CMMC 2.0 Level 1: Everything You Need to Know
The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure the protection of sensitive national security information such as controlled unclassified information (CUI) and federal contract information (FCI). The certification applies to all DoD contractors and subcontractors, and a contractor that fails to maintain compliance will be unable to bid for DoD contracts. CMMC 2.0 is an update to the CMMC 1.0 that was initially released in January 2021.
Under DFARS and DoD rules and policies, the DoD implemented cybersecurity controls in the CMMC standard to protect CUI and FCI. Thus, the CMMC measures an organization’s ability to protect FCI and CUI. FCI is any information that is ‘not intended for public release’; CUI is information that requires safeguarding and may also be subject to dissemination controls. FCI is defined in FAR clause 52.204-21, and CUI is defined in Title 32 CFR Part 2002. Since Level 1 focuses on safeguarding FCI, the applicable self-assessment objectives for Level 1 are modified to address FCI rather than CUI, as set forth in 32 CFR § 170.15(c)(1)(i).
This article looks at everything you need to know about CMMC 2.0 Level 1, its controls, and requirements.
How to Determine if CMMC 2.0 Level 1 is Appropriate for Your Business
The required CMMC certification level is determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business.
Defense contractors that have FAR clause 52.204-21 (which is a subset of DFARS requirements) in their contract and handle only FCI will need to achieve CMMC Level 1. This level does not require a certified third-party assessment provider for certification. It requires an annual self-assessment with an attestation from a corporate executive.
Overview of CMMC 2.0 Requirements
CMMC 2.0 represents a significant update to the Department of Defense’s (DoD) approach to cybersecurity verification for contractors within the defense industrial base (DIB). The overarching goal is to protect sensitive information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), from cyber threats. CMMC 2.0 streamlines the original five levels into a three-tiered model, simplifying compliance while maintaining robust security standards.
- CMMC 2.0 Level 1 (Foundational) directly maps to the 15 basic safeguarding requirements found in Federal Acquisition Regulation (FAR) Clause 52.204-21. This level is intended for organizations that only handle FCI and requires an annual self-assessment with executive affirmation. It establishes fundamental cyber hygiene practices.
- CMMC 2.0 Level 2 (Advanced) aligns with the 110 security controls specified in NIST SP 800-171. This level applies to organizations handling CUI. Depending on the criticality of the CUI involved in the contract, compliance requires either an annual self-assessment or a triennial third-party assessment conducted by CMMC third-party assessor organizations (C3PAOs). This marks a significant step up, requiring more comprehensive cybersecurity controls and adherence to the specific CMMC 2.0 Level 2 requirements.
- CMMC 2.0 Level 3 (Expert) builds upon Level 2 by incorporating a subset of controls from NIST SP 800-172. This level is designed for organizations handling CUI associated with the highest-priority DoD programs and focuses on protecting against advanced persistent threats (APTs). Compliance requires a triennial assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Understanding these levels and their associated requirements under CMMC 2.0 is crucial for any organization involved in DoD contracts governed by DFARS clauses.
What Is CMMC 2.0 Level 1?
The Foundational level is the first of the three levels, and it consists of basic cybersecurity risk management practices. This level encompasses the most basic of cyber protection measures and is intended to address the most common cyber threats. It focuses on basic measures of security and risk management, such as authentication and access control, which is the ability to control who can access what information.
The requirements of this level are divided into 6 domains and 15 requirements, including, but not limited to, Access Control, Identification and Authentication, and System and Information Integrity. Organizations must demonstrate that all of the required practices have been implemented, as well as demonstrate effective cybersecurity risk management processes.
CMMC 2.0 and NIST 800‑171: Which One Do You Need?
While CMMC 2.0 heavily leverages NIST standards, particularly NIST SP 800-171, they serve different primary purposes. NIST SP 800-171 provides a set of recommended security requirements (controls) for protecting the confidentiality of CUI in nonfederal systems. It acts as a guideline. CMMC 2.0, on the other hand, is a DoD certification program designed to verify that contractors have implemented these controls appropriately.
The core difference lies in assessment and enforcement. NIST SP 800-171 compliance has historically relied on self-attestation, though DFARS Clause 252.204-7012 mandated its implementation. CMMC 2.0 introduces mandatory assessments (self-assessments for Level 1, and a mix of self and third-party/government assessments for Levels 2 and 3) with formal certification or affirmation required to bid on DoD contracts. CMMC 2.0 Level 2 directly aligns with all 110 controls of NIST SP 800-171 Rev. 2, making NIST SP 800-171 the foundation for CMMC Level 2 compliance.
CMMC 2.0 and NIST 800-171: Similarities and Differences
While CMMC 2.0 builds on the foundation laid by NIST SP 800-171, the two frameworks serve distinct purposes and have important differences in implementation and enforcement. The comparison below highlights where they align—and where they diverge:
- Overlap: CMMC Level 2 incorporates all 110 controls from NIST SP 800-171 Rev 2. Level 3 adds a subset of controls from NIST SP 800-172.
- Purpose: NIST SP 800-171 provides security guidelines; CMMC 2.0 is a certification framework to verify implementation.
- Assessment: NIST traditionally relied on self-assessment; CMMC mandates assessments (self, third-party, or government) depending on the level.
- Certification: NIST does not issue certifications; CMMC provides formal certification (Level 2 assessed by a C3PAO, Level 3 assessed by DIBCAC) or requires affirmation (Level 1 self-assessment, Level 2 self-assessment).
- POA&Ms: CMMC 2.0 allows limited use of Plans of Action & Milestones (POA&Ms) for certain Level 2 controls (must be closed within 180 days), whereas Level 1 does not permit POA&Ms. NIST SP 800-171 allowed broader use of POA&Ms under previous self-attestation models.
Even though CMMC Level 1 only requires adherence to FAR 52.204-21 (which overlaps with some NIST SP 800-171 controls), understanding NIST terminology is beneficial as the CMMC framework, including its assessment guides, heavily references NIST publications like SP 800-171 and SP 800-171A (the assessment guide for 800-171).
Key Changes From CMMC 1.0 to CMMC 2.0
The release of CMMC 2.0 marked a significant shift from its predecessor, CMMC 1.0, with an emphasis on simplifying the model, aligning more closely with existing federal standards, and reducing compliance burdens—particularly for small and mid-sized contractors. Below are the most notable updates that defense contractors need to understand:
- Streamlined Levels: CMMC 2.0 reduced the number of compliance levels from five (in CMMC 1.0) to three (Foundational, Advanced, Expert). Levels 2 and 4 from CMMC 1.0 were eliminated.
- Alignment with NIST: CMMC 2.0 aligns more closely with established NIST standards. Level 1 maps to FAR 52.204-21, Level 2 aligns with NIST SP 800-171 Rev 2, and Level 3 incorporates controls from NIST SP 800-172. CMMC-unique practices and maturity processes from version 1.0 were removed.
- Assessment Requirements Modified: CMMC 1.0 mandated third-party assessments for all levels. CMMC 2.0 allows annual self-assessments for Level 1. Level 2 requires either annual self-assessments or triennial third-party assessments (by C3PAOs) depending on the contract. Level 3 requires triennial government-led assessments.
- Plans of Action & Milestones (POA&Ms): CMMC 1.0 did not allow POA&Ms for certification. CMMC 2.0 permits limited use of POA&Ms for Level 2 assessments under specific conditions (must be closed within 180 days, certain critical controls excluded). POA&Ms are not permitted for Level 1.
- Waivers Introduced: CMMC 2.0 allows for waivers to CMMC requirements under limited circumstances, which were not permitted in CMMC 1.0.
Why Changes From CMMC 1.0 to CMMC 2.0 Matter for Level 1 Contractors
The most significant change for contractors requiring only CMMC Level 1 is the shift to an annual self-assessment model instead of a mandatory third-party assessment. This reduces the direct cost and complexity of achieving compliance, although diligent documentation and an accurate self-assessment are still crucial. The alignment with FAR 52.204-21 remains the core requirement.
Who Needs CMMC 2.0 Level 1?
CMMC 2.0 Level 1 applies to DoD contractors and subcontractors that handle FCI that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
The Foundational level requires organizations to perform basic cybersecurity practices. They are allowed to reach certification through an annual self-assessment. CMMC Third Party Assessor Organizations (C3PAOs) are not involved with Level 1 certification.
Implementation Timeline and Key Deadlines
CMMC 2.0 is being phased in gradually, giving defense contractors time to prepare for new assessment and certification requirements. Below is a summary of key milestones and what to expect at each stage of the rollout:
- December 16, 2024: 32 CFR Final Rule (32 CFR Part 170) Effective Date. The rule establishing the CMMC program became effective. CMMC assessments became available starting January 2, 2025.
- Early to Mid-2025 (Anticipated): 48 CFR CMMC Proposed Rule is published. This rule will detail how CMMC requirements are incorporated into DoD contracts (DFARS Clause 252.204-7021). This is the trigger for the phased rollout.
- Phase 1 (Starting Mid-2025): Initial Rollout. Once the 48 CFR rule is final, the DoD will begin including CMMC Level 1 self-assessment and Level 2 self-assessment requirements in applicable solicitations. Contractors bidding on these must have completed their self-assessment and affirmed compliance in SPRS.
- Phase 2 (Starting ~Mid-2026): Level 2 Certification Requirements Begin. DoD will start including CMMC Level 2 certification assessment requirements (conducted by C3PAOs) in applicable solicitations.
- Phase 3 (Starting ~Mid-2027): Level 3 Requirements and Option Period Conditions Begin. DoD will introduce CMMC Level 3 assessment requirements in applicable solicitations. Additionally, CMMC Level 2 certification may become a condition for exercising option periods on contracts awarded after the CMMC rule’s effective date.
- Phase 4 (Starting ~Mid-2028): Full Implementation. CMMC requirements will be included in all applicable DoD solicitations and contracts, including as a condition for option periods on all relevant contracts, regardless of award date.
Advice for Level 1 Contractors: Since Level 1 requires an annual self-assessment and affirmation in SPRS, and these requirements will begin appearing in contracts during Phase 1 (starting mid-2025), organizations needing CMMC Level 1 should aim to complete their initial self-assessment and SPRS submission as soon as possible in 2025. Staying ahead ensures readiness when relevant contracts are released. Remember, the self-assessment is an annual requirement.
CMMC 2.0 Level 1 Domains and Controls
CMMC Maturity Level 1 is the first and foundational level of CMMC certification. The requirements of this level are divided into these 6 domains:
| Domain | Number of Controls |
| --- | --- |
| Access Control (AC) | 4 controls |
| Identification and Authentication (IA) | 2 controls |
| Media Protection (MP) | 1 control |
| Physical Protection (PE) | 2 controls |
| System and Communications Protection (SC) | 2 controls |
| System and Information Integrity (SI) | 4 controls |
The controls and security requirements in each domain include:
Access Control (AC)
The Access Control domain focuses on the tracking and understanding of who has access to your systems and network. This includes user privileges, remote access, and internal system access. The specific controls include:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- Verify and control/limit connections to and use of external information systems
- Control information posted or processed on publicly accessible information systems
Identification and Authentication (IA)
The Identification and Authentication domain focuses on the roles within an organization. It synergizes with the access control domain by ensuring that access to all systems and networks is traceable for reporting and accountability. The controls include:
- Identify information system users, processes acting on behalf of users, or devices
- Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems
Media Protection (MP)
Media Protection focuses on identifying, tracking, and maintaining media. It also includes policies about protection, data sanitization, and acceptable transportation. This domain has only one requirement:
- Sanitize or destroy information system media containing federal contract information before disposal or release for reuse
Physical Protection (PE)
Many organizations implement a sign-in process, requiring card reader identification for access to certain portions of their location. Yet, not every organization supervises its visitors throughout their entire stay. This domain addresses that gap with the following requirements (FAR 52.204-21 states the last three as a single requirement, which is why the table above counts two PE controls):
- Limit physical access to the organization’s information systems, equipment, and the respective operating environments to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access devices
- Control and manage physical access devices
System and Communications Protection (SC)
Communication between employees needs to be secure so that no bad actor can eavesdrop on and record sensitive data. The System and Communications Protection domain focuses on implementing defenses at the boundaries of the organization’s communications. The requirements in this domain include:
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizations’ information systems) at the external boundaries and key internal boundaries of the information systems
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity (SI)
This domain focuses on the ongoing maintenance and management of issues within information systems. It requires organizations to identify malicious code, keep protections on email current, and monitor their systems. The requirements include:
- Identify, report, and correct information and information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Self‑Assessment Process and Documentation for Level 1
Achieving CMMC 2.0 Level 1 compliance involves a mandatory annual self-assessment. Organizations must evaluate their implementation of the 15 security requirements specified in FAR 52.204-21 against the assessment objectives outlined in the official DoD CMMC Level 1 Assessment Guide (which leverages NIST SP 800-171A). The process requires careful documentation and an official affirmation.
The workflow generally includes: defining the assessment scope (identifying assets that process, store, or transmit FCI), performing the assessment using the ‘examine,’ ‘interview,’ and ‘test’ methods for each of the 15 controls, and documenting findings. For each control, the finding must be ‘met’ or ‘not applicable’. A ‘not met’ finding means the organization does not comply with CMMC Level 1. Evidence supporting each ‘met’ finding must be collected and retained. This evidence can include policies, procedures, system logs, screenshots, or interview notes.
Once the self-assessment confirms all requirements are met, a senior company official must formally affirm compliance by submitting the assessment results into the DoD’s Supplier Performance Risk System (SPRS). This affirmation must be renewed annually after completing a new self-assessment. While organizations can perform this internally, using tools or third-party assistance (though it remains a ‘self-assessment’ not a certification) is common. Key resources include the official CMMC Level 1 Self-Assessment Guide and CMMC Level 1 Scoping Guidance available on the DoD CIO website.
CMMC 2.0 Level 1 Compliance Checklist
CMMC Level 1 focuses on protecting federal contract information (FCI) through basic safeguarding measures. While the requirements are less complex than higher levels, contractors must still follow a structured approach to ensure compliance. Use this checklist to guide your organization through the key steps for achieving and maintaining CMMC Level 1 status:
- Identify and Scope FCI: Determine where federal contract information (FCI) is processed, stored, or transmitted within your organization’s systems. Use the official CMMC Level 1 Scoping Guidance.
- Review FAR 52.204-21 Requirements: Familiarize yourself with the 15 basic safeguarding controls outlined in FAR Clause 52.204-21. These are the core CMMC 2.0 Level 1 controls.
- Implement or Verify Safeguards: Ensure technical controls and processes are in place to meet each of the 15 requirements across the six domains (Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity).
- Document Policies and Practices: Maintain basic documentation describing how your organization meets each requirement. While extensive policies aren’t mandated at Level 1 like higher levels, clear documentation supports the assessment.
- Conduct Annual Self-Assessment: Using the official CMMC Level 1 Self-Assessment Guide, evaluate your implementation of each of the 15 controls against the specified assessment objectives. Determine if each control is ‘met’ or ‘not applicable’.
- Collect and Retain Evidence: Gather proof (logs, screenshots, configuration settings, written procedures) demonstrating that each control assessed as ‘met’ is effectively implemented.
- Remediate Gaps (If Necessary): If any controls are ‘not met’, implement corrective actions. All 15 controls must be MET (or N/A) for compliance. POA&Ms are not permitted for Level 1.
- Submit Affirmation in SPRS: Once all controls are MET, have a senior company official log into the Supplier Performance Risk System (SPRS) and submit the self-assessment results, affirming compliance.
- Repeat Annually: The self-assessment and SPRS affirmation must be completed and submitted every year to maintain CMMC Level 1 compliance status.
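The self-assessment rules described above (every one of the 15 requirements assessed, each finding ‘met’ or ‘not applicable’, evidence retained for every ‘met’, and no POA&Ms at Level 1) can be checked mechanically before a senior official affirms in SPRS. The script below is an added example, not part of the original article or any DoD tool; the `AC-1`-style requirement labels, the `Finding` record and the evidence file names are assumptions constructed for illustration, while the domain counts come from the table above.

```python
"""Consistency check for a CMMC 2.0 Level 1 self-assessment record (added example)."""
from dataclasses import dataclass, field

# Six Level 1 domains and the number of FAR 52.204-21 requirements in each
# (counts taken from the article's table; together they make up the 15 requirements).
LEVEL1_DOMAINS = {"AC": 4, "IA": 2, "MP": 1, "PE": 2, "SC": 2, "SI": 4}
VALID_STATUSES = {"met", "not applicable", "not met"}


@dataclass
class Finding:
    """One assessed requirement. 'requirement_id' is a hypothetical local label."""
    requirement_id: str
    domain: str
    status: str
    evidence: list = field(default_factory=list)  # retained artifacts for a 'met' finding
    justification: str = ""                       # rationale for 'not applicable'


def evaluate(findings):
    """Return (compliant, issues). The record is compliant only when no issues remain."""
    issues = []
    per_domain = {d: 0 for d in LEVEL1_DOMAINS}
    seen = set()
    for f in findings:
        if f.requirement_id in seen:
            issues.append(f"{f.requirement_id}: assessed more than once")
            continue
        seen.add(f.requirement_id)
        if f.domain not in LEVEL1_DOMAINS:
            issues.append(f"{f.requirement_id}: unknown domain {f.domain!r}")
            continue
        per_domain[f.domain] += 1
        if f.status not in VALID_STATUSES:
            issues.append(f"{f.requirement_id}: invalid finding {f.status!r}")
        elif f.status == "not met":
            # Level 1 permits no POA&Ms: a single 'not met' means the record cannot be affirmed
            issues.append(f"{f.requirement_id}: NOT MET (no POA&M allowed at Level 1; remediate first)")
        elif f.status == "met" and not f.evidence:
            issues.append(f"{f.requirement_id}: 'met' without retained evidence")
        elif f.status == "not applicable" and not f.justification.strip():
            issues.append(f"{f.requirement_id}: 'not applicable' without justification")
    # Every domain must have exactly as many findings as it has requirements
    for domain, expected in LEVEL1_DOMAINS.items():
        if per_domain[domain] != expected:
            issues.append(f"{domain}: {per_domain[domain]} findings recorded, {expected} required")
    return (not issues, issues)


def sample_record():
    """Constructed all-'met' record: one finding per requirement with placeholder evidence."""
    findings = []
    for domain, n in LEVEL1_DOMAINS.items():
        for i in range(1, n + 1):
            findings.append(Finding(f"{domain}-{i}", domain, "met",
                                    evidence=[f"screenshot-{domain}-{i}.png"]))
    return findings


if __name__ == "__main__":
    ok, problems = evaluate(sample_record())
    print("ready to affirm" if ok else "not ready", problems)
```

Run `evaluate` over the organization’s own findings before the SPRS submission; any issue it reports (a requirement left unassessed, a ‘met’ with no evidence, or a ‘not met’) is a gap to close under the “Remediate Gaps” step rather than something to carry forward, since Level 1 has no POA&M mechanism.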
Frequently Asked Questions
What Is CMMC 2.0?
CMMC 2.0 is the latest version of the Cybersecurity Maturity Model Certification. It is a comprehensive set of procedures and standards developed by the Department of Defense, meant to establish a consistent approach to safeguarding CUI. The CMMC model is designed to help organizations evaluate and address their cybersecurity risks, as well as improve their overall security posture.
What Is the Purpose of CMMC 2.0 Level 1?
The primary purpose of CMMC 2.0 Level 1 is to ensure that organizations have the basic controls in place to protect FCI from unauthorized use. Level 1 consists of the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.
What Are the Consequences of Noncompliance With CMMC 2.0 Level 1?
The consequences of noncompliance with CMMC 2.0 Level 1 vary. Failing to comply with the minimum standards can open up an organization to potential harm, as sensitive information could be leaked or stolen. Additionally, organizations may face penalties from the Department of Defense or other regulatory bodies if they are found to be out of compliance.
How Can I Implement CMMC 2.0 Level 1 Practices?
Implementing CMMC 2.0 Level 1 practices in an organization can be done at different levels and can be tailored to the organization’s situation. A starting point is to create a risk assessment, and from there, organizations can identify the specific controls and practices needed to meet the standards. They should also establish a program for monitoring and reporting on their progress.
What Are the Benefits of Complying With CMMC 2.0 Level 1?
The benefits of complying with CMMC 2.0 Level 1 are numerous. First, organizations will be able to protect the integrity of their FCI and be confident that it is safe from unauthorized use. Additionally, by having a basic set of cybersecurity practices in place, organizations can demonstrate due diligence to customers and other stakeholders and help prevent costly data breaches. Finally, complying with CMMC 2.0 Level 1 can help organizations qualify to bid for contracts with the DoD.
Kiteworks Private Content Network Enables Compliance With CMMC 2.0 Level 1
The Kiteworks Private Content Network (PCN) simplifies the CMMC 2.0 Level 1 compliance process for organizations in the Defense Industrial Base (DIB). Kiteworks unifies, tracks, controls, and secures all sensitive content communications in one platform. It also allows first parties and third parties to collaborate on confidential content. Kiteworks helps simplify and accelerate the process of achieving CMMC 2.0 Level 1 compliance by providing access control, secure file transfer, file encryption, secure file sharing, and authentication with two-factor and multi-factor authentication. Organizations can set granular permissions and policies to ensure the highest levels of security for their data and content.
As part of CMMC 2.0 Level 1 compliance, Kiteworks helps organizations to create a digital audit trail on their sensitive content communications. This enables them to monitor sensitive content communications and to demonstrate adherence to data privacy and security regulations, including CMMC 2.0 Level 1.
To learn more about the Kiteworks Private Content Network and how it can accelerate your CMMC 2.0 Level 1 compliance, schedule a custom-tailored demo today.