Organizations working within the Defense Industrial Base (DIB) must achieve CMMC compliance by implementing the policies, processes, and controls needed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC model, consisting of 3 maturity levels, requires Department of War (DOW) contractors to implement foundational cybersecurity practices in addition to NIST SP 800-171 guidelines. This process can be costly and time-consuming for smaller businesses, so your organization should have a complete understanding of its requirements before starting down this path. If your business handles FCI, you will need to comply with level 1 of CMMC.
Level 1 of the CMMC model is known as the "foundational level". The requirements of this tier apply specifically to organizations that handle FCI, not CUI. Level 1 consists of 17 practices, outlined in FAR 52.204-21, that cover foundational cyber hygiene. Once these practices have been implemented, contractors are required to submit an annual self-attestation to the Supplier Performance Risk System (SPRS).
With the publication of the 48 CFR CMMC final rule, phase 1 of CMMC implementation will begin on November 10, 2025. From that date, contractors will begin to see CMMC level 1 requirements in their contracts. Failure to submit an accurate SPRS score could put your organization at risk of prosecution under the False Claims Act.
FCI, or federal contract information, is information "not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government".
Examples of FCI may include:
Access Control (AC)
Contractors are required to limit access to FCI to authorized users.
1.001: Limit information system access to authorized users, processes acting on behalf of users, or devices (including other information systems).
1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
1.003: Verify and control/limit connections to and use of external information systems.
1.004: Control information posted or processed on publicly accessible systems (e.g., websites, blogs).
Identification and Authentication (IA)
Users' identities must be validated before they are granted system access.
1.076: Identify information system users, processes acting on behalf of users, or devices.
1.077: Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access.
Media Protection (MP)
Organizations must protect media containing FCI, both physical and digital.
1.118: Sanitize or destroy information system media containing FCI before disposal or reuse.
Physical Protection (PP)
1.131: Limit physical access to organizational information systems, equipment, and operating environments to authorized individuals.
1.132: Escort visitors and monitor visitor activity.
1.133: Maintain audit logs of physical access.
1.134: Control and manage physical access devices (e.g., keys, cards).
System and Communication Protection (SC)
1.175: Monitor, control, and protect organizational communications (information transmitted or received) at system boundaries.
1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
System and Information Integrity (SI)
1.210: Identify, report, and correct information and information system flaws in a timely manner.
1.211: Provide protection from malicious code at appropriate locations within organizational systems.
1.212: Update malicious code protection mechanisms when new releases are available.
1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
CMMC level 1 applies to organizations working within the DIB that handle, process, or store FCI. This can encompass DIB SMBs, prime contractors, and subcontractors or vendors that receive FCI from their prime. It also includes any Cloud Service Providers (CSPs) that handle FCI on behalf of a contractor. If your organization sells only commercial off-the-shelf (COTS) products, you are likely not required to comply with CMMC level 1.
To determine whether or not your business needs to be CMMC compliant, ask yourselves the following questions:
In order to achieve CMMC level 1 compliance, organizations must conduct a self-assessment against the 17 practices listed above. Unlike level 2, this assessment does not allow for any POA&Ms (Plans of Action and Milestones) and, rather than producing a numeric score, results in either MET or NOT MET for each practice. Your self-assessment must include a documented policy for each control alongside a description of the processes, procedures, and technologies used to enforce those policies. This self-attestation must be signed by an executive annually, reaffirming that the organization has fully implemented and maintained the required controls to protect FCI.
In order to report your CMMC level 1 self-assessment, your organization will need to submit a SPRS score. This can be done by visiting the SPRS website.
To submit your SPRS score, you will need the following information:
CorpInfoTech is a CMMC L2 certified managed service provider (MSP) that provides a turnkey CMMC Level 1 Compliance Setup service designed to prepare organizations for CMMC 2.0 Level 1 and FAR 52.204-21 requirements. This structured onboarding approach ensures that existing technology assets and Microsoft 365 Commercial tenants are fully aligned with federal cybersecurity mandates, beginning with an initial readiness assessment of your organization's people, processes, and tenant posture.
We follow this with baseline hardening of core Microsoft services: enforcing MFA for all identities, establishing role separation, and implementing Conditional Access policies for risky sign-ins. All configurations are secured using the CIS Controls v8.1, an industry standard, while CorpInfoTech's managed security, monitoring, and application control tools deliver ongoing protection and visibility.
Partnering with CorpInfoTech ensures that your organization stays secure and compliant. Contact us today to learn more about how we can help!
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.