CMMC Level 1 Requirements
If you’re a small business working with the U.S. Department of Defense (DoD), you’ve probably heard about CMMC—short for Cybersecurity Maturity Model Certification. It sounds fancy and complicated, but CMMC Level 1 is actually pretty simple once you break it down.
In this post, we’re going to walk through what CMMC Level 1 is, what the requirements are, and how your small business can meet them without breaking the bank (or your brain).
What is CMMC Level 1?
CMMC is a set of cybersecurity standards established by the U.S. Department of Defense to protect sensitive information that contractors handle while working on DoD projects.
There are multiple levels of CMMC. Level 1 is the first and most basic level. It’s focused on protecting something called Federal Contract Information (FCI) — which is just normal government business information that isn’t meant for the public Think of it this way: if you have contracts, purchase orders, or project schedules from the DoD, they probably contain FCI. It’s not secret like classified info, but it still needs to be protected.
Goal of Level 1: Make sure your business is using good, common-sense security habits so this information doesn’t get lost, stolen, or shared by accident.
How Many Requirements Are There?
CMMC Level 1 has 17 basic security practices you must follow. These come from another government rule called FAR 52.204-21. Each practice is designed to reduce simple cyber risks—things like stolen passwords, malware, or lost laptops. These 17 practices are grouped into 6 categories (called “domains”):
- Access Control
- Identification and Authentication
- Media Protection
- Physical Protection
- System and Communications Protection
- System and Information Integrity
The 17 CMMC Level 1 Practices (In Plain Language)
1. Access Control (Limit who gets in)
- Only give people access to information if they actually need it for their jobs.
- Make sure people can only use company computers or accounts when you say it’s okay.
- Block people from using accounts they’re not supposed to use.
- Turn off access when someone leaves the company.
2. Identification and Authentication (Know who’s who)
- Make sure every user has their own username and password.
- Use strong passwords and change them when needed.
- Make sure devices like laptops and phones require a password or PIN to unlock.
3. Media Protection (Protect data on devices)
- If you save government info on a USB drive, laptop, or phone, protect it.
- Destroy or wipe old devices and drives before throwing them away.
4. Physical Protection (Keep the bad guys out of your space)
- Limit who can walk into areas where you keep computers or paper files with government info.
- Lock up laptops or paper files when you’re not using them.
5. System and Communications Protection (Keep your network safe)
- Make sure your internet connection is secure.
- Block public access to systems that store FCI.
- If you use Wi-Fi, protect it with a strong password and modern encryption (like WPA2 or WPA3).
6. System and Information Integrity (Catch problems quickly)
- Install antivirus software on your computers.
- Update your computers and software regularly to fix security holes.
- Watch out for suspicious emails, links, or software.
- Report problems or suspicious activity right away.
Self-Assessment and SPRS Score
Here’s some good news: for CMMC Level 1, you don’t need an outside auditor. Instead, you self-assess. This means you answer questions about the 17 practices and give yourself a score. Then you upload that score to the Supplier Performance Risk System (SPRS).
- You start with 110 points (this number comes from NIST SP 800-171).
- Each missing practice subtracts points.
- You must have at least some score (not zero) to be considered for DoD contracts.
Why This Matters for Your Small Business
You might be thinking, “I’m just a small shop. Do I really need to do all this?” The short answer: yes.
Here’s why:
- It’s required.
- It builds trust.
- It protects your business.
How to Get Started (Without Getting Overwhelmed)
1. Make a List
Write down all the places where you store or use government information—emails, laptops, cloud drives, etc.
2. Review the 17 Practices
Go through the list above and check which ones you already do.
3. Fix the Gaps
Make a checklist to fix anything missing.
4. Write It Down
Keep notes or simple policies that explain how you meet each practice.
5. Do Your Self-Assessment
Answer the questions for each of the 17 practices and enter your score in SPRS.
Common Mistakes to Avoid
- Sharing accounts
- No backups
- Using personal devices without security
- Skipping updates
- No plan for when something goes wrong
Tools That Can Help
- Microsoft 365 or Google Workspace
- Bitdefender or Sophos
- LastPass or 1Password
- PreVeil or Microsoft Purview
The Bottom Line
CMMC Level 1 is really just about building smart security habits. Limit access. Use passwords. Lock things up. Run antivirus. Keep things updated. Do that, and you’re most of the way there. Keep up with the latest DoW CMMC reporting and the main CMMC compliance page.
Ready to Tackle CMMC Level 1?
Start now, and you’ll save yourself stress later. Even if you’re a one-person shop, showing that you take cybersecurity seriously makes you stand out as a trusted partner to the DoD.
At Greypike, we can help. We’ve built an AI-powered platform that enables you to achieve CMMC compliance quickly and confidently. Contact us to learn more





