
Framework guide

CMMC Level 1 self-assessment checklist

CMMC Level 1 is the entry tier of the Department of Defense's Cybersecurity Maturity Model Certification program. It covers 15 basic safeguarding requirements, it is self-assessed rather than audited, and it applies to contractors and subcontractors that handle Federal Contract Information. This guide walks through the requirements in plain language, family by family, with the documents that support each one.

Last reviewed: July 2026.

What CMMC Level 1 is

The CMMC Program is codified at 32 CFR Part 170. Level 1 consists of the 15 security requirements already found in FAR 52.204-21(b)(1), the Basic Safeguarding of Covered Contractor Information Systems clause that has appeared in federal contracts since 2016. CMMC Level 1 does not add new controls; it adds accountability for the controls that were already contractually required.

The accountability model has three parts. First, a self-assessment: your organization checks itself against all 15 requirements, and every requirement must be fully MET or NOT APPLICABLE. Plans of Action and Milestones (POA&Ms) are not permitted at Level 1, so there is no partial credit and no "we will fix it later." Second, submission: the results go into the Supplier Performance Risk System (SPRS), the DoD's database of record. Third, affirmation: a senior official from your company, the Affirming Official, formally attests in SPRS that the organization is compliant, at the time of the assessment and annually thereafter. The self-assessment itself must also be repeated every year.

That affirmation carries real weight. It is a statement to the federal government that a named executive stands behind, which is why the practical goal of a Level 1 program is not just passing a checklist but being able to show, on paper, why each answer is true.

Who needs it

Level 1 applies to DoD contractors and subcontractors whose systems process, store, or transmit Federal Contract Information (FCI): information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. The definition excludes information the government itself makes public and simple transactional information, such as what is needed to process payments, which matters when you scope which systems are in play. If you sell to the DoD, or you are a subcontractor to someone who does, and any contract information touches your systems, Level 1 is the floor. Handling Controlled Unclassified Information (CUI) pushes you to Level 2 instead.

The acquisition side of the program took effect on November 10, 2025, when the 48 CFR final rule made the CMMC contract clause (DFARS 252.204-7021) available for new solicitations, with a phased rollout that starts with self-assessed Level 1 and Level 2 requirements at contract award. Practically: if defense work is anywhere in your pipeline, the requirement is no longer hypothetical, and primes are already pushing it down to their subcontractors.

The checklist: 15 requirements in six families

The DoD's Level 1 assessment guide organizes the 15 FAR requirements into six practice families. Work through them in order; for a small business, most of the effort is in Access Control and System and Information Integrity.

  1. Access Control (AC)

    4 requirements
    • Limit system access to authorized users, and to the processes and devices acting for them.
    • Limit each user to the transactions and functions their role actually needs.
    • Verify and control connections to, and use of, external systems.
    • Control what gets posted on publicly accessible systems.

    In plain terms: Who can log in, what they can do once logged in, which outside systems you trust, and what ends up on your public website. For a small business this is mostly account hygiene: named accounts, role-based permissions, and a review step before anything is published publicly.

    Supporting documents: Account Management Policy, Acceptable Use Policy

  2. Identification and Authentication (IA)

    2 requirements
    • Identify system users and the processes and devices acting for them.
    • Authenticate users, processes, and devices before granting access.

    In plain terms: Every person and device gets its own identity, and that identity is verified before access is allowed. No shared logins, no anonymous devices on systems that touch contract information.

    Supporting documents: Account Management Policy, Information Security Policy

  3. Media Protection (MP)

    1 requirement
    • Sanitize or destroy media containing Federal Contract Information before disposal or reuse.

    In plain terms: One requirement, easy to miss: wipe or destroy drives, USB sticks, and paper that held contract information before you throw them out, sell them, or hand them to someone else.

    Supporting documents: Data Management Policy

  4. Physical Protection (PE)

    2 requirements
    • Limit physical access to systems, equipment, and operating environments to authorized individuals.
    • Escort visitors, monitor their activity, keep audit logs of physical access, and control physical access devices such as keys and badges.

    In plain terms: Who can walk up to the machines. Lock the office or server closet, keep track of keys and badges, and do not leave visitors alone next to the equipment that stores contract information.

    Supporting documents: Information Security Policy, Asset and Software Inventory Policy

  5. System and Communications Protection (SC)

    2 requirements
    • Monitor, control, and protect communications at the external boundaries and key internal boundaries of your systems.
    • Separate publicly accessible system components from your internal network.

    In plain terms: A working boundary between your network and the internet, and between your public-facing services and everything internal. In practice: a configured firewall and a public website that does not live inside your office network.

    Supporting documents: Network Architecture Plan, Secure Configuration Policy
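    As an added illustration of the two SC requirements, not code from the original page or from Security Binder: an nftables ruleset for a small office edge firewall with three interfaces. The interface names (wan0, lan0, dmz0) and the addresses are assumptions. It drops everything by default, admits only ports 80 and 443 from the internet to the web server in its own segment, and contains no rule that lets the DMZ segment initiate connections into the office network, which is the separation the second requirement asks for.

```nftables
# Added example (not the page's own content). Interface names and addresses are assumed:
#   wan0 = internet uplink, lan0 = office network, dmz0 = segment holding the public web server
define WEB = 192.168.20.10

table inet filter {
    chain input {
        # Traffic to the firewall itself: default deny.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # Firewall management only from the office segment.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic crossing the firewall between segments: default deny.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Office users may reach the internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # The internet may reach the public web server on 80/443 only.
        iifname "wan0" oifname "dmz0" ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # The web server may resolve names and fetch updates, nothing more.
        iifname "dmz0" oifname "wan0" udp dport 53 ct state new accept
        iifname "dmz0" oifname "wan0" tcp dport { 80, 443 } ct state new accept

        # Office admins may manage the web server.
        iifname "lan0" oifname "dmz0" ip daddr $WEB tcp dport { 22, 443 } ct state new accept

        # Deliberately no dmz0 -> lan0 rule: a compromised public host cannot
        # open connections into the office network (dropped by policy).
    }
}

table ip nat {
    chain prerouting {
        # Publish the web server on the firewall's public address.
        type nat hook prerouting priority -100;
        iifname "wan0" tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

    Load it with nft -f and keep the output of nft list ruleset with the network diagram; together they are the evidence behind both SC answers. If the public website is hosted by a third party rather than in your own DMZ, the separation requirement is met by the hosting arrangement and only the boundary rules for your office network remain to document.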

  6. System and Information Integrity (SI)

    4 requirements
    • Identify, report, and correct system flaws in a timely manner.
    • Protect against malicious code at appropriate locations.
    • Update malicious code protection when new releases are available.
    • Run periodic system scans and real-time scans of files from external sources.

    In plain terms: Patching and malware defense. Apply updates promptly, run reputable endpoint protection everywhere, keep it current, and scan what comes in from outside. Have a way to notice and respond when something slips through.

    Supporting documents: Vulnerability Management Plan, Incident Response Plan

How Level 1 differs from Level 2

Level 2 is a different order of magnitude. It requires all 110 security requirements of NIST SP 800-171 Revision 2, covering fourteen requirement families instead of six, and it applies when your systems handle CUI rather than just FCI. Under the phased acquisition rollout, most Level 2 work will eventually require a certification assessment by an authorized third-party assessment organization (C3PAO), whereas Level 1 always remains a self-assessment.

The practical advice: do not build for Level 1 in a way you would have to undo for Level 2. The 15 Level 1 requirements correspond to 17 of the 110 NIST SP 800-171 requirements (the Level 1 assessment guide notes the matching NIST requirement under each practice), so clean account management, patching, and boundary documentation done properly at Level 1 all carry forward if a CUI contract later pushes you up a tier.

Realistic timeline and effort

For a small business with reasonably modern IT (cloud email, managed laptops, a configured firewall), a first Level 1 self-assessment is typically weeks of part-time effort, not months. The technical controls are largely things competent IT already does; the work is scoping which systems handle FCI, confirming each of the 15 requirements is actually met on those systems, and writing down the evidence behind each answer.

Budget the effort in three phases. Scoping: identify where FCI lives and which assets are in scope, usually a few days of asset inventory and data-flow mapping. Gap fixing: whatever the walkthrough above surfaced, most commonly visitor logs, media disposal practice, and formal account reviews. Documentation and submission: write down policies and evidence, run the self-assessment, record the results in SPRS (Level 1 has no numeric score; each requirement is simply MET or NOT APPLICABLE), and have your Affirming Official affirm. Then put the annual repeat on the calendar, because both the self-assessment and the affirmation recur every year.

Build the documents behind your Level 1 answers.

CMMC Level 1 support in Security Binder is rolling out. The document mappings above are available today: generate structured drafts from guided questions, export them, and finish sensitive specifics locally.



This guide is general information, not legal or compliance advice. Security Binder prepares documentation. It does not guarantee compliance, certification outcomes, insurance coverage, or audit acceptance, and it does not substitute for licensed legal or audit review. CMMC is a program of the U.S. Department of Defense; framework names are the property of their respective publishers.