If your organization works with the US Department of Defense (DoD), understanding the CMMC Level 1 Requirements is essential for meeting basic cybersecurity standards. In this guide, we’ll provide a clear overview of what Level 1 entails and what your team needs to do to stay compliant. This is the first part of our series on the Cybersecurity Maturity Model Certification (CMMC). For details on higher levels, check out our upcoming guides covering Levels 2, 3, 4, and 5.
Understanding the CMMC Level 1 Requirements is the first step toward achieving cybersecurity compliance for organizations working with the Department of Defense. This blog, part of a comprehensive series, draws directly from CMMC Volume 1.02 (March 2020) to clearly explain the practices required at each level.
Since this is the first article, we’ll start with a solid overview of the CMMC framework, including key definitions and concepts that apply across all levels. Here’s how this guide is structured:
- Overall CMMC 101: Core concepts and baseline definitions
- Deep Dive into Level 1: Understanding specific requirements
- Guide to Level 1 Compliance: Practical steps to meet the standards
Let’s get started!
CMMC 101: The Entire Framework
The CMMC framework is published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) in collaboration with key DoD stakeholders, including University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs). Its purpose is to help organizations comply with cybersecurity standards and protect sensitive information from cyber threats.
Understanding this framework is essential for meeting CMMC Level 1 Requirements, as it forms the foundation for all compliance practices. The CMMC primarily safeguards the Defense Industrial Base (DIB) and the broader supply chain of DoD contractors.
The main types of information the CMMC protects include:
- Federal Contract Information (FCI): Data provided for or generated under government contracts that is not intended for public release.
- Controlled Unclassified Information (CUI): Information not classified but restricted from public disclosure due to laws, regulations, or policies. This excludes information classified under the Atomic Energy Act or related Executive Orders.
The CMMC also integrates requirements from other key regulations, including:
- Federal Acquisition Regulation (FAR) Clause 52.204-21: Safeguarding FCI
- NIST Special Publication 800-171 (SP 800-171): Security requirements for CUI, aligned with DFARS Clause 252.204-7012
Through its structured system of interlocking cybersecurity domains and maturity levels, the CMMC ensures that DoD contractors meet all necessary requirements to protect stakeholders and achieve CMMC Level 1 compliance.
Core Domains and Capabilities
At the heart of the CMMC framework are 17 key cybersecurity domains, each comprising multiple capabilities that guide specific practices for each maturity level. For organizations seeking CMMC Level 1 compliance, these domains define the foundational cybersecurity practices required to protect sensitive DoD information.
The CMMC domains and capabilities are based on NIST SP 800-171 and FIPS standards, and collectively inform the 171 practices across all five maturity levels. While all domains are important, Level 1 focuses on basic safeguarding of Federal Contract Information (FCI).
Here’s a breakdown of the 17 domains and their core capabilities:
- Access Control (AC): Controlling system access (4 capabilities)
- Establish requirements for system access
- Restrict internal and remote system access
- Limit access based on authorization
- Asset Management (AM): Accounting and management of assets (1 capability)
- Identify and document all physical and digital assets
- Maintain an inventory of these assets
- Audit and Accountability (AU): Defining audit standards (4 capabilities)
- Define audit requirements and perform audits
- Protect and regularly review audit logs
- Awareness and Training (AT): Personnel training (2 capabilities)
- Conduct security awareness activities
- Provide regular security training
- Configuration Management (CM): Security settings (2 capabilities)
- Establish baseline configurations for devices and software
- Manage maintenance and changes
- Identification and Authentication (IA): User controls (1 capability)
- Grant access only to authenticated users
- Incident Response (IR): Handling security events (5 capabilities)
- Plan, detect, respond, review, and test incident protocols
- Maintenance (MA): System upkeep (1 capability)
- Manage maintenance of systems and security
- Media Protection (MP): Safeguarding media (4 capabilities)
- Identify, protect, sanitize, and secure media during transport
- Personnel Security (PS): Staff security measures (2 capabilities)
- Screen personnel thoroughly
- Protect CUI during personnel interactions
- Physical Protection (PE): Controlling physical access (1 capability)
- Restrict access to sensitive assets
- Recovery (RE): Post-incident readiness (1 capability)
- Maintain backups and ensure continuity
- Risk Management (RM): Identifying and mitigating risks (2 capabilities)
- Monitor, identify, and mitigate risks, including supply chain risks
- Security Assessment (CA): Reviewing security (3 capabilities)
- Manage security plans, implement controls, and perform audits
- Situational Awareness (SA): Threat monitoring (1 capability)
- Implement systems for threat detection
- Systems and Communications Protection (SC): Safeguards for systems and communication (2 capabilities)
- Define and monitor security requirements across communications
- System and Information Integrity (SI): Maintaining system integrity (4 capabilities)
- Monitor flaws, manage malware, perform system monitoring, safeguard email
While each domain contains multiple capabilities and practices, CMMC Level 1 Requirements focus primarily on basic safeguarding practices for FCI. Higher levels add more rigorous capabilities, processes, and oversight.
Levels, Focuses, Processes, and Practices
Organizations do not implement the entire CMMC framework all at once. Instead, they progress through maturity levels, gradually increasing the scope and sophistication of their cybersecurity practices. Understanding these levels is key for achieving CMMC Level 1 Requirements and planning for higher levels of compliance.
Each CMMC maturity level has a specific focus, and it measures two things:
- Processes: How institutionalized the cybersecurity practices are
- Practices: How effectively the practices are implemented
Here’s a breakdown of all five CMMC maturity levels:
- Level 1 – Basic Cyber Hygiene (CMMC Level 1 Requirements):
- Focus: Safeguarding Federal Contract Information (FCI)
- Processes: Performed but not formally assessed
- Practices: Basic Cyber Hygiene practices
- Level 2 – Intermediate Cyber Hygiene:
- Focus: Preliminary protection of Controlled Unclassified Information (CUI)
- Processes: Documented and assessed
- Practices: Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene:
- Focus: Cementing full control and protection of CUI
- Processes: Managed, with a maintenance plan
- Practices: Good Cyber Hygiene
- Level 4 – Proactive Cybersecurity:
- Focus: Defending against Advanced Persistent Threats (APT)
- Processes: Reviewed and measured for effectiveness
- Practices: Move from hygiene to proactive cybersecurity
- Level 5 – Advanced/Progressive Cybersecurity:
- Focus: Optimizing protection of FCI, CUI, and against APTs
- Processes: Continuously optimized across all systems
- Practices: Advanced or progressive cybersecurity posture
Levels are cumulative, meaning that achieving a higher level assumes the organization maintains all practices and processes from previous levels. Certification at any level requires demonstrating both the required processes and practices, which can apply organization-wide or to specific divisions.
Understanding CMMC Level 1 Controls
Understanding the CMMC Level 1 Requirements doesn’t have to be overwhelming. Level 1 is the simplest of all maturity levels, designed as an introduction to the CMMC framework.
Here’s what makes Level 1 unique:
- Focus on FCI: Level 1 only addresses Federal Contract Information (FCI), leaving the more complex Controlled Unclassified Information (CUI) for higher levels.
- Limited practices: Only 17 of the 171 total practices apply, spread across just 6 of the 17 domains. All practices originate from FAR Clause 52.204-21.
- Minimal process assessment: Process institutionalization is not assessed at Level 1, so organizations often implement practices in an ad hoc manner without formal documentation.
Because Level 1 controls are basic, organizations implementing them for the first time typically adopt them gradually, learning as they go.
Next, we’ll take a closer look at the actual Level 1 practices, broken down by domain, as detailed in CMMC Version 1.02. Each subsection refers directly to the official text to ensure accurate guidance.
CMMC Level 1 Requirements: Domain-Specific Practices
To meet CMMC Level 1 Requirements, organizations must implement the following practices across key domains. These foundational practices focus on safeguarding Federal Contract Information (FCI).
Access Control (AC) – 4 Practices
- AC.1.001: Restrict access to information systems by user—only authorized users, authorized processes, or other authorized systems may access.
- AC.1.002: Restrict access by function—users may only perform functions they are authorized to execute.
- AC.1.003: Verify, control, and limit connections to external information systems for all users and functions.
- AC.1.004: Monitor and control information posted on publicly accessible media, including all public-facing systems.
Identification and Authentication (IA) – 2 Practices
- IA.1.076: Identify all users of information systems, including processes, devices, and systems acting on behalf of users.
- IA.1.077: Verify the identity of users before granting access to information systems.
Media Protection (MP) – 1 Practice
- MP.1.118: Sanitize or destroy all FCI on media prior to disposal or reuse to prevent unauthorized access.
CMMC Level 1 Requirements: Remaining Domain Practices
To fully meet CMMC Level 1 Requirements, organizations must implement the following practices across the remaining key domains:
Physical Protection (PE) – 4 Practices
- PE.1.131: Restrict physical access to information systems, equipment, and operating environments to authorized individuals only.
- PE.1.132: Escort and monitor all visitors carefully while on site.
- PE.1.133: Maintain detailed logs of all physical access to information systems.
- PE.1.134: Control and manage devices used to enable physical access to systems.
Systems and Communications Protection (SC) – 2 Practices
- SC.1.175: Monitor and safeguard communications at all internal and external system boundaries.
- SC.1.176: Separate publicly accessible system components using independent subnetworks, either logically or physically.
System and Information Integrity (SI) – 4 Practices
- SI.1.210: Routinely scan for, identify, and correct system flaws immediately.
- SI.1.211: Implement protections against malicious code across appropriate system locations.
- SI.1.212: Regularly update anti-malware and other protective mechanisms.
- SI.1.213: Periodically scan systems, and scan files from external sources as they are downloaded, opened, or executed.
How to Meet CMMC Level 1 Requirements
Meeting the CMMC Level 1 Requirements is straightforward compared to higher maturity levels. Level 1 is unique because process institutionalization is not assessed, and all practices align with FAR Clause 52.204-21. Many organizations may already be compliant with some of these basic cybersecurity practices; what's required to achieve certification is simple implementation, not documentation.
Despite the simplicity, certification is still required. Organizations must be assessed by a Certified Third Party Assessment Organization (C3PAO), as recognized by the CMMC Accreditation Body.
At RSI Security, we offer a complete CMMC services suite to guide organizations through Level 1 compliance and certification. Our experts can help you:
- Prepare your organization to implement all Level 1 practices effectively
- Navigate the certification process with confidence
- Achieve CMMC Level 1 certification directly through our C3PAO status
Whether you’re just starting with Level 1 or planning to progress to higher levels, RSI Security provides end-to-end support to ensure your organization meets all necessary cybersecurity requirements.
Safeguard FCI with RSI Security
At RSI Security, we understand that achieving CMMC Level 1 Requirements is just the first step in building a strong cybersecurity posture. Compliance is not the end; it's the foundation for protecting your organization and the broader Defense Industrial Base (DIB).
Our team has over a decade of experience delivering cybersecurity solutions to businesses across industries, including DoD contractors. We provide support for:
- CMMC certification, including Level 1 through Level 5
- Implementation of effective cybersecurity practices across your organization
- Addressing broader cybersecurity challenges to safeguard sensitive data
For DoD contractors, staying secure isn't just about protecting your company; it helps protect the entire supply chain and, ultimately, national security. CMMC Level 1 compliance is simple to implement with the right guidance, and RSI Security is ready to help you strengthen your cyber defenses, safeguard assets, and ensure stakeholder trust.
Contact RSI Security today to see how straightforward it can be to meet CMMC Level 1 Requirements and build a robust cybersecurity foundation.