Breaches that used stolen or compromised credentials are among the most complex to resolve, taking an average of 88 days. This represents a critical vulnerability impacting everything from the efficacy of your cybersecurity program to compliance audits, federal contracts, and overall revenue.
For federal contractors handling Federal Contract Information (FCI), achieving CMMC Level 1 compliance directly addresses these risks. Since the CMMC Level 1 requirements officially became mandatory on November 10, 2025, defense industrial base (DIB) contractors must prioritize basic cyber hygiene to safeguard sensitive data and preserve their eligibility for Department of Defense (DoD) contracts.
In this blog, we provide a definitive CMMC Level 1 checklist to walk you through the core requirements and clarify how to get CMMC Level 1 certification readiness through structured annual self-attestation.
Who Does CMMC Level 1 Apply To?
Government contractors, subcontractors, and suppliers in the federal supply chain that handle FCI fall squarely under the CMMC Level 1 tier. This level is designed for organizations working with the DoD that do not store or process sensitive technical data, such as Controlled Unclassified Information (CUI), but still have access to basic contract information. (If your organization does handle CUI, you will need to map your posture to a higher tier using our full CMMC compliance guide).
The framework consists of 17 foundational security practices aligned with NIST SP 800-171, which map back to the 15 basic safeguarding requirements derived from the Federal Acquisition Regulation (FAR 52.204-21). Your organization must meet all of these practices and self-attest against them every single year.

Getting Started: The Gap Assessment
Before submitting your compliance score to the government, you need a clear, unvarnished picture of your current security posture.
"At Rhymetec, we always start with a gap assessment. A gap assessment against the NIST 800-171 controls is a must-have…It helps you determine if you have any missing controls or if you have any gaps in your compliance, so you can start putting together a roadmap for completing the remaining controls."
— Metin Kortak, Rhymetec
The goal is to compare your existing environment against the required controls. This process highlights exactly what needs remediation before you are ready to self-attest. CMMC 2.0 also allows you to use a Plan of Action and Milestones (POA&M) to formally track missing controls and your plan for implementing them.
“In 2.0, CMMC came out with a final action and milestones plan. This document essentially allows you to create implementation plans for controls that are missing in your gap assessment, so that you can remediate these controls within a certain amount of time. This is also something you can work with third parties on or conduct your own self-assessment.”
— Metin Kortak, Rhymetec
Note: While a POA&M is excellent for tracking internal milestones during your preparation phase, the DoD requires all Level 1 practices to be fully operational (marked as "MET") at the time of your final annual submission.
Next, we will break down what you need to do to meet the requirements of CMMC Level 1.
The CMMC Level 1 Checklist
If your organization handles exclusively FCI and not CUI, CMMC Level 1 is your baseline standard.
"If you're only handling FCI and not CUI, you fall into Level 1. Level 1 is an order of magnitude less involved than Level 2. It actually only has 17 foundational practices that are heavily aligned with a subset of the NIST 800-171 framework. You must meet these 17 requirements, and then you just need to self-attest against them each year."
— Matt Bruggeman, A-LIGN
While these 17 CMMC practices map back to the 15 basic safeguarding requirements found in FAR 52.204-21, the CMMC framework splits certain multi-part federal rules into distinct, individual line items.
Below are the 17 actions you need to address within your CMMC Level 1 self-assessment checklist, divided into clear domains based on our expert compliance architecture.
*For a full list of these items with a greater level of technical detail, see the official FAR 52.204-21 documentation.
Access Control (AC)
1. Limit system access to authorized users. To reduce the risk of unauthorized exposure, only users with a verified business need should be able to log in to systems storing or processing FCI.
In practice, you’ll need to take certain actions, such as setting up role-based access controls, implementing IAM (identity and access management) tools, and regularly auditing user access to remove accounts if they are no longer needed.
These types of security measures entail broader business benefits, as they reduce the risk of insider threats and limit the extent of potential damage in case of compromised credentials.
2. Limit system access to authorized devices. Restrict administrative rights and limit information system access to the specific types of transactions and functions that authorized users are permitted to execute.
All laptops and mobile devices connected to your systems should be managed to prevent untrusted endpoints from introducing threats. Implementing Mobile Device Management or endpoint detection and response solutions are industry-standard methods to accomplish this and prevent threats from entering through untrusted endpoints.
3. Control access to system functions (e.g., user roles). Systems linking to third parties (such as public cloud storage or external file-sharing apps) can become gateways for data leaks.
Users should only be able to perform actions appropriate for their job (such as admin tasks being restricted to IT staff). It is critical to define roles and assign permissions accordingly, and restrict admin rights to select personnel.
4. Verify control connections to external systems. Ensure that no non-public federal contract information is accidentally shared or processed on publicly accessible information systems, like public-facing company websites.
Organizations can accomplish this by maintaining an inventory of all third-party connections, reviewing and approving integrations before use, and monitoring data flow between internal systems and external services. This serves to protect against data loss via insecure APIs or file-sharing platforms.
Identification and Authentication (IA)
5. Identify system users, processes, or devices. Every entity attempting to interact with your systems must have a unique identifier so that all digital footprint activity is fully traceable.
Action items to accomplish this objective include assigning unique user IDs to all personnel, eliminating any shared accounts, and enabling logging to tie activity back to specific users.
6. Authenticate identities before granting access. Enforce a mandatory prerequisite verification check (such as secure corporate passwords or access tokens) before allowing any user or device onto organizational networks.
The business value of this step is crucial, as it creates accountability and aids in forensic investigation in case of incidents.
Media Protection (MP)
7. Sanitize or destroy media containing FCI before disposal. Avoid data leakage from decommissioned hardware.
Simply establishing a process to wipe drives using certified tools, physically destroy storage devices when decommissioned, and document sanitization or destruction (for audit purposes) accomplishes this and prevents data leakage from improperly discarded hardware.
Physical Protection (PE)
8. Limit physical access to organizational systems. Prevent unauthorized individuals from walking up to servers, workstations, or network closets by securing your physical environment.
Acceptable measures to fulfill this requirement under CMMC Level 1 include using keycards, biometric access, or badge systems, monitoring entry points with surveillance, and keeping visitor logs. All of these measures greatly reduce the risk of physical tampering and/or data theft.
9. Escort visitors and monitor visitor activity. Ensure that any non-employee or unauthorized individual inside a secure data environment is explicitly supervised at all times.
10. Maintain physical access audit logs. Keep a continuous, documented log of who enters and exits physical facility areas containing systems that process FCI.
11. Control and manage physical access devices. Implement strict oversight and inventory management for physical access tools, including keys, badges, keycards, or biometric locks.
System and Communications Protection (SC)
12. Monitor and control communications at system boundaries. Deploy robust firewalls and intrusion detection tools to inspect network traffic entering or leaving your perimeter, blocking suspicious activity.
13. Implement network subnetworks. Utilize network segmentation to separate publicly accessible system components (like public web servers) from internal networks, keeping external threats contained.
Actions such as applying email filters and web proxies, enforcing traffic rule zones between zones, and creating VLANs to isolate sensitive systems will limit the radius of a breach and keep attackers from causing further harm.
Systems and Information Integrity (SI)
14. Identify system flaws and manage them. Outdated systems are prime targets for malicious actors. This is why it is crucially important to keep systems up to date by applying security patches regularly.
For CMMC Level 1, organizations need to be accomplishing this by prioritizing critical updates, applying patches on a schedule with a documented process, and regularly checking for software updates.
15. Provide protection from malicious code. Deploy enterprise-grade anti-malware and antivirus tools across appropriate system locations to automatically block, quarantine, and report threats.
16. Update malicious code protection mechanisms. Ensure your anti-malware and security definitions are set to update automatically as soon as new releases are made available by the vendor.
17. Perform periodic system scans. Execute regular vulnerability scans and configure real-time file scanning on downloads or newly opened files to catch infrastructure weaknesses early.
Submitting Your Self-Attestation
Unlike Level 2 and Level 3, achieving compliance at Level 1 does not require an independent, mandatory third-party assessment by a C3PAO. Instead, organizations must perform an annual self-assessment and submit a formal attestation.
Following the implementation of the final rule, this submission must be signed by a designated corporate affirming official and uploaded directly into the DoD’s Supplier Performance Risk System (SPRS).
To satisfy the requirements of a complete CMMC Level 1 self-assessment checklist, your business must document:
- Exactly how each of these 17 security controls are implemented across your environment.
- Which specific assets, systems, and networks store, process, or transmit FCI.
- The personnel responsible for managing and maintaining each control.
- The dates of your most recent security reviews and policy updates.
Because the implementation rollout is actively underway, failing to meet these mandatory requirements carries immediate business risks, including contract termination and disqualification from bidding on future defense solicitations.
Here is how long you can anticipate CMMC Level 1 to take:
Accelerating Your Path to CMMC Compliance
Navigating the defense industrial base compliance landscape can be resource-intensive, but you don’t have to tackle it alone. While Level 1 relies on annual self-assessments, many contractors use it as a stepping stone for higher tiers or want the peace of mind that comes with expert oversight.
As an approved CMMC Registered Provider Organization (RPO), Rhymetec is authorized to deliver the precise consulting, control implementation, and readiness support you need to align with DoD standards.
To give our clients an even greater competitive edge, we partner with accredited C3PAOs. If your contract trajectory requires you to eventually go beyond self-assessments and achieve a formal Level 2 certification, our combined expertise ensures a seamless, accelerated transition. Together, we handle the compliance legwork so your business stays eligible and audit-ready.
Ready to Speak to a CMMC Consultant?
At Rhymetec, we deliver the clarity, documentation, and expertise needed for successful certification. With a decade of trusted delivery and a 100% in-house team, we help you every step of the way, making an otherwise complex process clear, structured, and achievable.
From gap assessment and policy development to control implementation and SPRS submission support, we simplify the journey so you can focus on unlocking new growth.
Contact us today to speak with one of our compliance experts.