CMMC Level 1 Compliance Services

Stay eligible for DoD contracts with confident CMMC Level 1 self-assessment

Secure your DoD contract eligibility. Implement basic cyber hygiene the right way.

CMMC Level 1 compliance is now a condition of doing business with the Department of Defense. If your organization handles Federal Contract Information, you must self-assess against 17 cybersecurity practices, affirm the results in SPRS, and renew that affirmation every year. Security Research Group helps you get it right, with the rigor of a team that has operated at the highest levels of federal cybersecurity.

What is CMMC Level 1?

CMMC Level 1 (Foundational) is the first tier of the Cybersecurity Maturity Model Certification program, the Department of Defense’s framework for verifying that its supply chain follows sound cybersecurity practices. Level 1 is built around 17 basic safeguarding practices drawn directly from Federal Acquisition Regulation (FAR) clause 52.204-21.

Its purpose is narrow and important: to protect Federal Contract Information (FCI) - information provided by or generated for the government under a contract that is not intended for public release. Contract numbers, delivery schedules, budgets, and non-public project status reports are all FCI.

Level 1 applies to organizations that handle FCI but do not handle Controlled Unclassified Information (CUI). Contractors who handle CUI fall under Level 2, which carries stricter requirements and, in many cases, third-party certification.

Who needs CMMC Level 1?

If you are a DoD contractor or subcontractor that receives or generates FCI, Level 1 applies to you. This is the most common requirement across the Defense Industrial Base, covering an estimated 63% of contractors.

You likely handle FCI, and therefore need Level 1, if:

  • You receive RFIs, schedules, submittals, or other non-public job specifics on a DoD contract
  • A prime contractor has flowed a CMMC requirement down to you as a subcontractor
  • Your contracts involve federal information that isn’t meant for public release, but not CUI

Because FCI is a broad category that usually isn’t segregated into a specialized enclave, most organizations find that their entire system, all of the people, processes, and technology involved in their contracts, falls within Level 1 scope.

The 17 practices across 6 domains

CMMC Level 1 organizes its 17 practices into six security domains. None of them are exotic; most are things a reasonably well-run organization should already be doing. The challenge is implementing all of them, completely, and proving it.

  • Access Control - Limit system access to authorized users, restrict the functions they can perform, control connections to external systems, and govern what is posted on publicly accessible systems.
  • Identification and Authentication - Uniquely identify users and devices, and verify their identities before granting access.
  • Media Protection - Sanitize or destroy media containing FCI before disposal or reuse.
  • Physical Protection - Limit physical access to systems and facilities, and manage visitors and physical access logs.
  • System and Communications Protection - Monitor and protect network boundaries, and implement subnetworks for publicly accessible components.
  • System and Information Integrity - Identify and remediate flaws promptly, protect against malicious code, and keep protection mechanisms current.

Why Security Research Group?

CMMC Level 1 is straightforward on paper but demands discipline and defensible evidence. SRG brings the experience to make sure it’s done right.

National Security Expertise. SRG is built and led by veterans of the NSA, U.S. Cyber Command, and military cyber units. We understand federal cybersecurity requirements from the inside.

Defensible, Not Just Documented. Because the SPRS affirmation carries False Claims Act exposure, we focus on genuine implementation and real evidence, so the compliance you attest to is compliance you actually have.

Full Lifecycle Support. From scoping your FCI environment to building your System Security Plan to preparing your SPRS submission, we support every step rather than handing you a checklist.

Built for What Comes Next. Many contractors who start at Level 1 will eventually need Level 2 as their work evolves. We implement controls with that trajectory in mind, so you aren’t starting over later.

How SRG delivers CMMC Level 1 readiness

Our engagement follows a clear, disciplined process designed to get you to a defensible self-assessment.

Step 1: Scoping. We identify exactly where Federal Contract Information lives in your environment and define the assessment boundary, so nothing in scope is missed and nothing out of scope wastes effort.

Step 2: Gap Analysis. We assess your current state against all 17 practices and their underlying assessment objectives, identifying precisely what is and isn’t in place.

Step 3: Remediation. We help you implement the missing controls. Because Level 1 allows no Plans of Action and Milestones, every practice must be fully met, so we close gaps completely rather than deferring them.

Step 4: Documentation. We help build your System Security Plan and supporting documentation, the evidence that demonstrates how each of the 17 practices is met in your actual environment.

Step 5: SPRS Submission Support. We guide you through scoring the self-assessment and preparing the executive affirmation for submission to the Supplier Performance Risk System.

Step 6: Annual Maintenance. Level 1 is not one-and-done; the affirmation must be renewed every year. We help you maintain an audit-ready posture so each annual cycle is straightforward.

What you get

  • A clearly defined FCI scope and assessment boundary
  • A complete gap analysis against all 17 practices and assessment objectives
  • Implemented and documented controls across all six security domains
  • A System Security Plan demonstrating how each practice is met
  • A defensible SPRS self-assessment score and executive affirmation
  • A repeatable process for the required annual reaffirmation

The timeline that matters

CMMC requirements are already appearing in DoD solicitations. Phase 1 of the rollout began in November 2025, introducing mandatory Level 1 self-assessments and SPRS affirmations as a condition of contract award and renewal. Contractors who cannot affirm compliance risk losing eligibility for new business and some contract extensions.

The requirement is contract-driven: it applies when a CMMC level is named in a solicitation or flowed down by a prime. That means the right time to prepare is before the contract that depends on it appears, not after.

Certifications

Our team holds leading industry certifications, including CISSP, OSCP, and GIAC, and is backed by experience in the NSA, U.S. Cyber Command, and other national security missions. Every engagement is aligned with federal compliance standards and tailored to your specific contract obligations.
