CMMC Level 1 Certification: Requirements and Implementation

CMMC Level 1 requirements set the baseline cybersecurity standards for defense contractors, protecting Federal Contract Information with 17 essential practices. Organizations must implement access controls, authentication, network safeguards, and system monitoring, and document compliance through an annual self-assessment.

The Cybersecurity Maturity Model Certification (CMMC) program is dictating cybersecurity expectations across the defense supply chain, and as the DoD begins requiring CMMC compliance in contracts, many contractors and subcontractors must now achieve CMMC Level 1 Certification if they want to continue working with the U.S. government. CMMC Level 1 focuses on basic cybersecurity practices designed to protect Federal Contract Information (FCI). While it is the most foundational level of the framework, organizations must still implement specific safeguards and document their compliance.

What Is CMMC Level 1 Certification?

CMMC Level 1 is the entry-level certification within the CMMC framework that focuses on basic cyber hygiene. The goal of CMMC Level 1 is to protect Federal Contract Information (FCI), which includes information created for or provided by the government under a contract that is not intended for public release.

Examples of FCI may include:

  • Contract performance details
  • Internal communications related to federal projects
  • Non-public documentation supporting contract work

CMMC Level 1 establishes a baseline set of cybersecurity protections that help prevent common threats such as unauthorized access, malware, and accidental data exposure. Unlike higher CMMC levels, Level 1 compliance is verified through an annual self-assessment rather than a third-party certification, which is required for levels 2 and 3.

Who Must Meet CMMC Level 1 Requirements?

CMMC Level 1 requirements apply to organizations that store, process, or transmit Federal Contract Information as part of a Department of Defense contract. Companies that typically fall under CMMC Level 1 are a very small set of businesses that provide a product or service that is commercially available and not exclusively produced for the DoD. These companies might include, but are not limited to: 

  • Law Firms
  • Accounting Firms
  • Commercial Off The Shelf (COTS) Manufacturers
  • Employment Agencies

Organizations that handle Controlled Unclassified Information (CUI) rather than just FCI typically need to meet CMMC Level 2, which requires significantly more controls.

What Are the CMMC Level 1 Requirements?

CMMC Level 1 comprises 17 cybersecurity practices, 15 of which are derived from the federal regulation FAR 52.204-21. These practices establish the minimum safeguards required to protect Federal Contract Information.

The requirements fall into six security areas.

Access Control (AC)

  • AC.L1-3.1.1 – Authorized Access Control: Limit system access to authorized users, processes, or devices.
  • AC.L1-3.1.2 – Transaction & Function Control: Restrict authorized users to only the specific transactions and functions they are permitted to perform.
  • AC.L1-3.1.20 – External Connections: Verify and limit connections to, and the use of, external information systems.
  • AC.L1-3.1.22 – Control Public Information: Control and review all information before it is posted or processed on publicly accessible systems.

Identification and Authentication (IA)

  • IA.L1-3.5.1 – Identification: Uniquely identify system users, processes acting for them, and devices.
  • IA.L1-3.5.2 – Authentication: Verify the identities of users, processes, or devices as a requirement for system access.

Media Protection (MP)

  • MP.L1-3.8.3 – Media Disposal: Sanitize or destroy any media containing Federal Contract Information (FCI) before it is discarded or reused.

Physical Protection (PE)

  • PE.L1-3.10.1 – Limit Physical Access: Restrict physical access to systems, equipment, and operating environments to authorized personnel only.
  • PE.L1-3.10.3 – Escort Visitors: Ensure all visitors are escorted and their activities are monitored.
  • PE.L1-3.10.4 – Physical Access Logs: Maintain records of physical access to the facility or sensitive areas.
  • PE.L1-3.10.5 – Manage Physical Access: Properly identify, control, and manage physical access devices like keys and badges.

System and Communications Protection (SC)

  • SC.L1-3.13.1 – Boundary Protection: Monitor and protect communications at the external and key internal boundaries of the network.
  • SC.L1-3.13.5 – Public-Access System Separation: Physically or logically separate publicly accessible system components from internal networks.

System and Information Integrity (SI)

  • SI.L1-3.14.1 – Flaw Remediation: Identify, report, and fix system flaws (like software vulnerabilities) within defined timeframes.
  • SI.L1-3.14.2 – Malicious Code Protection: Protect against malware at all necessary system locations.
  • SI.L1-3.14.4 – Update Malicious Code Protection: Update anti-malware mechanisms automatically or frequently when new releases are available.
  • SI.L1-3.14.5 – System & File Scanning: Perform regular system scans and real-time scans of files from external sources.

Together, these 17 practices form the requirements necessary to pass a CMMC Level 1 self-assessment.

How to Meet CMMC Level 1 Requirements

To meet CMMC Level 1 requirements, the contractor must implement the necessary cybersecurity practices and then perform and pass a CMMC Level 1 self-assessment. First, they define their CMMC Self-Assessment Scope by identifying all assets, such as devices and software, that process, store, or transmit Federal Contract Information (FCI).

The assessment process then requires evaluating the 17 security practices using a combination of three defined methods:

  • Examining document-based artifacts like policies and audit logs
  • Interviewing personnel with security responsibilities
  • Testing system mechanisms to verify they function as intended

For each practice, the contractor must record a finding of MET, NOT MET, or NOT APPLICABLE. A finding of MET can also be achieved through inheritance, where the contractor provides evidence that a practice is being successfully performed by an External Service Provider (ESP), such as a cloud or managed service provider. To pass the assessment, the contractor must achieve a finding of MET or NOT APPLICABLE for every Level 1 practice; a single NOT MET finding means the assessment does not demonstrate compliance.

The primary result of this effort is a self-assessment report that contains the findings and the supporting evidence for each objective. Once the internal review is complete and compliance is confirmed, a senior company official must submit an affirmation in the Supplier Performance Risk System (SPRS) to assert that the contractor meets all basic safeguarding requirements. This self-assessment is not a one-time event but must be conducted annually to maintain compliance.

How NeQter Labs Helps Organizations Meet CMMC Level 1 Requirements

Without centralized tools, companies often rely on spreadsheets, manual documentation, and disconnected security systems. At NeQter Labs, we simplify how organizations meet and maintain CMMC Level 1 requirements by combining control implementation and compliance tracking into one platform.

NeQter Core delivers the technical foundation needed for Level 1 through a set of integrated tools. Its SIEM capabilities provide centralized logging and monitoring to support system integrity (SI) and help detect suspicious activity. The vulnerability scanner continuously identifies and helps remediate system weaknesses, supporting ongoing patching and risk reduction. The asset inventory tracker gives you full visibility into the devices and users in your environment, which is critical for enforcing access control (AC) and maintaining secure configurations. Together, these capabilities help implement and maintain key controls across access management, authentication (IA), network protection (SC), and system integrity (SI).

NeQter Comply (included in NeQter Core) then connects those controls directly to all CMMC Level 1 practices, giving you real-time insight into your compliance posture. It highlights gaps, tracks progress, and organizes the evidence needed for annual self-assessments and SPRS reporting.

Together, NeQter Core and NeQter Comply provide a centralized, automated approach to achieving CMMC Level 1—helping you stay compliant, maintain proof, and avoid the complexity of manual processes.

Interested in learning more? Schedule a meeting with us here. 
