Quick Answer: CMMC Level 1 requirements include 15 security practices across six control families designed to protect Federal Contract Information (FCI). Organizations handling FCI for Department of Defense contracts must complete these controls and perform an annual self-assessment to maintain compliance.
CMMC Level 1 requirements cover 15 practices across six control families, focused entirely on protecting Federal Contract Information (FCI). If your company handles FCI and wants to bid on Department of Defense contracts, you need to meet these requirements and complete an annual self-assessment.
That sounds manageable on paper, but scoping your environment, documenting controls, and maintaining compliance year after year takes real time and expertise most small contractors don't have in-house. This page breaks down exactly what Level 1 requires, where companies get stuck, and what your options are for getting there.
Key Takeaways
- CMMC Level 1 includes 15 security practices across six control families focused on protecting Federal Contract Information (FCI).
- Scoping is often the biggest challenge because many organizations underestimate which systems, users, and data flows fall within the compliance boundary.
- Achieving CMMC Level 1 compliance can take several months when documentation, technical controls, and self-assessment preparation are included.
- Building internal compliance expertise often costs $84K to $132K+ per hire before onboarding, benefits, and tooling expenses.
- A managed compliance partner can handle implementation, documentation, and ongoing maintenance for a lower cost than building an internal compliance function.
What Are CMMC Level 1 Requirements?
CMMC Level 1 is the entry point of the Cybersecurity Maturity Model Certification program, established by the Department of Defense to protect the defense industrial base. At this level, you're protecting FCI - information provided by or generated for the government under a contract, but not intended for public release.
Level 1 contains 15 practices drawn from the 48 controls in FAR Clause 52.204-21. These practices span six control families:
| Control Family | Focus Area |
| --- | --- |
| Access Control (AC) | Limit system access to authorized users and devices |
| Identification & Authentication (IA) | Verify user and device identity before granting access |
| Media Protection (MP) | Sanitize or destroy media containing FCI before disposal |
| Physical Protection (PE) | Limit physical access to systems that store or process FCI |
| System & Communications Protection (SC) | Monitor and control communications at system boundaries |
| System & Information Integrity (SI) | Protect systems against malicious code and keep software current |
Unlike CMMC Level 2, which requires 110 practices aligned to NIST SP 800-171 and a third-party assessment every three years, Level 1 uses an annual self-assessment model. You evaluate your own controls, document the results, and submit your score to the Supplier Performance Risk System (SPRS).
That self-assessment requirement is important. It means you're responsible for accurately scoring your own compliance posture - and inaccurate self-assessments carry legal risk under the False Claims Act. The DoD expects all defense contractors to meet CMMC compliance requirements by the end of 2026, which means the clock is already running.
If you're also handling CUI, you'll need to look at CMMC Level 2 compliance requirements, which add significantly more scope and require a certified third-party assessment.
Challenges Companies Face Getting CMMC Compliant
CMMC Level 1 looks straightforward from the outside. Fifteen practices, an annual self-assessment - how hard can it be? In practice, most organizations hit the same obstacles before they ever submit a score.
- Underestimating scope - defining which systems, cloud services, and users fall inside your FCI boundary is harder than it sounds, and getting it wrong means either over-scoping (expensive) or under-scoping (non-compliant).
- No internal expertise - CMMC compliance spans IT configuration, policy writing, and legal risk, and most small contractors don't have staff who cover all three.
- Deadline pressure - the DoD's end-of-2026 deadline creates urgency, but that timeline doesn't account for how long it actually takes to build and document controls from scratch.
- Ongoing burden - Level 1 requires an annual self-assessment, which means your controls need to stay current, your documentation needs to stay accurate, and your team needs to stay trained.
- Tool sprawl - selecting, configuring, and maintaining the right security tools is its own project, especially if your current environment wasn't built with compliance in mind.
- Multi-framework complexity - many contractors pursuing CMMC also have SOC 2, HIPAA, or other requirements, and managing overlapping but distinct controls without a system in place gets complicated fast.
What Does It Take to Meet CMMC Level 1 Requirements?
Getting to CMMC Level 1 compliance isn't just a checklist exercise. Each practice requires a combination of technical implementation, documented evidence, and ongoing maintenance. Here's what that work actually looks like across the key areas.
Documentation and Policy Development
Every practice in the CMMC Level 1 requirements needs supporting documentation - policies that describe how your organization handles access control, media disposal, physical security, and system integrity. Without that documentation, you can't accurately complete your self-assessment. BEMO creates 18+ IT policies during implementation, covering the controls needed to support both your self-assessment and any future audit.
Technical Controls and Tooling
The practices in Level 1 require real technical controls, not just written policies. You need access controls enforced at the system level, antivirus and malware protection actively running, boundary protections in place, and authentication mechanisms that actually verify identity. For Microsoft 365 environments, tools like Entra ID, Intune, and Defender provide the foundation - but they need to be properly configured to meet the CMMC Level 1 requirements, not just deployed out of the box.
Ongoing Monitoring and Maintenance
A self-assessment is a point-in-time evaluation, but the controls behind it need to stay active all year. That means patch management, log monitoring, access reviews, and training tracking running continuously. BEMO's 24/7 SOC reviews 100K+ monthly logs through AI-assisted monitoring, with approximately 100 events per month escalated for human review, so gaps don't quietly develop between assessment cycles.
Staff Training and Awareness
Your people are part of your compliance boundary. CMMC Level 1 doesn't have a formal security awareness training requirement the way Level 2 does, but your staff still needs to understand how to handle FCI, recognize phishing attempts, and follow your access control policies. BEMO uses KnowBe4 for security awareness training, which covers this gap and helps you build a documented training record.
In-House vs Managed: Approaches to CMMC Level 1 Compliance
There's no single right way to approach CMMC Level 1 compliance requirements. The right model depends on your internal resources, timeline, and risk tolerance. Here's an honest breakdown of the three main options.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
DIY gives you full control but requires staff who understand both the technical and compliance sides of CMMC. A GRC platform like Drata or Vanta provides structure and automation, but someone on your team still has to do the work. A managed compliance partner handles implementation, tooling, documentation, and ongoing maintenance - you stay informed without becoming the compliance department.
Getting Started With CMMC Level 1 Compliance
If you're starting from scratch or unsure where your current posture stands, here's the practical path forward.
- Book a GAP Assessment - evaluate your current security environment against the 15 CMMC Level 1 practices and identify exactly what's missing or misconfigured.
- Get Your Implementation Roadmap - receive a prioritized plan covering technical controls, policy development, tooling, and a realistic timeline for your specific environment.
- Deploy Controls - implement the required security configurations, set up your GRC platform, and complete the documentation needed to support your self-assessment.
- Achieve and Maintain Compliance - complete your annual self-assessment, submit your SPRS score, and keep controls current with ongoing monitoring and maintenance support.
Why Choose BEMO for CMMC Level 1 Compliance
Getting to CMMC Level 1 compliance isn't just about checking boxes. It requires the right technical environment, accurate documentation, and a process that holds up year after year. BEMO is built specifically for that kind of outcome-focused compliance work.
- Dedicated team on your account - CSM, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO assigned from day one.
- Microsoft-native security stack - built on M365, Entra ID, Purview, Sentinel, Intune, and Defender, the same tools most defense contractors already use.
- BEMO holds its own certifications - SOC 2 Type 2 certified, ISO 27001 certified, and a Cyber AB Registered Practitioner Organization (RPO).
- GRC automation with hands-on management - Drata platform plus compliance engineers who actively manage it, not just hand you a login.
- 8-month implementation timeline - bi-weekly status meetings throughout, with 72-hour SLA remediation for identified gaps.
- Track record - 2023 Microsoft US Partner of the Year, Inc. 5000 four consecutive years, featured by Satya Nadella at the Microsoft Secure 2024 Summit.
Ready to Meet CMMC Level 1 Requirements?
BEMO assigns a dedicated compliance team to your account and owns the outcome. You don't have to figure this out alone.
Book a GAP Assessment to see exactly where you stand against CMMC Level 1 compliance requirements and what it takes to get compliant before your next contract deadline.
Questions? Contact BEMO or call us directly to talk through your situation.
Frequently Asked Questions About CMMC Level 1 Requirements
What Are the CMMC Level 1 Compliance Requirements?
CMMC Level 1 requires 15 practices across six control families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. These practices are derived from FAR Clause 52.204-21 and focus on protecting Federal Contract Information. Level 1 uses an annual self-assessment rather than a third-party audit, but the results must be submitted to the SPRS database.
How Many Controls Does CMMC Level 1 Include?
CMMC Level 1 includes 15 practices, significantly fewer than the 110 practices required at Level 2. If your work involves CUI rather than just FCI, Level 1 won't be sufficient - you'll need to meet the full set of Level 1 requirements and then build toward Level 2. A GAP assessment can help you determine which level applies to your contracts.
How Long Does It Take to Become CMMC Level 1 Compliant?
For most organizations, getting to a defensible Level 1 compliance posture takes several months when you account for scoping, technical implementation, policy development, and self-assessment preparation. BEMO's typical initial implementation timeline runs approximately eight months for clients across CMMC and other frameworks. Starting early gives you time to close gaps without the pressure of a contract deadline forcing shortcuts.
What Does a CMMC GAP Assessment Include?
A GAP assessment maps your current security controls against the CMMC Level 1 requirements and identifies specific gaps in your technical configuration, policies, and documentation. It tells you what you have, what you're missing, and what needs to change before you can accurately self-assess. BEMO conducts GAP assessments as the first step in its implementation process, producing a prioritized remediation roadmap.
Do I Need a Third-Party Assessor for CMMC Level 1?
No. CMMC Level 1 uses an annual self-assessment model - you evaluate your own controls and submit your score to SPRS. A third-party assessment is only required starting at Level 2. That said, the self-assessment still carries legal weight, and inaccurate submissions can create False Claims Act exposure. Working with a compliance partner helps you document controls accurately and submit with confidence.
What Team Is Typically Assigned for CMMC Compliance?
BEMO assigns a dedicated team to each client account, including a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. That team handles implementation, ongoing monitoring, and compliance maintenance - so you're not managing the CMMC Level 1 requirements with a single internal hire wearing multiple hats.