
CMMC Level 1 Requirements: The Complete 2026 Guide for Small DoD Contractors

If your small business sells anything to the Department of Defense — even bolts, uniforms, or IT services — CMMC Level 1 is now mandatory. This guide breaks down the 17 practices, the self-assessment, the affirmation, and exactly what a small contractor needs to do this year to stay eligible for DoD contracts.

Cybrvault Team, June 17, 2026, 16 min read

If you sell anything to the U.S. Department of Defense — products, services, software, even office supplies — the Cybersecurity Maturity Model Certification (CMMC) program now decides whether you stay eligible for those contracts. The DoD finalized the CMMC 2.0 rule (32 CFR Part 170) and the contract clause (48 CFR / DFARS 252.204-7021) in 2024–2025, and the requirement is being phased into solicitations through 2028. For the overwhelming majority of small businesses in the defense supply chain, the starting line is CMMC Level 1.

This guide walks through exactly what CMMC Level 1 is, who needs it, the 17 practices you have to meet, how the self-assessment and annual affirmation work, what it costs, and a realistic 90-day roadmap a small contractor can actually execute. Written by the cybersecurity team at Cybrvault, a Miami-based firm that helps small DoD contractors get and stay compliant.

What Is CMMC Level 1?

CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification program. It applies to any DoD contractor or subcontractor that processes, stores, or transmits Federal Contract Information (FCI) — information provided by or generated for the government under a contract that is not intended for public release.

Level 1 covers 17 basic cybersecurity practices that come directly from FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These are the bare-minimum hygiene controls every federal contractor was already supposed to be following — CMMC simply formalizes them and adds an annual self-assessment and a senior-official affirmation.

Two big things to know up front:

  • Level 1 is self-assessed. You do not have to hire a CMMC Third-Party Assessment Organization (C3PAO) at this tier.
  • Level 1 must be re-affirmed every year by a senior company official, and the result is recorded in the DoD's Supplier Performance Risk System (SPRS).

Who Needs CMMC Level 1?

You almost certainly need CMMC Level 1 if any of the following are true:

  • You hold a DoD prime contract or subcontract — at any dollar amount.
  • You receive Federal Contract Information (FCI) from a DoD prime or the government (drawings, statements of work, contract terms, purchase orders, etc.).
  • Your contract or RFP includes FAR 52.204-21.
  • You sell commercial products or services to a DoD-related buyer and they share non-public contract information with you.

You likely need a higher level (CMMC Level 2 or Level 3) if you handle Controlled Unclassified Information (CUI), which is marked or otherwise covered under DFARS 252.204-7012. If you are not sure whether what you handle is FCI or CUI, assume FCI at minimum and have a qualified assessor or cybersecurity firm review your contracts.

COTS-only resellers (commercially available off-the-shelf items, with no FCI exchanged) are generally exempt — but the moment a buyer sends you anything non-public about a federal contract, you are in scope.

FCI vs. CUI: The Distinction That Decides Your Level

This single concept determines whether you are looking at Level 1 or Level 2 — and getting it wrong is the most common mistake small contractors make.

Federal Contract Information (FCI)

FAR 4.1901 defines FCI as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service. Examples: a non-public statement of work, your draft proposal, internal emails with your contracting officer, delivery schedules, purchase order details.

Controlled Unclassified Information (CUI)

A specific category of sensitive government information covered by 32 CFR Part 2002 and the DoD's CUI Registry — typically marked CUI, ITAR, EAR, or with handling caveats. CUI triggers CMMC Level 2 and the 110 controls of NIST SP 800-171 Revision 2 (transitioning to Rev 3).

Bottom line: FCI = Level 1, CUI = Level 2 or higher.

The 17 CMMC Level 1 Practices (Plain English)

All 17 Level 1 practices come from FAR 52.204-21 and are mirrored in NIST SP 800-171 Rev 2. They are grouped into six domains. Here is what each one actually means for a small business.

Access Control (AC)

  1. AC.L1-3.1.1 — Limit information system access to authorized users, processes, and devices. (Translation: every user has their own account; no shared logins.)
  2. AC.L1-3.1.2 — Limit access to the types of transactions and functions authorized users are permitted to execute. (Translation: least privilege — accounting doesn't get domain admin.)
  3. AC.L1-3.1.20 — Verify and control connections to and use of external systems. (Translation: control VPN, remote access, contractor laptops, and cloud links.)
  4. AC.L1-3.1.22 — Control information posted or processed on publicly accessible systems. (Translation: nothing sensitive on the public website, public Google Drive, or public S3 bucket.)

Identification & Authentication (IA)

  1. IA.L1-3.5.1 — Identify users, processes, and devices. (Translation: unique usernames, asset inventory.)
  2. IA.L1-3.5.2 — Authenticate users, processes, and devices before granting access. (Translation: real passwords, MFA wherever you can.)

Media Protection (MP)

  1. MP.L1-3.8.3 — Sanitize or destroy media containing FCI before disposal or reuse. (Translation: wipe or shred drives, USBs, and old laptops — do not donate a hard drive without sanitizing it.)

Physical Protection (PE)

  1. PE.L1-3.10.1 — Limit physical access to systems, equipment, and operating environments. (Translation: locked office, server closet, badge or key entry.)
  2. PE.L1-3.10.3 — Escort visitors and monitor visitor activity.
  3. PE.L1-3.10.4 — Maintain audit logs of physical access. (A sign-in sheet counts.)
  4. PE.L1-3.10.5 — Control and manage physical access devices. (Track keys, badges, smartphones used for MFA.)

System & Communications Protection (SC)

  1. SC.L1-3.13.1 — Monitor, control, and protect communications at the external boundaries of your network. (Translation: a real firewall, not just the router from your ISP.)
  2. SC.L1-3.13.5 — Implement subnetworks for publicly accessible system components. (Translation: keep public web servers off the internal LAN — use a DMZ or hosted provider.)

System & Information Integrity (SI)

  1. SI.L1-3.14.1 — Identify, report, and correct system flaws in a timely manner. (Translation: patch Windows, macOS, and apps on a schedule.)
  2. SI.L1-3.14.2 — Provide protection from malicious code. (Translation: endpoint protection / EDR on every workstation and server.)
  3. SI.L1-3.14.4 — Update malicious code protection mechanisms when new releases are available.
  4. SI.L1-3.14.5 — Perform periodic scans and real-time scans of files from external sources.

How the CMMC Level 1 Self-Assessment Works

Unlike Level 2, you are not required to hire an external assessor at Level 1. Here is the process the DoD expects, in order:

  1. Define your assessment scope. List every asset (laptop, server, cloud tenant, network, app) that processes, stores, or transmits FCI.
  2. Review each of the 17 practices against that scoped environment. For each one, mark it MET or NOT MET — Level 1 does not allow partial credit or POA&Ms.
  3. Document objective evidence for every MET practice (screenshots, policies, configuration exports, training records). Auditors and primes can ask for this later.
  4. Calculate your final result. To pass Level 1, all 17 practices must be MET.
  5. Have a senior company official (typically the owner, CEO, CIO, or CISO) submit the annual affirmation in SPRS at https://www.sprs.csd.disa.mil.
  6. Repeat the self-assessment and affirmation every 12 months, and any time your environment materially changes.

Important: a false affirmation in SPRS can trigger False Claims Act liability. This is not a check-the-box exercise — the affirming official is personally on the hook for the accuracy of the assessment.
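To make the pass/fail rule concrete, here is a small added checker (example code written for this guide, not Cybrvault's tooling or anything the DoD publishes) that validates a self-assessment record before anyone signs in SPRS: all 17 practice IDs must be present, each marked MET or NOT MET with no partial status, and every MET practice must have objective evidence recorded. The record format and the sample contractor data are constructed assumptions.

```python
"""Added example: sanity-check a CMMC Level 1 self-assessment record.
Enforces the rules from the guide: 17 practices, MET / NOT MET only
(no partial credit, no POA&M), and evidence behind every MET."""

# The 17 Level 1 practice identifiers exactly as listed in the guide.
LEVEL1_PRACTICES = (
    "AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22",
    "IA.L1-3.5.1", "IA.L1-3.5.2",
    "MP.L1-3.8.3",
    "PE.L1-3.10.1", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5",
    "SC.L1-3.13.1", "SC.L1-3.13.5",
    "SI.L1-3.14.1", "SI.L1-3.14.2", "SI.L1-3.14.4", "SI.L1-3.14.5",
)


def evaluate(assessment):
    """Return (passed, findings).

    `assessment` (assumed record format) maps a practice id to
    {"status": "MET" | "NOT MET", "evidence": [description, ...]}.
    `findings` lists every reason the affirmation cannot yet be signed;
    the assessment passes only when that list is empty.
    """
    findings = []
    for pid in LEVEL1_PRACTICES:
        entry = assessment.get(pid)
        if entry is None:
            findings.append(f"{pid}: not assessed")
            continue
        status = entry.get("status")
        if status not in ("MET", "NOT MET"):
            # Level 1 has no partial credit: anything else is a gap.
            findings.append(f"{pid}: invalid status {status!r} (only MET / NOT MET)")
        elif status == "NOT MET":
            findings.append(f"{pid}: NOT MET")
        elif not entry.get("evidence"):
            # A MET with nothing to show a prime or auditor is not defensible.
            findings.append(f"{pid}: MET but no objective evidence recorded")
    return (not findings, findings)


# Constructed sample: everything in place except a visitor log and a
# firewall configuration export.
SAMPLE = {pid: {"status": "MET", "evidence": ["access-control-policy.pdf"]}
          for pid in LEVEL1_PRACTICES}
SAMPLE["PE.L1-3.10.3"] = {"status": "NOT MET", "evidence": []}
SAMPLE["SC.L1-3.13.1"] = {"status": "MET", "evidence": []}

if __name__ == "__main__":
    passed, gaps = evaluate(SAMPLE)
    print("READY TO AFFIRM" if passed else "NOT READY TO AFFIRM")
    for gap in gaps:
        print(" -", gap)
```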

What CMMC Level 1 Will Cost a Small Business

Realistic 2026 numbers for a small contractor (5–50 employees) with no prior compliance program:

  • Internal staff time: 60–150 hours over the first year.
  • Endpoint protection / EDR: $4–$10 per endpoint per month.
  • Business-grade firewall (or managed firewall service): $500–$2,500 one-time, plus $20–$200/month.
  • MFA platform (Microsoft Entra, Duo, JumpCloud): often included in your existing Microsoft 365 Business Premium or Google Workspace license.
  • Policies, scoping, and gap assessment from a cybersecurity partner: $3,000–$10,000 one-time for most small businesses.
  • Total realistic first-year investment: roughly $5,000–$20,000 for most 5–50 person contractors.

Compare that to losing a single DoD contract because you could not affirm Level 1, and the ROI is obvious.

90-Day Roadmap to CMMC Level 1

This is the same phased plan our team uses with small DoD contractors at Cybrvault. Adjust the pace based on your team size.

Days 1–30: Scope and Stabilize

  • Identify every system, account, vendor, and physical location that touches FCI.
  • Create a written asset inventory and a network diagram.
  • Remove or migrate any FCI that lives in unmanaged personal email, personal Dropbox, or shadow IT.
  • Standardize on Microsoft 365 Business Premium or Google Workspace Business Plus so you inherit MFA, endpoint, and DLP capabilities.

Days 31–60: Implement the 17 Practices

  • Enable MFA for every user account, especially admins.
  • Deploy a reputable EDR (CrowdStrike, SentinelOne, Microsoft Defender for Business, Bitdefender GravityZone).
  • Configure a real firewall with logging at every internet boundary.
  • Document acceptable use, access control, media disposal, and visitor procedures.
  • Roll out security awareness training to every employee and contractor.

Days 61–90: Self-Assess, Document, Affirm

  • Walk through all 17 practices and collect screenshots and policy references as objective evidence.
  • Run an internal mock assessment — ideally with a third party — to catch anything marked NOT MET.
  • Remediate gaps. Re-test. Confirm 17 of 17 practices are MET.
  • Have a senior official log into SPRS and submit the Level 1 affirmation.
  • Calendar the next annual self-assessment and affirmation now, so it does not slip.

Common Mistakes Small Contractors Make

  • Assuming personal Gmail or personal phones are fine for handling FCI — they are not.
  • Skipping the asset inventory because the company is small. You cannot protect what you have not listed.
  • Using a single shared admin account on Microsoft 365 or QuickBooks. Level 1 explicitly forbids this.
  • Treating CMMC as one-and-done. The annual affirmation is non-negotiable.
  • Confusing FCI and CUI. If you have CUI, Level 1 will not be enough and you need a real NIST SP 800-171 program.
  • Letting the IT vendor self-attest on your behalf. The senior official signs in SPRS, not the MSP.

How a Cybersecurity Partner Helps

Most small DoD contractors do not have a full-time security team — and CMMC was not designed to be navigated alone. A qualified cybersecurity partner like Cybrvault can scope your environment, write the policies the DoD wants to see, configure your firewall and EDR, run the mock self-assessment, and prepare the affirmation package so the senior official can sign with confidence.

Cybrvault Cybersecurity is a Miami-based ethical hacking and compliance firm serving small DoD contractors across South Florida and the entire United States. Every CMMC engagement starts with a free, confidential discovery call. Visit https://www.cybrvault.com or call 305-988-9012 to talk through your contracts and timeline.

Final Thoughts

CMMC Level 1 is not a heavy lift — it is the baseline of cybersecurity hygiene every business should already be doing. The challenge for most small contractors is not the controls themselves, it is the documentation, the scoping, and the discipline to keep the program running year after year. Get scope right, stand up the 17 practices, document the evidence, and submit the affirmation. Do that, and you stay in the game for DoD work in 2026 and beyond.

Frequently Asked Questions

What is CMMC Level 1?

CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification program. It requires DoD contractors that handle Federal Contract Information (FCI) to implement 17 basic safeguarding practices from FAR 52.204-21, complete an annual self-assessment, and submit a senior-official affirmation in the DoD's SPRS system.

Who needs CMMC Level 1 certification?

Any DoD prime contractor or subcontractor that processes, stores, or transmits Federal Contract Information (FCI) needs CMMC Level 1. This applies to most small businesses in the defense supply chain — including services, IT, manufacturing, and product resellers — regardless of contract size.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is non-public information provided by or generated for the government under a contract — like statements of work, draft proposals, and purchase orders. Controlled Unclassified Information (CUI) is a specific marked category of sensitive government information governed by 32 CFR Part 2002. FCI triggers CMMC Level 1; CUI triggers CMMC Level 2 or higher and the 110 controls of NIST SP 800-171.

Can I self-assess for CMMC Level 1?

Yes. CMMC Level 1 is self-assessed annually — you do not need a C3PAO (third-party assessor). However, a senior company official must affirm the results in SPRS, and a false affirmation can create False Claims Act liability, so the assessment must be accurate and well-documented.

How many controls are in CMMC Level 1?

CMMC Level 1 has 17 practices drawn directly from FAR 52.204-21, covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

How much does CMMC Level 1 cost a small business?

For a typical 5–50 employee contractor with no prior compliance program, first-year costs run roughly $5,000–$20,000 including endpoint protection, a business-grade firewall, MFA, policy work, and outside help with scoping and the self-assessment. Microsoft 365 Business Premium or Google Workspace Business Plus often covers MFA and basic endpoint requirements as part of an existing license.

How long does it take to become CMMC Level 1 compliant?

Most small DoD contractors can reach Level 1 in 30–90 days with a focused plan: 30 days to scope and stabilize, 30 days to implement the 17 practices, and 30 days to document evidence, run a mock self-assessment, and submit the SPRS affirmation.

Do I have to renew CMMC Level 1 every year?

Yes. CMMC Level 1 requires an annual self-assessment and a fresh senior-official affirmation in SPRS, plus a re-assessment any time your environment materially changes (new systems, new locations, new cloud tenants, or significant staffing changes).
