
CMMC Level 1: What It Means for Over 139,000 Defense Contractors

Over 139,000 DoD contractors must meet CMMC Level 1. Learn what it requires, how to self-assess, and why it's essential for handling Federal Contract Information.

4 min read
Published on Jul 3, 2025

Fact: 63% of the Defense Industrial Base needs to have CMMC Level 1 status! Even if you do not handle Controlled Unclassified Information (CUI), if you do business with the Department of Defense (DoD), you need to align to CMMC!

You should already know why the Cybersecurity Maturity Model Certification (CMMC) program exists. But, just in case, the Department of Defense (DoD) developed the CMMC Program to enhance cybersecurity across the Defense Industrial Base (DIB) and safeguard sensitive unclassified information shared with contractors and subcontractors. A key component and foundational step of this program is CMMC Level 1.

Do I Need CMMC Level 1?

Yes! CMMC Level 1 focuses on protecting Federal Contract Information (FCI). FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service, excluding publicly available information or simple transactional details.

According to DoD estimates, a significant number of organizations will be required to meet CMMC Level 1 requirements. It is projected that 139,201 entities will perform Level 1 self-assessments. This makes Level 1 self-assessments the most common assessment type across the CMMC program, accounting for 63% of the total estimated companies that will undergo CMMC assessments.

What Does CMMC Level 1 Entail?

CMMC Level 1 comprises the basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21, which contains 15 security controls. These requirements are translated into 17 CMMC practices, and to demonstrate compliance, organizations must meet 59 assessment objectives across these 17 practices.

Key aspects of a CMMC Level 1 assessment include:

  • Scope: Generally, the assets that process, store, or transmit FCI are considered in-scope and should be assessed against the CMMC Level 1 practices. For most companies, this means their entire system (all people, processes, and technology involved in contracts) will fall under Level 1 scope, as FCI is a broad category of data that typically isn’t segregated into specialized enclaves.

  • No Plans of Action and Milestones (POA&Ms): For CMMC Level 1, POA&Ms are strictly not permitted. This means that all 15 security requirements must be fully met to achieve the CMMC Status of Final Level 1.

  • Annual Self-Assessment: Contractors are required to conduct an annual Level 1 self-assessment. This self-assessment can be performed internally or with the assistance of a third party, but it remains a self-assessment and does not result in a certification.

  • Senior Company Official Affirmation: Following the self-assessment, a senior company official must provide an annual affirmation of compliance in the Supplier Performance Risk System (SPRS). This affirmation needs to be submitted after each assessment and annually thereafter to maintain compliance.

Cost and Implementation

The estimated cost to support a CMMC Level 1 self-assessment and affirmation is roughly $6,000 for small entities. It’s important to note that the cost estimates set forth by the DoD are based on the assumption that contractors and subcontractors have already implemented the 15 basic safeguarding requirements specified in FAR Clause 52.204-21, as these are existing contractual obligations that have been in place since June of 2016.

The CMMC program is being implemented in phases, with CMMC Level 1 self-assessments starting in Phase 1. Phase 1 begins once 48 CFR Part 204 becomes finalized and we understand how the CMMC requirements will be contractually implemented.

Why is Level 1 Important?

Level 1 serves as the “floor” in cybersecurity and represents the basic cybersecurity hygiene that any business should implement in the modern digital era, regardless of industry. By meeting these foundational requirements, contractors increase confidence in their ability to protect Federal Contract Information, which is crucial for participating in DoD contracts.

If your organization handles Federal Contract Information, understanding and implementing CMMC Level 1 requirements is a critical step towards securing your systems and maintaining eligibility for DoD contracts.

Need Help Preparing for CMMC Level 1?

Even if your organization only handles FCI, meeting CMMC Level 1 requirements is critical to maintaining DoD eligibility. If you’re unsure where to start or want expert guidance through the self-assessment process, connect with Agile IT today.
