CMMC Level 1: requirements, controls, and certification process

by SecureSlate Team in CMMC


CMMC Level 1 is the entry tier for organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI) within the assessed scope.

This guide covers:

  • Who must meet Level 1
  • The 15 safeguarding practices and what they require in practice
  • The annual self-assessment, SPRS submission, and affirmation process (Level 1 has no third-party certification)



Key takeaways

  • Level 1 aligns with FAR 52.204-21 basic safeguarding—15 practices, not the full 800-171 set.
  • Assessment is an annual self-assessment entered in SPRS—no C3PAO for Level 1.
  • Scope discipline matters: if CUI is present, Level 2 typically applies instead.
  • Annual affirmation by a senior official is required to maintain status.

Who needs CMMC Level 1?

Level 1 applies when contract data is FCI only—information provided by or generated for the government under contract, not intended for public release, but not categorized as CUI.

If your environment stores, processes, or transmits CUI, Level 2 (the full NIST SP 800-171 requirement set) applies instead, regardless of how that data was labeled internally before.


Level 1 controls (15 practices)

The 15 practices are the basic safeguarding requirements of FAR 52.204-21, grouped into six domains:

  • Access control (AC, 4 practices): limit system access to authorized users and to the transactions and functions they are permitted to execute; verify and control connections to external systems; control information posted on publicly accessible systems.
  • Identification and authentication (IA, 2 practices): identify users, processes, and devices; authenticate them before granting access.
  • Media protection (MP, 1 practice): sanitize or destroy media containing FCI before disposal or reuse.
  • Physical protection (PE, 2 practices): limit physical access to authorized individuals; escort and monitor visitors, keep physical access logs, and control keys, badges, and other access devices.
  • System and communications protection (SC, 2 practices): monitor, control, and protect communications at external boundaries and key internal boundaries; keep publicly accessible components on subnetworks separated from internal networks.
  • System and information integrity (SI, 4 practices): identify, report, and correct flaws in a timely manner; deploy malicious code protection and keep it updated; run periodic scans of systems and real-time scans of files from external sources.

Each practice needs a documented approach and evidence that it operates (training records, access lists, disposal logs, scan reports, visitor logs). At Level 1 every applicable practice must be scored MET; the CMMC rule does not allow a Plan of Action and Milestones (POA&M) at Level 1, so an unmet practice means the self-assessment cannot be submitted as compliant until it is fixed.


Self-assessment process

  1. Define the assessment scope: the systems that store, process, or transmit FCI, and the people and facilities that support them.
  2. Implement the 15 practices (a practice may be marked N/A only with a documented justification, for example no publicly accessible system exists).
  3. Collect evidence for each practice so the self-assessment can be reproduced.
  4. Complete the self-assessment and enter the result in SPRS.
  5. Have the senior official submit the affirmation of compliance in SPRS with the self-assessment, then repeat the self-assessment and affirmation annually.

Level 1 is designed to be achievable for small businesses when scope stays narrow and boundaries are clear.


Simplify Level 1 with SecureSlate

SecureSlate tracks practice status, owners, and evidence—so annual self-assessments are repeatable.



FAQ

Do we need an SSP for Level 1?

The CMMC rule does not require a System Security Plan at Level 1; the SSP is a NIST SP 800-171 requirement that applies at Level 2. You still need organized policies, a defined scope, and evidence that assessors or contracting officers can follow.

Can we jump straight to Level 2?

If CUI is in scope, yes: Level 2 applies (as a self-assessment or a C3PAO certification assessment, depending on the contract), and many organizations implement NIST SP 800-171 once to avoid re-work.


Disclaimer (legal note)

Level determination depends on contract data types and scope. Confirm with your contracting officer and legal counsel.
