This is the single page to read if you're a small DoD contractor staring at a contract clause and wondering what CMMC Level 1 actually means for you in 2026. It pulls together everything the other posts cover in detail, in the order you actually need it.
If you only have 60 seconds, read the TL;DR. If you have ten minutes, read the whole thing — it will save you a week.
TL;DR in 60 seconds
- CMMC Level 1 = the 15 basic safeguarding requirements in FAR 52.204-21(b)(1). Not 110. Not 17 practices (17 is the count when those same 15 requirements are mapped onto NIST SP 800-171 practice IDs).
- It applies to contractors handling FCI only. If you handle CUI, you need Level 2.
- It's self-assessed — no C3PAO, no DIBCAC, no auditor visiting your office.
- Annual cycle: self-assess → post the result in SPRS → senior official affirms. Repeat every 12 months.
- Contractually enforced via DFARS 252.204-7021, in effect since November 10, 2025.
- Real cost for a small business: roughly $300–$15,000 depending on whether you DIY, use a platform, or hire a consultant.
- Lying on the affirmation = False Claims Act exposure under the DOJ Civil Cyber-Fraud Initiative. Honest mistakes are not FCA cases.
What CMMC Level 1 is
CMMC (Cybersecurity Maturity Model Certification) is the DoD's program for verifying that contractors implement the cybersecurity controls already required by federal regulation. It has three levels:
- Level 1 — 15 safeguarding requirements (FAR 52.204-21), self-assessed annually. For FCI.
- Level 2 — 110 controls (NIST SP 800-171), self or C3PAO assessed every 3 years. For CUI.
- Level 3 — 110 + 24 controls (800-171 + 800-172), DIBCAC assessed every 3 years. For critical CUI programs.
The program is established by 32 CFR Part 170 (the program rule, effective December 16, 2024) and made contractual by 48 CFR (DFARS 252.204-7021) (effective November 10, 2025).
Do I need it?
Three conditions need to be true for CMMC Level 1 to apply:
- You have (or will have) a contract or subcontract with DoD.
- The contract includes FAR 52.204-21 and DFARS 252.204-7021.
- You handle FCI but not CUI in performance of the contract.
If you handle CUI as well, you need Level 2, not Level 1. If you only have commercial-off-the-shelf (COTS) item contracts and never touch any non-public contract information, the FAR clause may not apply at all. The fast triage is the 4-question decision tree.
The right way to think about FCI vs CUI is covered in detail here — but the short version: FCI is non-public information the government gives you to perform a contract. CUI is a narrower, explicitly marked category of sensitive but unclassified information that triggers stronger requirements.
The 15 safeguarding requirements
The full breakdown lives at CMMC Level 1: The 15 FAR Safeguarding Requirements. The short list:
- AC.1 — Limit system access to authorized users.
- AC.2 — Limit access to authorized transactions and functions.
- AC.3 — Verify connections to/use of external systems.
- AC.4 — Control information posted on publicly accessible systems.
- IA.1 — Identify users, processes, devices.
- IA.2 — Authenticate identities before granting access.
- MP.1 — Sanitize media before disposal/reuse.
- PE.1 — Limit physical access to systems and facilities.
- PE.2 — Escort visitors; monitor activity.
- PE.3 — Maintain physical access logs.
- SC.1 — Monitor/control communications at external boundaries.
- SC.2 — Subnetwork separation for publicly accessible components.
- SI.1 — Identify and correct system flaws.
- SI.2 — Protect against malicious code.
- SI.3 — Monitor security alerts/advisories.
None of these are exotic. For a shop running M365 or Google Workspace, an MDM, antivirus, MFA, and a locked office door, most of the implementation already exists — the work is documenting that it does.
The compliance process (5 steps)
- Scope. Identify your FCI assets — what systems touch contract information? That set is your assessment scope. Everything else is out of scope. (See scoping guide.)
- Self-assess. Walk each of the 15 requirements. Mark MET or NOT MET against evidence. There's no partial credit at Level 1 — it's binary. (See Level 1 is binary.)
- Remediate. Anything NOT MET gets fixed before you affirm. Most of the “fixes” are documentation: writing down the policy you already follow.
- Post to SPRS. Submit the compliance result in the Supplier Performance Risk System. Level 1 is binary — you confirm full implementation. (See how to post your SPRS score.)
- Senior official affirms. A named senior official electronically affirms continued compliance under 32 CFR 170.22. Repeat annually.
The senior official affirmation
32 CFR 170.22 requires a named senior official to electronically affirm continued compliance every 12 months. For Level 1, this is the legal teeth of the program. The senior official is the person whose signature creates FCA exposure if it's false.
Who? Owner, president, CEO, or a designated senior official with authority to bind the company. Not your IT contractor. Not a compliance consultant. Someone on your org chart with executive authority. See the annual affirmation explained for the full picture.
Scoping: drawing your FCI boundary
Scope is the highest-leverage decision you make in Level 1. Everything inside the scope must meet all 15 requirements; everything outside is irrelevant. Most small contractors waste weeks because they over-scope (the entire company network) instead of drawing the smallest defensible boundary (one shared drive folder, one email distribution group).
The scoping guide has the long version. The principle: scope = anywhere FCI is stored, processed, or transmitted, plus the systems that directly protect or manage those.
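The scoping rule above applied mechanically, as an added example that is not code from the page or from any product it mentions. It takes a constructed asset inventory, marks an asset in scope if it stores, processes, or transmits FCI, adds the assets that directly protect or manage one of those (one hop, as the page states the rule), and reports everything else as out of scope. The asset names and the `protects` relationships are assumptions for illustration; replace them with your own inventory.

```python
"""FCI scoping helper: added example, not from the page or any vendor tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    stores: bool = False      # FCI at rest on this asset
    processes: bool = False   # FCI handled or viewed on this asset
    transmits: bool = False   # FCI passes through this asset
    # Names of assets this one directly protects or manages (constructed relationships).
    protects: frozenset = frozenset()

    def handles_fci(self) -> bool:
        return self.stores or self.processes or self.transmits


def compute_scope(assets):
    """Return (in_scope, out_of_scope) as sorted name lists.

    in_scope = assets that handle FCI, plus assets that directly protect or
    manage at least one of them. Anything else is outside the Level 1 boundary.
    """
    by_name = {a.name: a for a in assets}
    for a in assets:
        missing = a.protects - by_name.keys()
        if missing:
            raise ValueError(f"{a.name} protects unknown asset(s): {sorted(missing)}")

    fci_assets = {a.name for a in assets if a.handles_fci()}
    # One hop only: a system counts because it protects an FCI asset, not because
    # it protects another protecting system. That keeps the boundary small.
    protecting = {a.name for a in assets if a.protects & fci_assets}
    in_scope = fci_assets | protecting
    out_of_scope = by_name.keys() - in_scope
    return sorted(in_scope), sorted(out_of_scope)


# Constructed inventory for a small shop (names are assumptions, not real systems).
INVENTORY = [
    Asset("m365-fci-sharepoint", stores=True, transmits=True),
    Asset("engineering-laptops", processes=True),
    Asset("entra-id", protects=frozenset({"m365-fci-sharepoint", "engineering-laptops"})),
    Asset("laptop-mdm", protects=frozenset({"engineering-laptops"})),
    Asset("office-firewall", protects=frozenset({"engineering-laptops", "guest-wifi"})),
    Asset("guest-wifi"),
    Asset("marketing-website"),
    Asset("accounting-saas"),
]


def over_scoped(assets) -> bool:
    """True when every asset lands in scope: the 'whole network' mistake."""
    in_scope, out_of_scope = compute_scope(assets)
    return not out_of_scope


if __name__ == "__main__":
    inside, outside = compute_scope(INVENTORY)
    print("IN SCOPE :", ", ".join(inside))
    print("OUT      :", ", ".join(outside))
    if over_scoped(INVENTORY):
        print("warning: everything is in scope; check the inventory flags")
```

The out-of-scope list is the part worth keeping with your evidence: it documents why the guest Wi-Fi, the marketing site, and the accounting SaaS do not have to meet the 15 requirements.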
What evidence actually means
At Level 1, “evidence” doesn't mean SOC 2-style audit packets. It means a written explanation of how you meet each requirement, ideally with one or two screenshots or configuration exports. For example, AC.1 (limit system access to authorized users) is satisfied by:
- A short policy line: “Access to FCI systems is granted only after manager approval and removed on termination.”
- A screenshot of your M365 / Google Workspace admin user list.
- An offboarding checklist that includes account disablement.
That's it. The goal is “a reasonable person could verify this is true.” You do not need a 30-page SSP for Level 1. (See our free SSP template.)
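The AC.1 evidence the list above describes (an approved user list plus an offboarding step that disables accounts) can be checked rather than just screenshotted. Below is an added example, not code from the page or from any vendor, that cross-checks a user-directory export against the HR roster and flags enabled accounts that no current employee justifies. Both CSVs are constructed samples with assumed column names; an M365 or Google Workspace export will need its columns trimmed to match, and the service-account allowlist is an assumed convention.

```python
"""AC.1 evidence check: enabled accounts with no authorized owner.
Added example; the CSV data and column layout are constructed, not real exports."""
import csv
import io
from datetime import date

# Constructed directory export (assumed columns: upn, display_name, enabled, last_sign_in).
DIRECTORY_CSV = """upn,display_name,enabled,last_sign_in
alice@example.com,Alice Ng,True,2026-03-02
bob@example.com,Bob Ortiz,True,2025-11-18
carol@example.com,Carol Dube,False,2025-06-30
svc-backup@example.com,Backup Service,True,2026-03-01
"""

# Constructed HR roster (assumed columns: email, name, status, termination_date).
HR_CSV = """email,name,status,termination_date
alice@example.com,Alice Ng,active,
bob@example.com,Bob Ortiz,terminated,2025-11-20
carol@example.com,Carol Dube,terminated,2025-06-30
"""

# Service accounts have no HR record; each needs a named owner (assumed convention).
APPROVED_SERVICE_ACCOUNTS = {"svc-backup@example.com": "IT manager"}


def parse_csv(text: str):
    return list(csv.DictReader(io.StringIO(text)))


def find_access_exceptions(directory_rows, hr_rows, service_accounts, today: date):
    """Return (account, reason) pairs for enabled accounts that AC.1 cannot justify.

    Disabled accounts are skipped: a disabled account for a terminated person is
    the offboarding checklist working as written.
    """
    roster = {r["email"].strip().lower(): r for r in hr_rows}
    exceptions = []
    for row in directory_rows:
        if row["enabled"].strip().lower() != "true":
            continue
        upn = row["upn"].strip().lower()
        if upn in service_accounts:
            continue  # owned service account; its justification lives elsewhere
        person = roster.get(upn)
        if person is None:
            exceptions.append((upn, "enabled account with no HR record"))
            continue
        if person["status"].strip().lower() == "terminated":
            term_raw = person["termination_date"].strip()
            if not term_raw:
                exceptions.append((upn, "terminated with no termination date on file"))
                continue
            term = date.fromisoformat(term_raw)
            if term <= today:
                days = (today - term).days
                exceptions.append((upn, f"still enabled {days} days after termination"))
    return exceptions


def run_check(today: date):
    return find_access_exceptions(
        parse_csv(DIRECTORY_CSV), parse_csv(HR_CSV), APPROVED_SERVICE_ACCOUNTS, today
    )


if __name__ == "__main__":
    findings = run_check(date(2026, 3, 10))
    if not findings:
        print("AC.1: no exceptions; attach this output as evidence")
    for account, reason in findings:
        print(f"AC.1 exception: {account}: {reason}")
```

Run it on the day you assemble evidence and keep the output next to the user-list screenshot. An empty result is the evidence; a non-empty one is a NOT MET you fix before the senior official signs.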
Real costs in 2026
DoD's own published cost estimate for small business Level 1 (in the 32 CFR 170 final rule): roughly $4,000 in year 1, $4,000 annually after. That assumes part-time internal labor at a burdened rate. Actual market pricing:
- DIY from templates: $0 in cash, ~30–60 hours of internal time over a few weeks.
- Self-serve platform (Custodia): ~$300/year, ~1–5 days of internal time.
- Consultant-led: $5,000–$15,000 for a first-year engagement, $2,000–$5,000 annually for maintenance.
Detail in CMMC Level 1 cost breakdown. The honest truth: if you have basic IT discipline, a self-serve platform pays for itself the first time it saves you a day of copy-pasting policy templates.
Timeline (DIY vs platform vs consultant)
| Approach | Calendar time | Internal effort | Cash cost |
|---|---|---|---|
| DIY from templates | 3–6 weeks part-time | 30–60 hours | $0 |
| Self-serve platform | 1–5 working days | 8–20 hours | ~$300/yr |
| Consultant-led | 2–6 weeks | 10–20 hours | $5K–$15K |
The FCA exposure (real but manageable)
Once DFARS 252.204-7021 took effect (November 2025), the senior official affirmation became a material condition of award. Material + knowingly false = potential False Claims Act case under the DOJ Civil Cyber-Fraud Initiative.
The cases that have settled — Aerojet Rocketdyne ($9M, 2022), Penn State ($1.25M, 2024) — both turned on internal records showing the company knew the controls weren't in place. Honest mistakes and good-faith remediation don't meet the FCA's knowledge standard. Full breakdown: CMMC and the False Claims Act.
Common mistakes
- Confusing Level 1 with Level 2. The single biggest waste of money. If you only handle FCI, do not pay for a 110-control assessment. (See L1 vs L2 and CMMC vs NIST 800-171.)
- Over-scoping. Don't scope your whole network. Scope only the systems that touch FCI.
- Affirming with NOT MET items. The affirmation is binary. Fix gaps first.
- Senior official rubber-stamping. They need to actually read what they're signing. This is the single highest-leverage FCA defense.
- Hiring a consultant for a $300 problem. If your shop has basic IT discipline, a platform is faster and cheaper.
- Forgetting it's annual. The affirmation renews every 12 months. Calendar it on signature day.
The fast path
If you want the absolute shortest line from “contract has DFARS -7021 in it” to “SPRS affirmation done”:
- Read the decision tree (5 minutes). Confirm Level 1.
- Sign up for Custodia (free 7-day trial, no card).
- Walk the 15 requirements in the wizard (1–3 hours).
- Remediate any NOT MET items (varies; usually 0–2 days).
- Generate SSP and affirmation packet (instant).
- Senior official reviews and signs (15 minutes).
- Post in SPRS (30 minutes, how-to).
- Calendar the annual refresh on the affirmation date.
FAQ
What is CMMC Level 1?
CMMC Level 1 is the lowest of the three Cybersecurity Maturity Model Certification tiers. It applies to DoD contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires implementing the 15 basic safeguarding requirements in FAR 52.204-21(b)(1), performing an annual self-assessment, posting the result in SPRS, and having a senior official affirm continued compliance every 12 months.
Who needs CMMC Level 1?
Any contractor (or sub) on a DoD contract that includes FAR 52.204-21 and DFARS 252.204-7021, and whose work involves FCI but not CUI. In practice, this is most small subs: anyone who receives non-public contract information as part of contract performance (drawings, statements of work, pricing, unmarked technical data). One caveat: FCI is usually not marked at all, while legacy FOUO markings and CUI banners signal CUI. If the documents you receive carry those markings, you are probably in Level 2 territory, not Level 1.
How much does CMMC Level 1 cost?
The DoD's own estimate (from the 32 CFR 170 final rule) is roughly $4,000 for a small business in the first year and $4,000 in recurring annual cost. In practice, total-cost-of-compliance varies from ~$300 (Custodia, self-serve) to $5,000–$15,000 (consultant-led) depending on whether you DIY, use a self-serve platform, or hire a consultant.
Do I need a C3PAO for Level 1?
No. Level 1 is self-assessed. C3PAOs only assess Level 2 (and DIBCAC assesses Level 3). If a consultant tells you that you need a C3PAO for Level 1, they're either wrong or upselling you to Level 2 — neither is good.
How long does CMMC Level 1 take?
Implementation depends on your starting point. A typical 10-person sub with M365/Google Workspace and basic IT hygiene can complete the self-assessment, SSP, and SPRS posting in 1–5 working days using a self-serve platform. From scratch, with no documentation and weak IT controls, expect 3–6 weeks of part-time work or a 2-week consultant engagement.
What happens if I lie on the affirmation?
Knowing false statements on the SPRS affirmation can trigger False Claims Act exposure under the DOJ Civil Cyber-Fraud Initiative. The FCA itself is civil (treble damages, per-claim penalties), not criminal. Honest gaps remediated in good faith are not FCA cases — but make sure your internal documentation reflects that good faith. See our detailed write-up on CMMC and the FCA.
Is CMMC Level 1 the same as NIST 800-171?
No. NIST SP 800-171 has 110 controls and corresponds to CMMC Level 2. CMMC Level 1 is the 15-requirement subset from FAR 52.204-21(b)(1), which maps to 17 NIST practice IDs. If you only handle FCI, you do not need to implement all of 800-171.