What is CMMC Level 1?
CMMC Level 1 is the starting point for defense contractors looking to do business with the U.S. Department of Defense (DoD). Known as the “Foundational” level, it’s all about protecting Federal Contract Information (FCI)—data provided by or generated for the government under contract, which isn’t intended for public release.

Why it matters: If your organization handles FCI, CMMC Level 1 is not optional. It’s a mandatory compliance threshold that determines contract eligibility, and starting November 2025, it becomes a required condition for many awards.

Let’s explore what CMMC Level 1 requires, how it's been historically implemented, where organizations stumble, and what the future holds under the final CMMC rule.

What CMMC Level 1 requires

CMMC Level 1 consists of 15 basic safeguarding practices, drawn directly from the Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). These controls cover key areas like access control, device protection, and incident reporting—fundamentals any responsible contractor should already address.

Organizations perform an annual self-assessment. There’s no third-party certification, and no external CMMC auditor signs off. However, that doesn’t make it optional or low-stakes.

You must:

Define your scope. Identify all systems that process, store, or transmit FCI, including cloud environments, remote work endpoints, facilities, and external service providers.

Assess implementation for each control. Using NIST SP 800-171A objectives (with “FCI” substituted for “CUI”), verify whether each control is fully implemented. The result is a simple pass/fail—every required control must be met; no exceptions.

Maintain evidence. Retain final (not draft) artifacts proving each control for six years. If it’s not defensible, it doesn’t count.

Post results in SPRS. The Supplier Performance Risk System (SPRS) records the assessment outcome and reflects your organization’s compliance status. You must have a current “Final Level 1 (Self)” in SPRS to be eligible for certain contracts.

Submit an annual affirmation. A senior official within your company—known as the Affirming Official—must attest that controls remain implemented and effective each year.

Compliance at Level 1 is handled internally, but mishandling it can carry real procurement and legal consequences.

How CMMC Level 1 has evolved

Historically, the DoD relied on trust. Contractors were expected to abide by the safeguarding practices in FAR 52.204-21, but there was little visibility into how well they followed through.

That changed with the original rollout of CMMC (Cybersecurity Maturity Model Certification), which aimed to bring more accountability through structured certification. Early versions of the model listed 17 practices at Level 1, contributing to confusion and inconsistencies across the ecosystem.

With the final CMMC rule (32 CFR Part 170), clarity arrived. Level 1 is now formally mapped to the 15 safeguards in FAR 52.204-21. Self-assessments remain, but with more rigorous expectations:

  1. Assessments must follow standard NIST 800-171A objectives.
  2. FCI scoping is explicitly defined and must follow federal guidelines.
  3. Annual affirmation by an internal executive is mandatory.
  4. SPRS postings are required to be complete, timely, and accurate.

The phased rollout begins in November 2025—when contracts will start listing CMMC Level 1 self-assessment as a condition of award. That phased expansion runs through 2028.

Common challenges with CMMC Level 1

Even though Level 1 sounds straightforward, implementation pitfalls are common. These are the issues most likely to derail your assessment—or worse, lead to misrepresentation.

Scoping errors. Failing to capture the full FCI boundary is the top issue. Remote employees, unmanaged devices, physical access risks, and third-party IT providers are often overlooked. If an asset processes or transmits FCI, it must be in scope.

Failure to meet every control. Level 1 is pass/fail. If one required control is NOT MET, there’s no partial credit. Importantly, no Plan of Action & Milestones (POA&M) is allowed—meaning you must fully implement all controls before assessment.

Misinterpreting requirements. Legacy guidance sometimes refers to 17 Level 1 practices, creating confusion. Today, the rule clearly mandates only the 15 FAR-based requirements.

Insufficient evidence hygiene. You must retain final artifacts, not drafts or work-in-progress docs. And those records must be preserved for six years following the CMMC Status Date. Poor recordkeeping not only risks noncompliance—it also impairs your ability to respond to inquiries or audits later.

SPRS errors or omissions. Forgetting to submit—or submitting inaccurate affirmations—can jeopardize your eligibility for federal contracts and expose your organization to False Claims Act liability.

These aren’t abstract risks. A missed control or delayed affirmation can prevent your company from winning or keeping DoD business.

What to expect in 2026 and beyond

By 2026, CMMC Level 1 will no longer be just a baseline—it will be a recurring part of your contract lifecycle.

During Phase 1 (starting November 10, 2025), solicitations will begin including Level 1 as a condition of award. Each subsequent phase will expand the scope, eventually requiring Level 1 for most defense contractors handling FCI.

Compliance becomes a continuous expectation: each year, you’ll repeat your self-assessment, update your evidence, and re-attest in SPRS. If your business grows or your systems change, your Level 1 scoping may need to evolve too.

Tools that support continuous monitoring and evidence upkeep will be essential. Without automation, staying current year after year becomes costly and time-consuming. The good news: the right platform can simplify this process and guard against the most common errors.

How Thoropass simplifies and strengthens CMMC Level 1

Thoropass is built to align directly with the CMMC Level 1 self-assessment process—and to take the guesswork out of compliance.

Guided scoping ensures full coverage. Our platform walks you through the scoping process, helping you identify all in-scope systems, remote users, and support assets. That reduces exposure from mis-scoping and ensures your assessment reflects your actual risk surface.

Control-mapped policy templates save time. We provide pre-aligned policies for all 15 Level 1 requirements, mapped to NIST 800-171A objectives. That means fewer hours writing from scratch—and clearer alignment during assessment.

Centralized evidence and secure retention. Upload and manage final artifacts across your systems, teams, and facilities. Thoropass maintains your evidence history, helping you meet the six-year retention rule with confidence.

Workflow management tracks implementation. Assign responsibilities, monitor control status, and document supporting tasks—all in one place. You’ll always know what’s complete, what’s missing, and who’s responsible to get it done.

Automation supports annual repetition. With reminders for self-assessment timing, SPRS posting, and annual affirmations, Thoropass helps keep your program on schedule and error-free year after year.

Cross-framework reuse cuts duplicate work. Thoropass maps controls across other frameworks like NIST SP 800-171, SOC 2, and ISO 27001. You’ll save time and effort by leveraging shared evidence and simplifying overlapping obligations.

Compliance shouldn’t slow you down. With Thoropass, you don’t have to scramble during audit season—or risk blowing timelines during a contract bid. We help you stay Level 1 ready all year.

Why it matters: The CMMC rollout is real, and the timeline is fixed. Contractors who prepare now will compete—and win—faster than those who wait. A proactive, well-structured Level 1 program protects FCI, builds trust with buyers, and establishes a foundation for higher-level CMMC readiness down the road.

Ready to simplify CMMC Level 1? Schedule a discovery session with Thoropass today.