Two minutes on a federal contracting forum will leave you convinced that “everyone needs a SPRS score of 88 or above.” That's true at Level 2. It's false at Level 1, where most small DoD contractors actually live. This post explains how the Level 1 grading regime actually works, what “binary” means in plain English, and the only legitimate escape valve in the rule.
TL;DR — the rule in one sentence
What “binary” actually means
Three things, in the order they matter:
- Per requirement, the finding is one of three values: MET, NOT MET, or NOT APPLICABLE. There is no “mostly MET,” “MET except on one laptop,” or “MET if you don't look at the warehouse PC.” The finding applies to your scope as a whole.
- No numbers anywhere. No 0–110 scale, no percentages, no weights. The Level 1 self-assessment is a checklist of 15 items.
- The overall result is the rollup. All 15 MET → assessment MET. Any NOT MET → assessment NOT MET. The senior official cannot truthfully file a MET affirmation if any requirement is actually NOT MET.
The 15 requirements that must be MET
These are the safeguarding requirements at FAR 52.204-21(b)(1)(i)–(xv), grouped by the six CMMC Level 1 domains. Every one of them must be MET on every system that touches FCI.
| Domain | ID | Requirement |
|---|---|---|
| AC (Access Control) | AC.L1-3.1.1 | Limit access to authorized users |
| AC | AC.L1-3.1.2 | Limit functions per user |
| AC | AC.L1-3.1.20 | Control external connections |
| AC | AC.L1-3.1.22 | Control public information |
| IA (Identification & Authentication) | IA.L1-3.5.1 | Identify users & devices |
| IA | IA.L1-3.5.2 | Authenticate users & devices |
| MP (Media Protection) | MP.L1-3.8.3 | Sanitize media before disposal |
| PE (Physical Protection) | PE.L1-3.10.1 | Limit physical access |
| PE | PE.L1-3.10.3 | Escort & monitor visitors |
| PE | PE.L1-3.10.4 | Physical access logs |
| PE | PE.L1-3.10.5 | Manage physical access devices |
| SC (System & Communications Protection) | SC.L1-3.13.1 | Monitor communications at boundary |
| SC | SC.L1-3.13.5 | Public-system subnetworks |
| SI (System & Information Integrity) | SI.L1-3.14.1 | Identify & correct system flaws |
| SI | SI.L1-3.14.2 | Malicious code protection |
That's the entire program. Most are common-sense business hygiene a well-run small company is already doing in some form — the Level 1 assessment just asks you to do them deliberately and document the evidence.
Why Level 2 has a score and Level 1 doesn't
Two different problems, two different grading regimes.
| Property | Level 1 | Level 2 |
|---|---|---|
| Requirement count | 15 | 110 |
| Source | FAR 52.204-21(b)(1) | NIST SP 800-171 Rev. 2/3 |
| Scoring | Binary — MET / NOT MET | Numeric — −203 to +110 |
| Minimum to pass | All 15 MET | 88/110 (with POA&M) |
| POA&M permitted | No | Yes (close in 180 days) |
| Who assesses | Yourself, annually | C3PAO, every 3 years |
| Why scored this way | Small fixed set — either you do them or you don't | Large set — partial implementation is meaningful info for the government |
Binary scoring at Level 1 is not a quirk — it's the regulator's design choice. With only 15 requirements and every requirement being a non-negotiable basic hygiene item, a numeric score would just be misleading. Either you patch your systems or you don't. Either you run anti-malware or you don't. There is no “75 percent of a patch.”
The one escape valve: NOT APPLICABLE
Under the CMMC Assessment Guide — Level 1, a requirement can be marked NOT APPLICABLE rather than NOT MET in a narrow case: the requirement does not apply to your environment. The standard example is the requirement to manage physical access devices (PE.L1-3.10.5) in a fully remote company that has no office. You document the reason; you do not magically pass.
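As an added illustration of the rollup described above (per-system evidence collapses to one finding per requirement, any NOT MET sinks the whole assessment, NOT APPLICABLE needs a documented reason), here is example code that is not from this post or from any official CMMC tool; the system names and the "warehouse PC without anti-malware" scenario are constructed:

```python
from enum import Enum


class Finding(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


# The 15 FAR 52.204-21(b)(1) safeguards, by CMMC Level 1 practice ID.
LEVEL1_REQUIREMENTS = (
    "AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22",
    "IA.L1-3.5.1", "IA.L1-3.5.2", "MP.L1-3.8.3",
    "PE.L1-3.10.1", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5",
    "SC.L1-3.13.1", "SC.L1-3.13.5", "SI.L1-3.14.1", "SI.L1-3.14.2",
)


def requirement_finding(per_system, na_reason=None):
    """One finding for the whole scope. per_system maps each in-scope system
    to True (implemented) or False. The requirement is MET only if it is
    implemented on every system; a documented na_reason makes it N/A."""
    if na_reason:
        return Finding.NOT_APPLICABLE
    if not per_system or not all(per_system.values()):
        return Finding.NOT_MET  # "MET except on one laptop" is NOT MET
    return Finding.MET


def assessment_rollup(findings):
    """Every one of the 15 needs a recorded finding; any NOT MET makes the
    assessment NOT MET. Returns (overall_finding, list_of_not_met_ids)."""
    missing = [r for r in LEVEL1_REQUIREMENTS if r not in findings]
    if missing:
        raise ValueError(f"no finding recorded for {missing}")
    not_met = [r for r in LEVEL1_REQUIREMENTS if findings[r] is Finding.NOT_MET]
    return (Finding.NOT_MET if not_met else Finding.MET), not_met


def sample_assessment(warehouse_pc_has_av):
    """Constructed scope: two laptops plus a warehouse PC, no office."""
    systems = {"laptop-1": True, "laptop-2": True, "warehouse-pc": warehouse_pc_has_av}
    findings = {r: Finding.MET for r in LEVEL1_REQUIREMENTS}  # constructed evidence
    findings["SI.L1-3.14.2"] = requirement_finding(systems)
    findings["PE.L1-3.10.5"] = requirement_finding(
        {}, na_reason="fully remote; no physical access devices exist")
    return assessment_rollup(findings)
```

With anti-malware missing on the warehouse PC the rollup is NOT MET with SI.L1-3.14.2 listed; with it present the rollup is MET, and the N/A entry for PE.L1-3.10.5 changes nothing either way.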
What an audit failure actually costs
Level 1 has no C3PAO; the audit is your own self-assessment. So what's the consequence of failing? Three real scenarios:
- You honestly find one requirement NOT MET. Remediate it, re-test, and affirm. This is the system working as designed. Most first-year Level 1 contractors hit this loop once or twice.
- You affirm MET when one is actually NOT MET. A federal false statement under 18 U.S.C. § 1001 with False Claims Act exposure under 31 U.S.C. § 3729. The DOJ's Civil Cyber-Fraud Initiative has produced settlements between $1M and $9M+ against contractors who misrepresented cybersecurity posture. The affirming official is named personally.
- You miss the annual affirmation deadline. Your status in SPRS lapses. Contracts that condition award on a current affirmation become ineligible for you. The fix is to affirm; there is no penalty beyond lost eligibility, but the eligibility loss is real.
What to do this week
- Take the 4-minute SPRS readiness quiz to see how you stand on each of the 15 requirements right now.
- If you haven't scoped your environment, take the free CMMC check first.
- Read FAR 52.204-21(b)(1) yourself — the entire clause fits on a single page.
- Subscribe to the Monday Bid Digest for weekly Level 1-fit federal opportunities.
FAQ
What score do you need to pass CMMC Level 1?
There is no score. Level 1 is binary — every one of the 15 requirements must be MET. The 0–110 score belongs to Level 2.
Can Level 1 use a POA&M?
No. 32 CFR § 170.21(a) requires every requirement to be MET at the time of the annual affirmation. POA&M is a Level 2 feature.
What if one requirement is NOT MET?
The whole assessment is NOT MET. Remediate, re-test, then affirm. Don't file MET when something is NOT MET.
Is there partial credit?
No. Each requirement is MET, NOT MET, or NOT APPLICABLE. Anything short of MET counts as NOT MET for the rollup.
Is binary scoring harder than Level 2's score?
Easier overall for small contractors — fewer requirements, no C3PAO, no SSP-to-objectives mapping. The per-requirement bar is strict, but the total surface area is much smaller.