THE CMMC LEVEL 1 REQUIREMENTS

What CMMC Level 1
Requires of You

Fifteen requirements. Six domains. All 15 require full implementation. Companies that handle Federal Contract Information (FCI) under a Department of Defense (DoD) contract must meet all 15 Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements before submitting their score in the Supplier Performance Risk System (SPRS).

Requirements Board
15 requirements across 6 domains [SR1.1] / Source: Federal Acquisition Regulation (FAR) 52.204-21 / All must be fully met before SPRS submission
DomainPracticesWhat It RequiresIn Plain TermsKey Point
Access Control
System Access
4 Requirements

Limit system access to authorized users and processes only. Control what each user can do and restrict connections from external systems.

Who can log in, what they can see, and how outside connections are managed. 
Undocumented user access lists are among the most frequent gaps assessors identify.
Identification and Authentication
Identity
2 Requirements

Verify the identity of all users, processes, and devices before granting access to any system that stores or transmits FCI.

Password policies and login controls. Every user requires individual identification before gaining access. 
Every user requires individual credentials. Default credentials require replacement before any system touches FCI.
Media Protection
Data Handling
1 Requirement

Sanitize or destroy media containing FCI before disposal or reuse. Applies to physical and digital media equally.

USB drives, external hard drives, and printed documents require proper disposal or wiping before leaving your control. 
All removable media containing FCI requires secure wiping or physical destruction before leaving organizational control.
Physical Protection
Facility Access
2 Requirements

Limit physical access to systems, equipment, and operating environments to authorized individuals only. Maintain visitor logs and escort procedures.

Who can physically enter the space where FCI is stored or processed, and how that access is recorded. 
Server rooms and physical access points require locks, controlled entry, and monitoring records.
System and Communications Protection
Network Boundary
2 Requirements

Monitor and control communications at their boundaries. Separate FCI from public-facing or uncontrolled network segments.

Firewall configuration and basic network segmentation between systems that touch FCI and those that do not. 
FCI systems require network segmentation from general office traffic to satisfy this domain.
System and Information Integrity
System Health
4 Requirements

Identify and correct system flaws in a timely manner. Deploy malicious code protection across all in-scope systems, keep that protection current, and run both periodic system scans and real-time scans on files from external sources.

Antivirus on every in-scope device, kept current, with an active patch management process and scheduled scans in place. 
Every in-scope device requires current AV coverage and active scanning. A single unprotected device puts the entire domain at risk.
- THE STAKES

What Delayed Compliance Costs a DoD Contractor

Contract eligibility, SPRS standing, and an affirming official's personal legal exposure all depend on getting this right.
November 10
2025
Phase 1 began. A Level 1 self-assessment is a condition of award on new DoD contracts.
32 CFR 170.3(e); 48 CFR Acquisition Rule, 2025
$0
Requires full implementation of all 15 practices before SPRS submission.
FAR 52.204-21
1%
Of DoD contractors report full CMMC readiness, per CyberSheath's 2025 State of the Defense Industrial Base report.
CyberSheath State of the Defense Industrial Base report.
1 Year
Between required SPRS affirmations. Active SPRS status depends on meeting that cycle without a gap.
CMMC Level 1 self-assessment requirements
- COMMON FIRST-TIME GAPS

Where Assessments Most Often Stall

DivIHN surfaces these gaps on almost every initial scoping call. Both resolve when addressed before submission.

MOST COMMON
Documentation That Needs to Exist Before Submission
Access control policies, media sanitization procedures, and physical access logs all require written documentation an assessor can verify. Many contractors follow the right practices informally. The self-assessment requires proof. Written documentation of good habits carries the same weight as the habits themselves.
MOST MISSED
The SPRS Submission Step
The self-assessment score requires formal submission to SPRS by a designated affirming official who affirms compliance by name. Many first-time contractors arrive at this step without Procurement Integrated Enterprise Environment (PIEE) login access or a formally designated affirming official. Completing this step correctly makes the assessment valid.
MOST OVERLOOKED
Confirming Which Systems Fall Within Scope
The self-assessment covers every system, device, and location that processes, stores, or transmits Federal Contract Information (FCI). Shared drives, email systems, and portable devices that touch contract data all carry inclusion requirements. Accurate scope mapping at this stage produces a score that reflects actual posture. DivIHN confirms the FCI boundary before assessment begins.
Back
to Top