The 15 Requirements at CMMC Level 1

CMMC Level 1 aligns directly with FAR clause 52.204-21. It covers basic safeguarding for Federal Contract Information (FCI). You must implement all 15 practices fully. No partial credit exists. No Plan of Action and Milestones (POA&M) is permitted. Fail any one and you fail the self-assessment.

The 15 requirements, closely following the wording of the FAR clause:

  1. Limit system access to authorized users, processes acting on behalf of users, and devices (including other systems).
  2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity.
  10. Maintain audit logs of physical access.
  11. Control and manage physical access devices.
  12. Guard against, detect, and report malicious code.
  13. Update malicious code protection mechanisms when new releases are available.
  14. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
  15. Identify, report, and correct information and information system flaws in a timely manner.

Note: CMMC 1.0 listed 17 practices at Level 1; the current program (CMMC 2.0, codified in 32 CFR part 170) uses the 15 requirements of FAR 52.204-21, so older guidance that refers to 17 practices is out of date.

Where Contractors Consistently Fail on First Pass

Four areas account for most first-pass failures:

  • Access control basics (1, 2, 5, 6): Contractors assume default OS settings suffice. They do not. You need a documented list of authorized users and devices, accounts tied to individuals rather than shared logins, access limited to the transactions and functions each role needs, and a password policy that is actually enforced. Note that multi-factor authentication is not a Level 1 requirement (it appears at Level 2); the usual Level 1 failures here are shared or default credentials and no maintained user list.
  • Media sanitization (7): Deleting files is not sanitization; deleted data stays recoverable until it is overwritten. Use the clear, purge, or destroy methods from NIST SP 800-88 for drives, USB media, or paper containing FCI, and keep a record of what was sanitized and how.
  • Malicious code protection (12-14): Antivirus is installed, but signature updates are not automatic and real-time scanning is disabled or never verified. Contractors often miss real-time scanning of files downloaded from external sources and have no evidence that periodic scans actually run.
  • Physical access (8-11): No visitor log, no escort policy, or an unlocked server room. Even small offices fail here if they do not record who enters the areas where FCI is handled.
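
The malicious code protection checks (12-14) are the one area above that can be verified mechanically. The following PowerShell script is an added example, not code from the original page or from the CMMC program; it assumes a Windows host running Microsoft Defender Antivirus and uses the Defender module's `Get-MpComputerStatus` and `Get-MpPreference` cmdlets. The thresholds (`$MaxSignatureAgeDays`, `$MaxScanAgeDays`) are assumptions, not values from any CMMC document; set them to whatever your own documented policy says.

```powershell
# Added example: collect evidence for CMMC Level 1 requirements 12-14 on a
# Windows host running Microsoft Defender Antivirus. Not from the original
# page. The two thresholds below are assumptions; align them with your policy.
param(
    [int]$MaxSignatureAgeDays = 7,   # assumption: signatures older than this fail
    [int]$MaxScanAgeDays      = 7    # assumption: no scan in this window fails
)

$status = Get-MpComputerStatus   # live engine, signature and scan state
$pref   = Get-MpPreference       # configured preferences (policy can disable RTP)

$checks = @(
    # 12. Guard against, detect, and report malicious code
    [pscustomobject]@{
        Requirement = '12'
        Check       = 'Antivirus engine and service enabled'
        Pass        = [bool]($status.AntivirusEnabled -and $status.AMServiceEnabled)
        Evidence    = "AntivirusEnabled=$($status.AntivirusEnabled); AMServiceEnabled=$($status.AMServiceEnabled)"
    }
    # 13. Update malicious code protection mechanisms when new releases are available
    [pscustomobject]@{
        Requirement = '13'
        Check       = "Signatures updated within $MaxSignatureAgeDays days"
        Pass        = [bool]($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Evidence    = "LastUpdated=$($status.AntivirusSignatureLastUpdated); AgeDays=$($status.AntivirusSignatureAge)"
    }
    # 14. Real-time scans of files from external sources as they are downloaded, opened, or executed
    [pscustomobject]@{
        Requirement = '14'
        Check       = 'Real-time protection on and not disabled by preference'
        Pass        = [bool]($status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring)
        Evidence    = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled); DisableRealtimeMonitoring=$($pref.DisableRealtimeMonitoring)"
    }
    # 14. Periodic scans of the information system
    [pscustomobject]@{
        Requirement = '14'
        Check       = "Quick or full scan completed within $MaxScanAgeDays days"
        Pass        = [bool](($status.QuickScanAge -le $MaxScanAgeDays) -or ($status.FullScanAge -le $MaxScanAgeDays))
        Evidence    = "QuickScanEnd=$($status.QuickScanEndTime); FullScanEnd=$($status.FullScanEndTime)"
    }
)

$checks | Format-Table Requirement, Check, Pass, Evidence -AutoSize -Wrap

# Keep a dated, per-host copy of the evidence with the self-assessment records
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$checks | Export-Csv -NoTypeInformation -Path ".\av-evidence-$env:COMPUTERNAME-$stamp.csv"

# Any single failing check means the host does not meet 12-14; Level 1 allows no POA&M
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it on each in-scope Windows host and file the CSV alongside the self-assessment. A non-zero exit is the signal to fix the host before you attest; hosts running a different antivirus product need an equivalent check against that product's own reporting interface.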

Why Scoping Matters More Than the Controls

Scoping determines which assets you assess. Any asset that processes, stores, or transmits FCI is in scope. Assets that never touch FCI are out of scope and are not assessed. Under the CMMC Level 1 scoping guidance, specialized assets (IoT, OT, government-furnished equipment, restricted information systems, and test equipment) are also treated as out of scope and are not assessed; record them as such in your scoping document rather than assessing them.

Many contractors over-scope by including everything on their network. This inflates effort and the risk of failing on a system that never needed to be assessed. Others under-scope by excluding shared systems (file servers, email, backups) that do handle FCI. The scoping document must be clear and defensible. Poor scoping leads to reassessment or to errors in the self-assessment results submitted to SPRS.

If you need a structured way to conduct your Level 1 self-assessment, check out the CMMC Level 1 Self-Assessment Kit for templates and checklists.