What CMMC Level 1
Requires of You
Fifteen requirements. Six domains. All 15 require full implementation. Companies that handle Federal Contract Information (FCI) under a Department of Defense (DoD) contract must meet all 15 Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements before submitting their score in the Supplier Performance Risk System (SPRS).
| Domain | Practices | What It Requires | In Plain Terms | Key Point |
|---|---|---|---|---|
Access Control System Access | 4 Requirements | Limit system access to authorized users and processes only. Control what each user can do and restrict connections from external systems. | Who can log in, what they can see, and how outside connections are managed. | Undocumented user access lists are among the most frequent gaps assessors identify. |
Identification and Authentication Identity | 2 Requirements | Verify the identity of all users, processes, and devices before granting access to any system that stores or transmits FCI. | Password policies and login controls. Every user requires individual identification before gaining access. | Every user requires individual credentials. Default credentials require replacement before any system touches FCI. |
Media Protection Data Handling | 1 Requirement | Sanitize or destroy media containing FCI before disposal or reuse. Applies to physical and digital media equally. | USB drives, external hard drives, and printed documents require proper disposal or wiping before leaving your control. | All removable media containing FCI requires secure wiping or physical destruction before leaving organizational control. |
Physical Protection Facility Access | 2 Requirements | Limit physical access to systems, equipment, and operating environments to authorized individuals only. Maintain visitor logs and escort procedures. | Who can physically enter the space where FCI is stored or processed, and how that access is recorded. | Server rooms and physical access points require locks, controlled entry, and monitoring records. |
System and Communications Protection Network Boundary | 2 Requirements | Monitor and control communications at their boundaries. Separate FCI from public-facing or uncontrolled network segments. | Firewall configuration and basic network segmentation between systems that touch FCI and those that do not. | FCI systems require network segmentation from general office traffic to satisfy this domain. |
System and Information Integrity System Health | 4 Requirements | Identify and correct system flaws in a timely manner. Deploy malicious code protection across all in-scope systems, keep that protection current, and run both periodic system scans and real-time scans on files from external sources. | Antivirus on every in-scope device, kept current, with an active patch management process and scheduled scans in place. | Every in-scope device requires current AV coverage and active scanning. A single unprotected device puts the entire domain at risk. |
What Delayed Compliance Costs a DoD Contractor
2025
Where Assessments Most Often Stall
DivIHN surfaces these gaps on almost every initial scoping call. Both resolve when addressed before submission.