Level 1 requires that an organization performs the specified practices. Because the organization may
only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation,
process maturity is not assessed for Level 1.
As a basic cyber hygiene level, Level 1 focuses on the protection of Federal Contract Information (FCI)
and consists only of practices that correspond to the basic safeguarding requirements specified in 48
CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").