The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

Basic Safeguarding Requirements FCI: All 15 Safeguards and the Evidence to Prove Them

By The Defense Compliance Report Editorial Team · Last reviewed July 2026 · Last verified: July 17, 2026

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

The basic safeguarding requirements FCI systems must meet are the 15 security controls in FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” When your contract also carries a CMMC Level 1 requirement, you self-assess against those same 15 controls and post the result — plus an annual affirmation — in SPRS. The July 2026 CMMC suspension did not remove either duty.


You found a clause. Maybe it was buried in a solicitation, maybe a prime emailed it to you, maybe a buyer asked whether you’ve posted anything in SPRS yet. Either way, the words basic safeguardingare now your problem — and you need to know how big a problem.

We read the actual clause, the CMMC Program Rule (32 CFR Part 170), the DoD CMMC Level 1 Assessment and Scoping Guides, and the July 13, 2026 suspension memo ourselves. Here’s what most pages get wrong, and what we’ll settle below: some sources say 15 requirements, some say 17; a few will tell you to hire a third-party assessor you don’t need at Level 1; almost none of them separate the FAR safeguarding duty from the CMMC self-assessmentduty; and a lot of guidance still hasn’t caught up with the July 2026 suspension.

We’ll give you all 15 requirements, the evidence that makes each one actually hold up, and a checklist you can run this week — without sending us a single sensitive file. If you handle CUI (Controlled Unclassified Information), not just FCI, this is the wrong finish line, and we’ll point you to the right one.


What are the basic safeguarding requirements FCI systems must meet?

The basic safeguarding requirements FCI systems must meet are the 15 controls in FAR 52.204-21, covering six areas: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. They apply to any covered contractor information system that processes, stores, or transmits Federal Contract Information (FCI) whenever that clause is in your contract. They are the same 15 controls a CMMC Level 1 self-assessment checks.

FCI is nonpublic information a contract generates, or that the government gives you, to deliver a product or service — not information already made public, and not simple transactional data like payment processing. FAR 52.204-21 has been on the books since 2016 (81 FR 30446, May 16, 2016; amended November 4, 2021). It is not new, and it is not optional. Primary source: FAR 52.204-21 on the eCFR.

The 15 fall into six families:

FamilyRequirementsWhat it protects
Access Control4Who — and which systems — can reach FCI
Identification & Authentication2Proving users, processes, and devices are who they claim to be
Media Protection1FCI surviving on discarded or reused media
Physical Protection2Physical access to systems, and a record of it
System & Communications Protection2Your network boundary, and separating public systems
System & Information Integrity4Fixing flaws and stopping malicious code

Here’s the quick-fit read before you spend another minute:

Your situationWhere you startYour pathIs this page for you?
Your contract requires Level 1 and you handle FCI but not CUIThe 15 basic safeguardsAnnual self-assessment + affirmation in SPRSYes
Your contract requires Level 2, or you handle CUINIST SP 800-171 Rev. 2 (110 requirements)Level 2 self- or third-party assessmentNo — use our Level 2 guide
You’ve been selected for a critical program or high-value assetLevel 3 (selected NIST SP 800-172 requirements)DIBCAC-led assessmentNo — see the Level 3 path
You’re unsure whether your data is FCI, CUI, or neitherRead the actual contract and trace the dataResolve before you affirmRead the scope section, then get qualified help

At a glance — CMMC Level 1 (Self):


Does FAR 52.204-21 by itself require a CMMC Level 1 SPRS submission?

No. FAR 52.204-21 establishes the 15 safeguarding duties when it’s incorporated into your contract. A separate CMMC requirement — the solicitation provision DFARS 252.204-7025 and the contract clause DFARS 252.204-7021 — is what triggers the Level 1 self-assessment, the SPRS result, the CMMC unique identifier, and the annual affirmation. The two are related, but they are not the same trigger.

This distinction saves real money and prevents real mistakes, so it’s worth 30 seconds.

In practice, DoD FCI work in the current phase increasingly carries both: the FAR safeguarding clause and the CMMC clause requiring a Level 1 (Self) result in SPRS. But if you’re on a civilian-agency contract, or a DoD contract that hasn’t picked up the CMMC clause yet, you may owe the safeguards without owing an SPRS submission. Read the actual instrument to know which you’re dealing with.


Did the July 2026 CMMC suspension change any of this?

No. CMMC Phase 1 began November 10, 2025 and was originally scheduled to run through November 9, 2026. On July 13, 2026, the U.S. Department of Defense suspended the transition to Phase 2 — which had been scheduled for November 10, 2026 and would have expanded the use of Level 2 C3PAO assessment requirements. The official direction kept Phase 1 self-assessment requirements in place, and as of July 17, 2026 no replacement Phase 2 start date had been announced.

We read the implementation memo (issued by the DoD, published under its “Department of War” secondary title, publication case 26-P-1023, dated July 13, 2026). During the review, it directs DoD program managers and requiring activities to use only Level 1 (Self) or Level 2 (Self)for new requirements — not Level 2 with a third-party assessor (C3PAO) or Level 3 (assessed by DCMA DIBCAC). It defines Level 1 the same way this page does: the self-assessment for “the basic safeguarding requirements” in FAR 52.204-21 (or, in current deviation instruments, FAR 52.240-93).

What was suspended, and what remains

ItemBefore July 13, 2026After the suspensionEffect on your FCI obligation
FAR 52.204-21 — the 15 FCI safeguardsRequiredRequiredNone — still required
CMMC Level 1 (Self)RequiredRequired, and one of only two levels DoD may designate for new requirementsNone — still required
CMMC Level 2 (C3PAO) / Level 3 (DIBCAC)Phasing in Nov 10, 2026SuspendedNot applicable to FCI-only work
DFARS 252.204-7012 (safeguarding CUI, incident reporting)In effectIn effectApplies only if you also handle CUI

Two things worth internalizing. This was done by memo, not by rulemaking — 32 CFR Part 170 and the CMMC clause (DFARS 252.204-7021) are still on the books, unchanged. Suspended is not repealed, and a 60-day review is underway; we’re tracking it. And don’t read “suspended” as “relaxed.” For work currently scoped at Level 1 (Self), the CMMC path stays refreshingly simple — implement the 15 safeguards, self-assess, and affirm. Just read your actual contract, because other cybersecurity clauses may still apply.

Does the suspension change an existing solicitation or contract?

Not automatically. The memo governs what program managers may put into new requirements during the review; it does not by itself rewrite every already-issued solicitation, contract, modification, or subcontract. The direction is that the government will amend active solicitations and modifyexisting contracts to remove Level 2 (C3PAO) and Level 3 (DIBCAC) requirements — but until that amendment or modification actually issues, the instrument you signed still controls. If your contract currently requires a Level 2 (C3PAO) result and you have not yet received a modification, get written clarification from your contracting officer before you stop preparing.


Is it 15 requirements or 17?

Fifteen is the controlling CMMC Level 1 count. You’ll also see 17, because those 15 map to 17 NIST SP 800-171 security requirements — one requirement (visitors and physical access) maps to three. Older CMMC materials listed Level 1 as 17 “practices” for the same reason. Same obligations, different tally. Underneath all of it sit 59 individual assessment objectives — the specific statements an assessor actually checks.

Requirement (FAR ref → NIST practice)Assessment objectives
(i) → 3.1.1 — authorized access6
(ii) → 3.1.2 — permitted transactions/functions2
(iii) → 3.1.20 — external systems and connections6
(iv) → 3.1.22 — public-facing systems5
(v) → 3.5.1 — identification3
(vi) → 3.5.2 — authentication3
(vii) → 3.8.3 — media disposal2
(viii) → 3.10.1 — physical access4
(ix) → 3.10.3, 3.10.4, 3.10.5 — visitors, logs, access devices6
(x) → 3.13.1 — boundary protection8
(xi) → 3.13.5 — public-system separation2
(xii) → 3.14.1 — flaw remediation6
(xiii) → 3.14.2 — malicious-code protection2
(xiv) → 3.14.4 — malicious-code updates1
(xv) → 3.14.5 — periodic and real-time scanning3
Total59

Why this matters to you and not just to auditors: the scoring rule is unforgiving. Under 32 CFR §170.24, if any one applicable objective is NOT MET, the entire requirement is NOT MET— and per 32 CFR §170.21, a Plan of Action and Milestones (POA&M) is not permitted at any timefor Level 1 self-assessments. There’s no “we’re 80% there” and no buying time to finish later.

There is one narrow, legitimate nuance, and it is not a loophole: the rule treats a documented enduring exception(a system where full compliance isn’t feasible — think certain operational technology — recorded in your system security plan) and a temporary deficiency(something that broke after implementation, tracked in an “operational plan of action”) as assessable MET. An operational plan of action is explicitly nota POA&M — it carries no remediation timeline — and neither one lets you defer the initial implementation of a safeguard. So the honest bottom line stands: you either have the 59 objectives covered where they apply, or you’re not ready to affirm.

Micro-check:before you read further, pull up your current documentation and mentally test it against the 59 objectives — not the 15 headlines. If you can’t point to real evidence for each one, that’s your gap list. The matrix below turns it into a plan.

The 15 basic safeguarding requirements, with the evidence that proves each one

Below is every one of the 15 requirements in plain English, with the kind of evidence that supports a MET finding and the common gap to check on each. The requirement language and NIST mappings come from FAR 52.204-21 and 32 CFR Part 170 (official). The “evidence” and “common gap” notes are our editorial guidance — examples, not a government-prescribed artifact list.

How you prove any of these: the official method (NIST SP 800-171A, used by the Level 1 guide) gives an assessor three tools — examine (documents, configurations, records), interview (ask the responsible person), and test(verify the mechanism behaves as claimed). A written policy is a start, but a policy alone is weak evidence — the rule is explicit that draft or unofficial policies don’t support a MET finding. The strongest package connects the policy, the record that shows it’s implemented, and the test that proves it works.

#Requirement (FAR · NIST · objectives)What it means in practiceEvidence that proves MET (editorial)Common gap to check (editorial)
1(i) · 3.1.1 · 6 — Limit access to authorized usersOnly authorized people, processes, and devices can touch FCI systems.User list, device inventory, service-account inventory, access approvals, offboarding records, an access test.Shared logins; departed employees still enabled; unmanaged devices.
2(ii) · 3.1.2 · 2 — Limit access to permitted functionsEach user can do only what their role allows.Role/permission matrix, admin-account list, a test of a standard user against admin functions.Everyone is a local admin "to save time."
3(iii) · 3.1.20 · 6 — Control external connectionsExternal systems and their use are identified, verified, and limited.Approved-service list, remote-access and BYOD rules, VPN config, SaaS inventory, connection logs.Personal devices and consumer cloud apps quietly touching FCI.
4(iv) · 3.1.22 · 5 — Control public-facing informationA repeatable process keeps FCI off public sites, portals, and repos.Authorized-publisher list, pre-publication review step, public-asset inventory, a removal procedure.Anyone can publish; no review; FCI ends up in a public repo.
5(v) · 3.5.1 · 3 — Identify users, processes, devicesEverything and everyone gets a unique identity before access is considered.Directory export, endpoint inventory, service-account registry, naming standard.Generic or shared "office" accounts with no owner.
6(vi) · 3.5.2 · 3 — Authenticate identitiesThe system verifies those identities before granting access.Authentication/credential policy, identity-provider settings, sign-in logs, a login test.A shared drive with no real authentication in front of it.
7(vii) · 3.8.3 · 2 — Sanitize or destroy mediaFCI is wiped or destroyed before media is discarded or reused — including paper and printers.Sanitization procedure, disposal/destruction logs, vendor certificates of destruction.Old drives donated or recycled without being wiped.
8(viii) · 3.10.1 · 4 — Limit physical accessPhysical access to in-scope systems and spaces is limited to authorized people.Authorized-access list, badge/key assignments, server-room controls, home-office notes.The "server" is a tower in an unlocked closet.
9(ix) · 3.10.3–3.10.5 · 6 — Escort visitors; log access; control devicesVisitors escorted and monitored, physical access logged, keys/badges controlled.Visitor log, escort procedure, badge/key inventory with issue/revoke records.No visitor log; keys handed out and never returned.
10(x) · 3.13.1 · 8 — Protect the boundaryCommunications monitored, controlled, and protected at external and key internal boundaries.Network/data-flow diagram, firewall/router config and rule reviews, segmentation records.A flat network with a diagram that no longer matches reality.
11(xi) · 3.13.5 · 2 — Separate public systemsPublicly accessible components are separated from internal systems.Public-asset inventory, DMZ/segmentation diagram, firewall rules. N/A may apply if you host nothing public — document the basis.A public web server sitting on the internal LAN.
12(xii) · 3.14.1 · 6 — Fix flaws in timeYou identify, report, and correct flaws within timeframes you've defined.Patch/vuln reports, ticketing, remediation policy, exception records, closure evidence."Auto-update is on" — with no check for failures or unsupported gear.
13(xiii) · 3.14.2 · 2 — Stop malicious codeMalicious-code protection is deployed where it belongs.Endpoint/server/email protection reports, an agent-coverage dashboard, a sample test.A few machines silently uncovered by the AV/EDR console.
14(xiv) · 3.14.4 · 1 — Keep protection updatedThose mechanisms update when new releases come out.Update configuration, version/status dashboard, a stale-agent report.Offline or broken agents no one is watching.
15(xv) · 3.14.5 · 3 — Scan, periodically and in real timeSystems scanned on a schedule; external files scanned in real time as downloaded, opened, or executed.Scheduled-scan config and reports, real-time protection settings, an external-file test.Real-time scanning turned off "for performance."

What actually counts as proof — and how to see your own gaps

Evidence can come from examining records, interviewing the people responsible, testing the mechanism, or a combination. It must be final and sufficient — drafts and “trust me, it’s configured” don’t support a MET finding. N/A is a real finding that needs a documented reason, not a shortcut.

Three rules keep an FCI-only contractor out of trouble:

  1. One NOT MET objective sinks the requirement.No partial credit. If 5 of 6 objectives are covered and the sixth isn’t, that requirement is NOT MET.
  2. N/A is a finding, not an escape hatch.The cleanest example is requirement 11 (separating public systems): if your scope genuinely contains no publicly accessible systems, N/A is legitimate — as long as you record why. An N/A objective is treated the same as MET.
  3. A policy that isn’t operating is a liability, not evidence.The policy sets the rule; the configuration or record shows it’s real; the test proves it works. An assessor — and your own Affirming Official — should be able to follow that chain.

This is where a static article stops being enough. You don’t need the 15 requirements re-explained; you need to know which of the 59 objectives you can support today, who owns each, and where the evidence lives.


FAR 52.204-21 or FAR 52.240-93 — which one do you follow?

Follow the clause and date actually written into your instrument. Both numbers point to the same requirement. Under a DoD class deviation (Class Deviation 2026-O0025) tied to the Revolutionary FAR Overhaul, affected DoD solicitations and contracts use the revised FAR Part 40 model and FAR 52.240-93. The codified FAR still contains FAR 52.204-21, and the current CMMC rule still references it.

The government is rewriting the FAR under the Revolutionary FAR Overhaul (RFO). Ahead of formal rulemaking, DoD issued class deviations that renumber several cybersecurity clauses: FAR 52.204-21 became FAR 52.240-93 in the affected deviation path (same title, same 15 basic safeguarding paragraphs), the old standalone self-assessment provision DFARS 252.204-7019 is omitted, and DFARS 252.240-7997 is used in place of DFARS 252.204-7020. Affected DoD solicitations began using the new numbers on February 1, 2026.

The catch: this is a deviation path, not a universal codified change. The codified FAR still contains FAR 52.204-21, the codified DFARS still contains 252.204-7019 and 252.204-7020, and the CMMC Program Rule (32 CFR Part 170) still defines Level 1 by pointing at 52.204-21. So both numbers circulate, often for the same clause.

QuestionFAR 52.204-21FAR 52.240-93
Where you'll see itCodified FAR; CMMC rule referencesAffected DoD solicitations issued under the class deviation (since Feb 1, 2026)
TitleBasic Safeguarding of Covered Contractor Information SystemsSame
The 15 requirementsYesYes — same paragraphs in the current deviation text
CMMC Level 1 referenceThis is the number the current rule usesNot the number the CMMC rule uses
What to doDon't ignore it because a newer document uses 52.240-93Don't assume a checklist citing 52.204-21 is outdated — cross-check the substance

The practical move:record what your specific instrument says — the clause number, the clause date, the section, the required CMMC status, and your CAGE code(s). Where the numbering is ambiguous, get written clarification from the contracting party. A web checklist — including this one — does not amend your contract.


Do you actually have FCI — and what’s in scope?

FCI is nonpublic information provided by or generated for the government under a contract to develop or deliver a product or service — excluding information already made public and simple transactional data like payment processing. Systems that process, store, or transmit FCI are generally in your Level 1 assessment scope; systems that never touch FCI are not. The rule also carves out qualifying virtual-desktop endpoints and certain specialized assets from the assessment — but those are assessment-scope rules, not exemptions from the safeguarding duty.

Start with the definition, because most over- and under-scoping comes from skipping it. FAR 52.204-21 defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public … or simple transactional information, such as necessary to process payments.”

Run your data through these questions:

  1. Was it provided by, or generated for, the government under a contract?
  2. Does it relate to delivering a product or service on that contract?
  3. Is it not intended for public release?
  4. Has the government already made it public? (If so, it’s not FCI.)
  5. Is it merely simple transactional information, like payment data? (If so, it’s not FCI.)
  6. Is it separately marked or governed as CUI? (If so, you’re past Level 1 — see below.)

Depending on the contract, content, source, and public-release status, FCI may appear in purchase orders, emailed statements of work, nonpublic delivery schedules, quotes, status reports, email, file shares, ERP or accounting systems, ticketing systems, and collaboration tools. Each of those can be in scope.

A caution on drawings and technical data:don’t reflexively label every drawing “FCI.” Technical data and engineering drawings are frequently CUI, which triggers a much heavier standard. Treatment is determined by applicable law, regulation, governmentwide policy, agency designation, the contract terms, authoritative handling instructions, and the substance of the information. Markings are important signals — but they are not the sole legal source of CUI status.

Level 1 assessment scope, precisely

The Level 1 scope rules live in 32 CFR §170.19(b) and the DoD CMMC Level 1 Scoping Guide. Four categories matter:

Asset categoryRelationship to FCILevel 1 assessment treatment
FCI assetsProcess, store, or transmit FCI (and aren't specialized assets)In scope — assessed against the 15 requirements
Out-of-scope assetsDon't process, store, or transmit FCIOut of scope; no documentation requirements
Qualifying VDI endpointA virtual-desktop client configured to allow no processing/storage/transmission of FCI beyond keyboard/video/mouseOut of scope under §170.19(b)(2)(i)
Specialized assetsCan process, store, or transmit FCI but can't be fully secured — IoT, IIoT, OT, Government Furnished Equipment, Restricted Information Systems, Test EquipmentNot part of the Level 1 assessment scope; not assessed against CMMC requirements (§170.19(b)(2)(ii))

One critical caveat, because it’s exactly where contractors get burned: these are CMMC assessment-scope rules — not blanket exemptions from the FAR 52.204-21 safeguarding duty or other incorporated clauses.The safeguarding clause doesn’t contain these carve-outs. So a specialized asset can be outside yourassessmentwhile the underlying obligation to protect FCI still applies. Scoping also has to account for people, technology, facilities, and external service providers (ESPs) — an ESP is external people, technology, or facilities you rely on, including cloud, managed service, or managed security providers.

On enclaves:concentrating FCI in a bounded environment can shrink scope, but only if the boundary is real. Calling something an enclave doesn’t create one; the identities, endpoints, support tools, and connected services that reach into it are still in play.


Policies, an SSP, and the POA&M question at Level 1

Policies help support your evidence, but they don’t prove a safeguard is running. A System Security Plan (SSP) is recommended for Level 1 as a best practice, not required to obtain your status. And a CMMC POA&M is not permitted at Level 1 — every applicable requirement must be MET or N/A before you affirm.

MechanismWhat it isLevel 1 treatment
CMMC POA&MA plan to close NOT MET items after an assessment (180-day closeout)Not permitted at Level 1 (32 CFR §170.21)
Internal remediation task listYour own project tracking before you affirmFine as project management — but it does not let you claim MET on an unimplemented safeguard
Temporary deficiencySomething that broke after implementation, with a known fix in process, documented in an operational plan of actionAssessable as MET (32 CFR §170.24); an operational plan of action is not a POA&M
Enduring exceptionA system where full compliance isn't feasible (e.g., certain OT), documented in the SSPAssessable as MET (32 CFR §170.24)

On the SSP: the DoD Level 1 guide recommends one as good practice, not as a prerequisite for your status. We recommend writing one anyway, because it can consolidate your scope, responsibilities, implementation, and recurring-review evidence in one place — which makes next year’s re-assessment far easier. Just don’t treat it as a hidden sixteenth requirement.


How to complete the self-assessment and post it in SPRS

Define your scope, assess all 15 requirements at the objective level, remediate anything unmet, review your final evidence, then — when a CMMC requirement applies — enter the result in SPRS and have an authorized official affirm it. The record must be renewed annually, and you keep the evidence for six years.

SPRS is the DoD supplier-risk system used to record CMMC assessment results and affirmations, among other supplier performance and risk data. You reach it through the PIEE portal.

StepWhat you doProof you finished it
1Confirm the actual contract/solicitation requirement and clauseClause and required-status record
2Identify FCI; flag any possible CUI before proceedingData-classification and contract-review notes
3Define the assessment scopeScope statement, system list, data-flow diagram
4Assess all 15 requirements against their objectivesCompleted objective worksheet
5Remediate applicable NOT MET findingsClosed tickets + final implementation evidence
6Do a final evidence reviewEvidence index + owner sign-off
7Enter the required result in SPRS and record your CMMC UID(s)Submission record
8Complete the affirmation; schedule the annual renewalAffirmation record + calendar reminder

Do the requirements flow down to your subcontractors?

Yes — and there are two distinct flow-downs, which competitors often blur. FAR 52.204-21(c) flows the safeguarding clause down to subcontracts (including commercial products and services, but excluding true COTS items) where FCI may reside in or transit the subcontractor’s system. Separately, when a CMMC requirement applies, the CMMC-status flow-down under 32 CFR §170.23 and DFARS 252.204-7021 requires applicable subcontractors to hold and affirm the required CMMC status.

Flow-downAuthorityWhat it obligatesCOTS
Safeguarding clauseFAR 52.204-21(c)Sub must apply the 15 safeguards to systems with FCIExcluded (true COTS)
CMMC status32 CFR §170.23 / DFARS 252.204-7021Applicable sub must achieve and affirm the required CMMC status in SPRSFollows the CMMC clause’s applicability

If you’re the prime, before you flow anything down: does the sub receive or generate FCI? Will FCI reside in or transit their systems? Is the buy limited to true COTS? What FAR/DFARS language is in your prime contract? What CMMC status is required, and by when? How will you verify it?

If you’re the subcontractoron the receiving end of a “you need CMMC” email, ask for specifics before you spend a dime: the exact clause language, the required status, the effective date, the CAGE-code expectation, guidance on identifying the data, and any prime-specific evidence requirements. A prime’s email is not a substitute for understanding the clause, the data, the scope, and the timing. See our CMMC flow-down letter template for a starting point.


Do you need GCC High, a C3PAO, FedRAMP, or a provider for Level 1?

Not automatically. The 15 Level 1 safeguards do not, by themselves, mandate a specific Microsoft cloud, a CUI enclave, a FedRAMP-authorized service, or a third-party assessor. What you actually need depends on your contract, your data type, your environment, and whether you can do the work in-house. Level 1 is designed to be self-assessed, and an FCI-only shop with competent IT support can often handle it internally.

This is the logic behind The CMMC Path Framework— our named approach that maps your required CMMC level, FCI-vs-CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category most likely to fit. It routes you to a category, not a named provider, and it is not a score, a ranking, or compliance advice. Access it through the Find My CMMC Path tool.

A note on NIST versions, so nobody sells you the wrong standard: NIST released SP 800-171 Revision 3 in 2024 and has continued updating the 800-172 family, but the current CMMC rule still incorporates NIST SP 800-171 Revision 2 for Level 2 and selected requirements from the February 2021 edition of NIST SP 800-172for Level 3 — unless and until DoD amends the governing rule or your contract requirements. If a provider quotes you Rev. 3 as the CMMC standard, that’s a flag to ask questions.

What changes if you discover CUI?

Stop treating the Level 1 checklist as the finish line. If your work involves CUI, Level 1 is not sufficient. The contract may require Level 2 — currently the 110 requirements of NIST SP 800-171 Revision 2, organized across 14 families — or, for selected critical programs or high-value assets, Level 3, which adds selected requirements from the February 2021 edition of NIST SP 800-172 and a DIBCAC-led assessment. During the July 2026 suspension, procurements may require Level 2 (Self), while Level 2 (C3PAO) and Level 3 (DIBCAC) designations are paused.

CUI is a step up in sensitivity from FCI. When DFARS 252.204-7012is incorporated, it imposes adequate-security, cyber-incident-reporting, malicious-software, media-preservation, government-access, and flow-down duties for covered defense information — a much larger lift than the 15 FCI safeguards. (Note: the presence of some CUI doesn’t automatically insert that clause; the contract does.)

If you find CUI, do this:

  1. Do not paste or upload the suspected information into any questionnaire or routing form.
  2. Preserve the contract, the marking, the source, and any handling instruction.
  3. Determine the authoritative CUI category and what the contract actually requires.
  4. Identify which systems and people have already been exposed to it.
  5. Review the relevant DFARS obligations.
  6. Get qualified scoping and contractual guidance.
  7. Move to the Level 2 readiness path.

And unlearn a few myths: a drawing is not automatically “just FCI,” technical files are not automatically CUI, and company size does not set your level. The solicitation, contract, or applicable subcontract requirement — and the authoritative treatment of the information — control your path. See our FCI vs. CUI guide and our CUI requirements for federal contractors guide where this one leaves off.


What drives Level 1 cost — and what to do this week

There’s no honest universal price for Level 1. Cost is driven by your assessment scope, the state of your current systems, the number of physical locations, how much remediation you need, and whether you use outside help. What we can give you is where the money and time actually go, and how to make real progress in seven days without buying anything first.

We won’t hand you a made-up dollar range — a number you can’t stand behind is worse than no number. The biggest cost driver, by far, is remediation: a shop that already runs managed endpoints, unique accounts, and a real firewall is close; a shop with shared logins and a flat network has more to do. For a grounded, source-backed treatment, use our dedicated Level 1 cost guide rather than a vendor’s generic figure.

Here’s a realistic first week:

Day 1 — Contract and data.
Save the relevant clauses, note the required status, and sort your information into known FCI, possible CUI, public, and simple transactions. List open questions.
Day 2 — Flow and scope.
Map where FCI enters, rests, moves, and leaves — email, endpoints, servers, file shares, ERP, cloud, backups, remote access, printers, paper, external providers, subcontractors. Draft your scope statement.
Day 3 — Access and identity.
Export users, devices, groups, permissions, service accounts, and recent terminations. Test standard and admin access.
Day 4 — Physical, media, public.
Review disposal records, visitor logs, key/badge inventories, and your public websites and repositories.
Day 5 — Boundary and integrity.
Review network diagrams, firewall rules, endpoint coverage, patch reports, and scanning — and hunt for update failures.
Day 6 — Findings.
Mark each objective MET, NOT MET, or N/A. Document N/A reasons. Close supportable gaps. Don't treat an unfinished task list as a POA&M — there isn't one at Level 1.
Day 7 — Final review.
Approve final documents, retest mechanisms, complete your evidence index, and prepare the SPRS entry and affirmation. Then set your annual and change-triggered reminders.

The pre-affirmation checklist: mistakes that sink a Level 1 self-assessment

An unsupported Level 1 result usually comes down to a gap between what you claimed, what your systems actually do, and what evidence you kept. These are the checks we’d run before anyone signs the affirmation — each one is findable in your own work product, and each maps to a rule or a row in the matrix above.

Run this list before you affirm:

A simple internal control that prevents most of these — our recommendation, not a government rule: before submission, get four people to acknowledge the package — the scope owner, the IT/security owner, the contracts/compliance owner, and the Affirming Official. It catches problems while they’re still cheap to fix.


What we verified for this guide

We built this from the primary sources, and we kept our editorial guidance clearly separate from the government’s requirements. Here’s exactly what we checked and when.

SourceWhat we confirmedVerified
FAR 52.204-21 (eCFR / Acquisition.gov)FCI definition, all 15 requirements (i)–(xv), subcontract flow-down, COTS exceptionJuly 17, 2026
32 CFR §170.4The current 15 / 110 / 24 structure; enduring-exception and temporary-deficiency definitionsJuly 17, 2026
32 CFR §170.14–170.15Annual self-assessment, required SPRS fields, six-year retentionJuly 17, 2026
32 CFR §170.19(b)Level 1 scope: in-scope FCI assets, out-of-scope assets, qualifying VDI endpoint, specialized-asset exclusionsJuly 17, 2026
32 CFR §170.21No POA&M permitted at any time for Level 1 self-assessmentsJuly 17, 2026
32 CFR §170.22Affirming Official and annual affirmation requirementJuly 17, 2026
32 CFR §170.23CMMC-status flow-down to applicable subcontractorsJuly 17, 2026
32 CFR §170.24MET/NOT MET/N/A findings; enduring exceptions and temporary deficiencies assessable as MET; drafts not acceptableJuly 17, 2026
DoD CMMC Assessment Guide – Level 1Third-party-assistance-is-still-self-assessment; evidence methods; MET/N/A on all requirementsJuly 17, 2026
NIST SP 800-171AOur reproducible count of 59 assessment objectives across the 15 requirementsJuly 17, 2026
DFARS 252.204-7021Current-status, affirmation, UID-update, and flow-down terms; unchanged by the suspensionJuly 17, 2026
DFARS 252.204-7025Notice provision; Level 1/2 self-assessment posting before award; CMMC UID in the proposalJuly 17, 2026
DFARS 252.204-7012FedRAMP-Moderate-equivalent duty for CSPs handling covered defense information; incident reportingJuly 17, 2026
DFARS 252.204-7019/-7020Legacy NIST SP 800-171 DoD Assessment score — distinct from a CMMC Level 1 resultJuly 17, 2026
DoD Class Deviation 2026-O0025 (RFO Part 40)52.204-21 → 52.240-93 in affected DoD solicitations; codified FAR/DFARS unchangedJuly 17, 2026
DoD implementation memo, pub. case 26-P-1023 (July 13, 2026)Phase 2 suspended; Phase 1 self-assessments continue; only Level 1 (Self)/Level 2 (Self) designations for new requirementsJuly 17, 2026
Executive Order 14347 (Sept 5, 2025)"Department of War" is a secondary title; legal name remains U.S. Department of DefenseJuly 17, 2026
Cyber AB ecosystem definitionsRPO = Registered Practitioner Organization; RPOs advise, C3PAOs assessJuly 17, 2026
NIST SP 800-171 Rev. 3 / SP 800-172 statusReleased, but not the versions the current CMMC rule incorporatesJuly 17, 2026

Byline:The Defense Compliance Report Editorial Team — independent CMMC and Defense Industrial Base compliance research. This article has not been publicly attributed to a named CMMC Subject Matter Advisor. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP) or Registered Practitioner Organization (RPO), or a qualified federal-contracts attorney, before you act. The solicitation, contract, or applicable subcontract requirement — and your CUI/FCI handling — set your level; a checklist does not.


Frequently asked questions about the basic safeguarding requirements for FCI

Are there 15 or 17 CMMC Level 1 requirements?
There are 15 current Level 1 requirements, listed in FAR 52.204-21(b)(1) and confirmed in 32 CFR §170.4. You'll also see 17 because those 15 map to 17 NIST SP 800-171 practices — one requirement (visitors and physical access) maps to three. Same work, two ways of counting.
Does FAR 52.204-21 by itself require a CMMC Level 1 SPRS submission?
No. FAR 52.204-21 requires you to implement the 15 safeguards when it's in your contract. The Level 1 self-assessment, SPRS result, CMMC UID, and affirmation are triggered separately by the CMMC clauses, DFARS 252.204-7021 and -7025.
Is CMMC Level 1 a certification?
No. Level 1 is a self-assessment that produces a status and an affirmation in SPRS, not a certificate issued by a third party. A consultant may help, but the DoD Level 1 guide states the engagement remains a self-assessment.
Can a third party perform or help with the Level 1 self-assessment?
Yes, they can assist — but the result is still a self-assessment, and you remain responsible for the scope, the findings, the evidence, and the affirmation.
Does CMMC Level 1 have a numeric SPRS score?
No. Level 1 records a compliance result and a Final Level 1 (Self) status. The 110-point score applies to Level 2. Every applicable Level 1 requirement must be MET or N/A.
Can you use a POA&M at Level 1?
No. A POA&M is not permitted at any time for Level 1 self-assessments (32 CFR §170.21). That's separate from the rule's narrow treatment of documented enduring exceptions and temporary deficiencies, which can be assessed as MET.
Which Level 1 assets may handle FCI but stay outside the assessment scope?
Under 32 CFR §170.19(b), specialized assets — IoT, IIoT, operational technology, Government Furnished Equipment, Restricted Information Systems, and Test Equipment — can process, store, or transmit FCI but are not part of the Level 1 assessment scope. A qualifying virtual-desktop endpoint is also out of scope. These are assessment-scope carve-outs, not exemptions from the FAR safeguarding duty.
Is an SSP required for CMMC Level 1?
The DoD Level 1 guide recommends a System Security Plan as a best practice but does not make it a prerequisite for your status. We recommend writing one anyway to consolidate your evidence.
What is a CMMC UID, and when do I need it?
A CMMC unique identifier (UID) is issued by SPRS for each assessed information system. Under DFARS 252.204-7025, when a solicitation names a CMMC level, you provide the UID for each system that will handle FCI or CUI in your proposal, and update the list when new UIDs are generated.
Is MFA or encryption a Level 1 requirement?
Neither appears as a separately numbered safeguard in the 15. Both can still be the right way to meet the access or communications requirements, or be required by another clause. Their absence from the list is not permission to skip them where they're warranted.
Does handling FCI mean I need GCC High or a FedRAMP cloud?
Not automatically. The 15 safeguards don't name a specific cloud. FedRAMP becomes a firm requirement for cloud providers when DFARS 252.204-7012 applies to covered defense information — a CUI question, not an FCI-only Level 1 one. Confirm which regime your contract puts you in.
How long must Level 1 evidence be kept?
Six years from the CMMC status date (32 CFR §170.15(c)(2)).
Did the July 2026 Phase 2 suspension pause Level 1?
No. The July 13, 2026 memo suspended the transition to third-party assessments (Phase 2) but expressly kept Phase 1 self-assessments in place.
Does the suspension change a contract I already hold?
Not by itself. The government is directed to amend solicitations and modify contracts to remove Level 2 (C3PAO) and Level 3 (DIBCAC) requirements, but until that amendment or modification issues, follow the instrument you signed.
Should my documentation cite FAR 52.204-21 or FAR 52.240-93?
Record whichever appears in your actual contract. The codified FAR and the current CMMC rule reference 52.204-21; affected DoD solicitations issued under the current class deviation use 52.240-93. They point to the same requirements.
Do the FCI safeguarding requirements flow down to subcontractors?
Yes — and there are two flow-downs. FAR 52.204-21(c) flows the safeguarding clause down (excluding true COTS). Separately, when a CMMC requirement applies, 32 CFR §170.23 and DFARS 252.204-7021 require applicable subcontractors to hold and affirm the required CMMC status.
Does NIST SP 800-171 Revision 3 control CMMC yet?
No. The current CMMC rule still incorporates NIST SP 800-171 Revision 2 for Level 2 and selected requirements from the February 2021 edition of NIST SP 800-172 for Level 3, unless and until DoD amends the rule.