CHECKLIST: The 15 Foundational CMMC 2.0 Level 1 Requirements
Navigating cybersecurity for your shop can seem like a labyrinth, especially for manufacturers handling Federal Contract Information (FCI). With the DoD’s CMMC 2.0 final rule posted, we’re here to help simplify the process.
CMMC 2.0 Level 1 is the entry point for compliance, focusing on securing Federal Contract Information (FCI). Unlike higher levels, Level 1 allows for self-assessment, which must be completed annually and reported to the Supplier Performance Risk System (SPRS). To complete a CMMC 2.0 Level 1 self-assessment, manufacturers must follow 15 foundational practices outlined in FAR Clause 52.204-21 and ensure they are implemented across all systems.
To ensure you’re on the easiest path to success, check out our on-demand webinar, How to Streamline Your CMMC 2.0 Compliance. Then, download our comprehensive CMMC 2.0 Level 1 checklist to start your journey toward compliance. The checklist outlines the 15 foundational practices focused on cyber hygiene across your systems. Implementing these controls establishes a foundational layer of security to protect FCI and helps your shop mitigate risk.
Key Dates to Remember
This phased approach provides contractors with a clear roadmap for achieving compliance while minimizing disruptions*.
- Phase 1 — November 10, 2025 (now in effect): CMMC clauses began appearing in new DoD solicitations and contract awards. Self-assessments (Level 1 and Level 2) are required as a condition of award for applicable contracts. The DoD has discretion to require third-party (C3PAO) Level 2 certification on prioritized contracts during this phase. Learn more about the 48-CFR rule here.
- Phase 2 — November 10, 2026: Third-party C3PAO-assessed Level 2 becomes the default for contracts involving CUI. Self-assessments stop counting for CUI work. Level 3 assessments become available at DoD’s discretion.
- Phase 3 — November 10, 2027: Level 2 (C3PAO) becomes a condition for option exercises on existing contracts, not just new awards. Level 3 (DIBCAC) assessment requirements become mandatory in applicable solicitations.
- Phase 4 — November 10, 2028: Full implementation. CMMC requirements apply to all applicable DoD contracts, solicitations, and option periods above the micro-purchase threshold that handle FCI or CUI.
Start Your Free Assessment
If you’re preparing for CMMC 2.0 Level 1 compliance, our technology partner, Carbide, offers a free Self-Assessment Tool to help you navigate the process. This tool provides step-by-step guidance and generates a report identifying any gaps that must be addressed to meet the requirements.
*For more guidance, consult resources such as the DoD’s CMMC documentation and self-assessment guides.
BUILT FOR CMMC 2.0
G-Code Management & DNC Platform
The G-code piece of your CMMC plan. Traceability, compliance, and control — all in a GovCloud-hosted platform.
