Not every contractor needs the full 110-control mountain. If you handle Federal Contract Information (FCI) but no CUI, you're CMMC Level 1 — and that's a dramatically lighter lift: 15 basic safeguarding practices, self-assessed once a year, no third party. Here's the whole picture.
What CMMC Level 1 actually requires
Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21 — the same baseline that's been in federal contracts for years. They span six areas:
| Area | The gist |
|---|---|
| Access Control | Limit system access to authorized users, processes, and devices; control what they can do |
| Identification & Authentication | Identify users and authenticate them before granting access |
| Media Protection | Sanitize or destroy media containing FCI before disposal or reuse |
| Physical Protection | Limit physical access to systems and protect the facility |
| System & Communications Protection | Monitor and protect boundaries; separate public-facing systems |
| System & Information Integrity | Patch flaws, run anti-malware, and keep protections current |
How the Level 1 self-assessment works
- Confirm you're really Level 1. You handle FCI and no CUI. (Not sure? See FCI vs CUI — this is the step people get wrong.)
- Review each of the 15 practices and verify you meet it in your real environment.
- Document how you meet each one — enough that someone could see it's true.
- Affirm it annually. A senior company official affirms compliance each year. There's no C3PAO and no third-party assessment at Level 1.
Level 1 vs Level 2 — the gap is huge
| | Level 1 (FCI) | Level 2 (CUI) |
|---|---|---|
| Requirements | 15 practices (FAR 52.204-21) | 110 controls (NIST SP 800-171) |
| Assessment | Annual self-assessment | Self-assessment or C3PAO, by contract |
| Scoring | Met / not met | SPRS score out of 110 |
Think you might handle CUI? Check Level 2 in 10 minutes
If CUI is in the picture, you need the 110 controls — and a real SPRS score. Run it free, no signup, and find out where you actually stand.
Where to go from here
If you've confirmed Level 1, you're in good shape — review the 15 practices, document them, and affirm annually. If there's any chance CUI is involved, start with FCI vs CUI, then move to the SPRS calculator, the SSP generator, and the 110-control library. Still deciding whether CMMC applies at all? See do I need CMMC.
CMMC Level 1 — frequently asked
What is CMMC Level 1?
The entry tier for contractors handling FCI but not CUI — the 15 basic safeguards in FAR 52.204-21, met via annual self-assessment with a senior-official affirmation, no third party.
How many controls?
15 practices across six areas (access control, identification & authentication, media protection, physical protection, system & communications protection, system & information integrity). Level 2 has 110.
Do I need a C3PAO?
No. Level 1 is self-assessed and self-affirmed annually. C3PAOs apply to many Level 2 certifications, not Level 1.
How do I do the self-assessment?
Confirm you handle only FCI, verify each of the 15 practices, document how you meet them, and affirm annually. If you handle CUI, you're Level 2 — the biggest Level 1 mistake is misjudging that.