Level 1, in practice.
Fifteen requirements, a yearly self-assessment, and no POA&M.
Level 1 is where most DoD contractors actually live: the baseline for handling Federal Contract Information. This page walks the whole level — the 15 requirements in plain language, how the annual self-assessment works, what gets entered in SPRS, who signs the affirmation — plus the two facts that surprise people: no POA&M is ever allowed, and the “15” are checked as 17 mapped requirements’ worth of assessment objectives.
01When Level 1 is your level
Level 1 applies when a contractor information system handles FCI and nothing more sensitive — the ordinary, not-for-public-release paperwork of performing on a DoD contract. The Data covers what qualifies; the practical signal is the basic-safeguarding clause in your contract — FAR 52.204-21, appearing as FAR 52.240-93 in solicitations issued from February 2026 — together with the absence of CUI in the work.
Which level a contract requires is a fact about the contract, not a judgment call — The Levels covers how to read it, and Start Here lists the clause signals. Contracts exclusively for COTS items sit outside the requirement entirely (Glossary). One more scoping fact worth knowing early: if a system in scope handles CUI anywhere, that system’s conversation is a Level 2 conversation — Level 1 is not a partial credit tier for CUI environments.
02The fifteen requirements
All 15, condensed to their operative sentence, in the clause’s own order. They are real operational controls — visitor escort, media sanitization, boundary monitoring — not paperwork exercises. The right-hand column shows the NIST SP 800-171 requirement each one maps to for assessment purposes, because the objectives an L1 self-assessment actually checks come from NIST SP 800-171A through that mapping.
| § | Requirement | Maps to |
|---|---|---|
| (i) | Limit system access to authorized users, processes acting on their behalf, or devices. | 3.1.1 |
| (ii) | Limit system access to the types of transactions and functions authorized users are permitted to execute. | 3.1.2 |
| (iii) | Verify and control/limit connections to and use of external information systems. | 3.1.20 |
| (iv) | Control information posted or processed on publicly accessible information systems. | 3.1.22 |
| (v) | Identify system users, processes acting on behalf of users, or devices. | 3.5.1 |
| (vi) | Authenticate (or verify) the identities of those users, processes, or devices before allowing access. | 3.5.2 |
| (vii) | Sanitize or destroy system media containing FCI before disposal or release for reuse. | 3.8.3 |
| (viii) | Limit physical access to systems, equipment, and operating environments to authorized individuals. | 3.10.1 |
| (ix) | Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices. | 3.10.3 / 3.10.4 / 3.10.5 |
| (x) | Monitor, control, and protect organizational communications at external and key internal boundaries. | 3.13.1 |
| (xi) | Implement subnetworks for publicly accessible system components, separated from internal networks. | 3.13.5 |
| (xii) | Identify, report, and correct information and system flaws in a timely manner. | 3.14.1 |
| (xiii) | Provide protection from malicious code at appropriate locations. | 3.14.2 |
| (xiv) | Update malicious code protection mechanisms when new releases are available. | 3.14.4 |
| (xv) | Perform periodic system scans and real-time scans of files from external sources as they are downloaded, opened, or executed. | 3.14.5 |
Fifteen requirements, seventeen mappings: requirement (ix) was split into three phrases when NIST SP 800-171 was developed, so its escort, logging, and access-device parts map to 3.10.3, 3.10.4, and 3.10.5 separately. FAR 52.204-21(b)(1); Table 2 to 32 CFR 170.15(c)(1)(ii)
Requirement (ix) is also why the visitor sign-in sheet matters more than it looks: escorting visitors, logging physical access, and managing keys and badges are each checked on their own. And the last four — flaw remediation through scanning — mean “we have antivirus” is only half an answer; the updates and the scans have to be demonstrably happening.
03The self-assessment, start to finish
The rule says
“The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1.”
32 CFR 170.15(a)(1)In practice
All fifteen, MET, at the time of the self-assessment — not planned, not in progress, no partial credit and no 180-day window, because Conditional status does not exist at Level 1. The assessment repeats annually, and the result each year is effectively pass or not-yet.
The check itself runs on NIST SP 800-171A assessment objectives, applied through the mapping table above — with one substitution the rule makes explicit: wherever an objective says CUI, read FCI. Scope comes first, as always: the Level 1 CMMC Assessment Scope is defined by the Level 1 scoping requirements before any requirement gets checked against it. 32 CFR 170.15(c)(1); 170.19(a)–(b)
What goes into SPRS when you are done is specific, and shorter than people expect: the CMMC Level, the CMMC Status Date, the CMMC Assessment Scope, every CAGE code associated with the in-scope information systems, and the compliance result. What stays with you is longer-lived: the artifacts used as evidence must be retained for six years from the CMMC Status Date — the retention duty applies at Level 1, not just at certification levels. 32 CFR 170.15(a)(1)(i), (c)(2)
04The affirmation
A Level 1 self-assessment is not complete until a senior official — the Affirming Official — affirms continuing compliance in SPRS, and contract eligibility requires both: the status achieved and the affirmation submitted, for every information system in scope. The affirmation renews annually, alongside the self-assessment itself. 32 CFR 170.15(a)(2), (b); 170.22
The desk’s standing caution applies with full force here, precisely because Level 1 feels informal: an affirmation is a representation to the government, made by someone with the standing to know whether it is true, and the Department of Justice’s Civil Cyber-Fraud Initiative has pursued False Claims Act cases built on cybersecurity misrepresentations. Self-assessed does not mean without consequence.
05Where Level 1 goes wrong
Treating it as paperwork. The 15 include escorting visitors, sanitizing drives before disposal, and monitoring the network boundary — operational practices someone has to actually do, and be able to show. A policy binder with no visitor log behind it does not produce MET.
Scoping around the “contracts PC.” FCI moves through email, file shares, and quoting systems the same way CUI does (The Data, section 05, is written about CUI, but the hiding places are identical). A scope drawn around one workstation while purchase orders live in everyone’s inbox will not survive contact with the objectives.
Letting the calendar lapse. The status is annual. A self-assessment or affirmation that quietly ages out ends eligibility as surely as a failed requirement — and it is the easier of the two to prevent.
Assuming a POA&M can hold a gap open. It cannot, at this level, ever. The fourteen-of-fifteen shop does not have a Conditional Level 1; it has a gap to close before it has a status.
06Sources
| Document | What it’s for |
|---|---|
| FAR 52.204-21 | The 15 basic safeguarding requirements, verbatim. Appears as FAR 52.240-93 in solicitations issued from February 2026 (The contract clauses). |
| 32 CFR 170.15 | Level 1 self-assessment procedure, the 800-171A mapping table, SPRS inputs, artifact retention, and the affirmation requirement. |
| 32 CFR 170.19(a)–(b); 170.21(a)(1); 170.22 | Level 1 scoping; the no-POA&M rule; affirmation procedures. |
| CMMC Level 1 Self-Assessment Guide · Level 1 Scoping Guidance | DoD’s own guides to performing and scoping the Level 1 self-assessment (Source Library). |
| NIST SP 800-171A | The assessment objectives applied through the Level 1 mapping, FCI substituted for CUI. |