The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure the protection of sensitive national security information such as controlled unclassified information (CUI) and federal contract information (FCI). The certification applies to all DoD contractors and subcontractors, and a contractor that fails to maintain compliance will be unable to bid for DoD contracts. CMMC 2.0 is an update to CMMC 1.0, which was initially released in January 2021. The new version includes updates to the protection of FCI and CUI.

Under DFARS and DoD rules and policies, the DoD implemented cybersecurity controls in the CMMC standard to protect CUI and FCI. Thus, the CMMC measures an organization’s ability to protect FCI and CUI. FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. CUI is information that requires safeguarding or dissemination controls according to and consistent with federal laws, regulations, and government-wide policies.

CMMC 2.0 consists of three distinct maturity levels. Organizations can choose from the three maturity levels, Foundational, Advanced, and Expert, to better assess and improve their cybersecurity posture. This article looks at everything you need to know about CMMC 2.0 Level 1, its controls, and requirements.

CMMC 2.0 Level 1: Everything You Need to Know

What Determines My CMMC Level Requirement?

The required CMMC certification level is determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business.

Companies that have a FAR 52.204-21 clause (which is a subset of DFARS requirements) in their contract and handle only FCI will need to achieve CMMC Level 1. This level does not require a certified third-party assessment provider for certification. It requires an annual self-assessment with attestation from a corporate executive.

What Is CMMC 2.0 Level 1?

The Foundational level is the first of the three levels, and it consists of basic cybersecurity risk management practices. This level encompasses the most basic of cyber protection measures and is intended to address the most common cyber threats. It focuses on basic measures of security and risk management, such as authentication and access control, which is the ability to control who can access what information.

The requirements of this level are divided into 17 different practices, including, but not limited to, Asset Management, Media Protection, Identification & Authentication, Security Assessment & Authorization, and System & Communication Protection. Organizations must demonstrate that all of the required practices have been implemented, as well as demonstrate effective cybersecurity risk management processes.

Who Needs CMMC 2.0 Level 1?

CMMC 2.0 Level 1 applies to DoD contractors and subcontractors that handle FCI that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

The Foundational level requires organizations to perform basic cybersecurity practices. They are allowed to reach certification through an annual self-assessment. CMMC Third Party Assessor Organizations (C3PAOs) are not involved with Level 1 certification. 

CMMC 2.0 Level 1 Domains and Controls

CMMC Maturity Level 1 is the first and foundational level of CMMC certification. Its requirements consist of basic cybersecurity practices of 17 security controls extracted from these six domains:


  • Access Control (AC): 4 controls
  • Identification and Authentication (IA): 2 controls
  • Media Protection (MP): 1 control
  • Physical Protection (PE): 4 controls
  • System and Communications Protection (SC): 2 controls
  • System and Information Integrity (SI): 4 controls

The controls and security requirements in each domain include:

Access Control (AC)

The Access Control domain focuses on the tracking and understanding of who has access to your systems and network. This includes user privileges, remote access, and internal system access. The specific controls include:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  • Verify and control/limit connections to and use of external information systems
  • Control information posted or processed on publicly accessible information systems

Identification and Authentication (IA)

The Identification and Authentication domain focuses on the roles within an organization. It synergizes with the access control domain by ensuring that access to all systems and networks is traceable for reporting and accountability. The controls include:

  • Identify information system users, processes acting on behalf of users, or devices
  • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems

Media Protection (MP)

Media Protection focuses on the identification, tracking, and ongoing maintenance of media. It also includes policies about protection, data sanitization, and acceptable transportation. This domain has only one requirement:

  • Sanitize or destroy information system media containing federal contract information before disposal or release for reuse

Physical Protection (PE)

Many organizations implement a sign-in process, requiring card reader identification and access to certain portions of their location. Yet, not every organization supervises its visitors throughout their entire stay. This domain has the following requirements that help organizations with that:

  • Limit physical access to the organization’s information systems, equipment, and the respective operating environments to authorized individuals
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access devices
  • Control and manage physical access devices

System and Communications Protection (SC)

Communication between employees needs to be secure so that no bad actor can eavesdrop and record sensitive data. The System and Communications Protection domain focuses on implementing boundary-level defenses for organizational communications. The requirements in this domain include:

  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizations’ information systems) at the external boundaries and key internal boundaries of the information systems
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System and Information Integrity (SI)

This domain focuses on the ongoing maintenance and management of issues within information systems. It emphasizes that organizations direct effort toward identifying malicious code, maintaining ongoing email protections, and monitoring their systems. The requirements include:

  • Identify, report, and correct information and information system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations within organizational information systems
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

Frequently Asked Questions


What Is CMMC 2.0?

CMMC 2.0 is the latest version of the Cybersecurity Maturity Model Certification. It is a comprehensive set of procedures and standards developed by the Department of Defense, meant to establish a consistent approach to safeguarding CUI. The CMMC model is designed to help organizations evaluate and address their cybersecurity risks, as well as improve their overall security posture.

What Is the Purpose of CMMC 2.0 Level 1?

The primary purpose of CMMC 2.0 Level 1 is to ensure that organizations have the basic controls in place to protect CUI from unauthorized use. Level 1 defines the minimum set of cybersecurity practices that organizations must have in place to protect CUI, including standards such as identity management, asset management, and access control.

What Are the Consequences of Noncompliance With CMMC 2.0 Level 1?

The consequences of noncompliance with CMMC 2.0 Level 1 vary. Failing to comply with the minimum standards can open up an organization to potential harm, as sensitive information could be leaked or stolen. Additionally, organizations may face penalties from the Department of Defense or other regulatory bodies if they are found to be out of compliance.

How Can I Implement CMMC 2.0 Level 1 Practices?

Implementing CMMC 2.0 Level 1 practices in an organization can be done at different levels and can be tailored to the organization’s situation. A starting point is to create a risk assessment, and from there, organizations can identify the specific controls and practices needed to meet the standards. They should also establish a program for monitoring and reporting on their progress.

What Are the Benefits of Complying With CMMC 2.0 Level 1?

The benefits of complying with CMMC 2.0 Level 1 are numerous. First, organizations will be able to protect the integrity of their CUI and be confident that it is safe from unauthorized use. Additionally, by having a robust set of cybersecurity practices in place, organizations can demonstrate due diligence to customers and other stakeholders, and can help prevent costly data breaches. Finally, complying with CMMC 2.0 Level 1 can help organizations pass audits and comply with applicable laws and regulations.

Kiteworks Private Content Network Enables Compliance With CMMC 2.0 Level 1

The Kiteworks Private Content Network (PCN) helps organizations in the Defense Industrial Base (DIB) simplify the CMMC 2.0 Level 1 compliance process. Kiteworks unifies, tracks, controls, and secures all sensitive content communications in one platform. It also allows first parties and third parties to collaborate on confidential content. Kiteworks helps simplify and accelerate the process of achieving CMMC 2.0 Level 1 compliance by providing access control, secure file transfer, file encryption, secure file sharing, and authentication with two-factor authentication and multi-factor authentication. Organizations can set granular permissions and policies to ensure the highest levels of security of their data and content.

As part of CMMC 2.0 Level 1 compliance, Kiteworks helps organizations to create a digital audit trail on their sensitive content communications. This enables them to monitor sensitive content communications and to demonstrate adherence to data privacy and security regulations, including CMMC 2.0 Level 1.

To learn more about the Kiteworks Private Content Network and how it can accelerate your CMMC 2.0 Level 1 compliance, schedule a custom-tailored demo today. 
