is a major compliance gap.

Accelerate CMMC Level 1 readiness with Scrut

CMMC Level 1 compliance is straightforward but demands discipline and documented evidence. Scrut Automation empowers organizations to conquer the documentation and monitoring challenges required for the annual Executive Affirmation.

Our platform automatically maps your environment to the 15 FAR 52.204-21 requirements, centralizes evidence collection (like system logs and configuration screenshots), and streamlines the creation of the required Information Security Policy and supporting documentation. This efficiency ensures you can accurately define your scope, close gaps quickly, and maintain an audit-ready state for your annual SPRS submission, securing your eligibility for essential DoD contracts faster.

Ready to simplify your CMMC compliance journey? Book a demo with Scrut today!

FAQs

Is Level 1 self-assessment sufficient?

Yes. For all organizations that only handle Federal Contract Information (FCI), CMMC 2.0 Level 1 requires and allows only an annual self-assessment, with the compliance result formally attested to and submitted by a senior company official in the SPRS.

When is CMMC Level 1 compliance required?

CMMC Level 1 compliance is required when a DoD solicitation or contract includes the CMMC clause (DFARS 252.204-7021) specifying Level 1 for the protection of FCI. Because Level 1 is a self-assessment rather than a certification, what the clause requires is a current Level 1 self-assessment result and affirmation in SPRS, and those must be in place before contract award.

What happens if you fail to comply with CMMC Level 1?

Failure to comply, or to maintain the annual affirmation, renders the organization ineligible to bid on or be awarded DoD contracts that require CMMC Level 1. Since POA&Ms are not allowed at Level 1, any failure to meet one of the 15 requirements means the organization cannot affirm compliance.

What are the benefits of complying with CMMC 2.0 Level 1?

The primary benefit is contract eligibility. Secondary benefits include establishing a robust baseline of basic cyber hygiene (e.g., patching, anti-malware, access control) that protects the business from common cyberattacks and provides a clear foundation for future growth into CMMC Level 2.

Which CMMC level do I need for my organization?

The required CMMC level is strictly determined by the DoD contract solicitation and the type of information you will handle:

  1. Level 1 for contracts involving FCI only.
  2. Level 2 for contracts involving CUI.
  3. Level 3 for the most critical DoD programs and CUI requiring protection against advanced persistent threats.

How often do you need to recertify for CMMC Level 1?

CMMC Level 1 requires an annual self-assessment and the submission of a new Executive Affirmation to the SPRS every year to maintain continuous eligibility. Unlike higher levels, it does not have a three-year certification.

Can I automate the CMMC Level 1?

Yes, and it is highly recommended. GRC platforms and automation tools can significantly automate the evidence collection for controls like system integrity, access logs, and patching status, simplifying the annual self-assessment and reducing the associated internal labor costs.
