Level 1 requires that an organization performs the specified practices. Because the organization may
only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation,
process maturity is not assessed for Level 1.
As a basic cyber hygiene level, level 1 focuses on the protection of Federal Contract Information (FCI) and
consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR
52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").
The CMMC model consists of 17 domains. The majority of these domains originate from the security-related
areas in Federal Information Processing Standards (FIPS) Publication 200  and the related security
requirement families from NIST SP 800-171 . Level 1 consist of the following CMMC domains.
Click each domain to review the practices specified for level 1 accreditation.