Quick Answer: CMMC Level 1 requirements include 15 security practices across six control families designed to protect Federal Contract Information (FCI). Organizations handling FCI for Department of Defense contracts must complete these controls and perform an annual self-assessment to maintain compliance.
CMMC Level 1 requirements cover 15 practices across six control families, focused entirely on protecting Federal Contract Information (FCI). If your company handles FCI and wants to bid on Department of Defense contracts, you need to meet these requirements and complete an annual self-assessment.
That sounds manageable on paper, but scoping your environment, documenting controls, and maintaining compliance year after year takes real time and expertise most small contractors don't have in-house. This page breaks down exactly what Level 1 requires, where companies get stuck, and what your options are for getting there.
CMMC Level 1 is the entry point of the Cybersecurity Maturity Model Certification program, established by the Department of Defense to protect the defense industrial base. At this level, you're protecting FCI - information provided by or generated for the government under a contract, but not intended for public release.
Level 1 contains 15 practices drawn from the 48 controls in FAR Clause 52.204-21. These practices span six control families:
| Control Family | Focus Area |
|---|---|
| Access Control (AC) | Limit system access to authorized users and devices |
| Identification & Authentication (IA) | Verify user and device identity before granting access |
| Media Protection (MP) | Sanitize or destroy media containing FCI before disposal |
| Physical Protection (PE) | Limit physical access to systems that store or process FCI |
| System & Communications Protection (SC) | Monitor and control communications at system boundaries |
| System & Information Integrity (SI) | Protect systems against malicious code and keep software current |
Unlike CMMC Level 2, which requires 110 practices aligned to NIST SP 800-171 and a third-party assessment every three years, Level 1 uses an annual self-assessment model. You evaluate your own controls, document the results, and submit your score to the Supplier Performance Risk System (SPRS).
That self-assessment requirement is important. It means you're responsible for accurately scoring your own compliance posture - and inaccurate self-assessments carry legal risk under the False Claims Act. The DoD expects all defense contractors to meet CMMC compliance requirements by the end of 2026, which means the clock is already running.
If you're also handling CUI, you'll need to look at CMMC Level 2 compliance requirements, which add significantly more scope and require a certified third-party assessment.
CMMC Level 1 looks straightforward from the outside. Fifteen practices, an annual self-assessment - how hard can it be? In practice, most organizations hit the same obstacles before they ever submit a score.
Getting to CMMC Level 1 compliance isn't just a checklist exercise. Each practice requires a combination of technical implementation, documented evidence, and ongoing maintenance. Here's what that work actually looks like across the key areas.
Every practice in the CMMC Level 1 requirements needs supporting documentation - policies that describe how your organization handles access control, media disposal, physical security, and system integrity. Without that documentation, you can't accurately complete your self-assessment. BEMO creates 18+ IT policies during implementation, covering the controls needed to support both your self-assessment and any future audit.
The practices in Level 1 require real technical controls, not just written policies. You need access controls enforced at the system level, antivirus and malware protection actively running, boundary protections in place, and authentication mechanisms that actually verify identity. For Microsoft 365 environments, tools like Entra ID, Intune, and Defender provide the foundation - but they need to be properly configured to meet CMMC compliance level 1 requirements, not just deployed out of the box.
A self-assessment is a point-in-time evaluation, but the controls behind it need to stay active all year. That means patch management, log monitoring, access reviews, and training tracking running continuously. BEMO's 24/7 SOC reviews 100K+ monthly logs through AI-assisted monitoring, with approximately 100 events per month escalated for human review, so gaps don't quietly develop between assessment cycles.
Your people are part of your compliance boundary. CMMC Level 1 doesn't have a formal security awareness training requirement the way Level 2 does, but your staff still needs to understand how to handle FCI, recognize phishing attempts, and follow your access control policies. BEMO uses KnowBe4 for security awareness training, which covers this gap and helps you build a documented training record.
There's no single right way to approach CMMC Level 1 compliance requirements. The right model depends on your internal resources, timeline, and risk tolerance. Here's an honest breakdown of the three main options.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
|---|---|---|---|
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
DIY gives you full control but requires staff who understand both the technical and compliance sides of CMMC. A GRC platform like Drata or Vanta provides structure and automation, but someone on your team still has to do the work. A managed compliance partner handles implementation, tooling, documentation, and ongoing maintenance - you stay informed without becoming the compliance department.
If you're starting from scratch or unsure where your current posture stands, here's the practical path forward.
Getting to CMMC Level 1 compliance isn't just about checking boxes. It requires the right technical environment, accurate documentation, and a process that holds up year after year. BEMO is built specifically for that kind of outcome-focused compliance work.
BEMO assigns a dedicated compliance team to your account and owns the outcome. You don't have to figure this out alone.
Book a GAP Assessment to see exactly where you stand against CMMC Level 1 compliance requirements and what it takes to get compliant before your next contract deadline.
Questions? Contact BEMO or call us directly to talk through your situation.
CMMC Level 1 requires 15 practices across six control families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. These practices are derived from FAR Clause 52.204-21 and focus on protecting Federal Contract Information. Level 1 uses an annual self-assessment rather than a third-party audit, but the results must be submitted to the SPRS database.
CMMC Level 1 includes 15 practices, which is significantly fewer than the 110 practices required at Level 2. If your work involves CUI rather than just FCI, Level 1 won't be sufficient - you'll need to meet the full CMMC compliance level 1 requirements and then build toward Level 2. A GAP assessment can help you determine which level applies to your contracts.
For most organizations, getting to a defensible Level 1 compliance posture takes several months when you account for scoping, technical implementation, policy development, and self-assessment preparation. BEMO's typical initial implementation timeline runs approximately eight months for clients across CMMC and other frameworks. Starting early gives you time to close gaps without the pressure of a contract deadline forcing shortcuts.
A GAP assessment maps your current security controls against the CMMC Level 1 requirements and identifies specific gaps in your technical configuration, policies, and documentation. It tells you what you have, what you're missing, and what needs to change before you can accurately self-assess. BEMO conducts GAP assessments as the first step in its implementation process, producing a prioritized remediation roadmap.
No. CMMC Level 1 uses an annual self-assessment model - you evaluate your own controls and submit your score to SPRS. A third-party assessment is only required starting at Level 2. That said, the self-assessment still carries legal weight, and inaccurate submissions can create False Claims Act exposure. Working with a compliance partner helps you document controls accurately and submit with confidence.
BEMO assigns a dedicated team to each client account, including a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. That team handles implementation, ongoing monitoring, and compliance maintenance - so you're not managing CMMC Level 1 requirements with a single internal hire wearing multiple hats.