If your organization handles Federal Contract Information (FCI), you're required to meet CMMC Level 1 requirements. First Column IT's CMMC Level 1 consulting services help defense contractors implement the required safeguards, complete accurate self-assessments, and submit compliant affirmations with confidence. Level 1 may be the most foundational tier of CMMC, but it's still a contractual requirement. Proper scoping, implementation, and documentation matter, especially when affirming compliance in the Supplier Performance Risk System (SPRS).
Cybersecurity Maturity Model Certification (CMMC) Level 1 focuses on protecting Federal Contract Information (FCI) and requires implementation of 15 basic cybersecurity safeguards derived from FAR 52.204-21. Unlike Level 2, Level 1 does not require a third-party audit. Organizations must:
Many contractors assume Level 1 is simple because it doesn't involve an assessment by a Certified Third Party Assessor Organization (C3PAO). In practice, improper scoping and incomplete safeguard implementation create risk.
Self-attestation is a formal affirmation. Under DFARS 252.204-7021, contractors are responsible for maintaining accurate compliance statements. Overstating your posture or misunderstanding requirements can expose your organization to contractual penalties.
Level 1 compliance should be structured, deliberate, and documented.
As a CMMC Level 2 certified External Service Provider, we understand how controls are evaluated and how compliance boundaries are defined. Our CMMC Level 1 consulting services give contractors a clear, manageable path to defensible compliance.
We begin by defining what is in scope for Level 1, including users, devices, systems, and cloud environments that store, process, or transmit FCI. Clear boundaries reduce unnecessary complexity and prevent over-engineering your environment.
We evaluate your current controls against the 15 required safeguards and guide remediation where needed. This includes:
Even though Level 1 doesn't require a third-party audit, documentation is still important. We assist in preparing supporting documentation and guide your team through the self-assessment and SPRS submission process to ensure accuracy and defensibility.
Compliance is not a one-time submission. Requirements must be maintained throughout the contract lifecycle. As a trusted CMMC Level 1 managed service provider, First Column IT provides ongoing support aligned with Level 1 safeguards. This ensures your technical controls remain active, updated, and aligned with contractual requirements year-round.
Level 1 compliance efforts range from $3,000 – $10,000+. Costs vary depending on your current environment and remediation needs, such as:
Many contractors begin at Level 1 and later move into Level 2 as their contracts evolve or as they begin handling Controlled Unclassified Information (CUI).
When that time comes, structured documentation, proper scoping, and sound architecture make the transition significantly smoother. First Column IT provides comprehensive Level 2 support when your requirements expand.
For now, the priority is clear: establish a defensible Level 1 posture and protect your eligibility for DoD contracts.
Any defense contractor or subcontractor that handles Federal Contract Information (FCI) but does not process Controlled Unclassified Information (CUI) is required to meet CMMC Level 1 requirements. If your contract references FAR 52.204-21 safeguards or includes DFARS cybersecurity clauses, Level 1 likely applies to your organization.
Yes, Level 1 requires an annual self-assessment and submission of your results in SPRS. However, self-assessment does not mean informal. Organizations must implement all 15 required safeguards and maintain compliance throughout the contract lifecycle. Inaccurate affirmations can create contractual and legal exposure, which is why structured guidance is important.
CMMC Level 1 requires implementation of 15 basic cybersecurity safeguards focused on protecting Federal Contract Information. These include access control, system configuration, user authentication, and basic network protections. While fewer in number than the Level 2 controls, they must still be properly implemented and documented to ensure defensible compliance.
ADVANCE YOUR BUSINESS
Although compliance is there to protect you and your clients, it can be catastrophic should you ever fail to comply with your regulatory body's requirements. Our team of compliance experts is fluent in the latest requirements in CMMC, NIST, HIPAA, PCI-DSS, FINRA, GDPR, DFARS, SOX, and more.
Without your data, how would you operate your business? We protect your data with non-disruptive backups to multiple locations and ensure that you and your team have a plan in place should a disaster take your business offline for any reason.
We go beyond the basics of firewall, anti-virus and intrusion prevention systems (IPS) to ensure you have multiple layers of ongoing zero-trust protection beyond what most of our competitors provide. Because if your security offers only a single point of protection, you're more vulnerable to breaches, and that just doesn't work for us.
The password, as an adequate security measure on its own, is long dead. In 2022, about 30,000 websites are hacked each day and 64% of companies worldwide have suffered at least one form of cyber-attack. Two-factor authentication (2FA) deployed for all entry points, including workstations, terminal servers, Office 365, and VPN, is critical to protecting your valuable data!