Foundational — 17 Practices

CMMC Level 1:
Foundational Cybersecurity

CMMC Level 1 applies to every DoD contractor that handles Federal Contract Information (FCI). Here is everything you need to know about the 17 required practices, the self-assessment process, and how to get compliant.

Who Needs CMMC Level 1?

CMMC Level 1 is required for any company that receives, processes, or stores Federal Contract Information (FCI) under a DoD contract or subcontract.

FCI is defined in FAR 4.1901 as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information the Government itself releases to the public (for example on public websites) or simple transactional information, such as what is needed to process payments.

This means even small businesses, sole proprietors, and subcontractors deep in the DoD supply chain may be required to achieve CMMC Level 1.

DoD prime contractors with FCI on their systems
Subcontractors who receive FCI from a prime
IT service providers supporting DoD contractors with FCI
Small businesses in the defense industrial base (DIB)

Key Facts About CMMC Level 1

17 Practices
Based on the 15 requirements in FAR 52.204-21(b)(1). The count of 17 comes from splitting the single physical-access requirement (escort visitors, keep physical access logs, control physical access devices) into three separate practices; the current CMMC rule (32 CFR Part 170) and the Level 1 assessment guide list the same content as 15 requirements. The scope is identical either way, and every item must be met.
Annual Self-Assessment
Companies self-assess and affirm their score annually — no third-party auditor required for Level 1.
Annual Cycle
There is no multi-year validity period at Level 1. The self-assessment is repeated every year and a senior official affirms the result in SPRS every year. The three-year certification validity with annual affirmations in years 2 and 3 applies to Level 2 and Level 3 certification assessments, not to Level 1.
Contract Requirement
When a solicitation carries the CMMC DFARS clause (DFARS 252.204-7021), a current Level 1 self-assessment and affirmation recorded in SPRS is a condition of contract award and must be maintained for the life of the contract. A company without them can still submit a proposal, but it is not eligible for award.

The Requirements

The 17 CMMC Level 1 Practices

These 17 practices are derived from FAR 52.204-21 and cover six security domains. Every DoD contractor handling FCI must implement all 17. The identifier after each practice names the matching paragraph of FAR 52.204-21(b)(1); the three physical-access practices all trace to paragraph (ix), which is why the current CMMC assessment guide counts them as one requirement and arrives at 15.

AC

Access Control

4 practices
Limit System Access to Authorized Users

Only allow authorized users, processes, and devices to access your company's information systems and Federal Contract Information.

AC.L1-b.1.i
Limit Access to Authorized Transactions

Ensure users can only perform the specific functions their role requires — no more access than necessary.

AC.L1-b.1.ii
Control External System Connections

Verify and control all connections to external systems, including cloud services and third-party networks.

AC.L1-b.1.iii
Control Publicly Accessible Systems

Regulate what information is posted or processed on publicly accessible systems to prevent unauthorized FCI disclosure.

AC.L1-b.1.iv
IA

Identification & Authentication

2 practices
Identify System Users and Devices

All users, processes acting on their behalf, and devices that access your systems must be identified with a unique identifier. Shared or anonymous logins defeat this practice, because activity can no longer be tied to a specific person or device.

IA.L1-b.1.v
Authenticate Identities Before Access

Verify the claimed identity of every user, process, or device before granting access, for example with passwords, multi-factor authentication, or certificates. MFA is not mandated at Level 1 (it appears at Level 2), but nothing prevents you from using it here.

IA.L1-b.1.vi
MP

Media Protection

1 practice
Sanitize or Destroy Media Before Disposal

Securely wipe or destroy hard drives, USB drives, and other media containing FCI before disposal or reuse.

MP.L1-b.1.vii
PE

Physical Protection

4 practices
Limit Physical Access to Authorized Individuals

Restrict physical access to computers, servers, and network equipment to authorized personnel only.

PE.L1-b.1.viii
Escort Visitors and Monitor Activity

Escort visitors in sensitive areas and maintain logs of visitor access to your facilities.

PE.L1-b.1.ix
Maintain Physical Access Audit Logs

Keep records of who physically accesses areas containing information systems that process FCI.

PE.L1-b.1.ix
Manage Physical Access Devices

Control and track physical access devices such as keys, key cards, and access badges.

PE.L1-b.1.ix
SC

System & Communications Protection

2 practices
Monitor and Protect Communications at Boundaries

Monitor, control, and protect communications at the external boundary of your network and at key internal boundaries. In practice this means a correctly configured firewall at the Internet edge and host firewalls on endpoints, with inbound connections denied by default.

SC.L1-b.1.x
Implement Subnetworks for Public Components

Separate publicly accessible system components (like web servers) into isolated subnetworks from internal systems.

SC.L1-b.1.xi
SI

System & Information Integrity

4 practices
Identify, Report, and Correct System Flaws in a Timely Manner

Identify, report, and correct flaws in operating systems, firmware, and applications in a timely manner: apply vendor security patches on a defined schedule and track known vulnerabilities to closure.

SI.L1-b.1.xii
Provide Malicious Code Protection

Deploy antivirus and anti-malware software on all systems that process or store FCI.

SI.L1-b.1.xiii
Update Malicious Code Protection Mechanisms

Keep antivirus and anti-malware definitions current — enable automatic updates where possible.

SI.L1-b.1.xiv
Perform Periodic and Real-Time Scans

Run scheduled scans of your systems and enable real-time scanning of files from external sources as they are downloaded, opened, or executed.

SI.L1-b.1.xv
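The practices above say what must be in place, not how to show it. As an added example that is not part of this page or of Galaxy Consulting's own tooling, the PowerShell script below collects evidence for several of them on one Windows 10/11 host running Microsoft Defender Antivirus: the host firewall (Monitor and Protect Communications at Boundaries), malware protection and patching (the four System & Information Integrity practices), and local account identification and authentication (the two Identification & Authentication practices). The 7-day signature and scan ages and the 30-day patch age are assumptions chosen for the example; neither FAR 52.204-21 nor the CMMC assessment guide sets numeric thresholds. Run it in an elevated PowerShell session on each in-scope workstation.

```powershell
# Added example, not from the original page or Galaxy Consulting.
# Collects CMMC Level 1 evidence on a Windows 10/11 host with Microsoft Defender.
# Assumed thresholds (author's choice, not set by FAR 52.204-21): signatures and
# quick scan no older than 7 days, most recent Windows update no older than 30 days.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Practice, [string]$Check, [bool]$Met, [string]$Evidence)
    $Findings.Add([pscustomobject]@{
        Practice = $Practice
        Check    = $Check
        Status   = if ($Met) { 'MET' } else { 'NOT MET' }
        Evidence = $Evidence
    })
}

# FAR 52.204-21(b)(1)(x): communications at the boundary are controlled.
# Evidence: the host firewall is enabled on every profile.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding 'FAR (b)(1)(x) boundary protection' "Firewall profile '$($p.Name)' enabled" `
        ([string]$p.Enabled -eq 'True') `
        "Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
}

# FAR 52.204-21(b)(1)(xiii)-(xv): malicious code protection present, updated, scanning.
$mp = Get-MpComputerStatus
Add-Finding 'FAR (b)(1)(xiii) malware protection' 'Defender antivirus enabled' `
    $mp.AntivirusEnabled "AntivirusEnabled=$($mp.AntivirusEnabled)"
Add-Finding 'FAR (b)(1)(xiv) protection updated' 'Signatures updated within 7 days' `
    ($mp.AntivirusSignatureAge -le 7) `
    "SignatureAge=$($mp.AntivirusSignatureAge) days, last=$($mp.AntivirusSignatureLastUpdated)"
Add-Finding 'FAR (b)(1)(xv) real-time scan' 'Real-time protection on' `
    $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Finding 'FAR (b)(1)(xv) periodic scan' 'Quick scan within 7 days' `
    ($mp.QuickScanAge -le 7) "QuickScanAge=$($mp.QuickScanAge) days, last=$($mp.QuickScanEndTime)"

# FAR 52.204-21(b)(1)(xii): flaws corrected in a timely manner.
# Get-HotFix lists only installed updates, so the evidence is the date of the
# most recent one; it cannot tell you which patches are still missing.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'FAR (b)(1)(xii) flaw remediation' 'An update installed within 30 days' `
    ($patchAge -le 30) "Latest=$($latest.HotFixID) on $($latest.InstalledOn)"

# FAR 52.204-21(b)(1)(v)-(vi): every enabled local account is a named identity
# that must authenticate; the shared Guest account must be disabled.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    Add-Finding 'FAR (b)(1)(vi) authentication' "Account '$($u.Name)' requires a password" `
        $u.PasswordRequired "PasswordRequired=$($u.PasswordRequired)"
}
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Finding 'FAR (b)(1)(v) identification' 'Built-in Guest account disabled' `
    (-not $guest.Enabled) "GuestEnabled=$($guest.Enabled)"

# Level 1 is pass/fail: one NOT MET means this host cannot support a Level 1 affirmation.
$Findings | Format-Table -AutoSize
$overall = if ($Findings.Status -contains 'NOT MET') { 'NOT MET' } else { 'MET' }
"Host result: $overall"
$Findings | Export-Csv -Path ".\cmmc-l1-evidence-$env:COMPUTERNAME.csv" -NoTypeInformation
```

The CSV is evidence to attach to your System Security Plan, not the assessment itself: an assessor still expects the policy, the procedure, and the person responsible behind each practice. The Access Control, Media Protection and Physical Protection practices produce no machine-readable artifact on a workstation, so they are demonstrated with documents, visitor logs and key inventories rather than a script.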

The Process

The CMMC Level 1 Self-Assessment Process

Level 1 never requires a third-party assessor (C3PAO) or a DoD-led assessment, which Level 2 certification assessments and Level 3 do. You assess yourself, a senior official affirms the result, and both the result and the affirmation are recorded in the DoD's Supplier Performance Risk System (SPRS).

1

Conduct Internal Review

Assess your organization against all 17 practices. Galaxy's RPs guide you through each one.

2

Record Each Practice as MET or NOT MET

Document the status of every practice with the evidence behind it. Level 1 is pass/fail: there is no point score. The 110-point SPRS score belongs to the NIST SP 800-171 assessment used for DFARS 252.204-7012/7019 and CMMC Level 2, not to Level 1.

3

Remediate Every Gap

Plans of Action and Milestones (POA&Ms) are not permitted at Level 1. Track each gap internally with an owner and a target completion date, but every practice must actually be MET before the self-assessment can be recorded as compliant.

4

Affirm and Submit to SPRS

A senior company official (the Affirming Official) records the self-assessment result in the DoD's Supplier Performance Risk System (SPRS) and affirms that the company meets, and will continue to meet, all Level 1 practices. There is no score to submit at Level 1; the record is the result and the affirmation.

5

Annual Renewal

CMMC Level 1 self-assessments must be repeated every year, and the Affirming Official must renew the affirmation in SPRS each year; a lapsed affirmation makes you ineligible for new awards that carry the clause.

How Galaxy Consulting Helps

As your CMMC RPO, Galaxy Consulting guides you through every step of this process. Our Registered Practitioners conduct the gap assessment, help remediate deficiencies, draft your SSP and documentation, and prepare your team for the self-assessment and SPRS submission — so you can focus on running your business.

See Our CMMC Services

Not Sure Where to Start?

Galaxy Consulting offers a free initial consultation to help you understand your current CMMC Level 1 posture and what it will take to get certified.