CMMC Level 1 Complete Guide: All 17 Practices Explained

Pretorin Team

CMMC Level 1 establishes foundational cybersecurity practices for protecting Federal Contract Information (FCI). This guide covers all 17 practices required for Level 1 certification with practical implementation guidance. This is part 2 of our CMMC series.

Understanding Level 1

CMMC Level 1 is designed for contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). The practices derive from FAR 52.204-21 and represent basic cyber hygiene that every organization should implement.

15 vs 17 Practices: FAR 52.204-21 contains 15 security requirements. The official CMMC Level 1 Assessment Guide (Version 2.13) maps these to 17 distinct practices with 59 assessment objectives.

Assessment Type: Annual self-assessment submitted to the Supplier Performance Risk System (SPRS). No third-party assessor required.

The 17 practices span six security domains:

  • Access Control (AC): 4 practices
  • Identification and Authentication (IA): 2 practices
  • Media Protection (MP): 1 practice
  • Physical Protection (PE): 4 practices
  • System and Communications Protection (SC): 2 practices
  • System and Information Integrity (SI): 4 practices

Access Control (AC) - 4 Practices

AC.L1-b.1.i: Authorized Access Control

Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

What this means: Only people and devices you've explicitly approved should access your systems. This is the foundation of all access control.

Implementation example:

  • Maintain a list of authorized users with unique accounts
  • Disable default accounts or rename them
  • Remove access promptly when employees leave
  • Use Active Directory or similar to manage user accounts centrally
  • Implement device authentication (domain join, certificates, or MAC filtering)

AC.L1-b.1.ii: Transaction and Function Control

Requirement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

What this means: Users should only have access to what they need for their job. Nothing more. This is the principle of least privilege.

Implementation example:

  • Create role-based access groups (e.g., "Accounting," "Engineering," "HR")
  • Limit administrative privileges to IT staff who need them
  • Regular employees should not have local admin rights
  • Document who has access to what and review quarterly

AC.L1-b.1.iii: External Connection Control

Requirement: Verify and control/limit connections to and use of external information systems.

What this means: Know what external systems your organization connects to and control those connections.

Implementation example:

  • Maintain an inventory of approved cloud services and external systems
  • Require approval before connecting to new external systems
  • Use a VPN for remote access to internal systems
  • Block unauthorized cloud storage services (personal Dropbox, etc.)

AC.L1-b.1.iv: Public Information Control

Requirement: Control information posted or processed on publicly accessible information systems.

What this means: Have a process to review what goes on your public website or other publicly accessible systems to prevent accidental disclosure.

Implementation example:

  • Designate who can post to public websites
  • Require review/approval before publishing content
  • Periodically review public-facing content for sensitive information
  • Train employees on what should never be posted publicly

Identification and Authentication (IA) - 2 Practices

IA.L1-b.1.v: Identification

Requirement: Identify information system users, processes acting on behalf of users, or devices.

What this means: Every user, process, and device must have a unique identifier. No shared accounts.

Implementation example:

  • Assign unique usernames to each employee (e.g., jsmith, not "admin1")
  • Name devices clearly (e.g., "ACCT-LAPTOP-001")
  • Eliminate shared accounts so each person gets their own
  • Service accounts should be named and documented
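As an added example that is not part of the original guide, the following Python script performs the quarterly access review described under AC.L1-b.1.i and AC.L1-b.1.ii, and the shared-account check under IA.L1-b.1.v, over a constructed HR roster and directory export. The field names, account names and group names are assumptions; in practice the two inputs would come from your HR system and a directory export.

```python
# Constructed HR roster: who is currently employed and whether they are IT staff.
ROSTER = {
    "jsmith": {"dept": "Accounting", "it_staff": False},
    "alee":   {"dept": "Engineering", "it_staff": False},
    "mkhan":  {"dept": "IT", "it_staff": True},
}

# Constructed directory export: account name, enabled flag, group memberships and the
# named owner (None when nobody owns the account, i.e. a shared or default account).
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "groups": ["Accounting"], "owner": "jsmith"},
    {"name": "alee", "enabled": True, "groups": ["Engineering", "Local Admins"], "owner": "alee"},
    {"name": "mkhan", "enabled": True, "groups": ["IT", "Domain Admins"], "owner": "mkhan"},
    {"name": "bjones", "enabled": True, "groups": ["Accounting"], "owner": "bjones"},  # departed
    {"name": "admin1", "enabled": True, "groups": ["Local Admins"], "owner": None},    # shared
    {"name": "svc-backup", "enabled": True, "groups": ["Backup Operators"], "owner": "mkhan"},
]

# Assumed names of the groups that confer administrative rights.
ADMIN_GROUPS = {"Domain Admins", "Local Admins"}


def review_accounts(accounts=ACCOUNTS, roster=ROSTER):
    """Return (practice_id, account, finding) tuples for the access review; empty means clean."""
    findings = []
    for acct in accounts:
        name, owner = acct["name"], acct["owner"]
        if owner is None:
            # IA.L1-b.1.v / AC.L1-b.1.i: every account must map to one named person
            findings.append(("IA.L1-b.1.v", name, "shared or default account with no owner"))
            continue
        if owner not in roster:
            # AC.L1-b.1.i: access must be removed promptly when the owner leaves
            if acct["enabled"]:
                findings.append(("AC.L1-b.1.i", name, f"enabled, but owner {owner} has left"))
            continue  # a disabled account for a departed user needs no further checks
        admin = ADMIN_GROUPS & set(acct["groups"])
        if admin and not roster[owner]["it_staff"]:
            # AC.L1-b.1.ii: administrative privileges limited to IT staff who need them
            findings.append(("AC.L1-b.1.ii", name, f"non-IT owner holds {sorted(admin)}"))
    return findings
```

A documented service account with a named owner and no admin group (svc-backup above) produces no finding, which is the state the IA.L1-b.1.v guidance asks for.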

IA.L1-b.1.vi: Authentication

Requirement: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

What this means: Verify that users are who they claim to be before granting access. This typically means passwords, but multi-factor authentication is better.

Implementation example:

  • Require strong passwords (12+ characters, complexity requirements)
  • Implement multi-factor authentication (MFA) where possible
  • Set account lockout after failed login attempts
  • Require password changes periodically (or use MFA instead)

Media Protection (MP) - 1 Practice

MP.L1-b.1.vii: Media Disposal

Requirement: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

What this means: Before throwing away or repurposing hard drives, USB drives, or other storage media, ensure all FCI is completely removed.

Implementation example:

  • Use certified data destruction software (DBAN, Blancco) for hard drives
  • Physically destroy drives that can't be sanitized (shredding, degaussing)
  • Maintain destruction logs with date, method, and responsible person
  • Use a certified e-waste vendor and get destruction certificates
  • Don't forget about copiers and printers with internal storage

Physical Protection (PE) - 4 Practices

PE.L1-b.1.viii: Physical Access Limitation

Requirement: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

What this means: Not everyone should be able to walk into your server room or access areas where FCI is processed.

Implementation example:

  • Lock server rooms and network closets
  • Use badge access or keys for sensitive areas
  • Keep workstations in areas not accessible to the public
  • Secure laptops with cable locks when unattended

PE.L1-b.1.ix: Visitor Escort and Monitoring

Requirement: Escort visitors and monitor visitor activity.

What this means: Visitors shouldn't wander your facility unescorted, especially near systems containing FCI.

Implementation example:

  • Require visitors to sign in and receive a visitor badge
  • Escort visitors at all times in sensitive areas
  • Brief employees on visitor escort procedures
  • Collect visitor badges upon departure

PE.L1-b.1.x: Physical Access Logs

Requirement: Maintain audit logs of physical access.

What this means: Keep records of who accessed secure areas and when.

Implementation example:

  • Use electronic badge readers that log access automatically
  • Maintain a paper sign-in log if electronic isn't feasible
  • Keep visitor logs with name, company, time in/out, and escort
  • Retain logs for at least one year

PE.L1-b.1.xi: Physical Access Device Management

Requirement: Control and manage physical access devices.

What this means: Track keys, badges, and other access devices. Know who has them and recover them when people leave.

Implementation example:

  • Maintain an inventory of all keys and badges issued
  • Collect access devices during employee offboarding
  • Deactivate badges immediately when employees depart
  • Rekey locks if keys are lost or not returned

System and Communications Protection (SC) - 2 Practices

SC.L1-b.1.xii: Boundary Protection

Requirement: Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.

What this means: Use firewalls and other boundary defenses to protect your network from external threats.

Implementation example:

  • Deploy a firewall at your network perimeter
  • Configure firewall rules to block unnecessary inbound traffic
  • For a small business, a next-generation firewall or UTM device can provide this boundary protection
  • Segment your network if you have guest WiFi

SC.L1-b.1.xiii: Public-Access System Separation

Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

What this means: If you have public-facing systems (like a web server), keep them separated from your internal network.

Implementation example:

  • Place public web servers in a DMZ (demilitarized zone)
  • Keep guest WiFi on a separate VLAN from corporate network
  • Don't expose internal systems directly to the internet
  • Host public-facing services with a cloud provider so they are isolated from the internal network

System and Information Integrity (SI) - 4 Practices

SI.L1-b.1.xiv: Flaw Remediation

Requirement: Identify, report, and correct information and information system flaws in a timely manner.

What this means: Keep your systems patched and updated. When security vulnerabilities are announced, fix them promptly.

Implementation example:

  • Enable automatic updates for operating systems
  • Patch third-party software regularly (browsers, Adobe, Java)
  • Subscribe to vendor security bulletins
  • Test patches in a non-production environment when possible
  • Critical patches should be applied within 30 days

SI.L1-b.1.xv: Malicious Code Protection

Requirement: Provide protection from malicious code at appropriate locations within organizational information systems.

What this means: Deploy antivirus/anti-malware software at key locations in your environment.

Implementation example:

  • Install endpoint protection on all workstations and servers
  • Enable real-time scanning of files
  • Consider modern EDR (Endpoint Detection and Response) solutions
  • Enable email filtering to block malicious attachments

SI.L1-b.1.xvi: Update Malicious Code Protection

Requirement: Update malicious code protection mechanisms when new releases are available.

What this means: Keep your antivirus signatures and protection software up to date.

Implementation example:

  • Configure automatic signature updates (daily at minimum)
  • Enable automatic software updates for your endpoint protection
  • Monitor update status across all endpoints
  • Alert on systems that fall behind on updates

SI.L1-b.1.xvii: System and File Scanning

Requirement: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

What this means: Run scheduled full-system scans and scan files in real-time as they enter your environment.

Implementation example:

  • Run full system scans weekly
  • Enable on-access scanning for all file operations
  • Scan email attachments before delivery
  • Scan downloaded files before execution
  • Scan removable media when connected
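As an added example that is not part of the original guide, the following Python script evaluates a constructed endpoint-status export against the thresholds given in the SI practices above (critical patches within 30 days for SI.L1-b.1.xiv, daily signature updates for SI.L1-b.1.xvi, weekly full scans and real-time scanning for SI.L1-b.1.xvii) and maps each finding to the practice it affects. Host names, dates and field names are constructed; a real run would read an export from your endpoint-protection console.

```python
from datetime import date

# Thresholds taken from the implementation examples in this guide.
MAX_CRITICAL_PATCH_DAYS = 30  # SI.L1-b.1.xiv: critical patches applied within 30 days
MAX_SIGNATURE_AGE_DAYS = 1    # SI.L1-b.1.xvi: signature updates daily at minimum
MAX_FULL_SCAN_AGE_DAYS = 7    # SI.L1-b.1.xvii: full system scans weekly

# Constructed sample export; field names are assumptions, not any vendor's format.
# oldest_critical_patch: release date of the oldest critical patch still pending, or None.
ENDPOINTS = [
    {"host": "ACCT-LAPTOP-001", "sig_updated": "2024-05-21", "last_full_scan": "2024-05-18",
     "realtime_scanning": True, "oldest_critical_patch": None},
    {"host": "ENG-WS-007", "sig_updated": "2024-05-17", "last_full_scan": "2024-05-20",
     "realtime_scanning": True, "oldest_critical_patch": "2024-04-01"},
    {"host": "HR-LAPTOP-002", "sig_updated": "2024-05-21", "last_full_scan": "2024-05-10",
     "realtime_scanning": False, "oldest_critical_patch": "2024-05-01"},
]
ASSESSMENT_DATE = date(2024, 5, 21)  # constructed "today" so results are reproducible


def days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def check_endpoint(ep, today):
    """Return (practice_id, finding) tuples for one host; an empty list means all checks pass."""
    findings = []
    pending = ep["oldest_critical_patch"]
    if pending is not None and days_since(pending, today) > MAX_CRITICAL_PATCH_DAYS:
        findings.append(("SI.L1-b.1.xiv", f"critical patch pending {days_since(pending, today)} days"))
    sig_age = days_since(ep["sig_updated"], today)
    if sig_age > MAX_SIGNATURE_AGE_DAYS:
        findings.append(("SI.L1-b.1.xvi", f"signatures {sig_age} days old"))
    if not ep["realtime_scanning"]:
        findings.append(("SI.L1-b.1.xvii", "real-time scanning disabled"))
    scan_age = days_since(ep["last_full_scan"], today)
    if scan_age > MAX_FULL_SCAN_AGE_DAYS:
        findings.append(("SI.L1-b.1.xvii", f"last full scan {scan_age} days ago"))
    return findings


def assess(endpoints=ENDPOINTS, today=ASSESSMENT_DATE):
    """Map each host to its findings; a host with an empty list is evidence of 'Met'."""
    return {ep["host"]: check_endpoint(ep, today) for ep in endpoints}


def practices_not_met(report):
    """Distinct practice IDs with at least one finding, sorted for the self-assessment record."""
    return sorted({practice for findings in report.values() for practice, _ in findings})
```

The per-host output doubles as the implementation evidence the self-assessment asks for, and the sorted practice list tells you which of the three SI practices still need remediation before you affirm in SPRS.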

Self-Assessment Process

Level 1 requires annual self-assessment. Here's how to approach it:

  1. Review each practice against your current implementation
  2. Document evidence of implementation (screenshots, policies, logs)
  3. Calculate your score using the DoD Assessment Methodology
  4. Submit to SPRS (Supplier Performance Risk System)
  5. Affirm annually that you remain in compliance

Important: False claims of compliance can result in False Claims Act liability. Ensure your self-assessment is accurate and honest.

Key Takeaways

  • Level 1 has 17 practices (derived from FAR 52.204-21's 15 requirements) focused on basic cyber hygiene
  • These practices protect Federal Contract Information (FCI)
  • Annual self-assessment is required with no third party needed
  • Most practices are foundational IT security that you should already have
  • Document everything because you need evidence of implementation

Next in the Series

Ready for more advanced requirements? The next article covers CMMC Level 2: Access Control & Identity, diving into the enhanced requirements for protecting Controlled Unclassified Information (CUI).

Need help tracking your CMMC compliance? Get early access to Pretorin and let AI guide your path to certification.
