CMMC Level 1 Compliance: Requirements & How to Meet Them [+ Checklist]
As the Cybersecurity Maturity Model Certification (CMMC) compliance deadline draws near, businesses across the Defense Industrial Base are racing to align with the Department of Defense’s cybersecurity standards. For many, especially smaller defense contractors and subcontractors, achieving CMMC compliance can feel overwhelming, with the clock ticking and resources stretched thin.
CMMC Level 1, the foundational stage of the certification, presents a baseline of cybersecurity requirements that all contractors must meet to win or continue working on DoD contracts involving federal contract information (FCI). For some, CMMC Level 1 compliance involves re-evaluating existing practices, while others need to establish entirely new security measures.
To help you navigate these new requirements no matter where you are in the readiness process, we’ve created this guide breaking down what’s required for CMMC Level 1 and how a compliance automation solution can help businesses meet the CMMC deadline with greater confidence and ease. Let’s get started.
What is CMMC Level 1 compliance?
CMMC Level 1 is the foundational level of cybersecurity requirements set by the Department of Defense (DoD) for contractors working with federal contract information (FCI).
As the lowest level of security controls required for a defense contractor to earn CMMC certification, Level 1 focuses on implementing basic cyber hygiene practices to protect FCI. These practices align with the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.
What is Federal Contract Information (FCI)?
Federal contract information is information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government that is not intended for public release, as defined in FAR Clause 52.204-21.
Examples of FCI are:
- Technical specifications
- Proposals and bids
- Project schedules or progress reports
- General supplier information
- Non-sensitive internal communications
Examples that aren’t considered FCI are:
- Information provided by the Government on public websites
- Simple transactional information that’s needed to process payments
FCI vs CUI
Both FCI and Controlled Unclassified Information (CUI) are types of sensitive, unclassified data created or owned by the government. Any organization that handles FCI or CUI must achieve one of the three CMMC certification levels, as specified in their contract, to be eligible to do defense-related work.
However, unlike FCI, CUI is designated by the federal government as sensitive enough to require safeguarding and may also be subject to dissemination controls in accordance with laws, regulations, or government-wide policies. If an organization handles CUI, they must comply with CMMC Level 2 or higher. That means organizations handling CUI must achieve a more advanced level of cyber hygiene than Level 1 contractors.
Examples of CUI are:
- Personally identifiable information
- HIPAA-protected data
- Law enforcement records
- Critical infrastructure and defense information
- Export control information
While CMMC Level 1 compliance is the lowest level, it’s still critical as it ensures contractors are implementing necessary safeguards to protect FCI.
Let’s take a closer look at the different levels of CMMC certification below.
CMMC Level 1 vs Level 2 vs Level 3
The CMMC 2.0 model is structured in three levels, with each representing an increasing degree of cybersecurity maturity.
Level 1 (Foundational)
- Who: Required for any defense contractor that handles FCI.
- What: Basic cyber hygiene practices focused on protecting FCI, such as access control.
- Based on existing regulation: 17 requirements drawn from FAR 52.204-21.
- Assessment: An annual self-assessment and an affirmation of compliance by a senior company official are required.
Level 2 (Advanced)
- Who: Required for most defense contractors that handle CUI.
- What: Practices aligned with higher data protection requirements, suitable for those handling CUI.
- Based on existing regulation: 110 requirements drawn from NIST 800-171.
- Assessment: A triennial assessment performed by a C3PAO and an annual affirmation are required for most Level 2 contractors. However, if the contractor handles only non-critical national security information, annual self-assessments and affirmations are required instead.
Level 3 (Expert)
- Who: Required for defense contractors that handle the most sensitive CUI and face advanced persistent threats (APTs). DoD estimates this will be less than 1% of defense contractors.
- What: Practices aligned with advanced security requirements designed to protect critical national security information and address APTs.
- Based on existing regulation: 110 requirements drawn from NIST 800-171 plus 24 from NIST 800-172.
- Assessment: A triennial assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center and an annual affirmation of compliance with the 24 NIST 800-172 requirements are required. Contractors must achieve CMMC Level 2 certification first.
The DoD contracts you’re bidding on or currently involved with will likely specify the required CMMC level. If they don’t, understanding the distinctions between levels can help you determine which you need. You can also use the decision tree below as an aid.
CMMC Level 1 compliance requirements
CMMC Level 1 compliance includes 17 practices organized around six core areas:
- Access Control: Control who can access FCI, ensuring employees use unique login credentials and strong password management.
- Identification and Authentication: Verify the identities of users accessing FCI through authentication measures.
- Media Protection: Protect both physical and digital media used to store FCI, with rules around handling, storage, and disposal.
- Physical Protection: Limit physical access to locations storing FCI, implementing badge systems or secured entry points.
- System and Communications Protection: Protect system boundaries and ensure that interconnected systems and devices are managed securely, using secure communication protocols and network segmentation.
- System and Information Integrity: Ensure systems are secure and up-to-date, using antivirus software and security patches.
These practices provide a foundation for meeting CMMC Level 1 requirements and safeguarding FCI.
For a more detailed overview of Level 1 requirements, download our free checklist below.
CMMC Level 1 Compliance Checklist
To help contractors meet CMMC Level 1 requirements, we created a checklist to cover each practice area. Use it as a streamlined way to address each area and monitor ongoing compliance.
Download requirements checklists for CMMC 2.0 Level 1 to help guide your compliance efforts and assessment preparations.
CMMC Level 1 Compliance Software
Compliance automation software simplifies the path to Level 1 certification by automating evidence collection, policy management, continuous monitoring, and other compliance tasks. Look for solutions that include the following key features and capabilities:
- Gap analysis: Identifies gaps in your current security practices against Level 1 requirements.
- Evidence collection: Automates evidence collection for CMMC Level 1 controls.
- Documentation management: Stores and organizes necessary compliance documentation, including a System Security Plan (SSP) and necessary policies and procedures.
- Automated risk assessments: Automates the risk assessment workflow for risks associated with FCI.
- Continuous monitoring: Continuously monitors your controls and tech stack to proactively detect and remediate any issues.
Secureframe is an example of a compliance automation platform that’s purpose-built to address CMMC requirements.
Why choose Secureframe to simplify CMMC Level 1 compliance
Secureframe is designed to make CMMC Level 1 compliance seamless, offering an all-in-one solution to guide you through every step of the process.
With Secureframe, you’ll gain access to a suite of resources and support that streamline compliance management, including:
- Federal compliance expertise: Our team of compliance experts includes former CMMC, FISMA, and FedRAMP auditors and consultants to support you at every step. Our platform is always kept up-to-date on the latest changes to federal compliance requirements, simplifying regulatory change management.
- Deep integrations for automated evidence collection: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automatically collect evidence and continuously monitor your CMMC Level 1 controls.
- Continuous monitoring: Secureframe continuously monitors your security controls, automatically identifying compliance gaps, misconfigurations, and failing controls. This enables you to maintain a strong security posture and continuous CMMC compliance without the need for constant manual checks.
- AI-powered remediation: Over time, changes in your environment or organization may result in tests failing. Comply AI for Remediation automatically generates fixes as infrastructure-as-code, allowing users to effortlessly implement these solutions in their cloud environments. This not only makes the remediation process more efficient, it also can help enhance your organization’s overall security and compliance posture.
- Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include SSP templates, impact assessments, and readiness reports.
- In-platform training: Proprietary employee training that meets CMMC requirements, including insider threat and role-based training, and that is reviewed and updated annually by compliance experts.
- Multi-framework compliance: Intelligent cross-mapping makes it easier to quickly achieve compliance with multiple federal standards, such as NIST 800-53, NIST 800-171, FedRAMP, NIST CSF, TX-RAMP, and CJIS. Instead of starting from scratch, Secureframe applies the controls you already have in place for CMMC to multiple frameworks, accelerating time to compliance and eliminating duplicate work.
By partnering with Secureframe, you’ll have the expertise and tools to navigate CMMC Level 1 requirements efficiently, stay ahead of framework updates, and ensure your organization is always assessment-ready. This holistic approach saves time, reduces costs, and helps build a strong cybersecurity foundation that meets DoD standards.
To see why Secureframe is an invaluable resource for any organization pursuing CMMC Level 1 compliance, schedule a demo with one of our product experts.
FAQs
When is CMMC Level 1 compliance required?
CMMC Level 1 compliance is required for DoD contractors that handle FCI but not CUI. CMMC assessment requirements will be implemented using a four-phase plan over three years, starting with self-assessments in Phase 1. Phase 1 begins 60 days after the publication of the final Title 48 CFR CMMC acquisition rule.
How does CMMC Level 1 certification work?
CMMC Level 1 requires an annual self-assessment, which differs from the higher levels that require third-party or government-led assessments. This self-assessment process involves reviewing and documenting cybersecurity practices to demonstrate compliance with all 17 requirements and submitting an executive affirmation of compliance.
What happens if I fail to meet CMMC Level 1 requirements?
Non-compliance may result in disqualification from federal contracts involving FCI. Regular self-assessments and a proactive approach to cybersecurity help mitigate risks of non-compliance.
What’s the cost of CMMC Level 1 compliance?
Level 1 is the least costly level because of its minimal requirements and its reliance on self-assessment, but the cost still varies with company size, current cybersecurity posture, and whether additional headcount or software is required. According to the DoD’s proposed rule for CMMC 2.0, Level 1 self-assessments would cost from $4,000-$6,000. You can find a more detailed breakdown of costs by level here.