CMMC 2.0 Level 1 Requirements Explained
A plain-language breakdown of every CMMC 2.0 Level 1 requirement. Understand what is needed, why it matters, and how to implement each control for your business.
Overview
The Cybersecurity Maturity Model Certification (CMMC 2.0) is required for companies that work with the US Department of Defense (DoD). The CMMC 2.0 Final Rule (32 CFR Part 170) was published on December 16, 2024 and became effective on the same date. Phase 1 enforcement began on November 10, 2025, with Level 1 self-assessments required for applicable contracts. Over 220,000 contractors and subcontractors are now impacted by CMMC requirements, and by October 31, 2026 all new DoD contracts will require CMMC certification.
The CMMC 2.0 rollout follows a four-phase timeline:
| Phase | Date | Milestone |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 self-assessments begin appearing in new DoD contracts |
| Phase 2 | November 10, 2026 | Mandatory C3PAO assessments for Level 2 (CUI-handling contracts) |
| Phase 3 | November 10, 2027 | CMMC requirements extended to additional contract types |
| Phase 4 | November 10, 2028 | Full implementation across all applicable DoD contracts |
Level 1 is the foundation tier — it covers basic cyber hygiene practices that protect Federal Contract Information (FCI).
Level 1 is based on 17 practices drawn from NIST SP 800-171 and FAR 52.204-21. These are practices that most businesses should already have in place. Level 1 requires a self-assessment — no third-party audit is needed.
Who Needs CMMC 2.0 Level 1?
Any company that:
- Handles Federal Contract Information (FCI) — information provided by or generated for the government under a contract
- Is a subcontractor to a prime contractor that handles FCI
- Bids on DoD contracts that include the DFARS 252.204-7021 clause
If you handle Controlled Unclassified Information (CUI), you need Level 2 or higher. Under the CMMC 2.0 Final Rule, Level 2 requires a Certified Third-Party Assessment Organization (C3PAO) assessment for contracts involving CUI.
The 17 Level 1 Practices
CMMC 2.0 Level 1 practices are organised into six domains. These 17 practices are unchanged from the original framework and continue to be drawn from FAR 52.204-21. Below is each practice with a plain-language explanation and implementation guidance.
Access Control (AC)
AC.L1-3.1.1 — Limit system access to authorised users
Requirement: Only people who are supposed to use your systems can log in.
How to implement:
- Every user has a unique account (no shared logins)
- Accounts are created through a formal process (manager request or onboarding ticket)
- Accounts are disabled when someone leaves the company
- Guest and temporary accounts have expiration dates
AC.L1-3.1.2 — Limit system access to authorised functions
Requirement: Users can only do what their role requires. An accounting clerk should not have admin access to your servers.
How to implement:
- Use role-based access control (RBAC)
- Standard users do not have local admin rights on their PCs
- Admin accounts are separate from daily-use accounts
- File and folder permissions follow least privilege
AC.L1-3.1.20 — Control connections to external systems
Requirement: Control which external systems (cloud services, partner networks) can connect to yours.
How to implement:
- Maintain a list of approved cloud services and SaaS applications
- Use a firewall to restrict outbound connections where possible
- Review third-party app connections (OAuth consents) in Microsoft Entra ID regularly
AC.L1-3.1.22 — Control publicly accessible information
Requirement: Only information intended for public release is publicly accessible. Internal documents should not be findable by search engines.
How to implement:
- Audit your public-facing websites, SharePoint sites, and cloud storage for unintended exposure
- Ensure SharePoint "Anyone with the link" sharing is restricted or disabled
- Review what is indexed by search engines on your domain
Identification and Authentication (IA)
IA.L1-3.5.1 — Identify system users
Requirement: The system must be able to identify each individual user.
How to implement:
- Every user has a unique username (no shared accounts)
- Service accounts are documented and assigned to an owner
- All access is attributable to a specific individual
IA.L1-3.5.2 — Authenticate users
Requirement: Verify that users are who they claim to be before granting access.
How to implement:
- Require passwords that meet complexity requirements (minimum 12 characters)
- Enable multi-factor authentication (MFA) for all users
- Enforce account lockout after failed login attempts
Media Protection (MP)
MP.L1-3.8.3 — Sanitise media before disposal
Requirement: When you dispose of hard drives, USB drives, or other storage media, erase them so data cannot be recovered.
How to implement:
- Wipe drives with a certified tool (DBAN, Blancco) before disposal
- Physically destroy drives that contained sensitive data (shred or degauss)
- Maintain a log of disposed media
Physical Protection (PE)
PE.L1-3.10.1 — Limit physical access
Requirement: Only authorised people can physically access your systems (servers, network equipment, workstations).
How to implement:
- Servers and network equipment are in a locked room or cabinet
- Offices are locked when unoccupied
- Visitor access is controlled and logged
PE.L1-3.10.3 — Escort visitors
Requirement: Visitors to areas containing systems are escorted and monitored.
How to implement:
- Visitors sign in and out
- Visitors wear a badge that identifies them as visitors
- Visitors are escorted in server rooms and IT areas
PE.L1-3.10.4 — Maintain audit logs of physical access
Requirement: Keep a record of who accessed physical areas containing systems.
How to implement:
- Electronic access control systems (badge readers) with logging
- Or a physical sign-in log at the entrance to secure areas
- Retain logs for a defined period (typically 1 year)
PE.L1-3.10.5 — Control physical access devices
Requirement: Manage keys, badges, and other physical access devices.
How to implement:
- Maintain an inventory of issued keys and access badges
- Collect badges and keys during offboarding
- Re-key or re-program locks when keys are lost
System and Communications Protection (SC)
SC.L1-3.13.1 — Boundary protection
Requirement: Monitor and control communications at the boundary of your network.
How to implement:
- Use a firewall between your network and the internet
- Configure the firewall to deny all inbound traffic by default
- Review firewall rules periodically
SC.L1-3.13.5 — Public-access system separation
Requirement: Separate publicly accessible systems (your website) from internal systems.
How to implement:
- Public web servers are in a DMZ or separate network segment
- Internal systems are not directly accessible from the internet
- Use VPN for remote access to internal systems
System and Information Integrity (SI)
SI.L1-3.14.1 — Identify and remediate flaws
Requirement: Find and fix vulnerabilities in your systems.
How to implement:
- Enable automatic Windows updates on all devices
- Patch third-party applications (browsers, PDF readers, Java) regularly
- Monitor vendor security advisories for software you use
SI.L1-3.14.2 — Malicious code protection
Requirement: Protect your systems against malware.
How to implement:
- Antivirus installed and running on all devices (Windows Defender is acceptable)
- Real-time protection enabled
- Definitions updated automatically
- Regular scans scheduled
SI.L1-3.14.4 — Update malicious code protection
Requirement: Keep your antivirus software and definitions up to date.
How to implement:
- Automatic definition updates enabled (default in Windows Defender)
- Verify updates are being applied (check the "Last updated" timestamp in Defender)
SI.L1-3.14.5 — System and file scanning
Requirement: Scan your systems regularly for malware.
How to implement:
- Schedule a weekly full scan on all devices
- Enable real-time scanning of downloaded files
- Scan removable media (USB drives) when connected
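The following PowerShell script is an added example, not part of the original article or of any CMMC publication: it collects self-assessment evidence for the SI practices above (SI.L1-3.14.2, 3.14.4 and 3.14.5) and for the SC.L1-3.13.1 firewall guidance from one Windows device, using only the built-in Defender and Windows Firewall cmdlets. The 7-day thresholds, the `Add-Check` helper and the output file name are this example's own assumptions.

```powershell
# Added example: report-only evidence collection for CMMC 2.0 Level 1 practices
# SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5 and SC.L1-3.13.1 on a Windows device.
# Run in an elevated PowerShell session. Nothing is changed; failed checks are POA&M items.
# Thresholds below are assumptions for this example, not values from the CMMC rule.
$MaxSignatureAgeDays = 7
$MaxFullScanAgeDays  = 7

$status = Get-MpComputerStatus    # engine state, definition age, last scan times
$prefs  = Get-MpPreference        # scan schedule and removable-media settings
$checks = [System.Collections.Generic.List[object]]::new()

# Hypothetical helper: records one pass/fail row with the value used as evidence
function Add-Check([string]$Practice, [string]$Check, [bool]$Pass, [string]$Value) {
    $checks.Add([pscustomobject]@{ Practice = $Practice; Check = $Check; Pass = $Pass; Value = $Value })
}

# SI.L1-3.14.2: antivirus installed and running with real-time protection on
Add-Check 'SI.L1-3.14.2' 'Antivirus engine enabled'     $status.AntivirusEnabled          $status.AMProductVersion
Add-Check 'SI.L1-3.14.2' 'Real-time protection enabled' $status.RealTimeProtectionEnabled ''

# SI.L1-3.14.4: definitions are current (AntivirusSignatureAge is reported in days)
Add-Check 'SI.L1-3.14.4' "Definitions updated within $MaxSignatureAgeDays days" `
    ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) "$($status.AntivirusSignatureLastUpdated)"

# SI.L1-3.14.5: a full scan is scheduled and has actually run; removable media are scanned
# ScanScheduleDay 8 = never; ScanParameters 2 = full scan (1 = quick scan)
$fullScanScheduled = ($prefs.ScanScheduleDay -ne 8) -and ($prefs.ScanParameters -eq 2)
Add-Check 'SI.L1-3.14.5' 'Full scan scheduled' $fullScanScheduled "Day=$($prefs.ScanScheduleDay) Params=$($prefs.ScanParameters)"
Add-Check 'SI.L1-3.14.5' "Full scan completed within $MaxFullScanAgeDays days" `
    ($status.FullScanAge -le $MaxFullScanAgeDays) "$($status.FullScanEndTime)"
Add-Check 'SI.L1-3.14.5' 'Removable drive scanning enabled' (-not $prefs.DisableRemovableDriveScanning) ''

# SC.L1-3.13.1: every firewall profile is on and denies inbound traffic by default
foreach ($p in Get-NetFirewallProfile) {
    Add-Check 'SC.L1-3.13.1' "Firewall profile '$($p.Name)' enabled, inbound blocked by default" `
        (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')) `
        "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

$checks | Format-Table -AutoSize

# Save a timestamped record for the SSP evidence folder (file name is this example's choice)
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    AllPassed = -not ($checks | Where-Object { -not $_.Pass })
    Checks    = $checks
}
$report | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:COMPUTERNAME-cmmc-l1-evidence.json"
```

Run it on each in-scope device and keep the JSON files with the screenshots and configuration exports listed under Documentation Requirements; a Pass of False on any row is the gap to remediate or track in the POA&M.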
Self-Assessment Process
CMMC 2.0 Level 1 requires a self-assessment:
- Map each practice to your current implementation
- Identify gaps where you do not meet the requirement
- Remediate gaps and document the controls in place
- Submit your score to SPRS (Supplier Performance Risk System)
Your score is calculated out of 110 points (based on the NIST 800-171 scoring methodology). For Level 1, you must achieve the score that reflects full implementation of the 17 practices.
Level 1 is self-assessed. You do not need a third-party auditor (C3PAO). However, the DoD can audit your self-assessment at any time, so your documentation must be accurate and defensible.
Documentation Requirements
For each practice, maintain:
| Document | Purpose |
|---|---|
| System Security Plan (SSP) | Describes how each control is implemented |
| Policies | Written policies covering each domain (access control, media protection, etc.) |
| Evidence | Screenshots, configuration exports, or logs proving the control is in place |
| POA&M (Plan of Action & Milestones) | For any controls not yet fully implemented — timeline for remediation |
Common Gaps for Small Businesses
| Practice | Common Gap | Quick Fix |
|---|---|---|
| Unique accounts | Shared logins (e.g., shared admin account) | Create individual accounts |
| MFA | Not enabled on all accounts | Enable via Conditional Access |
| Media sanitisation | Old hard drives in a closet | Wipe or physically destroy |
| Visitor logs | No sign-in process | Create a visitor log binder |
| Firewall | Default allow-all rules | Review and tighten rules |
| Patching | Manual, inconsistent updates | Enable automatic updates |
Next Steps
- Download the CMMC 2.0 Level 1 self-assessment template from the CMMC website
- Map your current state against each of the 17 practices
- Submit your SPRS score once all practices are in place
- If you need CUI handling, begin planning for Level 2 (requires a C3PAO assessment under the CMMC 2.0 Final Rule)