The 15 CMMC Level 1 Requirements in Plain English

CMMC Level 1 has 15 requirements. They come straight from Federal Acquisition Regulation clause 52.204-21, the basic safeguarding rule that already applies to most defense contracts. If your contract requires Level 1, these 15 items are the full list you have to meet and self-attest to. There is nothing hidden behind them.


This post is for small Department of Defense (DoD) subcontractors and suppliers who handle Federal Contract Information (FCI) and are looking at the requirements for the first time. The official wording is written for assessors, not business owners, so it can read as more complicated than it is. We are going to translate each requirement into plain language and show where small businesses commonly fall short.


A quick note on identifiers. If you are working from older CMMC materials, you may have seen NIST 800-171 referenced alongside them. That standard is the baseline for Level 2, not Level 1. Level 1 maps entirely to FAR 52.204-21, the clause cited throughout this post. The current identifier scheme, used in the September 2024 official Level 1 Self-Assessment Guide and in any new contract paperwork you receive, is the b.1.x format (for example, AC.L1-b.1.i). The numbers tie to FAR 52.204-21 paragraph (b)(1), items (i) through (xv).


If you want to look up any of these requirements by ID while you read, the CMMC Practice Lookup lets you search all Level 1 and Level 2 practices with plain-English explanations and common implementation notes.


APT Security Management is a managed security services provider based in North Charleston, South Carolina. We help contractors prepare for both Level 1 and Level 2. Below, the 15 requirements are grouped into their six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.

A quick note before the list

CMMC Level 1 is the entry tier of the program. It covers FCI only, which is information provided by or generated for the government under a contract that is not meant for public release. It does not cover Controlled Unclassified Information (CUI). If your work touches CUI, you are looking at Level 2, not Level 1. If you are not sure whether what you handle qualifies as CUI, the CUI Identifier walks you through a decision tree to find out. If you want to go deeper on the FCI vs. CUI distinction specifically, our post FCI vs. CUI: What's the Difference? walks through exactly how to tell which category your data falls into and why it changes your compliance path.


Each requirement below keeps its official identifier so you can match it to your contract, your self-assessment paperwork, and the official CMMC Level 1 Self-Assessment Guide.

Access Control (4 requirements)

Access Control is about making sure only the right people, processes, and systems can reach your FCI, and that they can only do what their job requires.

AC.L1-b.1.i — Authorized Access Control

Only people, processes, and devices you have approved should be able to log in to systems that hold FCI. In practice this means every user has their own account, accounts are created on purpose, and accounts are removed when someone leaves. A common failure is a former employee whose login still works months after their last day.

AC.L1-b.1.ii — Transaction & Function Control

Authorized users should only be able to perform the transactions and functions their role requires. A shipping clerk does not need administrator rights. This is about scoping permissions, not just granting access.

AC.L1-b.1.iii — External Connections

You have to verify and limit how outside systems connect to yours and how your team uses outside systems. This covers personal laptops, home networks, third-party services, and cloud applications. If staff check work email or open contract files from personal devices, that is an external connection you are expected to control.

AC.L1-b.1.iv — Control Public Information

Anything posted on a publicly accessible system, such as your company website or a public social media account, must be reviewed so FCI does not end up there by accident. Someone responsible has to approve public content before it goes live.

Identification and Authentication (2 requirements)

This domain makes sure a system can tell who is who before it grants access.

IA.L1-b.1.v — Identification

Every user, process, and device on your systems needs a unique identity. Shared logins break this requirement. If three staff members all sign in as the same "office" account, the system cannot identify any of them, and you cannot tell who did what.

IA.L1-b.1.vi — Authentication

Before access is granted, the system has to verify that the identity is genuine, usually with a password and a second factor. Multi-factor authentication is not strictly named in the Level 1 wording, but weak or reused passwords are one of the most common reasons a Level 1 environment fails a closer look. Turning on multi-factor authentication for email and key accounts is one of the highest-value steps you can take here. Default credentials on new devices should be changed before the device sees production use.

Media Protection (1 requirement)

MP.L1-b.1.vii — Media Disposal

Before you throw out, sell, donate, or repurpose any device or media that held FCI, the data has to be properly removed or the media destroyed. Dragging files to the recycle bin does not count. This applies to old laptops, hard drives, USB sticks, printers and copiers with internal storage, and non-digital media like paper records.

Physical Protection (2 requirements)

Physical Protection is about the building and the equipment, not the network.


Note that this domain looks different from older CMMC materials. The September 2024 official guide consolidated three former practices (visitor escort, physical access logs, and physical access device management) into a single requirement, PE.L1-b.1.ix. The domain now has two requirements instead of four. The underlying expectations have not changed.

PE.L1-b.1.viii — Limit Physical Access

Only authorized people should be able to physically reach systems and equipment that handle FCI. Locked offices, locked server closets, and a front door that is not propped open all support this requirement. It also covers placement of devices like printers, so the documents they produce are not exposed to unauthorized eyes.

PE.L1-b.1.ix — Manage Visitors & Physical Access

This single requirement covers three connected practices. Visitors are escorted and their activity is monitored. Physical access is logged, whether by a sign-in sheet or a badge reader. And physical access devices, meaning the keys, badges, and access codes that grant entry, are tracked and controlled.


In practice that means: visitors do not roam unaccompanied, even ones you know well; you keep a record of who came and went and retain it as long as your policy requires; and you know who holds each key or badge, you collect them when someone leaves, and you change door codes when needed.

System and Communications Protection (2 requirements)

This domain covers the boundary of your network and how internal and public-facing systems are separated.

SC.L1-b.1.x — Boundary Protection

You have to monitor, control, and protect traffic at the edge of your network and at key internal boundaries. In plain terms this means a real firewall that is configured on purpose, not the default settings on a consumer router. A weak boundary is exactly the kind of gap that gets closed with a properly configured firewall from a partner such as Fortinet or Sophos, which is why prep work and tool selection tend to happen together.

SC.L1-b.1.xi — Public-Access System Separation

Any publicly accessible system component, such as a web server, should sit on a separate subnetwork from your internal systems. If a public server is compromised, that separation keeps the attacker away from the systems that hold FCI. A small DMZ on your firewall or a cloud environment isolated from your internal network can both meet this.
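To make the boundary and separation requirements (SC.L1-b.1.x and SC.L1-b.1.xi) concrete, here is an added example that is not from the original post and not from APT Security Management or any firewall vendor. It models a zone-based policy as a first-match rule list with default deny, which is an assumption for illustration rather than the syntax of Fortinet, Sophos or any other product. The zone names, ports and both rule sets are constructed; the point is that the weak policy lets a DMZ host start connections into the internal network, while the corrected one does not.

```python
"""Constructed zone-based rule check for the DMZ / internal separation.

Added example, not code from the original post. The rule model is a
simplified first-match list with default deny; zone names, ports and
rule sets below are constructed for illustration.
"""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: str      # "*" or a port number as a string
    action: str        # "allow" or "deny"


def _matches(rule, src, dst, port):
    return (rule.src_zone in (ANY, src)
            and rule.dst_zone in (ANY, dst)
            and rule.dst_port in (ANY, port))


def evaluate(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if _matches(r, src, dst, port):
            return r.action
    return "deny"


# Constructed "trust everything inside" policy, the consumer-router default
WEAK_RULES = [
    Rule("wan", "dmz", "443", "allow"),
    Rule("internal", ANY, ANY, "allow"),
    Rule("dmz", ANY, ANY, "allow"),     # web server can reach the file server holding FCI
]

# Corrected policy: the DMZ answers the internet but never starts a conversation inward
HARDENED_RULES = [
    Rule("wan", "dmz", "443", "allow"),
    Rule("internal", "dmz", "443", "allow"),   # staff can use the public app too
    Rule("dmz", "internal", ANY, "deny"),      # explicit, so a later broad rule cannot reopen it
    Rule("dmz", "wan", "443", "allow"),        # outbound updates, if you choose to permit them
    Rule("internal", "wan", ANY, "allow"),
]

SAMPLE_PORTS = ["22", "443", "445", "3389"]    # constructed set of ports to probe


def dmz_can_reach_internal(rules, ports=SAMPLE_PORTS):
    """Ports on which a host in the DMZ could initiate a connection into the internal zone."""
    return [p for p in ports if evaluate(rules, "dmz", "internal", p) == "allow"]


def separation_holds(rules):
    """SC.L1-b.1.xi check: nothing in the DMZ may initiate inward."""
    return not dmz_can_reach_internal(rules)


def broad_allows(rules):
    """SC.L1-b.1.x check: allow rules with no destination zone and no port restriction."""
    return [r for r in rules
            if r.action == "allow" and r.dst_zone == ANY and r.dst_port == ANY]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "separation holds:", separation_holds(rules),
              "| DMZ -> internal open on:", dmz_can_reach_internal(rules),
              "| broad allow rules:", len(broad_allows(rules)))
```

Running the script prints the weak policy failing on every sampled port and the hardened one passing. The explicit deny placed before any broad allow is the habit worth copying into a real firewall: an appliance that evaluates rules top to bottom will otherwise let a later "any" rule quietly undo the separation.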

System and Information Integrity (4 requirements)

This last domain is about keeping systems patched, clean, and protected from malicious software.

SI.L1-b.1.xii — Flaw Remediation

You have to identify, report, and correct system flaws within a time frame you define. In plain terms, this is patching. Operating systems and applications need updates applied on a regular cadence, not whenever someone remembers. The cadence should be written down, and the patching should follow it.

SI.L1-b.1.xiii — Malicious Code Protection

You need malicious code protection, meaning antivirus or endpoint protection, running where it makes sense across your systems. Built-in basic antivirus and modern endpoint protection are not the same thing, and the gap between them is a common weak spot.

SI.L1-b.1.xiv — Update Malicious Code Protection

Malicious code protection only works if its definitions and engine stay current. This requirement says updates have to be applied when new releases come out. Most endpoint tools can do this automatically, so the failure here is usually a tool that was installed once and never maintained.

SI.L1-b.1.xv — System & File Scanning

You have to perform periodic full scans and real-time scanning of files from external sources as they are downloaded, opened, or run. Endpoint protection and email security tools, such as those from Sophos or Proofpoint, handle account access, malware scanning, and phishing defense as standard features, which is why several of these Integrity requirements are often met by the same tooling.

Where small businesses commonly trip up

Across the 15 requirements, the same handful of gaps show up again and again in small subcontractor environments:

No multi-factor authentication on email or key accounts.

Shared administrator accounts, so the system cannot tell users apart.

No patch cadence, with updates applied at random.

FCI sitting on personal phones and laptops that the business does not control.

Basic built-in antivirus treated as full endpoint protection.

None of these are expensive to fix. They are usually a matter of configuration, policy, and habit. The harder part is proving the fix is real, because Level 1 is about implementation, not just intent.
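Several of the gaps above (AC.L1-b.1.i stale or former-employee accounts, IA.L1-b.1.v shared logins, IA.L1-b.1.vi missing multi-factor authentication and unchanged default credentials, SI.L1-b.1.xii patch cadence) can be checked against an exported inventory rather than from memory. The script below is an added example, not from the original post or from APT Security Management; the account and device rows, the HR offboarding list, the 30-day cadence and the 45-day stale-login threshold are all constructed values, and the field names are assumptions rather than the schema of any real directory or endpoint product. Each finding carries the requirement ID it maps to, so the output feeds straight into the met / partially met / not met pass described below.

```python
"""Constructed self-check over an account and device inventory export.

Added example, not code from the original post. Inventory rows, the
offboarding list, the patch cadence and the stale-login threshold are
constructed; field names are assumptions, not a real tool's schema.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

CHECK_DATE = date(2025, 3, 1)      # constructed "today" for the sample data
PATCH_CADENCE_DAYS = 30            # the cadence written in your policy (assumed value)
STALE_LOGIN_DAYS = 45              # unused-account review threshold (assumed value)


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    interactive: bool          # False for service accounts that never log in
    admin: bool
    mfa_enabled: bool
    last_login: date | None
    owners: tuple[str, ...]    # people who know the password


@dataclass(frozen=True)
class Device:
    hostname: str
    last_patched: date | None
    default_creds_changed: bool


# Constructed HR offboarding list and inventory rows (not real data)
FORMER_EMPLOYEES = {"dlee", "rkhan"}

ACCOUNTS = [
    Account("jsmith", True, True, False, True, date(2025, 2, 27), ("jsmith",)),
    Account("dlee", True, True, False, False, date(2024, 11, 3), ("dlee",)),
    Account("rkhan", False, True, False, False, date(2024, 8, 1), ("rkhan",)),
    Account("office", True, True, False, False, date(2025, 2, 28), ("jsmith", "mgarcia", "tnguyen")),
    Account("admin", True, True, True, False, date(2025, 2, 20), ("mgarcia", "tnguyen")),
    Account("svc-backup", True, False, False, False, None, ("mgarcia",)),
]

DEVICES = [
    Device("ws-01", date(2025, 2, 15), True),
    Device("ws-02", date(2024, 12, 1), True),
    Device("fw-edge", None, False),
]


def audit_accounts(accounts, former_employees, today=CHECK_DATE):
    """Return (requirement_id, subject, reason) tuples for account-level gaps."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                           # already disabled, nothing to flag
        if a.username in former_employees:
            findings.append(("AC.L1-b.1.i", a.username, "former employee, account still enabled"))
        elif a.interactive and (a.last_login is None
                                or (today - a.last_login).days > STALE_LOGIN_DAYS):
            findings.append(("AC.L1-b.1.i", a.username,
                             "no login in %d days, confirm still needed" % STALE_LOGIN_DAYS))
        if len(a.owners) > 1:
            findings.append(("IA.L1-b.1.v", a.username, "shared credential, users cannot be told apart"))
        if a.interactive and not a.mfa_enabled:
            findings.append(("IA.L1-b.1.vi", a.username, "multi-factor authentication not enabled"))
    return findings


def audit_devices(devices, today=CHECK_DATE, cadence_days=PATCH_CADENCE_DAYS):
    """Return (requirement_id, subject, reason) tuples for device-level gaps."""
    findings = []
    for d in devices:
        if d.last_patched is None:
            findings.append(("SI.L1-b.1.xii", d.hostname, "no patch date recorded"))
        elif (today - d.last_patched).days > cadence_days:
            findings.append(("SI.L1-b.1.xii", d.hostname,
                             "patched %d days ago, cadence is %d" % ((today - d.last_patched).days, cadence_days)))
        if not d.default_creds_changed:
            findings.append(("IA.L1-b.1.vi", d.hostname, "default credentials still in place"))
    return findings


def summarize(findings):
    """Count findings per requirement ID for the met / partially met / not met pass."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    all_findings = audit_accounts(ACCOUNTS, FORMER_EMPLOYEES) + audit_devices(DEVICES)
    for req, subject, reason in all_findings:
        print(f"{req:15} {subject:12} {reason}")
    print(summarize(all_findings))
```

On the constructed data the run flags the departed user whose login still works, both shared accounts, three interactive accounts without a second factor, a workstation 90 days behind a 30-day cadence, and a firewall with no patch record and factory credentials. Swapping the inline rows for a real export from your directory and endpoint tools is the only change needed to reuse it.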

What to Do Next

Read through the 15 requirements and mark each one as met, partially met, or not met for your own environment. If you want a structured format for that first pass, the CMMC Readiness Quickcheck runs you through the key gaps and tells you where you stand. That honest first pass tells you how much work is ahead. Level 1 compliance is self-attested annually, which means a senior official in your company signs a statement that all 15 requirements are in place. Our post How CMMC Level 1 Self-Attestation Actually Works explains what that signature commits you to.


If you are not sure whether a requirement is genuinely met, a CMMC gap assessment checks each requirement against your real systems and tells you where you stand. A gap you find now is a fix. The same gap found after you have signed is non-compliance.

Get a Quote for Your Environment

APT can review your environment against all 15 Level 1 requirements and scope the work to close any gaps, all on token-based pricing with no long-term contract. Tell us about your setup and we will put together a quote.