CMMC Level 1 Basics: What You Need to Know
CMMC Level 1 is the lowest level of security controls a defense contractor must meet to earn Cybersecurity Maturity Model Certification. It is considered the basic cybersecurity hygiene needed to safeguard Federal Contract Information (FCI).
Level 1 is the foundation for the Defense Industrial Base, including those contractors looking to achieve a higher level of certification.
Have a question already in mind? Jump to a particular section using the links below, or contact our experts for additional support on achieving Level 1 compliance.
- What is CMMC Level 1?
- Why It’s Important To Start With Level 1
- What Are The Requirements of Level 1?
- How Do I Achieve Level 1?
- Get CMMC Level 1 Certified
What is CMMC Level 1?
Simply put, to achieve CMMC Level 1 certification, defense contractors must demonstrate basic cyber hygiene as defined in 48 CFR 52.204-21. The Level 1 practices establish the security foundation for the higher levels of the model and must be completed by all certified organizations.
Level 1 is achievable for smaller companies and consists of a subset of universally accepted common security practices. FCI is information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does NOT include information the Government provides to the public.
While the practices are expected to be performed, security process maturity is not assessed at CMMC Level 1, so a Level 1 organization may have limited or inconsistent cybersecurity processes. Level 1 therefore offers only limited protection against data exfiltration and malicious actions.
Why It’s Important to Start with Level 1
Regardless of which CMMC level defense contractors wish to achieve, they must begin by achieving the basic cyber hygiene defined in Level 1. If achieving CMMC compliance were compared with building a house, Level 1 would be the concrete foundation, plumbing and electrical wiring. The higher levels are unachievable until these basics are in place. CMMC certification is a sequential process, with each level building on the one before it.
What Are the Requirements of Level 1?
There are 17 controls that must be met to achieve CMMC Level 1, all of which map directly to Federal Acquisition Regulation (FAR) 52.204-21. Here is how the 17 controls break down by domain:
Access Control (AC)
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- Verify and control/limit connections to and use of external information systems
- Control information posted or processed on publicly accessible information systems
Identification and Authentication (IA)
- Identify information system users, processes acting on behalf of users, or devices
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
Media Protection (MP)
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Physical Protection (PP)
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access devices
- Control and manage physical access devices
System and Communications Protection (SC)
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity (SI)
- Identify, report, and correct information and information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed