FAR 52.204-21(b)(1)(i)–(xv)
The 15 CMMC Level 1 requirements, in plain English
Every CMMC Level 1 practice has the same shape on this site: official text, what it actually means, what evidence satisfies it, how shops fail it, and a weekend-scale fix. Pick the one you're stuck on and start there.
15, not 17. CMMC Level 1 is 15 safeguarding requirements across 6 domains (FAR 52.204-21(b)(1)(i)–(xv)). The legacy NIST 800-171 r2 mapping had 17 control IDs because one Physical Protection requirement (PE.L1-b.1.ix) decomposes into three legacy entries. The regulation is 15.
Access Control
Who gets in, and what can they do once they're in.
- Practice 1 of 15 | AC.L1-b.1.i | FAR 52.204-21(b)(1)(i)
Limit access to authorized users
Every system that touches Federal Contract Information must restrict access to people you've authorized. No anonymous logins, no shared "admin" accounts, no public file shares with FCI in them. Every user who can reach FCI has a named, individually identifiable account.
- Practice 2 of 15 | AC.L1-b.1.ii | FAR 52.204-21(b)(1)(ii)
Limit what authorized users can do
Authorizing someone to log in is not the same as authorizing them to do everything. Limit each user to the transactions and functions their job actually requires — admin actions for admins, read-only for reviewers, no FCI access for unrelated roles.
- Practice 3 of 15 | AC.L1-b.1.iii | FAR 52.204-21(b)(1)(iii)
Control connections to external systems
If your users connect from outside systems — personal laptops, home computers, a contractor's machine, a public Wi-Fi network — you have to know about it and control it. Don't let arbitrary external systems pull FCI out of your environment.
- Practice 4 of 15 | AC.L1-b.1.iv | FAR 52.204-21(b)(1)(iv)
Control information posted publicly
Anything posted on your public website, social media, marketing collateral, or anywhere accessible to the public must not contain FCI. Have a clear sign-off process so nobody pastes a customer PO into a LinkedIn post or a case study.
Identification & Authentication
Prove who you are before you touch FCI.
- Practice 5 of 15 | IA.L1-b.1.v | FAR 52.204-21(b)(1)(v)
Identify users (and devices and processes)
Every user, device, and automated process that touches FCI has to be uniquely identifiable. No "guest" accounts, no anonymous service accounts, no unknown devices on the network. If something connects, you can name it.
- Practice 6 of 15 | IA.L1-b.1.vi | FAR 52.204-21(b)(1)(vi)
Authenticate identities (MFA, passwords)
Before anyone or anything reaches FCI, prove who they are. Passwords on every account, MFA on email and remote access at a minimum. The bar isn't NIST-grade cryptography — it's "no anonymous logins and no MFA-less email."
Media Protection
Wipe or destroy media containing FCI before it leaves.
Physical Protection
Lock the door. Escort visitors. Track keys.
- Practice 8 of 15 | PE.L1-b.1.viii | FAR 52.204-21(b)(1)(viii)
Limit physical access to systems
Lock the door. Physical access to your laptops, servers, shop PC, trailer PC, file cabinets, and any other thing that holds FCI must be limited to authorized people. The bar is "reasonable for a small business," not "DoD facility."
- Practice 9 of 15 | PE.L1-b.1.ix | FAR 52.204-21(b)(1)(ix)
Escort visitors, log access, manage keys
Visitors don't roam unaccompanied through areas that hold FCI. You keep a simple log of who came in and when, and you keep track of the keys / badges that let people into those areas. "Visitors" includes vendors, delivery drivers entering past the front desk, and subcontractors not on your team.
System & Communications Protection
Protect the edges of the network and separate public from internal.
- Practice 10 of 15 | SC.L1-b.1.x | FAR 52.204-21(b)(1)(x)
Protect the boundary of your network
Monitor, control, and protect what crosses the edges of your network. In practice for a small shop: keep a firewall on, don't expose internal systems to the public internet, and don't let inbound connections reach the FCI machine from anywhere on the open web.
- Practice 11 of 15 | SC.L1-b.1.xi | FAR 52.204-21(b)(1)(xi)
Separate publicly accessible systems
Anything publicly accessible — your company website, a public quote portal, a public file-sharing site — must live on a subnetwork separate from the internal network where FCI lives. In practice for small shops: your website is hosted by a SaaS provider (which is already separate), and you don't run public services on the office LAN.
System & Information Integrity
Patch, run anti-malware, and keep both current.
- Practice 12 of 15 | SI.L1-b.1.xii | FAR 52.204-21(b)(1)(xii)
Identify, report, and fix system flaws on time
Patch your systems. When Microsoft, Apple, or your router vendor ships a security update, install it — not eventually, but on a defined cadence. Have a way to know about flaws (vendor updates, security bulletins) and a defined window to act.
- Practice 13 of 15 | SI.L1-b.1.xiii | FAR 52.204-21(b)(1)(xiii)
Provide protection from malicious code
Run anti-malware (a.k.a. endpoint protection / EDR) on every system that handles FCI. The bar is not enterprise XDR — it's "something real and current is running." Microsoft Defender on Windows and the built-in protections on modern macOS qualify.
- Practice 14 of 15 | SI.L1-b.1.xiv | FAR 52.204-21(b)(1)(xiv)
Update malicious code protection
Anti-malware that's three years out of date is barely anti-malware. Keep signatures and engine versions current on every endpoint. In practice: turn on auto-update for whatever AV / EDR you use and confirm it's actually updating.
- Practice 15 of 15 | SI.L1-b.1.xv | FAR 52.204-21(b)(1)(xv)
Scan systems and files when downloaded
Run periodic full scans on your systems and scan files in real time as they're downloaded or opened. Microsoft Defender's default settings (real-time protection + scheduled scans) satisfy this; same for macOS XProtect plus an EDR or AV product configured for on-access scanning.
Want all 15 done in a weekend?
Custodia is the CMMC Level 1 platform built specifically for small DoD subs. We walk you through each of the 15 requirements, generate your SSP and affirmation memo, and post your SPRS score for you.
See the weekend playbook →