The answer in 50 words
CMMC Level 1 is the DoD's lowest cybersecurity requirement, mandatory for any contractor handling Federal Contract Information (FCI). It requires you to meet 15 safeguarding requirements from FAR 52.204-21, self-assess annually, and have a senior official affirm the result in SPRS. There is no score — it is binary: MET or NOT MET.
Free 4-question scoping check. Tells you Level 1, Level 2, or not applicable — same logic a DoD contracting officer uses.
Free 15-question readiness quiz against FAR 52.204-21. Shows exactly which safeguards are MET and which still need work before your senior official signs the affirmation.
Why CMMC Level 1 is a business opportunity, not a tax
Federal contracting is the largest single buyer in the world. DoD alone obligated over $400 billion in contracts in FY 2024, and roughly a quarter of that flowed to small businesses — much of it to firms doing the exact work you already do for commercial customers: IT, machining, staffing, construction, electrical, logistics, software, engineering, facilities.
What gates access is not capability. It's a current CMMC Level 1 affirmation in SPRS. Get the affirmation and you unlock:
- DoD subcontracts that flow FAR 52.204-21 down from primes (Lockheed, RTX, GD, Northrop, L3Harris, etc.).
- Small-business set-aside primes (SDVOSB, WOSB, 8(a), HUBZone, SDB).
- SBIR/STTR Phase I and Phase II awards.
- Agency direct buys and micro-purchase windows (under $250k threshold).
- GSA Multiple Award Schedule (MAS) federal sales pipelines that increasingly require CMMC posture.
The work is the same work you already do. The credential is what lets a contracting officer give you the contract.
What CMMC Level 1 actually is
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's program for verifying that contractors handling sensitive government information have basic cybersecurity hygiene in place. The program is codified at 32 CFR Part 170 and enforced through the DFARS clause 252.204-7021.
Level 1 is the entry tier. It applies to contractors that handle Federal Contract Information (FCI) — non-public information provided by or generated for the government under a contract — but not Controlled Unclassified Information (CUI). The requirements come straight from FAR 52.204-21(b)(1) — the same 15 basic safeguards every federal contractor has owed since 2016. For the clause itself — what it requires, who it covers, and how it flows down to subcontractors — see our full guide to FAR 52.204-21.
What CMMC adds is a verification layer: the contractor must now self-assess annually, document the result, and have a senior official affirm in SPRS (the DoD Supplier Performance Risk System) that the 15 safeguards are met. A false affirmation is a federal false statement and a False Claims Act exposure. The compliance standard is the same; the accountability is new.
Who needs CMMC Level 1
You need CMMC Level 1 if all four are true:
- You hold or seek a DoD contract or subcontract.
- The contract incorporates FAR 52.204-21 and/or DFARS 252.204-7021 (it flows down to subs automatically when the prime is in scope).
- You handle Federal Contract Information (FCI) — non-public information shared as part of the contract.
- You do not handle Controlled Unclassified Information (CUI). If you do, you need CMMC Level 2 instead.
If you only sell commercial products to commercial customers, CMMC does not apply. If you sell to civilian agencies (GSA, DHS, HHS), FAR 52.204-21 still applies but CMMC affirmation in SPRS does not — yet. The pending FAR CUI Rule (RIN 9000-AN56) may extend similar requirements government-wide.
Not sure? Walk the 4-question decision tree — it's the same tree a DoD contracting officer would use.
Concrete examples of who needs CMMC Level 1
If you see your business in this list, you almost certainly need CMMC Level 1. None of these businesses are "cybersecurity companies" — they're ordinary firms doing ordinary work for DoD:
- An electrical contractor wiring a hangar at a Navy base under a subcontract from a prime.
- A machine shop producing non-classified metal parts for a DoD aerospace supplier.
- An IT staffing firm placing developers on a DoD project where the contract data isn't marked CUI.
- A janitorial or facilities subcontractor servicing a DoD installation.
- A logistics or freight firm moving non-sensitive DoD cargo.
- An SBIR Phase I winner in a non-CUI topic area — the Phase I contract triggers FAR 52.204-21 flow-down. See the CMMC timeline for SBIR Phase I winners.
- A software development sub building a non-CUI internal tool for a DoD agency.
- A construction subcontractor on a base renovation contract.
If your work touches anything marked CUI — technical drawings of weapons systems, ITAR-controlled data, export-controlled engineering specs — you need CMMC Level 2, not Level 1.
The 15 safeguarding requirements (and 17 CMMC practices)
CMMC Level 1 maps to 15 plain-language requirements at FAR 52.204-21(b)(1)(i)–(xv). The CMMC Assessment Guide expresses those as 17 practice IDs across six security families. Every Level 1 affirmation in SPRS rolls up to a single "MET": every practice must be implemented for the overall affirmation to be valid (32 CFR § 170.24).
Access Control (AC)
- AC.L1-3.1.1 — Limit system access to authorized users
- AC.L1-3.1.2 — Limit transactions to authorized functions
- AC.L1-3.1.20 — Control connections to external systems
- AC.L1-3.1.22 — Control information posted publicly
Identification & Authentication (IA)
- IA.L1-3.5.1 — Identify users, processes, and devices
- IA.L1-3.5.2 — Authenticate users, processes, and devices
Media Protection (MP)
- MP.L1-3.8.3 — Sanitize or destroy media before disposal or reuse
Physical Protection (PE)
- PE.L1-3.10.1 — Limit physical access to authorized individuals
- PE.L1-3.10.3 — Escort visitors and monitor visitor activity
- PE.L1-3.10.4 — Maintain audit logs of physical access
- PE.L1-3.10.5 — Control and manage physical access devices
System & Communications Protection (SC)
- SC.L1-3.13.1 — Monitor and control communications at boundaries
- SC.L1-3.13.5 — Use subnetworks for publicly accessible systems
System & Information Integrity (SI)
- SI.L1-3.14.1 — Identify, report, and correct system flaws
- SI.L1-3.14.2 — Provide protection from malicious code
- SI.L1-3.14.4 — Update malicious-code protection mechanisms
- SI.L1-3.14.5 — Perform periodic and real-time scans
Each requirement is unpacked in plain English — including what evidence satisfies it — in the full walkthrough of the 15 FAR 52.204-21 requirements.
SPRS and the annual affirmation
The Supplier Performance Risk System (SPRS) is the DoD's central system for supplier risk data. For CMMC Level 1, your record in SPRS contains one thing: a senior official's annual affirmation that your organization meets the 15 FAR 52.204-21 safeguarding requirements.
There is no numeric "SPRS score" at Level 1. The 0–110 score you may have read about applies only to CMMC Level 2 (the NIST SP 800-171 Basic Assessment). At Level 1 the affirmation is binary. Read CMMC Level 1 Is Binary — There Is No Score for the long version, and what to send a prime that asks for your score for the email template. To run the assessment itself, follow the step-by-step CMMC Level 1 self-assessment guide. And if a prime told you to get “certified,” read how CMMC Level 1 certification actually works — there is no third-party certificate at Level 1.
What CMMC Level 1 actually costs in 2026
There is no government filing fee. The DoD does not charge you to post the affirmation. Real costs are time and tooling:
- DIY: $0–$1,500 in cash if you already pay for Microsoft 365 Business Premium or Google Workspace Business Plus + 20–40 hours of founder/admin time.
- vCISO / consultant: $6,000–$18,000 for a full Level 1 engagement at $150–$300/hour.
- Guided SaaS (Custodia): $249/month Self Service (or $2,496/year on annual — two months free) or $397/month with a credentialed Custodia compliance officer on call. 7-day free trial, no card.
See the full breakdown in CMMC Level 1 Cost in 2026: DIY vs Consultant vs SaaS, or compare the tools head-to-head in CMMC compliance software.
CMMC Level 1 vs CMMC Level 2
| Dimension | Level 1 | Level 2 |
|---|---|---|
| Data type | FCI | CUI |
| Controls | 15 FAR safeguards (17 CMMC practices) | 110 NIST SP 800-171 controls |
| Assessment | Annual self-assessment | Triennial C3PAO assessment (most) |
| SPRS result | Binary (MET / NOT MET) | Score –203 to 110 |
| Typical cost | $0–$18k one-time + $249/mo SaaS | $20k–$200k+ per assessment cycle |
Long version with side-by-side examples: CMMC Level 1 vs Level 2. If you're unsure which data type you handle, start with What Is FCI?
7-day path to a CMMC Level 1 SPRS affirmation
- Step 1: Confirm CMMC Level 1 applies to you
Verify your contract or solicitation includes FAR 52.204-21 (and DFARS 252.204-7021 at Level 1), and that the data you handle is Federal Contract Information — not Controlled Unclassified Information. If you handle any CUI, you need Level 2 instead.
- Step 2: Inventory your FCI assets
List every device, account, and location that stores, processes, or transmits FCI. This is your assessment scope. For most small contractors it is one cloud tenant (M365 or Workspace), 5–25 endpoints, and one office.
- Step 3: Implement the 15 FAR 52.204-21 safeguarding requirements
Enable MFA on all accounts, restrict admin privileges, install endpoint anti-malware, configure boundary controls, sanitize media before disposal, lock the office, escort visitors, and patch systems. Most of this is configuration of tools you already have.
- Step 4: Draft a System Security Plan (SSP)
Document — in writing — how your environment satisfies each of the 15 safeguards. The SSP is the single artifact a prime, contracting officer, or DIBCAC reviewer will ask for. It does not need to be long, but it must be specific.
- Step 5: Run the annual self-assessment
Walk through each of the 17 CMMC practice IDs (mapped from the 15 FAR requirements) and confirm MET against the NIST SP 800-171A assessment objectives. Document evidence (screenshots, logs, policies) for each.
- Step 6: Have a senior official sign the affirmation
A senior company official (typically owner, CEO, or CISO) signs the SPRS affirmation, attesting under 32 CFR § 170.22 to the accuracy of the assessment. This person is personally responsible.
- Step 7: Post the affirmation in SPRS
Log into PIEE (piee.eb.mil), open the SPRS module, select 'CMMC Level 1 (Self) Affirmation', enter the assessment date and CAGE code, and submit. The post is free. Save the confirmation.
- Step 8: Maintain continuously and re-affirm annually
Patch, monitor, train staff, and update evidence as systems change. Re-affirm in SPRS every 12 months. Custodia handles continuous monitoring and the annual re-affirmation for paid members.
Regulatory timeline
- 2016 — FAR 52.204-21 published. The 15 basic safeguarding requirements become federal acquisition law for all contractors handling FCI.
- 2020 — DFARS Interim Rule (252.204-7019/7020) requires NIST 800-171 self-assessment scores in SPRS for DoD contractors handling CUI.
- Oct 15, 2024 — CMMC Final Rule (32 CFR Part 170) published. Effective December 16, 2024.
- Nov 10, 2025 — 48 CFR rule (the contract-clause side, DFARS 252.204-7021 amendment) begins phased rollout in DoD solicitations. Phase 1 of 4.
- Through Nov 2028 — Phases 2–4 expand the clause to most DoD solicitations. By the end of the rollout, substantially all DoD contracts handling FCI or CUI carry the CMMC requirement.
CMMC Level 1: Frequently Asked Questions
What is CMMC Level 1?
CMMC Level 1 is the lowest tier of the Department of Defense's Cybersecurity Maturity Model Certification program. It applies to any contractor that handles Federal Contract Information (FCI) on a DoD contract and requires implementation of the 15 basic safeguarding requirements from FAR 52.204-21(b)(1), annual self-assessment, and a senior official affirmation posted in the Supplier Performance Risk System (SPRS). It is binary — MET or NOT MET — not a numeric score.
Who needs CMMC Level 1?
Any organization that holds or seeks a DoD contract or subcontract that flows down FAR 52.204-21 and handles Federal Contract Information (FCI) — but not Controlled Unclassified Information (CUI). That generally means small primes and subcontractors providing non-classified products and services to DoD where the contract data is not public but is not marked CUI. Contractors handling CUI need CMMC Level 2.
How many requirements are in CMMC Level 1?
Fifteen. They come directly from FAR 52.204-21(b)(1)(i)–(xv) and cover six security families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. The CMMC Assessment Guide expresses these as 17 practice IDs because one FAR requirement splits into multiple sub-practices.
Is CMMC Level 1 self-attested or third-party assessed?
Self-attested. The contractor performs the annual self-assessment, a senior official affirms the result, and the affirmation is posted in SPRS. Unlike CMMC Level 2 (which requires a C3PAO assessment for most contracts), Level 1 does not require a third-party assessor.
How often do I have to renew my CMMC Level 1 affirmation?
Annually. The senior official affirmation in SPRS must be renewed every 12 months. Each affirmation covers the prior assessment cycle. Per 32 CFR § 170.21(a)(2), the senior official is personally responsible for the affirmation's accuracy.
What does CMMC Level 1 cost in 2026?
There is no government filing fee. Real costs are time (20–40 hours DIY) and tooling. Typical 2026 paths: do-it-yourself with existing Microsoft 365 or Google Workspace tenants ($0 cash + 30 hours), vCISO consultant ($6,000–$18,000), or guided SaaS like Custodia ($249/month Self Service — or $2,496/year on annual — or $397/month with a credentialed Custodia Compliance Officer assigned to your account). The SPRS affirmation itself is free.
Can I bid on DoD contracts without CMMC Level 1?
Increasingly, no. Under the 48 CFR phased rollout that began November 10, 2025, more DoD solicitations require a current SPRS affirmation at the time of award. For Level 1 set-aside opportunities, the affirmation is the bid-eligibility step. Solicitations vary — some require it at proposal submission, others at award.
What happens if I file a false CMMC Level 1 affirmation in SPRS?
A false SPRS affirmation is a federal false statement under 18 U.S.C. § 1001 and actionable under the False Claims Act (31 U.S.C. § 3729). The DOJ has prosecuted multiple FCA cases against contractors for misrepresenting NIST 800-171 / CMMC posture; settlements have ranged from $300,000 to over $9 million. The senior official who signs the affirmation is personally exposed.
What's the difference between CMMC Level 1 and CMMC Level 2?
Level 1 covers 15 FAR safeguards for handling Federal Contract Information (FCI), self-attested annually in SPRS. Level 2 covers all 110 NIST SP 800-171 controls for handling Controlled Unclassified Information (CUI), typically requires a third-party C3PAO assessment every three years, and yields a numeric SPRS score from –203 to 110.
How long does it take to get CMMC Level 1 ready?
A small contractor on a modern cloud tenant (Microsoft 365 Business Premium or Google Workspace Business Plus) typically gets to a defensible package in 3–5 business days. Most of the technical safeguards (MFA, antivirus, account lockout, boundary protection) are already enabled in the default tenant configuration and only need to be documented in a System Security Plan. The longer items are media-sanitization procedures and physical-access log routines.
The official DoD CMMC Level 1 documents (PDFs)
Everything on this page is derived from the three documents below. They are the U.S. Department of Defense Chief Information Officer's authoritative publications for CMMC Level 1, released September 2024, version 2.13. “DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.” We mirror them here so you can verify every claim against the actual regulation.
- CMMC Scoping Guide — Level 1 (v2.13): How to draw the boundary around your in-scope systems · 6 pages
- CMMC Assessment Guide — Level 1 (v2.13): Per-practice objectives, evidence examples, MET/NOT MET rules · 53 pages
- CMMC Model Overview (v2.13): Full model: 3 levels, 14 domains, complete practice matrix · 46 pages
Documents reproduced under DoD Distribution Statement A. Custodia is not affiliated with or endorsed by the Department of Defense. Authoritative DoD copy: dodcio.defense.gov/CMMC/Documentation. Full curated index of all CMMC, SPRS, FAR, DFARS, and NIST primary sources on the regulations hub.
Get CMMC Level 1 done in a week
Custodia walks you through all 15 FAR 52.204-21 safeguarding requirements, drafts your SSP and affirmation memo, and posts you to SPRS — all inside a 7-day free trial. No credit card. $249/month after if you stay (or $2,496/year on annual — two months free), or $397/month with a credentialed Custodia compliance officer on call.