CHECKLIST: The 15 Foundational CMMC 2.0 Level 1 Requirements
Navigating cybersecurity for your shop can seem like a labyrinth, especially for manufacturers handling Federal Contract Information (FCI). With the DoD’s CMMC 2.0 final rule posted, we’re here to help simplify the process.
CMMC 2.0 Level 1 is the entry point for compliance, focusing on securing Federal Contract Information (FCI). Unlike higher levels, Level 1 allows for self-assessment, which must be completed annually and reported to the Supplier Performance Risk System (SPRS). To complete a CMMC 2.0 Level 1 self-assessment, manufacturers must follow 15 foundational practices outlined in FAR Clause 52.204-21 and ensure they are implemented across all systems.
To ensure you’re on the easiest path to success, check out our on-demand webinar, How to Streamline Your CMMC 2.0 Compliance. Then, download our comprehensive CMMC 2.0 Level 1 checklist to start your journey toward compliance. The checklist outlines the 15 foundational practices focused on cyber hygiene across your systems. Implementing these controls ensures your shop is mitigating risks and establishing a foundational layer of security to protect FCI.
Key Dates to Remember
This phased approach provides contractors with a clear roadmap for achieving compliance while minimizing disruptions*.
- Prepare for Phase 1 Assessment: January 2025
Get ready, self-assessments will become mandatory for all organizations handling FCI or CUI data. Contractors will need to demonstrate compliance with basic cyber hygiene practices or NIST SP 800-171 controls. Download a checklist of CMMC 2.0 Level 1 requirements.
- Phase 1 Implementation Begins: November 10, 2025
New DoD solicitations/contract awards can start requiring CMMC clauses. Self‑assessments (for Level 1 and Level 2) become required in applicable contracts; in some cases, Level 2 third‑party assessments may be inserted at DoD’s discretion. Learn more about the 48‑CFR rule here.
- Phase 2 Begins: November 10, 2026
Approximately one year after Phase 1 starts, Phase 2 begins. Level 2 requires third-party assessments (C3PAO) in more contracts, as per DoD discretion, and is becoming more standardized.
- Phase 3 Full CMMC 2.0 Compliance: November 10, 2027
Higher requirements come in (Level 3 assessments, perhaps for contracts with very sensitive data). Also, more existing contracts or options may need to comply.
- Phase 4: November 10, 2028
Full implementation across the Defense Industrial Base for solicitations/contracts that require it. At this point, CMMC requirements will be widespread as a condition of contract, including for most new solicitations.
Start Your Free Assessment
If you’re preparing for CMMC 2.0 Level 1 compliance, our technology partner, Carbide, offers a free Self-Assessment Tool to help you navigate the process. This tool provides step-by-step guidance and generates a report identifying any gaps that must be addressed to meet the requirements.
*For more guidance, consult resources such as the DoD’s CMMC documentation and self-assessment guides.
