
CMMC Level 1 Compliance: How to Meet Requirements to Maintain Contract Eligibility after November [+ Checklist]

October 23, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Since the phased rollout of new CMMC contractual requirements, starting with Level 1 and 2, begins on November 10, 2025, businesses across the Defense Industrial Base are racing to align with these cybersecurity requirements to continue working with the Department of Defense.

For many, especially smaller defense contractors and subcontractors, CMMC can feel overwhelming, with the clock ticking and resources stretched thin. 

We've created this guide to help you understand and meet these requirements for Level 1 before the CMMC deadline so you stay eligible for existing and new contracts. Let’s get started.

If you’re new to CMMC, check out our on-demand webinar that explains what this framework requires at different levels, who it applies to, and how to get certified.

What is CMMC Level 1 compliance?

CMMC Level 1 is the foundational level of cybersecurity requirements set by the Department of Defense (DoD) in 32 CFR 170.14(c)(2) for contractors working with federal contract information (FCI). 

As the lowest level of security controls required for a defense contractor or subcontractor to earn CMMC certification, Level 1 is comprised of 15 basic cyber hygiene practices specified in Federal Acquisition Regulation (FAR) Clause 52.204-21(b)(1) for protecting FCI.

Note: Some earlier CMMC materials from the DoD (like this guide) reference 17 requirements for Level 1. The Department of Defense has since updated and consolidated these into 15 requirements under FAR 52.204-21, as confirmed in the official 32 CFR rule.

Who needs CMMC Level 1 certification?

Any organization that processes, stores, or transmits FCI (and only FCI, not CUI) under a Department of Defense (DoD) contract or subcontract must comply with CMMC Level 1 requirements. If it doesn’t, it won’t be eligible for DoD contracts involving FCI.

According to DoD estimates in the 32 CFR rule, 63% of the Defense Industrial Base (DIB) will ultimately fall into this category and need to achieve CMMC Level 1 certification.

That includes:

  • Prime contractors that work directly with the DoD and handle FCI.
  • Subcontractors that process, store, or transmit FCI in performance of a subcontract.
  • Managed service providers (MSPs) and other vendors that manage IT systems or perform services where FCI may be accessed or stored.

In short, if your work touches FCI in any way, you’re in scope for Level 1 certification.

Let’s take a closer look at what FCI is—and what it isn’t—before diving deeper into Level 1 requirements.


What is Federal Contract Information (FCI)?

Federal contract information is information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government that is not intended for public release, as defined in 48 CFR 4.1901.

Examples of FCI are:

  • Technical specifications
  • Proposals and bids
  • Project schedules or progress reports
  • General Supplier information
  • Non-sensitive internal communications

Examples that aren’t considered FCI are:

Let’s take a closer look at the difference between the two major categories of information CMMC is designed to protect below.

[Figure: side-by-side definitions of FCI and CUI]

FCI vs CUI

Both FCI and CUI are types of sensitive, unclassified data created or owned by the government or on behalf of the government. Any organization that handles FCI or CUI must achieve one of the three CMMC certification levels, as specified in their contract, to be eligible to do defense-related work.

However, unlike FCI, CUI is designated by the federal government as sensitive enough to require safeguarding and may also be subject to dissemination controls in accordance with laws, regulations, or government-wide policies, as defined in 32 CFR 2002.4(h).

If an organization handles CUI, they must comply with CMMC Level 2 or Level 3. That means organizations handling CUI must achieve a more advanced level of cyber hygiene than Level 1 contractors.

Examples of CUI are:

  • Personally identifiable information
  • HIPAA-protected data
  • Law enforcement records
  • Export controlled information
  • Critical infrastructure and defense information

Let’s take a closer look at the different levels of CMMC certification below. 


CMMC Level 1 vs Level 2 vs Level 3

The CMMC 2.0 model is structured in three levels, with each representing an increasing degree of cybersecurity maturity.

Level 1 (Foundational)

  • Who: Required for any defense contractor and subcontractor that handles FCI. DoD estimates this will be 63% of the DIB.
  • What: Basic cyber hygiene practices focused on protecting FCI, such as access control.
  • Based on existing regulation: Based on 15 requirements in FAR 52.204-21.
  • Assessment: Annual self-assessment and affirmation of compliance by a senior company official is required.

Level 2 (Advanced)

  • Who: Required for most defense contractors and subcontractors that handle CUI. DoD estimates this will be 37% of the DIB.
  • What: Practices aligned with higher data protection requirements, suitable for those handling CUI.
  • Based on existing regulation: Based on 110 requirements in NIST 800-171.
  • Assessment: Triennial assessment performed by a C3PAO and annual affirmation is required for most Level 2 contractors. However, if the contractor handles non-critical national security information, then annual self-assessments and affirmations are required.

Level 3 (Expert)

  • Who: Required for defense contractors that handle the most sensitive CUI and face advanced persistent threats (APTs). DoD estimates this will be less than 1% of defense contractors. 
  • What: Practices aligned with advanced security requirements designed to protect critical national security information and address APTs.
  • Based on existing regulation: Based on 110 requirements in NIST 800-171 and 24 from NIST 800-172.
  • Assessment: Triennial assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center and annual affirmation of compliance with the 24 NIST 800-172 requirements is required. Contractors must achieve CMMC Level 2 certification first.

The DoD contracts you’re bidding on or currently involved with will likely specify the required CMMC level. If they don’t, understanding the distinctions between levels can help you determine which you need. You can also use the decision tree below as an aid.


CMMC Level 1 compliance requirements

CMMC Level 1 presents a baseline of 15 cybersecurity requirements that all contractors must meet to win or continue working on DoD contracts involving federal contract information (FCI). These requirements are organized around six core areas or domains. They are as follows:

Domains and requirement statements:

Access Control (AC)
  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.

Identification and Authentication (IA)
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Media Protection (MP)
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Physical Protection (PE)
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

System and Communications Protection (SC)
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

System and Information Integrity (SI)
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

To ensure organizations are fully implementing these necessary safeguards to protect FCI, they must meet all assessment objectives for each requirement. The 15 requirements in Level 1 have between 1 and 8 assessment objectives each, for a total of 58 assessment objectives. 

For a more detailed overview of Level 1 requirements and their assessment objectives, download our checklist below or refer to the DoD’s CMMC Level 1 Self-Assessment Guide for an even more comprehensive overview.

CMMC Level 1 Compliance Checklist

For some organizations in the DIB, CMMC Level 1 compliance will involve re-evaluating existing practices, while others will need to establish entirely new security measures. 

To help contractors meet Level 1 requirements no matter where they are in the readiness process, we created this checklist to cover all 15 requirements and 58 assessment objectives. Use it as a streamlined way to track that you’ve implemented each requirement fully and monitor ongoing compliance.

Download this checklist with all the requirements and assessment objectives for CMMC Level 1 to help guide your compliance efforts and assessment preparations.

How to get CMMC Level 1 certification by Phase 1 of enforcement

With CMMC enforcement of Level 1 and 2 requirements starting November 10, 2025, contractors and subcontractors handling FCI must act quickly to complete their CMMC self-assessments and affirmations. Here’s an overview of the steps to take immediately to get certified before losing contract eligibility. 

Step 1: Determine if you handle FCI.

Review your contracts and environment to identify if and where Federal Contract Information exists. If any employees, systems, vendors, or other assets handle FCI, you’re required to get CMMC Level 1 certification and must conduct a self-assessment.  

Step 2: Scope your assessment.

Before you actually conduct a Level 1 self-assessment, you must specify scope. Scope is the set of all assets—including the people, technology, facilities, and external service providers—that store, process, or transmit FCI and therefore must be assessed against the Level 1 security requirements.

Clearly scoping your environment prevents unnecessary work and costs. To ensure you get this step right, consult the DoD’s CMMC Level 1 Scoping Guidance or check out our on-demand webinar led by an expert with actual experience scoping for a CMMC assessment.

Step 3: Conduct a gap assessment.

Compare your existing security practices to the 15 Level 1 requirements. Identify any gaps—such as missing access controls, outdated antivirus software, or lack of audit logs—and prioritize remediation.

While you can do this step manually with spreadsheets, automation can significantly speed up the control mapping process and reduce the chance of human error. 

Step 4: Implement missing controls and document your practices.

Put CMMC controls in place to meet each requirement and provide evidence that demonstrates how you’re meeting them. 

Once controls and tests are in place, document your implementation of all Level 1 requirements and assessment objectives in your System Security Plan (SSP). You’ll likely have to provide other documentation as well, such as:

  • policy, process, and procedure documents
  • training materials
  • plans and planning documents
  • system, network, and data flow diagrams

Step 5: Perform your self-assessment.

To conduct the self-assessment, you must assess each of the 15 requirements and 58 assessment objectives and determine whether each has been MET, NOT MET, or is NOT APPLICABLE. 

For Level 1, no requirement can be left unmet and placed on a Plan of Action and Milestones (POA&M) for later remediation. The self-assessment is therefore scored MET or NOT MET as a whole, rather than with a numerical score.

Step 6: Submit results and affirmation.

Once you’ve completed your CMMC assessment, upload your results and score to the Supplier Performance Risk System (SPRS) and submit an executive affirmation of compliance to achieve a CMMC Status of Final Level 1 (Self). 

You must have a current CMMC status to be eligible for contract awards that involve FCI starting November 10 (possibly sooner if you’re a subcontractor).

Step 7: Maintain certification.

To maintain certification, you must assess your controls and submit these results, along with an affirmation of compliance, in the SPRS at least annually to prove you’re still meeting all CMMC Level 1 requirements.
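As an added example that is not part of the original post and not DoD or Secureframe tooling, the script below models the pass/fail logic of Steps 3 through 7: every assessed objective is recorded as MET, NOT MET, or NOT APPLICABLE, and the assessment as a whole is MET only if no applicable objective is unmet and the records are complete. The requirement numbers and domain groupings follow the page’s table; the objective labels (such as "R14[a]"), the evidence pointers, and the sample results are constructed placeholders, and a real assessment covers all 58 objectives from the DoD Self-Assessment Guide rather than one per requirement.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Result(str, Enum):
    """The only three outcomes a Level 1 objective can have. There is deliberately
    no 'PLANNED' value: Level 1 permits no POA&M, so a deferred objective is NOT MET."""
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


# Requirement numbers per domain, as laid out in the page's table (1..15).
DOMAINS: dict[str, range] = {
    "AC": range(1, 5),
    "IA": range(5, 7),
    "MP": range(7, 8),
    "PE": range(8, 10),
    "SC": range(10, 12),
    "SI": range(12, 16),
}


@dataclass(frozen=True)
class ObjectiveResult:
    requirement: int     # 1..15, the page's numbering
    objective: str       # assumed label, e.g. "R14[a]"; real IDs come from the DoD guide
    result: Result
    evidence: str = ""   # where the proof lives (SSP section, config export, screenshot)
    rationale: str = ""  # mandatory justification when NOT APPLICABLE


@dataclass
class Report:
    status: str                  # "MET" or "NOT MET" for the whole assessment
    gaps: dict[str, list[str]]   # domain -> objectives scored NOT MET
    errors: list[str]            # record-keeping problems that block a MET result


def domain_of(requirement: int) -> str:
    """Map a requirement number to its domain abbreviation."""
    for domain, reqs in DOMAINS.items():
        if requirement in reqs:
            return domain
    raise ValueError(f"requirement {requirement} is outside 1..15")


def score(results: list[ObjectiveResult]) -> Report:
    """Pass/fail the assessment as the page describes: every applicable objective
    must be MET with evidence, NOT APPLICABLE must be justified, and every one of
    the 15 requirements must have been assessed; otherwise the status is NOT MET."""
    errors: list[str] = []
    gaps: dict[str, list[str]] = {d: [] for d in DOMAINS}
    covered: set[int] = set()
    for r in results:
        try:
            domain = domain_of(r.requirement)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        covered.add(r.requirement)
        if r.result is Result.NOT_MET:
            gaps[domain].append(r.objective)
        elif r.result is Result.MET and not r.evidence.strip():
            errors.append(f"{r.objective}: MET but no evidence recorded")
        elif r.result is Result.NOT_APPLICABLE and not r.rationale.strip():
            errors.append(f"{r.objective}: NOT APPLICABLE without rationale")
    missing = sorted(set(range(1, 16)) - covered)
    if missing:
        errors.append(f"no objectives assessed for requirements {missing}")
    gaps = {d: objs for d, objs in gaps.items() if objs}
    status = "MET" if not errors and not gaps else "NOT MET"
    return Report(status, gaps, errors)


def sample_results(antivirus_current: bool = True) -> list[ObjectiveResult]:
    """Constructed sample: one objective per requirement, all MET with an evidence
    pointer. Requirement 14 (update malicious code protection) becomes NOT MET when
    antivirus_current is False; requirement 11 is marked NOT APPLICABLE with a
    rationale, as an assumed organisation with no publicly accessible components."""
    results = [
        ObjectiveResult(req, f"R{req}[a]", Result.MET, evidence=f"SSP section {req}")
        for req in range(1, 16)
    ]
    results[10] = ObjectiveResult(11, "R11[a]", Result.NOT_APPLICABLE,
                                  rationale="no publicly accessible system components")
    if not antivirus_current:
        results[13] = ObjectiveResult(14, "R14[a]", Result.NOT_MET)
    return results


if __name__ == "__main__":
    for current in (True, False):
        report = score(sample_results(antivirus_current=current))
        print(report.status, report.gaps, report.errors)
```

The `errors` list is what turns an incomplete record into a NOT MET outcome: a MET objective without an evidence pointer, or a NOT APPLICABLE objective without a written rationale, would not survive the self-assessment documented in the SSP, so the scorer refuses to report MET until the record is fixed.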

This brief step-by-step overview shows that CMMC certification is a rigorous and ongoing process. The right tool can automate much of this process—from scoping and gap analysis to evidence collection and continuous monitoring—so you can get assessment-ready faster and stay compliant year-round.


CMMC Level 1 Compliance Software

Compliance management software simplifies the path to Level 1 certification by automating evidence collection, policy management, continuous monitoring, and other compliance tasks. Look for solutions that include the following key features and capabilities:

  • Gap analysis: Identifies gaps in your current security practices against Level 1 requirements.
  • Evidence collection: Automate evidence collection for CMMC Level 1 controls.
  • Documentation management: Stores and organizes necessary compliance documentation, including a System Security Plan (SSP) and necessary policies and procedures.
  • Automated risk assessments: Automates the risk assessment workflow for risks associated with FCI.
  • Continuous monitoring: Continuously monitors your controls and tech stack to proactively detect and remediate any issues.

Secureframe is an example of a compliance automation platform that’s purpose-built to address CMMC requirements. Let’s dive into some of its key features below.


Why choose Secureframe to simplify CMMC Level 1 compliance

Secureframe reduces the cost and complexity of CMMC Level 1 compliance, offering an all-in-one solution for defense contractors, subcontractors, and suppliers. 

With Secureframe, you’ll gain access to the tools and expertise you need to fast-track CMMC certification:

  • Out-of-the-box support for Level 1: Secureframe offers all CMMC levels as out-of-the-box frameworks. With automated gap assessments mapped directly to CMMC Level 1 requirements and controls, you can see exactly what you need to do to get and stay compliant.
  • Federal compliance expertise: Our team of compliance experts includes former CMMC, FISMA, and FedRAMP auditors and consultants to support you at every step. Our platform is always kept up-to-date on the latest changes to federal compliance requirements, simplifying regulatory change management. 
  • Deep integrations for automated evidence collection: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automatically collect evidence and continuously monitor your CMMC Level 1 controls.
  • Continuous monitoring: Secureframe continuously monitors your security controls, automatically identifying compliance gaps, misconfigurations, and failing controls. This enables you to maintain a strong security posture and continuous CMMC Level 1 compliance without the need for constant manual checks.
  • Easier document and policy management: Templated policies and procedures written by former federal auditors can be fully customized to meet your needs and requirements for Level 1. Our enterprise policy management capabilities include templates, impact assessments, and readiness reports. 
  • Asset, vendor, and risk management: Secureframe integrates with your infrastructure to automatically discover in-scope assets and link them to required CMMC Level 1 practices. You can also inventory and track vendors to ensure they meet flowdown requirements. And you can assess, manage, and remediate risk to those assets and vendors using our automation and AI workflows. 
  • Trust Center: Showcase your CMMC Level 1 certification and continuous monitoring controls in real-time through a fully customized Trust Center to establish transparency and trust and differentiate yourself from competitors. Check out ours as an example.
  • In-platform training: Proprietary employee training that meets CMMC Level 1 requirements including insider threat and role-based training, and is reviewed and updated annually by compliance experts.
  • Multi-framework compliance: Intelligent cross-mapping makes it easier to quickly achieve compliance with higher CMMC levels and other federal frameworks, such as NIST 800-53 and FedRAMP, so you don’t have to start from scratch.

Talk to an expert to learn how Secureframe can help you navigate CMMC Level 1 requirements efficiently, stay ahead of deadlines, and ensure your organization is always assessment-ready.

This post was originally published in November 2024 and has been updated for accuracy and comprehensiveness based on updates across the CMMC ecosystem, like the CyberAB's August Town Hall.

FAQs

What is CMMC Level 1?

CMMC Level 1 is the foundational level of CMMC certification. It presents a baseline of 15 cybersecurity requirements that all contractors must meet to win or continue working on DoD contracts involving federal contract information (FCI).

Why do some resources say CMMC Level 1 has 17 requirements?

When CMMC 2.0 was first announced in 2021, CMMC Level 1 consisted of 17 requirements derived from FAR 52.204-21. In an earlier version of the DoD’s CMMC Level 1 Self-Assessment Guide (version 2.0, released in December 2021), there were four Physical Protection (PE) requirements. In the latest guide (version 2.13, released in September 2024), three of those PE requirements were merged into one, PE.L1-B.1.IX – Manage Visitors & Physical Access [FCI Data], which requires organizations to “escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.” This consolidation brought the total down from 17 to 15, as confirmed in the official CMMC rule (32 CFR).

When is CMMC Level 1 compliance required?

CMMC Level 1 compliance will be required for most new DoD contracts at the time of award starting on November 10, 2025, which is 60 days after the 48 CFR CMMC Acquisition rule was published in the Federal Register. This rule implements the DFARS 252.204-7021, which formally requires CMMC certification as a condition for contract award.

You can find more information about when contractors actually need to be certified in this recap of the Cyber AB’s September Town Hall.

How does CMMC Level 1 certification work?

CMMC Level 1 certification requires an annual self-assessment, which involves reviewing and documenting that you’ve met all 15 cybersecurity practices defined in FAR 52.204-21. All requirements must be met in full—no exceptions or POA&Ms are allowed at this level. Organizations must then score themselves as "MET" or "NOT MET" (like a pass/fail) and submit these assessment results and scores in the Supplier Performance Risk System, along with an executive affirmation of compliance, to achieve a CMMC Status of Final Level 1 (Self). They must repeat this process every year to maintain this status and certification.

Does Level 1 CMMC require a third-party audit?

CMMC Level 1 does not require a third-party assessment like the higher levels do; instead, it requires a self-assessment to verify the implementation of all 15 security requirements and 58 assessment objectives of Level 1. However, organizations can engage a third party to assist with their self-assessment, as noted in the DoD’s CMMC Level 1 Self-Assessment Guide.

What are the CMMC Level 1 domains?

CMMC Level 1 presents a baseline of 15 cybersecurity requirements for protecting FCI that are organized into six domains, which map directly to the NIST 800-171 Rev. 2 control families. The CMMC Level 1 domains are defined below:

  • Access Control: Control who can access FCI, ensuring employees use unique login credentials and strong password management.
  • Identification and Authentication: Verify the identities of users accessing FCI through authentication measures.
  • Media Protection: Protect both physical and digital media used to store FCI, with rules around handling, storage, and disposal.
  • Physical Protection: Limit physical access to locations storing FCI, implementing badge systems or secured entry points.
  • System and Communications Protection: Protect the edges of a system and ensure that devices that work together are managed safely, using secure communication protocols and network segmentation techniques.
  • System and Information Integrity: Ensure systems are secure and up-to-date, using antivirus software and security patches.

What happens if I fail to meet CMMC Level 1 requirements?

Failing to meet all CMMC Level 1 requirements will result in a “No CMMC Status” in the SPRS and disqualification from defense contracts involving FCI (both existing and new contracts). Regular self-assessments and a proactive approach to cybersecurity help mitigate risks of non-compliance, which include loss of contracts as well as legal and financial penalties.

What’s the cost of CMMC Level 1 compliance?

The cost of CMMC Level 1 compliance is at least $4,000-$6,000, which is the DoD’s estimate for the Level 1 self-assessment only. Level 1 is the least costly level because of its self-assessment and minimal security requirements (the DoD estimates the cost of a Level 2 self-assessment at $37-49k, for example), but the actual cost varies with company size, current cybersecurity posture, and whether additional headcount or software is required. You can find a more detailed breakdown of costs by level here.

How many controls are in CMMC Level 1?

Typically, an organization will need to implement around 50 controls on average for CMMC Level 1. The exact number of controls you implement to meet the 15 requirements and 58 assessment objectives for CMMC Level 1 may vary depending on your assessment scope and the complexity of your infrastructure and organization. 


Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.