CMMC Level 1 Foundational Compliance


Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

CMMC Level 1 Foundational applies to any defense contractor or subcontractor that processes, stores, or transmits Federal Contract Information (FCI). It requires implementation of 17 cybersecurity practices aligned with FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Level 1 certification is achieved through annual self-assessment with senior official affirmation, submitted in the Supplier Performance Risk System (SPRS).

Who Needs CMMC Level 1

CMMC Level 1 Foundational applies to defense contractors and subcontractors that handle Federal Contract Information (FCI) but do not process, store, or transmit Controlled Unclassified Information (CUI). FCI is information provided by or generated for the Government under contract that is not intended for public release. Common Level 1 contractors include subcontractors providing routine commodities, professional services firms without access to CUI, and businesses fulfilling general government contracts. Level 1 cannot be achieved by any business that has any access to CUI — those require Level 2 or 3.

The 17 Level 1 Practices

The 17 practices map directly to the 15 controls in FAR 52.204-21 (with two additional sub-practices). Practice areas and their practice identifiers:

Access Control: AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L1-3.1.22
Identification and Authentication: IA.L1-3.5.1, IA.L1-3.5.2
Media Protection: MP.L1-3.8.3
Physical Protection: PE.L1-3.10.1, PE.L1-3.10.3, PE.L1-3.10.4, PE.L1-3.10.5
System and Communications Protection: SC.L1-3.13.1, SC.L1-3.13.5
System and Information Integrity: SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5

Self-Assessment Procedure

Level 1 contractors conduct an annual self-assessment of their implementation of the 17 practices. The assessment must be completed by an individual with sufficient knowledge of the contractor's systems, typically the IT director or compliance officer. After assessment, a senior official (typically a C-level executive) must affirm the results. The affirmation includes attestation that the practices are implemented and that the contractor will maintain the practices throughout the period of performance.

SPRS Submission

Self-assessment results must be submitted to the Supplier Performance Risk System (SPRS), the Department of Defense's repository for contractor performance data. The submission requires the contractor's CAGE Code, system identification, score, and senior official affirmation. SPRS submissions are required for award eligibility on covered contracts. The score remains valid for one year, after which a new self-assessment and affirmation are required.

Common Level 1 Findings

Frequent gaps identified during DoD contract performance reviews of Level 1 contractors:

missing or inadequate written policies for access control;
failure to limit unsuccessful login attempts (AC.L1-3.1.8 sub-practice);
inadequate media sanitization before disposal (MP.L1-3.8.3);
missing visitor access logs (PE.L1-3.10.4);
failure to monitor and control inbound and outbound communications at system boundaries (SC.L1-3.13.1);
missing antivirus or endpoint protection (SI.L1-3.14.2);
failure to update threat protection signatures regularly (SI.L1-3.14.4).

Frequently Asked Questions

What is CMMC Level 1?

CMMC Level 1 Foundational is the lowest tier of the Cybersecurity Maturity Model Certification, requiring implementation of 17 cybersecurity practices aligned with FAR 52.204-21. It applies to defense contractors handling Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Certification is via annual self-assessment with senior official affirmation submitted to SPRS.

Can a Level 1 contractor handle CUI?

No. Any contractor that handles Controlled Unclassified Information must achieve at least Level 2 certification. Level 1 is exclusively for contractors handling only FCI. Mishandling CUI under a Level 1 certification can result in contract termination, civil and criminal penalties under the False Claims Act, and suspension or debarment from federal contracting.

How often is Level 1 self-assessment required?

Annually. The senior official affirmation submitted to SPRS is valid for one year. Contractors must conduct a fresh self-assessment, document any changes in implementation, and submit a new affirmation each year to maintain award eligibility on covered contracts.

What documents are required for Level 1?

Required documentation: written cybersecurity policies covering each of the 17 practice areas; evidence of practice implementation (access control logs, media sanitization records, visitor logs, antivirus deployment records); self-assessment scoring documentation; and the senior official affirmation submitted to SPRS.
