
Understanding CMMC Level 1 Requirements for Federal Contract Information Security (Updated for Final 48 CFR Rule)

Jim Carlson (Co-Founder & CEO)

What Are the Essential Requirements for CMMC Level 1 Compliance in Federal Contract Information Security?

Editor’s Note: This article has been updated to reflect the final CMMC Program Rule (32 CFR Part 170) and the CMMC Acquisition Rule (48 CFR / DFARS 252.204-7021), finalized on September 10, 2025 and effective November 10, 2025.

Key Takeaways

  • CMMC Level 1 mandates 15 specific cybersecurity practices based on FAR 52.204-21 for protecting Federal Contract Information (FCI).

  • Full implementation of all practices is required; Plans of Action and Milestones (POA&Ms) are not allowed.

  • Contractors must perform self-assessments at least annually and maintain a current affirmation of continuous compliance in SPRS to remain eligible for Department of Defense (DoD) contracts.


Introduction

The Defense Industrial Base faces increasing cybersecurity challenges, prompting the Department of Defense (DoD) to raise the bar through the Cybersecurity Maturity Model Certification (CMMC). Level 1 of the CMMC framework establishes fundamental cybersecurity standards focused on securing Federal Contract Information (FCI). Recent updates, effective November 2025, codify these requirements into enforceable contract clauses under the final 48 CFR rule, making compliance a mandatory condition for DoD contracting eligibility.

This article walks you through the critical aspects of CMMC Level 1 requirements, who must comply, the mandatory cybersecurity practices, and the procedures contractors must follow for ongoing certification and affirmation. For more about how the 48 CFR final rule affects cybersecurity requirements, see our detailed overview.


Understanding Who Must Comply With CMMC Level 1

Any contractor or subcontractor processing, storing, or transmitting FCI in connection with a DoD contract is required to meet CMMC Level 1 standards. It is important to note that this level does not cover Controlled Unclassified Information (CUI), which requires higher CMMC levels. For distinctions between CUI and FCI, review our guide on CUI vs FCI under the Final Rule.

  • CMMC Level 1 compliance is a contractual prerequisite when specified in solicitation documents.

  • Prime contractors bear responsibility for ensuring their subcontractors also comply, a requirement known as “flow-down.”

  • Compliance status must be recorded and updated annually in the DoD’s Supplier Performance Risk System (SPRS).

This framework promotes a consistent cybersecurity baseline across the defense supply chain, safeguarding sensitive government information.


The Foundation: Fifteen Mandatory Cybersecurity Practices of CMMC Level 1

The 15 foundational practices of CMMC Level 1 align directly with FAR 52.204-21, defining essential steps that protect FCI. These controls span six vital categories:

Access Control

  • Ensure only authorized users access systems.

  • Restrict system connections to approved devices.

  • Control access to software and system resources.

Identification and Authentication

  • Authenticate users, processes, or devices before granting any access.

Media Protection

  • Sanitize or destroy media before disposal or reuse.

  • Protect FCI on physical and digital media during storage and transmission.

Physical Protection

  • Limit physical access to information systems and related environments to authorized personnel only.

System and Communications Protection

  • Monitor and control external boundary communications.

  • Segment networks to isolate publicly accessible components.

System and Information Integrity

  • Detect, report, and remediate system vulnerabilities promptly.

  • Maintain current anti-malware protections and conduct periodic and real-time scans.

Note: At Level 1, contractors cannot rely on Plans of Action and Milestones (POA&Ms) to address gaps. Full implementation of all 15 practices is mandatory before self-affirming compliance. For practical templates and evidence management strategies, see our resources on CMMC Level 2 Templates for POA&M and Evidence Logs, as some of those principles also benefit Level 1 documentation.


The Annual Self-Assessment and Affirmation Requirement

One significant difference at Level 1 is the absence of third-party certifications. Instead, contractors must:

  • Conduct an internal self-assessment every year, following DoD’s scoring guidelines.

  • Submit assessment results and formal affirmation in SPRS.

  • Ensure a senior executive, such as the CEO, attests to the accuracy and completeness of the self-assessment.

  • Retain supporting evidence in case of government audits or reviews.

Failure to affirm compliance annually may lead to suspension from DoD contracting opportunities, impacting business continuity.


How Prime Contractors Must Manage Flow-Down Compliance

Prime contractors take a pivotal role in enforcing CMMC Level 1 across their subcontractors who handle FCI. Responsibilities include:

  • Verifying subcontractors complete their annual self-assessments and submit affirmations.

  • Ensuring only compliant subcontractors receive DoD contracts involving FCI.

  • Monitoring and documenting compliance to meet DoD auditing requirements.

This “flow-down” approach supports a unified cybersecurity posture throughout tiered supplier networks.


Why Compliance at Level 1 Is Crucial

  • It is the baseline standard under the updated 48 CFR rule for all contracts involving FCI.

  • Achieving and maintaining compliance ensures eligibility for current and future DoD contracts.

  • It mitigates the risk of data breaches and protects government information assets.

  • It prepares organizations for possible transition to higher CMMC levels when handling Controlled Unclassified Information.

For many small and medium contractors, Level 1 compliance is the gateway to sustained participation in the defense supply ecosystem. For additional guidance tailored to small contractors, consider our post on CMMC 48 CFR Final Rule: What Small Defense Contractors Need to Know.


Staying Compliant Beyond November 2025

  • Plan and execute annual self-assessments rigorously.

  • Keep comprehensive records of cybersecurity practices and assessments.

  • Train employees to recognize and handle FCI securely.

  • Review SPRS submissions regularly for accuracy and timely reaffirmation.

  • Stay informed of updates to FAR 52.204-21 and related DoD cybersecurity guidance.

These measures will enable organizations to meet contractual obligations and reduce audit risks.


Frequently Asked Questions

What constitutes Federal Contract Information?

FCI is any information provided by or generated for the government under contract that is not meant for public release. It does not include classified or Controlled Unclassified Information (CUI).

Is third-party certification required at Level 1?

No. Contractors perform an internal self-assessment and annually affirm compliance; third-party audits are not required.

Can contractors use POA&Ms to address deficiencies at Level 1?

No. All 15 Level 1 practices must be fully implemented before contractors may affirm compliance.

How frequently must affirmations be submitted?

Assessment and affirmation must occur annually to maintain eligibility.

How does CMMC Level 1 align with other cybersecurity frameworks?

Level 1 covers basic cybersecurity hygiene comparable to controls in CIS Controls version 8 and ISO 27001 Annex A but specifically targets DoD’s requirements for safeguarding FCI.


"Fully embracing CMMC Level 1 means not only meeting foundational cybersecurity standards but also securing your position in the evolving DoD procurement landscape."


Conclusion

CMMC Level 1 now carries decisive contractual requirements for all DoD contractors managing Federal Contract Information. By committing to the full implementation of the 15 foundational cybersecurity practices and completing annual self-assessments with formal affirmations, organizations safeguard government data and preserve their bidding eligibility.

The November 2025 enforcement date is fast approaching. Taking action today prepares your business to comply seamlessly with these updated federal cybersecurity mandates.

To simplify compliance management, contractors can leverage tools like the CMMC Dashboard which streamline self-assessment tracking, documentation, and flow-down oversight.

Stay compliant, stay competitive. Get started with the CMMC Dashboard today!