CMMC Level 1 Checklist
On September 10, 2025, the Department of Defense (DoD) published its final Cybersecurity Maturity Model Certification (CMMC 2.0) rule. The framework measures cybersecurity maturity at three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). Each level reflects several considerations, including applicable regulations, implementation complexity, the type and sensitivity of the information handled, the threat environment, and cost.
Organizations at CMMC Level 1 should already have internal practices in place to ensure that sensitive data is accessed only by authorized users and is protected from basic security risks. CMMC Level 1 may seem simple at first glance, yet it quickly becomes more complex once contract terms, self-assessments, and reporting obligations come into play. What looks like “basic cybersecurity” often leaves people unsure which data security measures to apply, how to demonstrate compliance, and whether their internal practices are sufficient.
This CMMC Level 1 Checklist breaks the requirements down into clear, practical steps, helping organizations understand what to focus on, where common gaps appear, and how to approach CMMC Level 1 compliance with confidence.
What is CMMC Level 1?
CMMC Maturity Level 1, also called Foundational, is the entry-level tier of the CMMC framework. Unlike CMMC Level 2, it applies to organizations that handle Federal Contract Information (FCI) but do not store, process, or transmit Controlled Unclassified Information (CUI). FCI refers to non-public information related to a U.S. government contract that is provided by or generated for the government during contract performance and is not intended for public release.
In practical terms, FCI represents routine government contract information that must be safeguarded using fundamental cybersecurity practices. From a business perspective, FCI typically includes everyday contractual data such as:
- contract terms and conditions,
- pricing and delivery schedules,
- statements of work, and
- basic contractual requirements.
While this information is not considered highly sensitive, it still requires basic protection to prevent unauthorized access or disclosure.
CMMC Level 1 focuses on basic cybersecurity hygiene. Organizations must implement 15 fundamental security practices designed to protect FCI from unauthorized access or disclosure.
CMMC 2.0 Level 1 control requirements
CMMC Level 1 requirements consist of 15 foundational cybersecurity practices, drawn from the FAR safeguarding controls, grouped into six core security families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.
Access controls
- Restrict system access to authorized users, approved processes, and trusted devices.
- Ensure users can only perform actions required for their role.
- Control and limit connections to external systems.
- Prevent non-public contract information from being posted or processed on public systems.
To meet this requirement, every user account must be protected with a unique username, a strong password, and MFA. Organizations must also implement role-based access control (RBAC) for all systems that handle FCI, and maintain a current inventory of all assets (people, processes, and technologies) authorized to access organizational resources.
Keep track of who is allowed to post or manage information on public systems and platforms. Establish clear guidelines that prevent FCI from being shared on those platforms, along with a review process before any content is made public. Regularly review all public content to confirm that no FCI has been exposed, and have a quick way to remove any incorrect or unauthorized FCI if needed.
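The inventory and role checks described above can be exercised against actual access records. The following script is an added example, not code from the original article or from Planet 9: it holds a constructed inventory of authorized users (with their roles), authorized devices, and the actions each role may perform, then runs a few constructed access-log lines through it and reports any event that involves an unlisted user, an unlisted device, or an action outside the user's role. The log format, the user and device identifiers, and the role names are all assumptions made for the example.

```python
"""Added example (constructed data): audit access-log events against an
authorized-asset inventory and role permissions (RBAC)."""
from dataclasses import dataclass

# Constructed inventory (assumption): authorized users mapped to their role,
# authorized device identifiers, and the actions each role is allowed to take.
AUTHORIZED_USERS = {
    "jdoe": "engineer",
    "asmith": "contracts",
    "svc-backup": "service",
}
AUTHORIZED_DEVICES = {"LT-0042", "LT-0017", "SRV-BKP01"}
ROLE_PERMISSIONS = {
    "engineer": {"read", "write"},
    "contracts": {"read"},
    "service": {"read", "backup"},
}


@dataclass
class Finding:
    line: str
    reason: str


def parse_event(line):
    """Parse one constructed log line of the form
    '<timestamp> user=<id> device=<id> action=<verb> resource=<path>'
    into a dict of key/value fields (the timestamp is ignored here)."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def audit_access_log(lines):
    """Return a Finding for every event that violates the inventory or RBAC policy."""
    findings = []
    for line in lines:
        try:
            ev = parse_event(line)
            user, device, action = ev["user"], ev["device"], ev["action"]
        except (ValueError, KeyError):
            findings.append(Finding(line, "unparseable event"))
            continue
        role = AUTHORIZED_USERS.get(user)
        if role is None:
            findings.append(Finding(line, f"user {user!r} not in authorized inventory"))
            continue
        if device not in AUTHORIZED_DEVICES:
            findings.append(Finding(line, f"device {device!r} not in authorized inventory"))
            continue
        if action not in ROLE_PERMISSIONS[role]:
            findings.append(Finding(line, f"action {action!r} not permitted for role {role!r}"))
    return findings


# Constructed sample log: one clean event, one action outside the user's role,
# one unknown user, one clean service-account event, and one unknown device.
SAMPLE_LOG = [
    "2025-09-11T08:01:02Z user=jdoe device=LT-0042 action=read resource=/fci/contract-123.pdf",
    "2025-09-11T08:03:44Z user=asmith device=LT-0017 action=write resource=/fci/pricing.xlsx",
    "2025-09-11T08:05:10Z user=bwayne device=LT-0099 action=read resource=/fci/sow.docx",
    "2025-09-11T08:07:30Z user=svc-backup device=SRV-BKP01 action=backup resource=/fci",
    "2025-09-11T08:09:00Z user=jdoe device=USB-UNKNOWN action=read resource=/fci/sow.docx",
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.reason}  <-  {f.line}")
```

Running the script flags three of the five events: the contracts user attempting a write, the user absent from the inventory, and the known user connecting from an unlisted device. In a real environment the inventory would be loaded from the organization's asset register and the log lines from the system's own access logs; the point is that the inventory required by the control is only useful if something compares it against what actually happened.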
Identification and authentication
- Identify authorized users, processes, and devices.
- Verify identities before granting system access.
To meet these requirements, an organization should know clearly who and what can access its systems. This starts with assigning unique identities to users and devices, so that every login and action can be traced back to an individual. Clear identification reduces confusion, supports accountability, and makes it easier to investigate issues if something goes wrong.
In practice, when setting up accounts in platforms like Azure or Google Workspace, companies should follow defined naming and access standards rather than creating accounts ad hoc. This keeps access controlled and reduces the risk of unauthorized or unmanaged access to critical systems.
Media protection
- Securely erase or destroy media containing FCI before disposal or reuse.
Information system media include mobile devices, portable storage devices, and the digital storage components built into devices. Proper media protection practices prevent sensitive information from being retrieved or reconstructed from the device.
NIST SP 800-88 provides guidance on best practices for media sanitization.
To satisfy this control, the organization should establish a media sanitization procedure requiring all system media to be cleared, purged, or destroyed before reuse or disposal. Before reusing any device, all data should be fully wiped so that it cannot be recovered. This applies to laptops, desktops, mobile devices, and removable media. Devices intended for disposal should be restored to factory settings, wiped of all previously stored data, and properly destroyed before disposal.
Physical access
- Limit physical access to organizational information systems, equipment, and their operating environments to authorized individuals.
- Escort visitors and monitor visitor activity.
- Maintain audit logs of physical access.
- Control and manage physical access devices.
To implement physical access control, create a list identifying all individuals permitted to access organizational spaces, including details of any areas with enhanced access restrictions. Additionally, implement physical barriers, such as fences, secure doors, and windows, to prevent unauthorized access to the organization's devices and facilities.
System and communications protection
- Secure and monitor data traffic at external and critical internal network boundaries.
- Separate public-facing systems from internal networks to reduce risk.
In practice, organizations must develop documentation that outlines the data flows across the network, highlighting both external and critical internal boundaries (e.g., cloud applications and endpoints).
It is also necessary to protect against dangerous web domains and applications, including those hosting phishing pages, exploits, and other malicious content. Use technologies such as web filtering to block web traffic to low-reputation sources.
System and Information Integrity
- Identify, report, and remediate system security issues.
- Deploy malware protection across key systems and entry points.
- Keep malware protection tools up to date.
- Regularly scan systems and automatically scan files from external sources.
Organizations need to develop policies and procedures for checking vendor resources for available patches, along with processes to rate the severity of each update and set remediation deadlines for flaws. Consider using automated solutions and anti-malware products to accurately identify threats.
It is important to create and maintain an up-to-date inventory of all assets that can access the organization’s resources. This helps identify potential entry points into the information system that could be used to introduce malicious code. Protection measures should cover servers, workstations, mobile devices, and network appliances such as firewalls and switches.
It is also necessary to determine how often the environment should be scanned for malicious code (computer viruses, worms, Trojan horses, logic bombs, spyware) and to define that frequency in documented policies and procedures. Best practice is to have the antivirus solution run a full system scan at least once daily. Additionally, the antivirus solution should perform real-time scans of all emails, files, attachments, and downloads.
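The two recurring checks in this section, that each endpoint's malware protection is current and scanning on schedule, and that flaws are remediated within the deadline assigned to their severity, lend themselves to a small compliance script. The following is an added example, not code from the original article or from Planet 9: the scan-age limit, signature-age limit, and the per-severity remediation windows are hypothetical policy values chosen for the example (the article itself only states the daily full-scan practice), and the endpoint status records and flaw identifiers are constructed.

```python
"""Added example (constructed data): check endpoint anti-malware status and
patch remediation deadlines against a documented policy."""
from datetime import datetime, timedelta, timezone

# Hypothetical policy values (assumptions for this example): a full scan at
# least daily, signatures no older than one day, and remediation windows in
# days by severity rating.
MAX_SCAN_AGE = timedelta(days=1)
MAX_SIGNATURE_AGE = timedelta(days=1)
REMEDIATION_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def _age(timestamp, now):
    """Elapsed time between an ISO-8601 timestamp (with offset) and `now`."""
    return now - datetime.fromisoformat(timestamp)


def check_endpoint(ep, now):
    """Return the list of policy violations for one endpoint status record."""
    issues = []
    if not ep.get("realtime_enabled", False):
        issues.append("real-time scanning disabled")
    if _age(ep["last_full_scan"], now) > MAX_SCAN_AGE:
        issues.append("full scan older than policy allows")
    if _age(ep["signatures_updated"], now) > MAX_SIGNATURE_AGE:
        issues.append("malware signatures out of date")
    return issues


def remediation_deadline(flaw):
    """Deadline = date the flaw was reported plus the window for its severity."""
    return datetime.fromisoformat(flaw["reported"]) + timedelta(days=REMEDIATION_DAYS[flaw["severity"]])


def overdue_flaws(flaws, now):
    """Identifiers of unpatched flaws whose remediation deadline has passed."""
    return [f["id"] for f in flaws if not f.get("patched") and remediation_deadline(f) < now]


# Constructed "current time" so the example is deterministic.
NOW = datetime(2025, 9, 12, 9, 0, tzinfo=timezone.utc)

# Constructed endpoint status records (as an EDR/AV console export might provide).
SAMPLE_ENDPOINTS = [
    {"host": "LT-0042", "realtime_enabled": True,
     "last_full_scan": "2025-09-12T02:00:00+00:00",
     "signatures_updated": "2025-09-12T01:30:00+00:00"},
    {"host": "LT-0017", "realtime_enabled": False,
     "last_full_scan": "2025-09-09T02:00:00+00:00",
     "signatures_updated": "2025-09-12T01:30:00+00:00"},
]

# Constructed flaw tracker entries; the FLAW-nnn ids are placeholders, not real advisories.
SAMPLE_FLAWS = [
    {"id": "FLAW-001", "severity": "critical", "reported": "2025-09-01T00:00:00+00:00", "patched": False},
    {"id": "FLAW-002", "severity": "low", "reported": "2025-09-01T00:00:00+00:00", "patched": False},
    {"id": "FLAW-003", "severity": "high", "reported": "2025-08-01T00:00:00+00:00", "patched": True},
]


def report(endpoints=SAMPLE_ENDPOINTS, flaws=SAMPLE_FLAWS, now=NOW):
    """Per-host violations plus the list of overdue flaws."""
    return {ep["host"]: check_endpoint(ep, now) for ep in endpoints}, overdue_flaws(flaws, now)


if __name__ == "__main__":
    host_issues, overdue = report()
    for host, issues in host_issues.items():
        print(host, "OK" if not issues else "; ".join(issues))
    print("overdue flaws:", overdue)
```

With the constructed data, LT-0042 passes, LT-0017 is reported for disabled real-time scanning and a three-day-old full scan, and FLAW-001 (critical, reported eleven days earlier) is past its seven-day window. The same structure works when the records come from a real console export, and the policy constants are the values an organization should write into its own documented procedures rather than leave implicit in a script.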
CMMC Level 1 self-assessment
Compliance at Level 1 is demonstrated through an annual self-assessment, rather than a third-party audit. Although it is the entry-level requirement, Level 1 is mandatory for applicable DoD contracts, and noncompliance may exclude an organization from contract eligibility. From a business standpoint, CMMC Level 1 sets a minimum, defensible security baseline and often acts as a foundation for scaling to higher CMMC levels as organizations take on work involving more sensitive DoD information.
For CMMC Level 1, organizations must complete a self-assessment to confirm compliance with basic cybersecurity safeguards. In practice, this includes:
- Conducting a CMMC Level 1 self-assessment to determine their conformity.
- Submitting an annual self-affirmation of the organization’s compliance with the FAR 52.204-21 security requirements to the DoD’s Supplier Performance Risk System (SPRS) (cf. §170.22, Affirmation).
Note that there are two NOs in the CMMC Level 1 self-assessment:
1. NO POA&Ms are permitted for CMMC Level 1.
2. NO third-party conformity assessment or certification is necessary for Level 1.
If an organization fails to meet CMMC Level 1 compliance, standard contractual penalties will apply. Additionally, the organization will not be eligible for new contracts requiring CMMC Level 1 or higher until it successfully completes a valid Level 1 self-assessment, as stated in §170.15(a)(1)(ii).
Boost your CMMC Level 1 compliance with Planet 9
With the broad scope of practice controls under CMMC 2.0, DoD contractors and subcontractors may seek guidance and oversight from CMMC specialists. Planet 9 can support your CMMC Level 1 compliance efforts with the following CMMC certification readiness services:
- Scope your environment to determine the boundaries where Federal Contract Information (FCI) is stored, processed, and exchanged;
- Understand the applicable CMMC Level 1 requirements;
- Conduct readiness assessment;
- Identify and address gaps in your CMMC Level 1 status to understand what you need to improve to meet compliance;
- Conduct a comprehensive CMMC Level 1 self-assessment.
Book a free consultation to learn more, or contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!
Website: https://planet9security.com
Email: info@planet9security.com
Phone: 888-437-3646