Go-To Guide
On Sept. 10, 2025, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. This final rule established a November 10, 2025 go-live date for the start of phase 1 of CMMC. As we covered in our prior alerts, under the four-phased implementation approach, the focus will be on Level 1 and Level 2 self-assessments in the first year; Level 2 third-party certifications in the second year; Level 3 certifications in the third year; and, in the fourth year, CMMC requirements in all contracts and solicitations.
Beginning on Nov. 10, contractors and subcontractors will see CMMC requirements in solicitations and option exercises. This GT Alert focuses on Level 1, which will apply to any contractors or subcontractors with information systems that store, process, or transmit federal contract information (FCI).
Application of CMMC Level 1
CMMC Level 1 focuses on safeguarding federal contract information (FCI), which is any non-public information that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided to the public or simple transactional information, such as information necessary for processing payments. DoD anticipates approximately 63% of the Defense Industrial Base will need to self-assess at Level 1 to remain eligible for contracts involving FCI.
CMMC Level 1 Requirements
Pursuant to 32 C.F.R. 170.15, businesses must undergo an annual self-assessment against 15 basic safeguarding requirements found in FAR 52.204-21, which closely align with 17 controls in NIST SP 800-171 rev. 2 across six requirement categories: (1) access control, (2) identification and authentication, (3) media protection, (4) physical protection, (5) system and communications protection, and (6) system and information integrity.
When referencing Level 1 NIST requirements, businesses should substitute FCI for CUI to ensure the controls are applied correctly. Entities must assess all information systems that contain, process, or handle FCI. Specialized assets, which include government-furnished equipment, Internet of Things (IoT) devices, and operational technology, are excluded from the assessment and documentation requirements. The self-assessment is conducted according to the assessment objectives in NIST SP 800-171A.
The results of the self-assessment, including any findings, are recorded in the Supplier Performance Risk System (SPRS). To meet Level 1, all required controls must be fully implemented at the time of the assessment.
In addition to the self-assessment, each year, a senior official of a business seeking Level 1 certification must provide an affirmation attesting to continued compliance. The senior official is responsible for ensuring the entity’s compliance with CMMC Program requirements and has the authority to affirm the company’s continuing compliance with the Level 1 requirements. Additionally, businesses are required to retain records of their assessments for six years following each assessment to ensure availability for future audits or reviews.
Certification expenses vary based on a business’s size. For other-than-small businesses, DoD estimates the cost of an assessment fee as about $4,000 with an annual affirmation fee of $584. Small businesses should expect to invest around $6,000 in conducting the assessment and an annual affirmation fee of $560. Critically, DoD does not consider the advance costs of implementing the controls as part of the analyzed costs. The only costs considered under the rule are those that relate to preparing for and conducting the assessment, reporting the score, and making the annual affirmation. Whether these costs are recoverable will depend on the type of contracts the company performs and additional analysis under the cost accounting standards, which are outside the scope of the CMMC rulemakings.
Takeaways
Companies impacted by CMMC should consider properly scoping their assessments to ensure that all FCI is secured for Level 1. With the Nov. 10 date fast approaching, companies may wish to:
- Identify all FCI in a company’s possession. Special care should be taken to understand what data, if any, a company generates or creates itself that may be considered FCI.
- Understand their information systems that store, process, transmit, or receive FCI. This step is critical to properly scoping a Level 1 assessment.
- Conduct self-assessments of those information systems that store, process, transmit, or receive FCI. This includes updating policies and procedures to ensure that FCI is safeguarded on only those adequately secured contractor information systems.
- Identify an affirming official who is responsible for the company’s CMMC compliance and can reasonably attest to continued implementation of all required security controls.
Read more about the CMMC Program:
- CMMC Contract Clauses Finalized (Sept. 10, 2025)
- DoD Publishes Final CMMC Program Rule (Oct. 15, 2024)