โ† Home
Confidential โ€” Internal Use Only

CMMC Level 1 — At a Glance

Enterprise Security Maturity Program · Protecting Federal Contract Information (FCI)

17 practices · 6 domains · 110 SPRS target

What it is: CMMC Level 1 protects Federal Contract Information (FCI) — basic business data shared under DoD contracts (schedules, invoices, logistics). It requires 17 security practices across 6 domains, self-assessed annually and submitted to SPRS. The Senior Official (CEO/Owner) personally affirms compliance — a legal attestation.

The 17 Practices

AC Access Control (4)
  • AC.1.001 Limit access to authorized users
  • AC.1.002 Limit to authorized transactions
  • AC.1.003 Control external connections
  • AC.1.004 Control FCI on public systems
IA Identification & Auth (2)
  • IA.1.076 Identify users & processes
  • IA.1.077 Authenticate before access
MP Media Protection (1)
  • MP.1.118 Sanitize/destroy media before reuse
PE Physical Protection (4)
  • PE.1.131 Limit physical access
  • PE.1.132 Escort & monitor visitors
  • PE.1.133 Log physical access
  • PE.1.134 Manage access devices
SC System & Comms (2)
  • SC.1.175 Protect comms at boundaries
  • SC.1.176 Subnet public-facing systems
SI System Integrity (4)
  • SI.1.210 Identify & correct flaws
  • SI.1.211 Malicious code protection (AV/EDR)
  • SI.1.212 Periodic & real-time scans
  • SI.1.213 Update protection mechanisms

~8–10 Week Timeline (~66–96 hrs)

  • Phase 1 (Wk 1–3): Foundation — MFA, Conditional Access, admin hardening, audit logging
  • Phase 2 (Wk 3–4): Email & Data — Defender, anti-phishing, DLP, SharePoint lockdown
  • Phase 3 (Wk 5–7): Endpoints — Intune, compliance, BitLocker, patching
  • Phase 4 (Wk 8–9): Evidence & Attestation — SSP, screenshots, SPRS

Evidence Repository

  • Recommended: dedicated, private GCC SharePoint site (M365 Business Premium) — role-based access, audit logs, version history.
  • Folders: 00_Governance · 01_AC · 02_IA · 03_MP · 04_PE · 05_SC · 06_SI · 07_Annual-Assessment.
  • Avoid: personal Dropbox, non-GCC OneDrive, local shared drives — these fail the access-control and audit requirements.

FCI vs. CUI / ITAR

  • FCI (Level 1): commercial M365 is fine. No GCC High needed.
  • CUI / ITAR (Level 2+): different program — GCC High, stricter controls, legal review.

Definition of done: all 17 MET + evidence uploaded + SSP signed + Senior Official submits in SPRS (target 110) + annual reassessment date booked.
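A small readiness check that turns the definition of done and the recommended folder layout above into something you can run before the Senior Official signs. This is an added example, not part of the program's tooling: it assumes the 00_Governance … 07_Annual-Assessment folders from the Evidence Repository section, assumes evidence files are named with the practice ID they support (a naming convention chosen here, not one the page prescribes), and runs over a constructed file listing rather than a real SharePoint site. It reports practices with no evidence in the correct domain folder, evidence filed in the wrong folder (which does not count), and whether the signed SSP and reassessment booking are present.

```python
"""Readiness check for a CMMC Level 1 evidence repository.

Added example, not from the original one-pager. Assumes the folder layout the
page recommends and a practice-ID-in-filename convention; the file listing
below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# The 17 Level 1 practices grouped by domain, exactly as listed on the page.
PRACTICES = {
    "AC": ["AC.1.001", "AC.1.002", "AC.1.003", "AC.1.004"],
    "IA": ["IA.1.076", "IA.1.077"],
    "MP": ["MP.1.118"],
    "PE": ["PE.1.131", "PE.1.132", "PE.1.133", "PE.1.134"],
    "SC": ["SC.1.175", "SC.1.176"],
    "SI": ["SI.1.210", "SI.1.211", "SI.1.212", "SI.1.213"],
}

# Recommended repository folders (from the page) mapped to the domain they hold.
DOMAIN_FOLDERS = {
    "01_AC": "AC", "02_IA": "IA", "03_MP": "MP",
    "04_PE": "PE", "05_SC": "SC", "06_SI": "SI",
}

# Matches a Level 1 practice ID such as "AC.1.001" inside a file name.
# Lookarounds instead of \b so an adjacent "_" does not break the match.
PRACTICE_RE = re.compile(r"(?<![A-Z])([A-Z]{2})\.1\.(\d{3})(?!\d)")


@dataclass
class Readiness:
    evidenced: dict            # practice id -> evidence paths in the right folder
    missing: list              # practices with no evidence in their domain folder
    misfiled: list             # files naming a practice but sitting in another folder
    ssp_signed: bool
    reassessment_booked: bool

    @property
    def done(self) -> bool:
        """Definition of done from the page: all 17 evidenced, SSP signed, date booked."""
        return not self.missing and self.ssp_signed and self.reassessment_booked


def assess(paths):
    """Walk a flat list of 'folder/file' paths and compute readiness."""
    evidenced = {pid: [] for ids in PRACTICES.values() for pid in ids}
    misfiled = []
    ssp_signed = False
    reassessment_booked = False
    for path in paths:
        folder, _, name = path.partition("/")
        lowered = name.lower()
        if folder == "00_Governance" and "ssp" in lowered and "signed" in lowered:
            ssp_signed = True
        if folder == "07_Annual-Assessment" and "reassessment" in lowered:
            reassessment_booked = True
        for match in PRACTICE_RE.finditer(name):
            pid = match.group(0)
            if pid not in evidenced:
                continue  # not one of the 17 Level 1 practices; ignore
            if DOMAIN_FOLDERS.get(folder) == match.group(1):
                evidenced[pid].append(path)
            else:
                misfiled.append(path)  # right ID, wrong folder: does not count
    missing = [pid for pid, files in evidenced.items() if not files]
    return Readiness(evidenced, missing, misfiled, ssp_signed, reassessment_booked)


# Constructed sample listing: one practice has no evidence at all (PE.1.133)
# and one piece of SI evidence was dropped into the AC folder by mistake.
SAMPLE_PATHS = [
    "00_Governance/SSP_v1_signed.pdf",
    "01_AC/AC.1.001_conditional-access-policy.png",
    "01_AC/AC.1.002_rbac-role-export.csv",
    "01_AC/AC.1.003_firewall-rules.png",
    "01_AC/AC.1.004_sharepoint-external-sharing-off.png",
    "02_IA/IA.1.076_user-inventory.csv",
    "02_IA/IA.1.077_mfa-enforcement.png",
    "03_MP/MP.1.118_media-sanitization-log.pdf",
    "04_PE/PE.1.131_badge-access-policy.pdf",
    "04_PE/PE.1.132_visitor-log-sample.pdf",
    "04_PE/PE.1.134_key-issuance-register.csv",
    "05_SC/SC.1.175_boundary-firewall.png",
    "05_SC/SC.1.176_dmz-subnet-diagram.png",
    "06_SI/SI.1.210_patch-compliance-report.pdf",
    "06_SI/SI.1.211_defender-status.png",
    "06_SI/SI.1.212_scan-schedule.png",
    "01_AC/SI.1.213_defender-signature-updates.png",
    "07_Annual-Assessment/reassessment-calendar-hold.ics",
]

if __name__ == "__main__":
    result = assess(SAMPLE_PATHS)
    print("Missing evidence:", result.missing)
    print("Misfiled evidence:", result.misfiled)
    print("SSP signed:", result.ssp_signed, "| Reassessment booked:", result.reassessment_booked)
    print("Definition of done met:", result.done)
```

Run it before the SPRS submission; anything in `missing` or `misfiled` is a practice the Senior Official would be affirming without evidence in the place an assessor will look.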