
    CMMC Level 1 - Top 10 Questions DIB Contractors Ask

    Stay updated on DFARS 7021 and CMMC Level 1 requirements to maintain compliance and secure DoW contracts. Learn the essentials and get your top questions answered.


    At Summit 7, we talk a lot about CMMC Level 2 compliance, but let’s talk about L2 and 3’s little brother, the foundation of federal cybersecurity compliance, CMMC Level 1. 

    If your business works with the Department of War (DoW) and handles Federal Contract Information (FCI), this level applies to you. According to the CMMC final rule, 32 CFR part 170, over 60% of the Defense Industrial Base will need to meet CMMC level 1 requirements. 

    We’re breaking down the 10 most common questions about CMMC Level 1: what it is, who needs it, and how to get compliant. 

    What is CMMC Level 1? 

    CMMC Level 1 is the baseline standard for “cyber hygiene.” 

    While it is the entry point to DoW cybersecurity compliance, it’s still essential to the DIB’s ecosystem. It focuses on protecting Federal Contract Information (FCI), which is data provided by or generated for the government under a contract that isn’t meant for public release.

    Examples of FCI include:

    • Technical drawings shared during a contract (non-CUI) 
    • Project timelines or internal DoW documentation 
    • Non-public contract details or reports 

    While this information isn’t classified, losing control of it can still expose vulnerabilities or damage national interests, which is why protection at Level 1 is critical. 

    The goal is simply to ensure that every contractor and subcontractor working with the DoW follows essential security practices to protect federal information from common cyber threats. 

    How does CMMC Level 1 differ from Level 2? 

    The difference between CMMC Level 1 and Level 2 comes down to data type and depth. 

    • Level 1 covers Federal Contract Information (FCI) and 15 basic practices. 
    • Level 2 covers Controlled Unclassified Information (CUI) and requires 110 practices aligned with NIST SP 800-171. 

    Level 1 is about basic cyber hygiene, but Level 2 introduces more formalized policies, procedures, and documentation, which is a significant step up in complexity. 

    Who needs to comply with CMMC Level 1? 

    Any organization that stores, processes, or transmits FCI must comply with CMMC Level 1. That includes prime contractors and subcontractors, even if they don’t handle Controlled Unclassified Information (CUI). 

    If your company has a DoW contract or supports one, Level 1 compliance is a hard requirement to keep doing business with the government. 

    What are the requirements for CMMC Level 1? 

    In order to be compliant at CMMC Level 1, your organization has to address six control families.  

    CMMC Level 1 Checklist 

    🗹 Access Control (AC) – Limit who can access systems and FCI data. 
    🗹 Identification & Authentication (IA) – Create uniquely identified users and securely authenticate them before allowing access to systems or data. 
    🗹 Media Protection (MP) – Sanitize or destroy devices with FCI before retiring them. 
    🗹 Physical Protection (PE) – Restrict physical access to buildings and systems containing sensitive data. 
    🗹 System & Communications Protection (SC) – Secure network boundaries and data in transit. Separate internal systems from public ones.  
    🗹 System & Information Integrity (SI) – Always monitor, patch, and protect your systems from malicious code. Address vulnerabilities immediately.  


    Note that each family encompasses 2-4 specific practices. In all, you’ll need to implement 15 practices to check all of these items off. The good news is, these align closely with FAR 52.204-21, meaning you’re likely already doing some of these as long as you follow common IT best practices.  

    Is CMMC Level 1 assessed by a C3PAO? 

    No, CMMC Level 1 doesn’t require an outside assessment. Unlike Level 2, self-assessment is the standard for Level 1. Your organization completes a self-evaluation of all 15 practices and submits a self-attestation in the Supplier Performance Risk System (SPRS). 

    That said, the self-assessment must be accurate and defensible. False attestation could result in loss of contracts or penalties under the False Claims Act. 

    How often do I need to reassess my CMMC Level 1 Compliance?  

    CMMC Level 1 requires annual self-assessments and submission of results to SPRS. The good news is, you’re not starting from the ground up every year.  

    You’ve already put in the hard work of implementation. After your first successful assessment, you should maintain year-round by regularly reviewing your controls, patching systems, and training staff. If you’re keeping up with your practices properly, most of the work is done for you when it’s time to resubmit.  

    Do I need specific tools or software for CMMC Level 1 compliance? 

    It’s important to understand no single tool can make you “CMMC compliant.” However, Microsoft 365 Government Cloud or Commercial Cloud and related tools, like Entra ID, Intune, and Defender for Endpoint, can satisfy many of the technical requirements.  

    While you can satisfy CMMC level 1 requirements in a commercial cloud environment, if you plan to upgrade to level 2 in the future, it’s best to make the switch over to a government cloud environment. That will allow you to keep building toward your future compliance goals after your initial certification.  

    CMMC Level 1 doesn’t have a FedRAMP requirement, but level 2 does. If you begin implementing all of your controls in a commercial tenant, you’ll have to start over in a government one for level 2. 

    Ultimately, following the controls is what matters. You can use platforms not listed here as long as your configurations meet the intent of each control. 

    How much does CMMC Level 1 compliance cost? 

    Costs for CMMC compliance vary based on your size and IT maturity. Luckily, the DoW came through with some cost estimates for large and small entities pursuing compliance. 

    CMMC Level 1 Cost for Small entities 

    By the DoW’s 2023 estimate, each CMMC Level 1 assessment costs about $6,000 for a “small” (under 500 employees) entity.  


    CMMC Level 1 Cost for Other than small entities 

    Larger entities are able to spend a little less at $4,000 per assessment.  


    Because Level 1 is self-attested, there’s no formal audit fee, but, of course, a lot of time and labor goes into planning, preparing, and conducting the assessment. Additional costs can come into play if you have to overhaul your existing systems and processes.   

    How long does it take to become Level 1 compliant? 

    While the timeframes vary greatly across company sizes and maturity levels, most organizations can reach Level 1 compliance within 30 to 90 days. 

    A structured approach usually includes: 

    • Performing a gap analysis 
    • Updating policies and procedures 
    • Implementing missing controls 
    • Conducting a final self-assessment 

    If your IT systems are already following NIST or FAR requirements, the timeline can be even shorter. 

    When will CMMC Level 1 be required in contracts? 

    The Department of War finalized CMMC 2.0 rulemaking in 2025, and the official rollout begins on November 10, 2025. 

    Once DFARS 252.204-7021 is in your solicitations, contractors will need to have the appropriate CMMC level, including Level 1, in place before award.  

    Organizations that wait could find themselves ineligible for future DoW work. 

    CMMC Level 1 may be the entry point, but it’s far from trivial. It represents a new baseline of trust across the Defense Industrial Base, ensuring every contractor takes responsibility for securing government data. 

    By understanding what’s required now, aligning your technology and policies, and documenting your self-assessment, you’ll be ready not just for CMMC Level 1, but for the next level of opportunity in the defense ecosystem. 

    In a Nutshell 

    CMMC Level 1 requirements will begin with the phased rollout on November 10, and chances are you’ll need it to win contracts sooner than you think. 

    In order to become compliant, you’ll have to adhere to 15 best practices, some of which you may already have in place. That said, identifying and addressing the gaps holding you back may take you a few months, so don’t hold off for too long.  

    Do you have a question we didn’t answer here? Try the CUI Hotline or get started on CMMC Level 1 today. 

    Author: Summit 7 Leadership