CMMC Level 1 Requirements for Small DoD Contractors [2026]

Published by Capital Cyber | Leesburg, VA | (571) 410 3066

If you’re a small DoD contractor wondering whether CMMC Level 1 requirements apply to you – the short answer is almost certainly yes.

Level 1 is the floor of the Cybersecurity Maturity Model Certification (CMMC). It is the minimum baseline every contractor handling Federal Contract Information (FCI) must meet to stay eligible for DoD work. And as of 2026, it is no longer optional, theoretical, or delayed. It is in your contracts right now.

This guide walks you through exactly what CMMC Level 1 requires in 2026, who it applies to, how much it costs, and how small contractors can self-assess without stumbling into common – and costly – mistakes.

What Is CMMC Level 1?

CMMC Level 1 is the Foundational tier of the CMMC 2.0 framework. It is designed to verify that defense contractors handling FCI implement a set of basic cyber hygiene practices drawn directly from FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.

Two key points small contractors need to understand:

  1. Level 1 applies to FCI, not CUI. If your contracts involve Controlled Unclassified Information – technical drawings, specifications, ITAR-controlled data – you need Level 2, not Level 1.
  2. Level 1 is self-assessed, not certified by a C3PAO. You complete the assessment internally, affirm it with a senior official, and submit your score to the Supplier Performance Risk System (SPRS). This is done annually.

That sounds simple. It is not always simple in practice.

Who Needs CMMC Level 1 Compliance?

CMMC Level 1 applies to any organization that processes, stores, or transmits FCI as part of a DoD contract or subcontract. According to DoD estimates in 32 CFR Part 170, roughly 63% of the Defense Industrial Base will fall into this category.

At Capital Cyber, we see Level 1 most commonly apply to:

  • Small manufacturers producing non-sensitive components
  • Subcontractors supplying basic goods and services
  • Federal construction contractors on non-sensitive projects
  • Logistics and transportation providers serving DoD
  • Janitorial, facilities, and base support contractors
  • Small professional services firms supporting defense programs
  • Printing and secure documentation vendors
  • Maintenance, repair, and operations (MRO) suppliers
  • Commercial vendors supplying standard products to DoD
  • IT service providers that do not touch CUI

If you have a DoD contract or serve as a subcontractor under one – and you have any non-public contract information on your systems – you are in scope for Level 1.

FCI vs. CUI: The Distinction That Decides Your CMMC Level

This is the single most important decision point for small contractors. Get it wrong and you will either over-spend on unnecessary controls or lose contract eligibility.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. Things like:

  • Contract terms and pricing details
  • Performance schedules
  • Non-public contract correspondence
  • Scheduling and facility access data
  • Basic delivery and logistics information

Controlled Unclassified Information (CUI) is sensitive unclassified information that requires specific safeguarding – think technical data, engineering drawings, specifications, source selection data, and export-controlled information.

If your contracts only involve FCI, Level 1 is enough. If you touch CUI in any way, you need Level 2. And if you are not sure – get a qualified assessment before you guess.

The 15 CMMC Level 1 Requirements (2026 Update)

Here is the nuance most blogs get wrong: CMMC Level 1 was originally described as 17 practices, but the official DoD CMMC Level 1 Self-Assessment Guide (v2.13, September 2024) consolidated three Physical Protection items into one. The current count is 15 requirements, mapped across 6 domains. You will still see “17 practices” in older Summit 7 posts and other secondary sources – they refer to the same underlying controls.

Here is the practical breakdown:

Access Control (AC) – 4 Requirements

  1. Limit system access to authorized users, devices, and processes.
  2. Limit access to the types of transactions and functions authorized users are permitted to execute.
  3. Verify and control connections to external systems.
  4. Control information posted or processed on publicly accessible systems.

Identification and Authentication (IA) – 2 Requirements

  1. Identify information system users and processes acting on behalf of users.
  2. Authenticate (or verify) the identities of those users before granting access.

Media Protection (MP) – 1 Requirement

  1. Sanitize or destroy FCI-containing media before disposal or reuse.

Physical Protection (PE) – 2 Requirements (Consolidated from 4)

  1. Limit physical access to information systems, equipment, and operating environments.
  2. Escort visitors, monitor visitor activity, maintain audit logs of physical access, and control physical access devices.

System and Communications Protection (SC) – 2 Requirements

  1. Monitor, control, and protect organizational communications at external and key internal boundaries.
  2. Implement subnetworks for publicly accessible system components, separated from internal networks.

System and Information Integrity (SI) – 4 Requirements

  1. Identify, report, and correct information and information system flaws in a timely manner.
  2. Provide protection from malicious code at appropriate locations within the system.
  3. Update malicious code protection mechanisms when new releases are available.
  4. Perform periodic scans of the system and real-time scans of files from external sources.

Important: Unlike Level 2, Level 1 does not allow Plans of Action and Milestones (POA&Ms). Every control must be fully in place at the time of your self-assessment and affirmation. Partial credit does not exist.

CMMC Level 1 Timeline – Why 2026 Matters

Small contractors tend to assume CMMC is still “coming.” It is not. Here is the 2026 reality:

  • Phase 1 (Nov 2025 – present): CMMC self-assessment requirements began appearing in new DoD solicitations.
  • Phase 2 (Nov 2026): Third-party certification becomes mandatory for most Level 2 contracts. Level 1 self-assessments continue but scrutiny increases.
  • Phase 3 (2027): Full enforcement across all new and existing contracts.

Even for Level 1, 2026 is the year in which contracts start requiring proof of compliance. If you’re a subcontractor under a larger prime, expect flow-down requirements to reach you before the official deadlines.

What CMMC Level 1 Self-Assessment Actually Looks Like

Here’s the process, stripped of the jargon:

  1. Scope your environment. Identify every system, device, cloud service, and user that processes, stores, or transmits FCI.
  2. Review each of the 15 controls. For each control, determine whether your environment meets the requirement – and document how.
  3. Build your documentation trail. You need evidence: policies, screenshots, configuration records, logs, and training records.
  4. Write your SSP (System Security Plan). Even at Level 1, the SSP is your compliance map. It shows how each control is implemented in your real environment.
  5. Submit your score to SPRS. A senior company official affirms the results annually.
  6. Recertify every year. Level 1 is an annual affirmation – not a one-and-done.

This typically takes 30 to 40 hours if you have the internal expertise. Hiring a qualified CMMC partner to run the self-assessment typically costs $5,000 – $15,000 total, including remediation guidance.

The Most Common CMMC Level 1 Mistakes Small Contractors Make

Capital Cyber works with small DoD contractors across manufacturing, construction, logistics, and professional services. The same mistakes show up constantly:

Mistake 1: Confusing FCI with CUI. Teams either over-scope (spending Level 2 money on a Level 1 problem) or under-scope (discovering CUI in their environment after signing the affirmation).

Mistake 2: Submitting an inaccurate SPRS score. Under the False Claims Act, inaccurate SPRS scores are now a real legal risk. The DOJ’s Civil Cyber-Fraud Initiative is actively pursuing contractors who overstate compliance.

Mistake 3: Skipping documentation. Many small contractors implement the 15 controls but never write them down. When a prime asks for your SSP or a flow-down questionnaire, you are not ready.

Mistake 4: Assuming your MSP has you covered. Most generic IT providers have zero CMMC experience. Your MSP’s standard “cybersecurity package” almost never maps cleanly to the 15 Level 1 requirements.

Mistake 5: Treating it as a one-time project. Level 1 is an annual affirmation. If you pass this year and change nothing, your next affirmation may be invalid.

How Much Does CMMC Level 1 Cost in 2026?

For small DoD contractors, here is a realistic 2026 Level 1 budget:

Small contractors with strong existing IT practices often land near the lower end. Contractors starting from a “basic antivirus and hope for the best” posture land higher.

CMMC Level 1 Checklist for Small Contractors

Use this as your quick-start readiness list:

  • Confirm you handle FCI but not CUI
  • Identify every system that touches FCI
  • Implement multi-factor authentication on all business accounts
  • Document a formal System Security Plan
  • Enforce least-privilege user access
  • Sanitize or destroy FCI media before disposal
  • Separate public-facing systems from internal networks
  • Deploy and maintain anti-malware protection
  • Train employees on basic security awareness
  • Complete an annual self-assessment
  • Submit your affirmation to SPRS
  • Re-verify controls every year

If you cannot confidently check every box – you are not ready to affirm compliance, and you need help before you do.

Do not wait until you lose a contract to take action. Call (571) 410 3066 or visit capital-cyber.com for a free CMMC readiness consultation.

Capital Cyber | 1019B Edwards Ferry Rd. #1183, Leesburg, VA 20176