If your DoD contract involves Federal Contract Information (FCI) but not Controlled Unclassified Information, CMMC Level 1 is what applies to you. Level 1 is an annual self-assessment: no third-party assessor required, but you do need to complete the assessment, score it, and have a senior official affirm the results annually.

Level 1 covers 17 practices drawn from FAR 52.204-21. They are basic — this is deliberately a floor, not a ceiling — but "basic" does not mean automatic. Many small contractors who assume they're in good shape find real gaps when they work through the practices against their actual systems.

Before you start: define your scope

The assessment applies to the systems that process, store, or transmit FCI. Before scoring any control, identify those systems. This is your assessment boundary. If a system doesn't touch FCI, it's out of scope. If it does — or if it connects to systems that do — it's in scope. Document this boundary; it's the foundation your score rests on.

The 17 Level-1 practices

AC.L1-3.1.1 — Limit system access to authorized users

Only people who are supposed to have access should have it. Do you have a list of who has accounts on your in-scope systems? Are accounts for former employees disabled promptly? Are there shared or default accounts still active?

Fully implemented: a documented account-management process, no active accounts for departed staff, no generic shared credentials on systems handling FCI.

AC.L1-3.1.2 — Limit access to permitted transactions and functions

Least privilege: users should only be able to do what they need to. An employee who only reads files shouldn't have admin rights.

Fully implemented: users operate with standard (non-admin) accounts day to day; admin rights are held in separate accounts and limited to those who need them.
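One way to turn the two access-control checks above into a repeatable review, as an added example that is not part of the article: an account export from an in-scope system is compared against the HR roster and the approved-admin list. All account names, the roster and the list of generic account names are constructed sample data.

```python
# Added example (not from the article): account review for AC.L1-3.1.1 and
# AC.L1-3.1.2 over a constructed account export and a constructed HR roster.
from dataclasses import dataclass
from typing import Optional

# Names that indicate a default or shared credential rather than a person.
DEFAULT_OR_SHARED = {"administrator", "admin", "guest", "scanner", "shared", "frontdesk"}

@dataclass
class Account:
    name: str
    enabled: bool
    is_admin: bool
    owner: Optional[str] = None   # None: nobody personally owns this account

def review_accounts(accounts, active_staff, approved_admins):
    """Return {practice_id: [account names that keep the practice from being met]}."""
    findings = {"AC.L1-3.1.1": [], "AC.L1-3.1.2": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not an access path
        generic = acct.owner is None or acct.name.lower() in DEFAULT_OR_SHARED
        departed = acct.owner is not None and acct.owner not in active_staff
        if generic or departed:
            findings["AC.L1-3.1.1"].append(acct.name)   # not limited to authorized users
        if acct.is_admin and acct.owner not in approved_admins:
            findings["AC.L1-3.1.2"].append(acct.name)   # admin rights beyond need
    return findings

def practice_met(findings, practice):
    return not findings[practice]

# Constructed sample data (hypothetical people and accounts).
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, False, "Jane Smith"),
    Account("bjones", True, True, "Bob Jones"),      # admin, approved
    Account("tlee", True, True, "Tom Lee"),          # admin, not approved
    Account("mchen", True, False, "Mary Chen"),      # left the company, still enabled
    Account("scanner", True, False, None),           # shared default account
    Account("oldtemp", False, False, "Old Temp"),    # disabled, correctly ignored
]
SAMPLE_STAFF = {"Jane Smith", "Bob Jones", "Tom Lee"}
SAMPLE_ADMINS = {"Bob Jones"}

if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_STAFF, SAMPLE_ADMINS)
    for practice, names in result.items():
        print(practice, "MET" if not names else "NOT MET: " + ", ".join(names))
```

Each flagged name is either an account to disable or a decision to document; the practice counts as met only when the list for it is empty.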

AC.L1-3.1.20 — Verify and control connections to external systems

External systems include personal devices, cloud services, and third-party connections. Do you know what connects to yours, and have you reviewed and approved those connections?

Fully implemented: an inventory of external connections; policies covering personal-device use; documented approval for third-party access.

AC.L1-3.1.22 — Control information on publicly accessible systems

If you have a public website or portal, FCI should not be on it. This is about ensuring public-facing systems don't expose information that belongs inside your boundary.

Fully implemented: a process for reviewing what goes on public-facing systems before it's posted.

IA.L1-3.5.1 — Identify users, processes, and devices

Every user, process, and device accessing your in-scope systems should have a unique identifier. No shared accounts, no anonymous access.

Fully implemented: unique usernames for every person; devices and processes identifiable and tracked.

IA.L1-3.5.2 — Authenticate those users, processes, or devices

Authentication means proving you are who you claim to be — typically a password, ideally multi-factor authentication (MFA). This control requires that authentication actually happens before access is granted.

Fully implemented: all accounts require authentication; passwords meet basic complexity requirements; MFA on remote access (required at Level 2, strongly recommended here).

MP.L1-3.8.3 — Sanitize or destroy media before disposal or reuse

When you retire a hard drive, laptop, or USB drive that has handled FCI, the data must be removed before the device leaves your control. Deleting files is not sufficient.

Fully implemented: a process for wiping or physically destroying media; documentation of what was sanitized and when.

PE.L1-3.10.1 — Limit physical access to authorized individuals

Your server room, network closet, and workstations handling FCI should not be accessible to visitors, vendors, or unauthorized employees.

Fully implemented: locked server rooms; access limited to named individuals; a visitor-management process.

PE.L1-3.10.3 — Escort visitors and monitor visitor activity

Visitors in areas where in-scope systems are located should be escorted and monitored. An unattended vendor in your server room is a gap.

Fully implemented: a visitor log; a practice of escorting anyone not badged for the space.

PE.L1-3.10.4 — Maintain audit logs of physical access

Keep records of who accessed physically controlled areas. Badge logs, sign-in sheets, or access-control system logs all count.

Fully implemented: access logs retained for a defined period; someone reviews them.
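The physical-access practices above call for both a named-individuals list (PE.L1-3.10.1) and someone actually reviewing the access logs (PE.L1-3.10.4). As an added example, not part of the article, here is a small reviewer that runs over a constructed badge-system export and flags entries by people not approved for a controlled area, plus after-hours entries worth a follow-up. The log format, door names, business hours and all names are constructed assumptions.

```python
# Added example (not from the article): review of a constructed badge log for
# PE.L1-3.10.1 (only named individuals) and PE.L1-3.10.4 (logs are reviewed).
from datetime import datetime

# Constructed badge-system export: timestamp, door, badge id, badge holder.
SAMPLE_BADGE_LOG = """\
2024-05-06 08:02,SERVER-ROOM,1001,Jane Smith
2024-05-06 12:40,SERVER-ROOM,1007,Tom Lee
2024-05-06 23:15,SERVER-ROOM,1001,Jane Smith
2024-05-07 09:10,SERVER-ROOM,1042,Vendor Temp
2024-05-07 09:30,LOBBY,1042,Vendor Temp
"""

# Areas holding in-scope systems, with the named individuals approved for each.
AUTHORIZED = {"SERVER-ROOM": {"Jane Smith", "Bob Jones"}}
BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00; entries outside this get a second look

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, holder = line.split(",", 3)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), door, badge, holder))
    return rows

def review_physical_access(text):
    """Return unauthorized entries and after-hours entries to controlled areas."""
    unauthorized, after_hours = [], []
    for ts, door, badge, holder in parse_log(text):
        if door not in AUTHORIZED:
            continue  # not a controlled area for FCI systems (e.g. the lobby)
        entry = (ts.isoformat(timespec="minutes"), door, badge, holder)
        if holder not in AUTHORIZED[door]:
            unauthorized.append(entry)      # PE.L1-3.10.1 gap unless escorted and logged
        elif not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            after_hours.append(entry)       # authorized, but review the reason
    return {"unauthorized": unauthorized, "after_hours": after_hours}

if __name__ == "__main__":
    findings = review_physical_access(SAMPLE_BADGE_LOG)
    for kind, entries in findings.items():
        print(kind, len(entries))
        for e in entries:
            print("  ", *e)
```

Running this on a schedule, and keeping its output with the log it reviewed, is one way to evidence that the logs are retained and actually looked at.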

PE.L1-3.10.5 — Manage physical access devices

Keys, badges, access cards — track them, revoke them when someone leaves, and audit the list periodically.

Fully implemented: an inventory of physical access credentials; a process for deactivating credentials when someone departs.

SC.L1-3.13.1 — Monitor and protect communications at external boundaries

This is your network perimeter. Are you using a firewall? Is traffic monitored where your network meets the internet?

Fully implemented: a firewall configured and managed; network boundary defined and controlled.

SC.L1-3.13.5 — Implement subnetworks for publicly accessible components

Public-facing systems (a web server, for example) should sit in a separate network segment (DMZ) from internal systems handling FCI. This limits the blast radius if the public system is compromised.

Fully implemented: public-facing infrastructure separated from internal FCI systems; firewall rules limiting traffic between them.

SI.L1-3.14.1 — Identify, report, and correct system flaws

Patch your systems. Keep operating systems and software up to date, track what versions you run, and have a process for applying patches when vulnerabilities are disclosed.

Fully implemented: a patch-management process; a documented patching cadence; someone tracking vendor security advisories.

SI.L1-3.14.2 — Provide protection from malicious code

Run anti-malware on endpoints handling FCI, keep it updated regularly, and keep scanning enabled.

Fully implemented: endpoint protection deployed on all in-scope systems; definitions updating automatically or on a defined schedule.

SI.L1-3.14.4 — Update malicious code protection mechanisms

This is the update requirement that pairs with the previous control. Anti-malware only works if its signatures are current.

Fully implemented: automatic updates enabled; a process to verify updates are occurring.

SI.L1-3.14.5 — Perform periodic and real-time scans

Scan files coming in from email, downloads, and external media, and run scheduled scans of your systems in addition to real-time protection.

Fully implemented: real-time protection enabled; scheduled full-system scans on a defined interval.

Scoring your assessment

For Level 1, the methodology is simpler than Level 2: each of the 17 practices is either met or not met — there's no partial credit, and no negative point-weighting the way the 110-control 800-171 / Level 2 scoring works. To meet Level 1, you need all 17 practices implemented. Document your results and complete the annual affirmation in SPRS (piee.eb.mil).

Where gaps go

A gap on any of these 17 means the practice is not fully implemented. For Level 1 you aren't required to maintain a formal POA&M the way Level 2 contractors are, but documenting your gaps and your remediation plan is good practice and protects you if your status is ever questioned. Prioritize gaps in the authentication controls (IA.L1-3.5.1 and 3.5.2) and the system-integrity controls (SI.L1-3.14.x) — those are the weaknesses most often exploited in practice.
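The scoring rule and the gap-prioritization advice above, written out as an added example (not part of the article): every practice is met or not met, a practice with no recorded result counts as not met, Level 1 passes only when all 17 are met, and the remaining gaps are listed with the IA and SI families first. The practice IDs are the article's; the sample results are constructed.

```python
# Added example (not from the article): Level 1 met/not-met scoring with a
# prioritized gap list. Practice IDs come from the article; results are constructed.
LEVEL1_PRACTICES = [
    "AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22",
    "IA.L1-3.5.1", "IA.L1-3.5.2", "MP.L1-3.8.3",
    "PE.L1-3.10.1", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5",
    "SC.L1-3.13.1", "SC.L1-3.13.5",
    "SI.L1-3.14.1", "SI.L1-3.14.2", "SI.L1-3.14.4", "SI.L1-3.14.5",
]
# Remediation order from the article: authentication and system-integrity first.
PRIORITY_FAMILIES = ("IA", "SI")

def score_level1(results):
    """results: {practice_id: True if met}. Missing or False means NOT MET.
    Returns (met_count, level1_met, gaps_in_remediation_order)."""
    unknown = set(results) - set(LEVEL1_PRACTICES)
    if unknown:
        raise ValueError(f"not Level 1 practices: {sorted(unknown)}")
    gaps = [p for p in LEVEL1_PRACTICES if not results.get(p, False)]
    # Priority families first, then the article's own listing order.
    gaps.sort(key=lambda p: (p.split(".")[0] not in PRIORITY_FAMILIES,
                             LEVEL1_PRACTICES.index(p)))
    met = len(LEVEL1_PRACTICES) - len(gaps)
    return met, not gaps, gaps

# Constructed self-assessment: 15 practices met, two gaps.
SAMPLE_RESULTS = {p: True for p in LEVEL1_PRACTICES}
SAMPLE_RESULTS["IA.L1-3.5.2"] = False    # authentication not enforced on remote access
SAMPLE_RESULTS["AC.L1-3.1.20"] = False   # no inventory of external connections

if __name__ == "__main__":
    met, passed, gaps = score_level1(SAMPLE_RESULTS)
    print(f"{met}/{len(LEVEL1_PRACTICES)} met; Level 1 {'MET' if passed else 'NOT MET'}")
    for g in gaps:
        print("  gap:", g)
```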

Where outside help fits

Level 1 is designed to be self-assessable, and that's the right model for most small contractors. You don't need to hire a consultant to complete a Level 1 assessment, and any consultant who suggests otherwise is overselling. Where outside help is genuinely useful:

Rimrock offers a free 800-171 gap check as a starting point — a structured review of your current posture against Level 1 and Level 2 controls so you know where you actually stand before you affirm a score or engage a C3PAO.

This article is general guidance, not compliance advice. Verify each practice against the current FAR 52.204-21 and official CMMC documentation for your specific contract obligations.