
CMMC Level 1: What It Means for Over 139,000 Defense Contractors

Over 139,000 DoD contractors must meet CMMC Level 1. Learn what it requires, how to self-assess, and why it's essential for handling Federal Contract Information.

Published on Jul 3, 2025

Fact: 63% of the Defense Industrial Base needs to have CMMC Level 1 status! Even if you do not handle Controlled Unclassified Information (CUI), if you do business with the Department of Defense (DoD), you need to align to CMMC!

You should already know why the Cybersecurity Maturity Model Certification (CMMC) program exists. But, just in case, the Department of Defense (DoD) developed the CMMC Program to enhance cybersecurity across the Defense Industrial Base (DIB) and safeguard sensitive unclassified information shared with contractors and subcontractors. A key component and foundational step of this program is CMMC Level 1.

Do I Need CMMC Level 1?

Yes! CMMC Level 1 focuses on protecting Federal Contract Information (FCI). FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service, excluding publicly available information or simple transactional details.

According to DoD estimates, a significant number of organizations will be required to meet CMMC Level 1 requirements. It is projected that 139,201 entities will perform Level 1 self-assessments. This makes Level 1 self-assessments the most common assessment type across the CMMC program, accounting for 63% of the total estimated companies that will undergo CMMC assessments.

What Does CMMC Level 1 Entail?

CMMC Level 1 comprises the basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21, which contains 15 security controls. These requirements are translated into 17 CMMC practices, and to demonstrate compliance, organizations must meet 59 assessment objectives across these 17 practices.

Key aspects of a CMMC Level 1 assessment include:

  • Scope: Generally, the assets that process, store, or transmit FCI are considered in-scope and should be assessed against the CMMC Level 1 practices. For most companies, this means their entire system (all people, processes, and technology involved in contracts) will fall under Level 1 scope, as FCI is a broad category of data that typically isn’t segregated into specialized enclaves.

  • No Plans of Action and Milestones (POA&Ms): For CMMC Level 1, POA&Ms are strictly not permitted. This means that all 15 security requirements must be fully met to achieve the CMMC Status of Final Level 1.

  • Annual Self-Assessment: Contractors are required to conduct an annual Level 1 self-assessment. This self-assessment can be performed internally or with the assistance of a third party, but it remains a self-assessment and does not result in a certification.

  • Senior Company Official Affirmation: Following the self-assessment, a senior company official must provide an annual affirmation of compliance in the Supplier Performance Risk System (SPRS). This affirmation needs to be submitted after each assessment and annually thereafter to maintain compliance.

Cost and Implementation

The estimated cost to support a CMMC Level 1 self-assessment and affirmation is roughly $6,000 for small entities. It’s important to note that the cost estimates set forth by the DoD are based on the assumption that contractors and subcontractors have already implemented the 15 basic safeguarding requirements specified in FAR Clause 52.204-21, as these are existing contractual obligations that have been in place since June of 2016.

The CMMC program is being implemented in phases, with CMMC Level 1 self-assessments starting in Phase 1. Phase 1 begins once 48 CFR Part 204 becomes finalized and we understand how the CMMC requirements will be contractually implemented.

Why is Level 1 Important?

Level 1 serves as the “floor” in cybersecurity and represents the basic cybersecurity hygiene that any business should implement in the modern digital era, regardless of your industry. By meeting these foundational requirements, contractors increase confidence in their ability to protect Federal Contract Information, which is crucial for participating in DoD contracts.

If your organization handles Federal Contract Information, understanding and implementing CMMC Level 1 requirements is a critical step towards securing your systems and maintaining eligibility for DoD contracts.

Need Help Preparing for CMMC Level 1?

Even if your organization only handles FCI, meeting CMMC Level 1 requirements is critical to maintaining DoD eligibility. If you’re unsure where to start or want expert guidance through the self-assessment process, connect with Agile IT today.
