CMMC Level 1 Compliance Guide for Small Business Government Contractors
Learn what CMMC Level 1 means, who needs it, the basic cybersecurity requirements, self-assessment steps, and how small DoD contractors can prepare.
CMMC can sound intimidating, especially if you are a small business contractor without a dedicated cybersecurity team. But CMMC Level 1 is not meant to be a complicated technical audit. It is the foundational cybersecurity requirement for many Department of Defense contractors and subcontractors that handle basic federal contract information.
This guide explains what CMMC Level 1 is, why it matters, what you must protect, which cybersecurity requirements apply, and how your business can begin preparing with a practical step-by-step approach.
What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense framework for verifying whether defense contractors have the proper cybersecurity safeguards in place to protect sensitive government contract information.
FCI
Federal Contract Information
FCI is non-public information provided by or generated for the government under a contract. It may include contract documents, project instructions, delivery details, and internal contract communications.
CUI
Controlled Unclassified Information
CUI is more sensitive unclassified information that requires additional protection. Examples may include technical data, engineering drawings, export-controlled information, or security-related information.
Purpose
Defense Supply Chain Security
CMMC is designed to reduce cybersecurity risk across the Defense Industrial Base and help ensure contractors are protecting federal contract information and controlled unclassified information.
Plain-English takeaway: If your company works with the DoD, supports a DoD prime contractor, or plans to bid on DoD contracts, CMMC may affect your ability to win or keep certain contract opportunities.
What Is CMMC Level 1?
CMMC Level 1 is the foundational level of CMMC compliance. It focuses on protecting Federal Contract Information, or FCI. It is meant to confirm that a contractor has basic cybersecurity hygiene in place.
CMMC Level 1 Applies to FCI
Level 1 generally applies when a contractor or subcontractor processes, stores, or transmits Federal Contract Information on contractor information systems.
CMMC Level 2 Applies to CUI
If your company handles Controlled Unclassified Information, Level 1 may not be enough. CUI typically moves contractors into CMMC Level 2, which is much more involved and aligned with NIST SP 800-171.
Important note: Older CMMC materials may refer to Level 1 as 17 practices. Current DoD CMMC 2.0 guidance organizes Level 1 around 15 basic safeguarding requirements from FAR 52.204-21.
Why CMMC Level 1 Matters for DoD Contractors
CMMC is not only an IT issue. It is a contract readiness issue. As CMMC requirements appear in DoD solicitations and contracts, contractors may need the required CMMC status before award, option exercise, or contract extension.
Bid Eligibility
CMMC may affect whether your company can compete for certain DoD opportunities.
Prime Contractor Flow-Downs
Subcontractors may need to meet CMMC requirements passed down by prime contractors.
Contract Protection
Basic cybersecurity helps protect non-public contract information from exposure or misuse.
Future Readiness
Level 1 readiness can help prepare your business for more advanced requirements later.
CMMC Level 1 vs. CMMC Level 2
The most important distinction is the type of information your company handles. FCI points to Level 1. CUI may point to Level 2.
| Category | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Primary Focus | Basic safeguarding of FCI | Protection of CUI |
| Core Requirement Source | FAR 52.204-21 | NIST SP 800-171 |
| Assessment Type | Annual self-assessment and affirmation | Self-assessment or third-party assessment, depending on contract requirements |
| Best Fit | Contractors handling FCI only | Contractors handling CUI |
The 15 CMMC Level 1 Cybersecurity Requirements
CMMC Level 1 is built around basic safeguarding. These are not advanced cybersecurity requirements. They are the minimum safeguards a contractor should have in place to protect FCI.
Limit System Access
Only authorized users, systems, and devices should be able to access company information systems.
Limit User Functions
Authorized users should only be able to perform the actions they are permitted to perform.
Control External Connections
Manage and verify connections between your systems and outside systems or tools.
Control Public Information
Prevent FCI from being posted or exposed on public-facing websites or systems.
Identify Users and Devices
Use unique accounts and identify users, processes, and devices before allowing access.
Authenticate Access
Verify that users, processes, or devices are who they claim to be before granting access.
Sanitize or Destroy Media
Remove or destroy FCI before reusing, selling, discarding, or releasing devices and storage media.
Limit Physical Access
Control physical access to systems, equipment, and areas where FCI may be stored or accessed.
Escort and Monitor Visitors
Escort visitors, monitor physical access, and control keys, badges, and other access devices.
Protect Communications
Protect information transmitted or received by company systems, especially at external boundaries.
Separate Public Systems
Separate public-facing systems from internal systems that handle contract or business information.
Correct System Flaws
Identify, report, and correct system vulnerabilities through patching and maintenance.
Protect Against Malware
Use anti-malware protection to help defend against viruses, ransomware, and other malicious code.
Update Malware Protection
Keep security tools and malware protection current with updates and definitions.
Perform Security Scans
Scan systems periodically and scan files from external sources when downloaded, opened, or executed.
How CMMC Level 1 Self-Assessments Work
CMMC Level 1 does not require a C3PAO assessment. Instead, contractors complete an annual self-assessment and submit the required affirmation through the appropriate DoD reporting process.
Self-assessment does not mean casual. A Level 1 self-assessment should be documented, evidence-based, and accurate. Your company should be able to show how each requirement is implemented.
What You Assess
- Systems that process FCI
- Systems that store FCI
- Systems that transmit FCI
- Users, devices, software, and vendors connected to that environment
What You Document
- Assessment scope
- Requirement status
- Evidence reviewed
- Gaps and corrective actions
- Annual affirmation readiness
What Does “Assessment Scope” Mean?
Assessment scope means identifying the systems, people, facilities, devices, and processes included in your CMMC self-assessment. For Level 1, the scope should focus on where FCI is processed, stored, or transmitted.
Technology
Employee laptops, desktops, email systems, cloud storage, shared drives, servers, mobile devices, and network equipment.
People
Employees, managers, administrators, subcontractors, vendors, and outside IT providers who may access FCI.
Facilities
Offices, storage areas, visitor access points, file storage locations, and any physical location where FCI may be handled.
Small business tip: The more places FCI lives, the harder it is to protect. Keeping FCI in approved systems can make CMMC Level 1 readiness more manageable.
What Evidence Should You Keep for CMMC Level 1?
Your company should be able to show how Level 1 requirements are implemented. Evidence does not need to be overly complicated, but it should be organized and accurate.
Administrative Evidence
- Access control policies
- User account lists
- Employee onboarding and offboarding procedures
- Visitor logs
- Physical access procedures
- Media disposal or destruction records
Technical Evidence
- Password and authentication settings
- Device inventory
- Firewall or network configuration records
- Anti-malware settings and scan logs
- Patch management records
- Screenshots of relevant system settings
CMMC Level 1 Timeline: What Small Businesses Should Know
CMMC implementation began in 2025 and is being phased into DoD contracting requirements over time. Contractors should review current and upcoming opportunities for CMMC language instead of waiting until a proposal deadline.
Now
Identify Contract Exposure
Review current DoD contracts, target opportunities, recompetes, and subcontract relationships.
Next
Determine FCI or CUI
Identify whether your company handles FCI only or whether CUI may be involved.
Ongoing
Maintain Readiness
Document your self-assessment, correct gaps, and maintain annual compliance practices.
How to Prepare for CMMC Level 1
CMMC Level 1 readiness becomes easier when you break the process into clear steps.
1
Identify Your DoD Contract Exposure
Review current contracts, subcontract work, future DoD targets, and solicitations that mention CMMC or FAR 52.204-21.
2
Determine Whether You Handle FCI or CUI
If you handle FCI only, Level 1 may apply. If you handle CUI, you should evaluate CMMC Level 2 requirements.
3
Map Where FCI Lives
Document where FCI is received, stored, shared, accessed, and transmitted. Include cloud platforms, email, devices, and vendors.
4
Compare Current Practices Against Level 1 Requirements
Mark each requirement as met, not met, or not applicable. Keep evidence for each decision.
5
Fix the Gaps
Prioritize access control, malware protection, patching, device management, physical access, and public exposure risks.
6
Document and Maintain Your Self-Assessment
Create a clear record of the assessment date, scope, people involved, evidence reviewed, findings, and corrective actions.
CMMC Level 1 Readiness Checklist
Use this checklist as a practical starting point for your organization.
- Identify whether your company works on DoD contracts or subcontracts.
- Review whether your company handles FCI or CUI.
- Map where FCI is processed, stored, or transmitted.
- Identify all systems, devices, users, and vendors in scope.
- Review the 15 CMMC Level 1 requirements.
- Collect evidence for each requirement.
- Correct gaps before submitting any affirmation.
- Document the self-assessment process.
- Submit required results and affirmations when applicable.
- Review subcontractor and vendor involvement.
- Repeat the process annually.
Common CMMC Level 1 Mistakes to Avoid
Assuming Subcontractors Are Exempt
CMMC requirements can flow down when subcontractors handle FCI or CUI connected to DoD contract performance.
Confusing FCI With CUI
Level 1 focuses on FCI. If your company handles CUI, you may need to prepare for Level 2.
Skipping Evidence
A self-assessment still needs documentation. You should be able to show how each requirement is met.
Waiting Until a Solicitation Requires CMMC
Once CMMC appears in a solicitation, there may not be enough time to assess, fix gaps, and document compliance.
Frequently Asked Questions About CMMC Level 1
Is CMMC Level 1 required for all DoD contractors?
CMMC requirements apply when they are included in the solicitation or contract and when contractor systems process, store, or transmit FCI or CUI. Many DoD contractors and subcontractors should expect at least Level 1 if they handle FCI.
Can small businesses self-assess for CMMC Level 1?
Yes. CMMC Level 1 is completed through an annual self-assessment and affirmation. A company may use outside help to prepare, but Level 1 does not require a third-party C3PAO certification assessment.
Does CMMC Level 1 cover CUI?
No. CMMC Level 1 focuses on protecting Federal Contract Information. If your company handles Controlled Unclassified Information, CMMC Level 2 may apply.
Is CMMC Level 1 the same as NIST SP 800-171?
No. Level 1 is based on the basic safeguarding requirements in FAR 52.204-21. CMMC Level 2 is where the broader NIST SP 800-171 requirements become central.
What happens if my company is not ready?
If a solicitation or contract requires a specific CMMC level and your company does not have the required status and affirmation, you may be ineligible for award, option exercise, or contract extension.
Do subcontractors need CMMC Level 1?
Subcontractors may need CMMC if they process, store, or transmit FCI or CUI as part of DoD contract performance. Prime contractors should understand what information is flowing to subcontractors and what level is required.
Need Help Understanding Your CMMC Readiness?
CMMC Level 1 does not have to be overwhelming, but it does need to be taken seriously. FedBiz Access can help small business contractors understand where CMMC fits into their DoD contracting strategy, identify potential readiness gaps, and prepare for upcoming contract requirements.
Call 844-628-8914 Book a Complimentary ReviewThis guide is for general educational purposes and should not be treated as a formal cybersecurity assessment or legal determination of contract compliance.