CMMC Level 1 is the entry level of the Cybersecurity Maturity Model Certification program. It focuses on basic safeguarding of Federal Contract Information (FCI)—information not intended for public release that is provided by or generated for the government under a contract.
Level 1 is often the first contractual cybersecurity bar for suppliers who touch FCI but may not handle CUI. It is simpler than Level 2, but it is not automatic just because you “have IT support.”
What Level 1 is trying to ensure
At a high level, Level 1 expects you to limit system access to authorized users, authenticate those users, control information at rest and in transit in basic ways, update and protect systems, and sanitize or destroy media appropriately. The spirit matches long-standing FAR basic safeguarding expectations.
Why SMBs struggle
- Unclear which systems process FCI (email? ERP? file shares? personal phones?)
- Shared logins or incomplete multi-factor authentication
- No inventory of devices and cloud apps
- Policies that do not match real behavior
- Self-assessment answers that cannot be evidenced
Practical first steps
- Confirm whether your contracts involve FCI and whether Level 1 is specified or implied by flow-down.
- Map where FCI lives (mailboxes, Teams/SharePoint, line-of-business apps, backups).
- Enforce MFA for all users who can access that data—especially admins.
- Remove shared accounts where possible; use unique identities.
- Patch endpoints and servers on a defined cadence; use modern endpoint protection (EDR).
- Document what you do. If it is not written, self-assessment becomes guesswork.
Need a clear baseline for your environment?
Start with a free 15-minute review. When a structured assessment is the right next step, ImpetraInsights™ can provide multi-framework scoring and an executive-ready report—including CMMC and HIPAA readiness paths.