CMMC 2.0 Level 1

CMMC Level 1 Cost: $5,000 to $15,000 for Self-Assessment

Level 1 is the entry point for all DoD contractors handling Federal Contract Information (FCI). It requires 17 basic safeguarding practices from FAR 52.204-21, an annual self-assessment, and an affirmation submitted through SPRS. No C3PAO assessment is needed.

What Level 1 Requires

The 17 practices correspond to the 15 basic safeguarding requirements in FAR 52.204-21(b)(1): the CMMC model maps them to 17 NIST SP 800-171 practice IDs (the single FAR requirement on visitor escort, physical access logs and access devices is split into three), while the final CMMC rule in 32 CFR Part 170 counts them as 15, one per FAR requirement. Either way the content is the same. They span six domains of basic cyber hygiene: access control (limit system access to authorized users and to the transactions they are permitted to perform, control connections to external systems, control what is posted publicly), identification and authentication (identify users and authenticate them before granting access), media protection (sanitize or destroy media containing FCI before disposal or reuse), physical protection (limit physical access, escort visitors, keep physical access logs, control keys and badges), system and communications protection (monitor and control communications at system boundaries, keep publicly accessible components on separate subnetworks), and system and information integrity (identify and remediate system flaws, run malware protection, keep it updated, and scan files and systems).

Every practice must be fully implemented. Unlike Level 2, there is no Plan of Action and Milestones (POA&M) option for Level 1. If you have gaps, they must be closed before you submit your annual affirmation.

Cost Breakdown

Phase               Cost Range          Notes
Gap Assessment      $1,000 - $5,000     Review current state against the 17 practices
Remediation         $2,000 - $10,000    Closing gaps (malware protection, patching, physical access controls, media sanitization, policies); MFA is recommended but is a Level 2 requirement
Documentation       $1,000 - $3,000     SSP, policies, procedures, evidence, any training records you rely on
Annual Affirmation  $560                Staff time to record the self-assessment and submit the affirmation; SPRS itself charges no fee
Total First Year    $5,000 - $15,000
Annual Maintenance  $3,000 - $8,000     Training, scanning, policy updates, affirmation

Who Needs Level 1

All DoD contractors and subcontractors handling FCI (Federal Contract Information) need Level 1. FCI is information provided by or generated for the government under a contract that is not intended for public release. This is different from CUI (Controlled Unclassified Information), which requires Level 2 or above.

If your contracts only involve FCI and you never handle CUI, Level 1 is likely sufficient. Check your contracts for DFARS 252.204-7021 and the specific CMMC level cited. If CUI is mentioned anywhere in the contract, you need at least Level 2.

DIY Level 1 Checklist

  1. Define your system boundary. Identify every device, application, and network segment that processes, stores, or transmits FCI. This is your assessment scope.
  2. Inventory all assets. Create a complete list of hardware, software, and users within scope. You cannot protect what you do not know exists.
  3. Assess each practice. Walk through all 17 FAR 52.204-21 practices and document whether you meet each one. Be honest in your self-assessment.
  4. Close the gaps. Implement missing controls. Common Level 1 gaps include malware protection that is not installed or not kept updated, unpatched systems, shared or generic accounts that make it impossible to identify individual users, media disposed of without sanitization, and unrestricted physical access with no visitor log. MFA and security awareness training are strongly recommended, but they are Level 2 requirements (IA.L2-3.5.3 and AT.L2-3.2.1/3.2.2), not Level 1 practices.
  5. Write your SSP. Level 1 does not formally require a system security plan (that is Level 2 requirement 3.12.4), but writing one is the simplest way to record your system boundary, data flows, implemented controls, and how each practice is satisfied, and it is what an assessor or auditor will ask for first. Templates are available from NIST.
  6. Collect evidence. Screenshots, configuration exports, policy documents, visitor logs, patch and scan reports, and any training completion records you rely on. You need proof for each practice.
  7. Record the result in SPRS. Enter your self-assessment results into the Supplier Performance Risk System. Level 1 is pass/fail: every practice must be marked MET. There is no numeric score; the 110-point score you may have seen belongs to the NIST SP 800-171 DoD Assessment Methodology, which applies to Level 2 and to DFARS 252.204-7019/7020 reporting, not to Level 1.
  8. Affirm annually. Your responsible company official must re-affirm compliance each year through SPRS.

Common Pitfalls

Undefined system boundary

Without a clear boundary, you cannot determine what is in scope. This leads to either over-scoping (more cost) or under-scoping (compliance failure).

Incomplete asset inventory

Forgotten devices, shadow IT, and personal devices used for work are common blind spots that lead to gaps during review.

Missing training evidence

Security awareness training is not one of the Level 1 practices (it becomes a requirement at Level 2 under AT.L2-3.2.1/3.2.2), but several Level 1 practices, such as escorting visitors and sanitizing media before disposal, only work if staff know the procedure. If you point to trained staff as part of how a practice is met, document the training with completion records. Verbal briefings without records are not evidence.

Assuming Level 1 covers CUI

Level 1 only covers FCI. If any of your contracts involve CUI, you need Level 2, which the contract will specify as either a Level 2 self-assessment or a Level 2 certification assessment by a C3PAO. Either way you are implementing all 110 NIST SP 800-171 requirements, not the 17 Level 1 practices.

When Level 1 Is Not Enough

If your contracts reference CUI, DFARS 252.204-7012, or require NIST SP 800-171 compliance, you need at least CMMC Level 2. Check every contract and subcontract for these references. When in doubt, ask your contracting officer to clarify the required CMMC level before investing in certification.

Frequently Asked Questions

Do I need a C3PAO for CMMC Level 1?
No. Level 1 requires an annual self-assessment and affirmation submitted through the SPRS (Supplier Performance Risk System). There is no third-party assessment required. The responsible company official must affirm compliance annually, and the self-assessment must show every one of the 17 basic safeguarding practices as MET, with no POA&M allowed for Level 1. Level 1 is recorded as pass/fail; the 110-point score is the NIST SP 800-171 DoD Assessment Methodology score used for Level 2, not a Level 1 result.
What is the annual cost of maintaining Level 1?
Annual maintenance for Level 1 runs $3,000 to $8,000, covering security awareness training renewals, policy and procedure updates, basic vulnerability scanning, SPRS annual affirmation preparation, and IT support for maintaining the 17 practices. This assumes no major changes to your system boundary or business operations.
Can I do Level 1 without a consultant?
Yes, especially if you have an IT-competent staff member. The 17 practices cover basic cyber hygiene that most organizations should already implement: antivirus, password management, physical access controls, and user training. The DIY checklist on this page walks through each step. That said, a consultant can save time and ensure you do not miss anything, particularly around documentation and SPRS scoring.