Proofyx

© 2026 Proofyx. All rights reserved.

CMMC 2.0 · 4 min read

What Is CMMC 2.0 Level 1?

A practical introduction to CMMC Level 1 for small businesses and government contractors.


Understanding CMMC 2.0 Level 1

Let’s be honest — when most people hear “CMMC,” they immediately think of something complicated, expensive, and designed for large defense contractors with dedicated compliance teams. If your company is smaller, you might be wondering whether this even applies to you.

Short answer: it probably does.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 was created by the Department of Defense to ensure that companies handling sensitive government information actually have baseline security practices in place. Level 1 is the entry point — and while it’s genuinely not that complex, a lot of smaller GovCon organizations are still struggling to demonstrate it properly.

What Is Level 1 Actually About?

CMMC 2.0 Level 1 covers the 15 basic safeguarding requirements of FAR clause 52.204-21. (Earlier CMMC model documents enumerated them as 17 practices; the final CMMC rule in 32 CFR Part 170 aligns the count with the FAR clause itself.) These aren't exotic security requirements; they're foundational hygiene measures that any well-run organization should already be doing. Think things like:

  • Access Control — Are only authorized users getting into your systems? Do you revoke access when someone leaves?
  • Identification & Authentication — Are users uniquely identified? Is there any password policy in place?
  • Physical Protection — Can random visitors walk up to a server rack or an unlocked workstation?
  • System & Information Integrity — Do you run antivirus? Do you have any process for patching known vulnerabilities?
  • Media Protection — What happens to old hard drives when they leave your building?

None of these should be surprising. The challenge isn’t understanding the requirements — it’s documenting that you’re actually doing them.

Who Needs to Comply?

If your company handles Federal Contract Information (FCI), meaning information not intended for public release that is provided by or generated for the federal government under a contract, you are likely subject to CMMC Level 1. This is a much broader category than most people assume. It includes subcontractors, not just prime contractors, and it is tied to the information you handle, not to the size of your company.

Importantly, Level 1 is not the ceiling for companies working with Controlled Unclassified Information (CUI). Those organizations fall under Level 2 or Level 3, which are significantly more demanding and which build on the Level 1 requirements rather than replacing them. The contract will state which level applies.

The Annual Self-Assessment Requirement

Here's where things get real. Under CMMC 2.0 Level 1, you're responsible for conducting an annual self-assessment against every Level 1 requirement, entering the results in the Supplier Performance Risk System (SPRS), and having a senior company official (the affirming official, typically a senior executive) affirm continuing compliance each year. Level 1 allows no Plans of Action and Milestones: every requirement must be fully met at the time of the self-assessment, so a single unmet requirement means you cannot claim Level 1 until it is fixed.

This is not just a checkbox exercise. Submitting a self-assessment or affirmation you know to be false is a potential violation of the False Claims Act, which carries serious legal risk for the company and for the official who signs. Accuracy matters.

Where Most Organizations Fall Short

In our experience, the compliance problem isn’t usually that organizations have no security practices. Most do. The issue is that their practices are undocumented, untested, or inconsistently applied across different employees or locations.

Common failure points:

  • Former employees still have active accounts in cloud systems
  • Physical access procedures exist verbally but have never been written down
  • Antivirus is deployed on most machines, but not all — and no one tracks which ones are missing
  • Media disposal happens, but there’s no log of it

When an auditor (or the government) asks for proof, “we think we do this” is not an acceptable answer.
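Two of the failure points above (former employees with live accounts, and endpoints the antivirus console does not cover) are exactly the kind of thing a few lines of code can check on a schedule and turn into dated evidence. The script below is an added example, not Proofyx code; all of the roster, account and host data in it is constructed for illustration. In practice the three inputs would be an HR export, a user export from your identity provider, and the device list from your AV or EDR console, and you would keep each run's output as an artifact for the self-assessment.

```python
"""Cross-check evidence for two Level 1 failure points: former employees whose
accounts were never disabled, and inventoried hosts the antivirus console has
never seen or has not heard from recently.

Added example; not Proofyx code. All data below is constructed (hypothetical
people and hosts). Real inputs would come from an HR export, an identity-provider
user export and the AV/EDR console's device list.
"""
from datetime import date, timedelta

# Constructed sample data for illustration only.
HR_ROSTER = [
    {"email": "alice@example.com", "end_date": None},
    {"email": "bob@example.com",   "end_date": "2025-11-30"},  # left the company
    {"email": "carol@example.com", "end_date": None},
]

IDP_ACCOUNTS = [
    {"email": "alice@example.com",      "enabled": True},
    {"email": "bob@example.com",        "enabled": True},   # never disabled after departure
    {"email": "carol@example.com",      "enabled": True},
    {"email": "svc-backup@example.com", "enabled": True},   # no HR record at all
]

ASSET_INVENTORY = ["WS-001", "WS-002", "WS-003", "LT-007"]

AV_CONSOLE = [
    {"host": "WS-001", "last_checkin": "2026-01-10"},
    {"host": "WS-002", "last_checkin": "2025-10-02"},  # agent stopped reporting
    {"host": "LT-007", "last_checkin": "2026-01-10"},
]  # WS-003 is in the inventory but was never enrolled


def _parse(iso):
    """ISO date string -> date, or None for an empty/missing value."""
    return date.fromisoformat(iso) if iso else None


def stale_accounts(roster, accounts, as_of):
    """Enabled IdP accounts whose owner's HR end date is on or before as_of.
    Each one is an Access Control finding: access was not revoked on departure."""
    terminated = set()
    for person in roster:
        end = _parse(person["end_date"])
        if end is not None and end <= as_of:
            terminated.add(person["email"])
    return sorted(a["email"] for a in accounts
                  if a["enabled"] and a["email"] in terminated)


def unowned_accounts(roster, accounts):
    """Enabled accounts with no HR record. Not automatically wrong (service
    accounts, contractors), but each needs a documented owner to be 'authorized'."""
    known = {person["email"] for person in roster}
    return sorted(a["email"] for a in accounts
                  if a["enabled"] and a["email"] not in known)


def hosts_missing_av(inventory, console, as_of, max_age_days=7):
    """Inventory hosts the AV console has never seen, or has not heard from
    within max_age_days. Both are gaps in System & Information Integrity coverage."""
    seen = {entry["host"]: _parse(entry["last_checkin"]) for entry in console}
    cutoff = as_of - timedelta(days=max_age_days)
    findings = {}
    for host in inventory:
        if host not in seen:
            findings[host] = "not enrolled"
        elif seen[host] < cutoff:
            findings[host] = f"stale since {seen[host].isoformat()}"
    return findings


def evidence_report(as_of_iso):
    """Run all checks as of a given date; keep the returned dict as dated evidence."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "as_of": as_of_iso,
        "stale_accounts": stale_accounts(HR_ROSTER, IDP_ACCOUNTS, as_of),
        "unowned_accounts": unowned_accounts(HR_ROSTER, IDP_ACCOUNTS),
        "hosts_missing_av": hosts_missing_av(ASSET_INVENTORY, AV_CONSOLE, as_of),
    }


if __name__ == "__main__":
    import json
    # Example run; on the constructed data this flags bob's account, the
    # unowned service account, and two hosts without working AV coverage.
    print(json.dumps(evidence_report("2026-01-12"), indent=2))
```

The value of a check like this is less the code than the habit: run it on a schedule, store each report with its date, and the "we think we do this" answer becomes "here is last month's run, here are the findings, and here are the tickets that closed them." An empty findings list is evidence too, as long as it is dated and repeatable.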

How to Get Started

  1. Map out your FCI flows — What systems touch government contract information? Who has access to them?
  2. Evaluate each Level 1 requirement against your current state. Be honest: Level 1 has no POA&M option, so a requirement you only partly meet is one you do not meet yet.
  3. Document your evidence — policies, screenshots, access control lists, anything that shows you’re doing what you claim.
  4. Identify and remediate gaps before submitting your SPRS score.
  5. Set a review cadence — the self-assessment is annual, so build a process, not a one-time event.

This is exactly the workflow Proofyx was built to support. Instead of scattered spreadsheets and email threads, you get a structured environment to map controls, attach evidence, and track status — so when it’s time to sign off on your SPRS submission, you’re not scrambling.

The requirements aren't the hard part. The documentation and accountability are. Build those habits now, before the assessment date is bearing down on you and you're doing it under pressure.


Proofyx Editorial Team

Compliance Intelligence

Expert analysis and regulatory guidance for organizations navigating modern compliance frameworks.
