
CMMC Level 1

Foundational safeguards for Federal Contract Information (FCI).

This page outlines all 15 Level 1 requirements aligned to FAR 52.204-21 so teams can quickly identify baseline controls and required operational evidence.

LEVEL 1 QUICK REFERENCE - 15 REQUIRED PRACTICES

Assessment Focus

Protect FCI with repeatable baseline security hygiene.

Level 1 emphasizes access control, patching, malware protection, and physical safeguards. Contractors generally complete annual self-assessment and annual affirmation activities.

  • Define where FCI is stored, processed, and transmitted.
  • Document who owns each control and where evidence is retained.
  • Track corrective actions with target dates and accountable owners.

All 15 Requirements

FAR 52.204-21(b)(1) safeguarding controls.

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control or limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate or verify the identities of users, processes, or devices before allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal, release, or reuse.
  8. Limit physical access to organizational information systems, equipment, and operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control/manage physical access devices.
  10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations and update protection mechanisms when new releases are available.
  14. Update malicious code protection and other security-relevant software in a timely manner.
  15. Perform periodic and real-time scans of information systems and files from external sources as files are downloaded, opened, or executed.

Talk to Engineering

Map your current environment to a practical compliance roadmap.

Share your requirements and timeline. We will help you prioritize controls, evidence, and implementation phases.