Basic Safeguarding Requirements FCI: All 15 Safeguards and the Evidence to Prove Them
By The Defense Compliance Report Editorial Team · Last reviewed July 2026 · Last verified: July 17, 2026
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
The basic safeguarding requirements FCI systems must meet are the 15 security controls in FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” When your contract also carries a CMMC Level 1 requirement, you self-assess against those same 15 controls and post the result — plus an annual affirmation — in SPRS. The July 2026 CMMC suspension did not remove either duty.
You found a clause. Maybe it was buried in a solicitation, maybe a prime emailed it to you, maybe a buyer asked whether you’ve posted anything in SPRS yet. Either way, the words basic safeguardingare now your problem — and you need to know how big a problem.
We read the actual clause, the CMMC Program Rule (32 CFR Part 170), the DoD CMMC Level 1 Assessment and Scoping Guides, and the July 13, 2026 suspension memo ourselves. Here’s what most pages get wrong, and what we’ll settle below: some sources say 15 requirements, some say 17; a few will tell you to hire a third-party assessor you don’t need at Level 1; almost none of them separate the FAR safeguarding duty from the CMMC self-assessmentduty; and a lot of guidance still hasn’t caught up with the July 2026 suspension.
We’ll give you all 15 requirements, the evidence that makes each one actually hold up, and a checklist you can run this week — without sending us a single sensitive file. If you handle CUI (Controlled Unclassified Information), not just FCI, this is the wrong finish line, and we’ll point you to the right one.
What are the basic safeguarding requirements FCI systems must meet?
The basic safeguarding requirements FCI systems must meet are the 15 controls in FAR 52.204-21, covering six areas: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. They apply to any covered contractor information system that processes, stores, or transmits Federal Contract Information (FCI) whenever that clause is in your contract. They are the same 15 controls a CMMC Level 1 self-assessment checks.
FCI is nonpublic information a contract generates, or that the government gives you, to deliver a product or service — not information already made public, and not simple transactional data like payment processing. FAR 52.204-21 has been on the books since 2016 (81 FR 30446, May 16, 2016; amended November 4, 2021). It is not new, and it is not optional. Primary source: FAR 52.204-21 on the eCFR.
The 15 fall into six families:
| Family | Requirements | What it protects |
|---|---|---|
| Access Control | 4 | Who — and which systems — can reach FCI |
| Identification & Authentication | 2 | Proving users, processes, and devices are who they claim to be |
| Media Protection | 1 | FCI surviving on discarded or reused media |
| Physical Protection | 2 | Physical access to systems, and a record of it |
| System & Communications Protection | 2 | Your network boundary, and separating public systems |
| System & Information Integrity | 4 | Fixing flaws and stopping malicious code |
Here’s the quick-fit read before you spend another minute:
| Your situation | Where you start | Your path | Is this page for you? |
|---|---|---|---|
| Your contract requires Level 1 and you handle FCI but not CUI | The 15 basic safeguards | Annual self-assessment + affirmation in SPRS | Yes |
| Your contract requires Level 2, or you handle CUI | NIST SP 800-171 Rev. 2 (110 requirements) | Level 2 self- or third-party assessment | No — use our Level 2 guide |
| You’ve been selected for a critical program or high-value asset | Level 3 (selected NIST SP 800-172 requirements) | DIBCAC-led assessment | No — see the Level 3 path |
| You’re unsure whether your data is FCI, CUI, or neither | Read the actual contract and trace the data | Resolve before you affirm | Read the scope section, then get qualified help |
At a glance — CMMC Level 1 (Self):
- Safeguarding baseline: FAR 52.204-21(b)(1), or the applicable deviation clause (FAR 52.240-93) if that’s what your instrument uses — 15 requirements.
- CMMC assessment and status rules: 32 CFR §§170.14–170.15, plus the applicable DFARS CMMC provisions (252.204-7021 and -7025).
- Applies to: any system that processes, stores, or transmits FCI — primes and subcontractors.
- Assessment: annual self-assessment. A third party may help, but no C3PAO certification assessment or official Level 1 certificate is produced.
- Findings: every applicable requirement must be MET or N/A — there is no POA&M at Level 1.
- Reporting (when a CMMC requirement applies): results, a SPRS-issued CMMC unique identifier (UID), and an affirmation go into SPRS.
- Records: keep your evidence for six years from the status date (32 CFR §170.15(c)(2)).
- Status after the July 2026 suspension: still required.
Does FAR 52.204-21 by itself require a CMMC Level 1 SPRS submission?
No. FAR 52.204-21 establishes the 15 safeguarding duties when it’s incorporated into your contract. A separate CMMC requirement — the solicitation provision DFARS 252.204-7025 and the contract clause DFARS 252.204-7021 — is what triggers the Level 1 self-assessment, the SPRS result, the CMMC unique identifier, and the annual affirmation. The two are related, but they are not the same trigger.
This distinction saves real money and prevents real mistakes, so it’s worth 30 seconds.
- The safeguarding duty (FAR 52.204-21). If this clause is in your contract, you must implementthe 15 controls on the systems that touch FCI. That’s it — the clause itself says nothing about self-assessing or posting a score anywhere.
- The CMMC duty (DFARS 252.204-7021 / -7025). When a DoD solicitation names a CMMC level, you must self-assess against those same 15 controls, post the result and an affirmation in SPRS, and provide a SPRS-issued CMMC UID for each in-scope system in your proposal. See DFARS 252.204-7025 on the eCFR.
In practice, DoD FCI work in the current phase increasingly carries both: the FAR safeguarding clause and the CMMC clause requiring a Level 1 (Self) result in SPRS. But if you’re on a civilian-agency contract, or a DoD contract that hasn’t picked up the CMMC clause yet, you may owe the safeguards without owing an SPRS submission. Read the actual instrument to know which you’re dealing with.
Did the July 2026 CMMC suspension change any of this?
No. CMMC Phase 1 began November 10, 2025 and was originally scheduled to run through November 9, 2026. On July 13, 2026, the U.S. Department of Defense suspended the transition to Phase 2 — which had been scheduled for November 10, 2026 and would have expanded the use of Level 2 C3PAO assessment requirements. The official direction kept Phase 1 self-assessment requirements in place, and as of July 17, 2026 no replacement Phase 2 start date had been announced.
We read the implementation memo (issued by the DoD, published under its “Department of War” secondary title, publication case 26-P-1023, dated July 13, 2026). During the review, it directs DoD program managers and requiring activities to use only Level 1 (Self) or Level 2 (Self)for new requirements — not Level 2 with a third-party assessor (C3PAO) or Level 3 (assessed by DCMA DIBCAC). It defines Level 1 the same way this page does: the self-assessment for “the basic safeguarding requirements” in FAR 52.204-21 (or, in current deviation instruments, FAR 52.240-93).
What was suspended, and what remains
| Item | Before July 13, 2026 | After the suspension | Effect on your FCI obligation |
|---|---|---|---|
| FAR 52.204-21 — the 15 FCI safeguards | Required | Required | None — still required |
| CMMC Level 1 (Self) | Required | Required, and one of only two levels DoD may designate for new requirements | None — still required |
| CMMC Level 2 (C3PAO) / Level 3 (DIBCAC) | Phasing in Nov 10, 2026 | Suspended | Not applicable to FCI-only work |
| DFARS 252.204-7012 (safeguarding CUI, incident reporting) | In effect | In effect | Applies only if you also handle CUI |
Two things worth internalizing. This was done by memo, not by rulemaking — 32 CFR Part 170 and the CMMC clause (DFARS 252.204-7021) are still on the books, unchanged. Suspended is not repealed, and a 60-day review is underway; we’re tracking it. And don’t read “suspended” as “relaxed.” For work currently scoped at Level 1 (Self), the CMMC path stays refreshingly simple — implement the 15 safeguards, self-assess, and affirm. Just read your actual contract, because other cybersecurity clauses may still apply.
Does the suspension change an existing solicitation or contract?
Not automatically. The memo governs what program managers may put into new requirements during the review; it does not by itself rewrite every already-issued solicitation, contract, modification, or subcontract. The direction is that the government will amend active solicitations and modifyexisting contracts to remove Level 2 (C3PAO) and Level 3 (DIBCAC) requirements — but until that amendment or modification actually issues, the instrument you signed still controls. If your contract currently requires a Level 2 (C3PAO) result and you have not yet received a modification, get written clarification from your contracting officer before you stop preparing.
Is it 15 requirements or 17?
Fifteen is the controlling CMMC Level 1 count. You’ll also see 17, because those 15 map to 17 NIST SP 800-171 security requirements — one requirement (visitors and physical access) maps to three. Older CMMC materials listed Level 1 as 17 “practices” for the same reason. Same obligations, different tally. Underneath all of it sit 59 individual assessment objectives — the specific statements an assessor actually checks.
- 15is the number that matters for “how many requirements.” FAR 52.204-21(b)(1) lists 15 lettered controls, (i)–(xv), and the CMMC Program Rule confirms it: 32 CFR §170.4 defines “CMMC Security Requirements” as the 15 Level 1 requirements listed in 48 CFR 52.204-21(b)(1), the 110 Level 2 requirements from NIST SP 800-171 Rev. 2, and the 24 Level 3 requirements selected from NIST SP 800-172.
- 17is what you get when the 15 map to NIST SP 800-171 practices: 14 map one-to-one, but requirement (ix) — escort visitors, keep physical-access logs, and control access devices — maps to three practices (3.10.3, 3.10.4, 3.10.5). 14 + 3 = 17. That’s also the number the original CMMC 1.0 model used for Level 1. Same body of work.
- 59is the number we count, because it’s where “MET” is actually won or lost. Each requirement breaks into lettered assessment objectives in NIST SP 800-171A. We counted them ourselves and got 59 — our reproducible count, which you can verify against the DoD CMMC Assessment Guide – Level 1.
| Requirement (FAR ref → NIST practice) | Assessment objectives |
|---|---|
| (i) → 3.1.1 — authorized access | 6 |
| (ii) → 3.1.2 — permitted transactions/functions | 2 |
| (iii) → 3.1.20 — external systems and connections | 6 |
| (iv) → 3.1.22 — public-facing systems | 5 |
| (v) → 3.5.1 — identification | 3 |
| (vi) → 3.5.2 — authentication | 3 |
| (vii) → 3.8.3 — media disposal | 2 |
| (viii) → 3.10.1 — physical access | 4 |
| (ix) → 3.10.3, 3.10.4, 3.10.5 — visitors, logs, access devices | 6 |
| (x) → 3.13.1 — boundary protection | 8 |
| (xi) → 3.13.5 — public-system separation | 2 |
| (xii) → 3.14.1 — flaw remediation | 6 |
| (xiii) → 3.14.2 — malicious-code protection | 2 |
| (xiv) → 3.14.4 — malicious-code updates | 1 |
| (xv) → 3.14.5 — periodic and real-time scanning | 3 |
| Total | 59 |
Why this matters to you and not just to auditors: the scoring rule is unforgiving. Under 32 CFR §170.24, if any one applicable objective is NOT MET, the entire requirement is NOT MET— and per 32 CFR §170.21, a Plan of Action and Milestones (POA&M) is not permitted at any timefor Level 1 self-assessments. There’s no “we’re 80% there” and no buying time to finish later.
There is one narrow, legitimate nuance, and it is not a loophole: the rule treats a documented enduring exception(a system where full compliance isn’t feasible — think certain operational technology — recorded in your system security plan) and a temporary deficiency(something that broke after implementation, tracked in an “operational plan of action”) as assessable MET. An operational plan of action is explicitly nota POA&M — it carries no remediation timeline — and neither one lets you defer the initial implementation of a safeguard. So the honest bottom line stands: you either have the 59 objectives covered where they apply, or you’re not ready to affirm.
Micro-check:before you read further, pull up your current documentation and mentally test it against the 59 objectives — not the 15 headlines. If you can’t point to real evidence for each one, that’s your gap list. The matrix below turns it into a plan.
The 15 basic safeguarding requirements, with the evidence that proves each one
Below is every one of the 15 requirements in plain English, with the kind of evidence that supports a MET finding and the common gap to check on each. The requirement language and NIST mappings come from FAR 52.204-21 and 32 CFR Part 170 (official). The “evidence” and “common gap” notes are our editorial guidance — examples, not a government-prescribed artifact list.
How you prove any of these: the official method (NIST SP 800-171A, used by the Level 1 guide) gives an assessor three tools — examine (documents, configurations, records), interview (ask the responsible person), and test(verify the mechanism behaves as claimed). A written policy is a start, but a policy alone is weak evidence — the rule is explicit that draft or unofficial policies don’t support a MET finding. The strongest package connects the policy, the record that shows it’s implemented, and the test that proves it works.
| # | Requirement (FAR · NIST · objectives) | What it means in practice | Evidence that proves MET (editorial) | Common gap to check (editorial) |
|---|---|---|---|---|
| 1 | (i) · 3.1.1 · 6 — Limit access to authorized users | Only authorized people, processes, and devices can touch FCI systems. | User list, device inventory, service-account inventory, access approvals, offboarding records, an access test. | Shared logins; departed employees still enabled; unmanaged devices. |
| 2 | (ii) · 3.1.2 · 2 — Limit access to permitted functions | Each user can do only what their role allows. | Role/permission matrix, admin-account list, a test of a standard user against admin functions. | Everyone is a local admin "to save time." |
| 3 | (iii) · 3.1.20 · 6 — Control external connections | External systems and their use are identified, verified, and limited. | Approved-service list, remote-access and BYOD rules, VPN config, SaaS inventory, connection logs. | Personal devices and consumer cloud apps quietly touching FCI. |
| 4 | (iv) · 3.1.22 · 5 — Control public-facing information | A repeatable process keeps FCI off public sites, portals, and repos. | Authorized-publisher list, pre-publication review step, public-asset inventory, a removal procedure. | Anyone can publish; no review; FCI ends up in a public repo. |
| 5 | (v) · 3.5.1 · 3 — Identify users, processes, devices | Everything and everyone gets a unique identity before access is considered. | Directory export, endpoint inventory, service-account registry, naming standard. | Generic or shared "office" accounts with no owner. |
| 6 | (vi) · 3.5.2 · 3 — Authenticate identities | The system verifies those identities before granting access. | Authentication/credential policy, identity-provider settings, sign-in logs, a login test. | A shared drive with no real authentication in front of it. |
| 7 | (vii) · 3.8.3 · 2 — Sanitize or destroy media | FCI is wiped or destroyed before media is discarded or reused — including paper and printers. | Sanitization procedure, disposal/destruction logs, vendor certificates of destruction. | Old drives donated or recycled without being wiped. |
| 8 | (viii) · 3.10.1 · 4 — Limit physical access | Physical access to in-scope systems and spaces is limited to authorized people. | Authorized-access list, badge/key assignments, server-room controls, home-office notes. | The "server" is a tower in an unlocked closet. |
| 9 | (ix) · 3.10.3–3.10.5 · 6 — Escort visitors; log access; control devices | Visitors escorted and monitored, physical access logged, keys/badges controlled. | Visitor log, escort procedure, badge/key inventory with issue/revoke records. | No visitor log; keys handed out and never returned. |
| 10 | (x) · 3.13.1 · 8 — Protect the boundary | Communications monitored, controlled, and protected at external and key internal boundaries. | Network/data-flow diagram, firewall/router config and rule reviews, segmentation records. | A flat network with a diagram that no longer matches reality. |
| 11 | (xi) · 3.13.5 · 2 — Separate public systems | Publicly accessible components are separated from internal systems. | Public-asset inventory, DMZ/segmentation diagram, firewall rules. N/A may apply if you host nothing public — document the basis. | A public web server sitting on the internal LAN. |
| 12 | (xii) · 3.14.1 · 6 — Fix flaws in time | You identify, report, and correct flaws within timeframes you've defined. | Patch/vuln reports, ticketing, remediation policy, exception records, closure evidence. | "Auto-update is on" — with no check for failures or unsupported gear. |
| 13 | (xiii) · 3.14.2 · 2 — Stop malicious code | Malicious-code protection is deployed where it belongs. | Endpoint/server/email protection reports, an agent-coverage dashboard, a sample test. | A few machines silently uncovered by the AV/EDR console. |
| 14 | (xiv) · 3.14.4 · 1 — Keep protection updated | Those mechanisms update when new releases come out. | Update configuration, version/status dashboard, a stale-agent report. | Offline or broken agents no one is watching. |
| 15 | (xv) · 3.14.5 · 3 — Scan, periodically and in real time | Systems scanned on a schedule; external files scanned in real time as downloaded, opened, or executed. | Scheduled-scan config and reports, real-time protection settings, an external-file test. | Real-time scanning turned off "for performance." |
What actually counts as proof — and how to see your own gaps
Evidence can come from examining records, interviewing the people responsible, testing the mechanism, or a combination. It must be final and sufficient — drafts and “trust me, it’s configured” don’t support a MET finding. N/A is a real finding that needs a documented reason, not a shortcut.
Three rules keep an FCI-only contractor out of trouble:
- One NOT MET objective sinks the requirement.No partial credit. If 5 of 6 objectives are covered and the sixth isn’t, that requirement is NOT MET.
- N/A is a finding, not an escape hatch.The cleanest example is requirement 11 (separating public systems): if your scope genuinely contains no publicly accessible systems, N/A is legitimate — as long as you record why. An N/A objective is treated the same as MET.
- A policy that isn’t operating is a liability, not evidence.The policy sets the rule; the configuration or record shows it’s real; the test proves it works. An assessor — and your own Affirming Official — should be able to follow that chain.
This is where a static article stops being enough. You don’t need the 15 requirements re-explained; you need to know which of the 59 objectives you can support today, who owns each, and where the evidence lives.
FAR 52.204-21 or FAR 52.240-93 — which one do you follow?
Follow the clause and date actually written into your instrument. Both numbers point to the same requirement. Under a DoD class deviation (Class Deviation 2026-O0025) tied to the Revolutionary FAR Overhaul, affected DoD solicitations and contracts use the revised FAR Part 40 model and FAR 52.240-93. The codified FAR still contains FAR 52.204-21, and the current CMMC rule still references it.
The government is rewriting the FAR under the Revolutionary FAR Overhaul (RFO). Ahead of formal rulemaking, DoD issued class deviations that renumber several cybersecurity clauses: FAR 52.204-21 became FAR 52.240-93 in the affected deviation path (same title, same 15 basic safeguarding paragraphs), the old standalone self-assessment provision DFARS 252.204-7019 is omitted, and DFARS 252.240-7997 is used in place of DFARS 252.204-7020. Affected DoD solicitations began using the new numbers on February 1, 2026.
The catch: this is a deviation path, not a universal codified change. The codified FAR still contains FAR 52.204-21, the codified DFARS still contains 252.204-7019 and 252.204-7020, and the CMMC Program Rule (32 CFR Part 170) still defines Level 1 by pointing at 52.204-21. So both numbers circulate, often for the same clause.
| Question | FAR 52.204-21 | FAR 52.240-93 |
|---|---|---|
| Where you'll see it | Codified FAR; CMMC rule references | Affected DoD solicitations issued under the class deviation (since Feb 1, 2026) |
| Title | Basic Safeguarding of Covered Contractor Information Systems | Same |
| The 15 requirements | Yes | Yes — same paragraphs in the current deviation text |
| CMMC Level 1 reference | This is the number the current rule uses | Not the number the CMMC rule uses |
| What to do | Don't ignore it because a newer document uses 52.240-93 | Don't assume a checklist citing 52.204-21 is outdated — cross-check the substance |
The practical move:record what your specific instrument says — the clause number, the clause date, the section, the required CMMC status, and your CAGE code(s). Where the numbering is ambiguous, get written clarification from the contracting party. A web checklist — including this one — does not amend your contract.
Do you actually have FCI — and what’s in scope?
FCI is nonpublic information provided by or generated for the government under a contract to develop or deliver a product or service — excluding information already made public and simple transactional data like payment processing. Systems that process, store, or transmit FCI are generally in your Level 1 assessment scope; systems that never touch FCI are not. The rule also carves out qualifying virtual-desktop endpoints and certain specialized assets from the assessment — but those are assessment-scope rules, not exemptions from the safeguarding duty.
Start with the definition, because most over- and under-scoping comes from skipping it. FAR 52.204-21 defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public … or simple transactional information, such as necessary to process payments.”
Run your data through these questions:
- Was it provided by, or generated for, the government under a contract?
- Does it relate to delivering a product or service on that contract?
- Is it not intended for public release?
- Has the government already made it public? (If so, it’s not FCI.)
- Is it merely simple transactional information, like payment data? (If so, it’s not FCI.)
- Is it separately marked or governed as CUI? (If so, you’re past Level 1 — see below.)
Depending on the contract, content, source, and public-release status, FCI may appear in purchase orders, emailed statements of work, nonpublic delivery schedules, quotes, status reports, email, file shares, ERP or accounting systems, ticketing systems, and collaboration tools. Each of those can be in scope.
A caution on drawings and technical data:don’t reflexively label every drawing “FCI.” Technical data and engineering drawings are frequently CUI, which triggers a much heavier standard. Treatment is determined by applicable law, regulation, governmentwide policy, agency designation, the contract terms, authoritative handling instructions, and the substance of the information. Markings are important signals — but they are not the sole legal source of CUI status.
Level 1 assessment scope, precisely
The Level 1 scope rules live in 32 CFR §170.19(b) and the DoD CMMC Level 1 Scoping Guide. Four categories matter:
| Asset category | Relationship to FCI | Level 1 assessment treatment |
|---|---|---|
| FCI assets | Process, store, or transmit FCI (and aren't specialized assets) | In scope — assessed against the 15 requirements |
| Out-of-scope assets | Don't process, store, or transmit FCI | Out of scope; no documentation requirements |
| Qualifying VDI endpoint | A virtual-desktop client configured to allow no processing/storage/transmission of FCI beyond keyboard/video/mouse | Out of scope under §170.19(b)(2)(i) |
| Specialized assets | Can process, store, or transmit FCI but can't be fully secured — IoT, IIoT, OT, Government Furnished Equipment, Restricted Information Systems, Test Equipment | Not part of the Level 1 assessment scope; not assessed against CMMC requirements (§170.19(b)(2)(ii)) |
One critical caveat, because it’s exactly where contractors get burned: these are CMMC assessment-scope rules — not blanket exemptions from the FAR 52.204-21 safeguarding duty or other incorporated clauses.The safeguarding clause doesn’t contain these carve-outs. So a specialized asset can be outside yourassessmentwhile the underlying obligation to protect FCI still applies. Scoping also has to account for people, technology, facilities, and external service providers (ESPs) — an ESP is external people, technology, or facilities you rely on, including cloud, managed service, or managed security providers.
On enclaves:concentrating FCI in a bounded environment can shrink scope, but only if the boundary is real. Calling something an enclave doesn’t create one; the identities, endpoints, support tools, and connected services that reach into it are still in play.
Policies, an SSP, and the POA&M question at Level 1
Policies help support your evidence, but they don’t prove a safeguard is running. A System Security Plan (SSP) is recommended for Level 1 as a best practice, not required to obtain your status. And a CMMC POA&M is not permitted at Level 1 — every applicable requirement must be MET or N/A before you affirm.
| Mechanism | What it is | Level 1 treatment |
|---|---|---|
| CMMC POA&M | A plan to close NOT MET items after an assessment (180-day closeout) | Not permitted at Level 1 (32 CFR §170.21) |
| Internal remediation task list | Your own project tracking before you affirm | Fine as project management — but it does not let you claim MET on an unimplemented safeguard |
| Temporary deficiency | Something that broke after implementation, with a known fix in process, documented in an operational plan of action | Assessable as MET (32 CFR §170.24); an operational plan of action is not a POA&M |
| Enduring exception | A system where full compliance isn't feasible (e.g., certain OT), documented in the SSP | Assessable as MET (32 CFR §170.24) |
On the SSP: the DoD Level 1 guide recommends one as good practice, not as a prerequisite for your status. We recommend writing one anyway, because it can consolidate your scope, responsibilities, implementation, and recurring-review evidence in one place — which makes next year’s re-assessment far easier. Just don’t treat it as a hidden sixteenth requirement.
How to complete the self-assessment and post it in SPRS
Define your scope, assess all 15 requirements at the objective level, remediate anything unmet, review your final evidence, then — when a CMMC requirement applies — enter the result in SPRS and have an authorized official affirm it. The record must be renewed annually, and you keep the evidence for six years.
SPRS is the DoD supplier-risk system used to record CMMC assessment results and affirmations, among other supplier performance and risk data. You reach it through the PIEE portal.
| Step | What you do | Proof you finished it |
|---|---|---|
| 1 | Confirm the actual contract/solicitation requirement and clause | Clause and required-status record |
| 2 | Identify FCI; flag any possible CUI before proceeding | Data-classification and contract-review notes |
| 3 | Define the assessment scope | Scope statement, system list, data-flow diagram |
| 4 | Assess all 15 requirements against their objectives | Completed objective worksheet |
| 5 | Remediate applicable NOT MET findings | Closed tickets + final implementation evidence |
| 6 | Do a final evidence review | Evidence index + owner sign-off |
| 7 | Enter the required result in SPRS and record your CMMC UID(s) | Submission record |
| 8 | Complete the affirmation; schedule the annual renewal | Affirmation record + calendar reminder |
- What the rule requires in your Level 1 SPRS entry(32 CFR §170.15): your CMMC level, the CMMC status date, the assessment scope, all associated CAGE codes, and the compliance result. Note what’s notthere — a numeric score. Level 1 produces a Final Level 1 (Self) status and a compliance result, not the 110-point score associated with Level 2.
- The CMMC UID.Under DFARS 252.204-7025, when a solicitation names a CMMC level, the offeror must provide the SPRS-issued CMMC unique identifier (UID) for each information system that will process, store, or transmit FCI or CUI during performance — and update the list when new UIDs are generated.
- Don’t confuse two different “scores.”A NIST SP 800-171 DoD Assessment summary score — the Basic/Medium/High score posted under DFARS 252.204-7019/-7020 for CUI work — is notthe same thing as a CMMC Level 1 compliance result. If a buyer asks for one, don’t answer with the other.
- Who affirms. The rule requires an Affirming Official — a senior representative responsible for ensuring the contractor’s continuing compliance with the security requirements associated with the CMMC status — with the affirmation entered in SPRS after the assessment and annually thereafter (32 CFR §170.22).
- Records. Retain your assessment artifacts for six years from the CMMC status date (32 CFR §170.15(c)(2)).
- And this gates awards.Under DFARS 252.204-7025, when a solicitation requires Level 1, you must post your self-assessment result in SPRS before award; and under DFARS 252.204-7021, contracting officers can’t award, exercise an option, or extend a contract unless SPRS reflects the required CMMC status.
Do the requirements flow down to your subcontractors?
Yes — and there are two distinct flow-downs, which competitors often blur. FAR 52.204-21(c) flows the safeguarding clause down to subcontracts (including commercial products and services, but excluding true COTS items) where FCI may reside in or transit the subcontractor’s system. Separately, when a CMMC requirement applies, the CMMC-status flow-down under 32 CFR §170.23 and DFARS 252.204-7021 requires applicable subcontractors to hold and affirm the required CMMC status.
| Flow-down | Authority | What it obligates | COTS |
|---|---|---|---|
| Safeguarding clause | FAR 52.204-21(c) | Sub must apply the 15 safeguards to systems with FCI | Excluded (true COTS) |
| CMMC status | 32 CFR §170.23 / DFARS 252.204-7021 | Applicable sub must achieve and affirm the required CMMC status in SPRS | Follows the CMMC clause’s applicability |
If you’re the prime, before you flow anything down: does the sub receive or generate FCI? Will FCI reside in or transit their systems? Is the buy limited to true COTS? What FAR/DFARS language is in your prime contract? What CMMC status is required, and by when? How will you verify it?
If you’re the subcontractoron the receiving end of a “you need CMMC” email, ask for specifics before you spend a dime: the exact clause language, the required status, the effective date, the CAGE-code expectation, guidance on identifying the data, and any prime-specific evidence requirements. A prime’s email is not a substitute for understanding the clause, the data, the scope, and the timing. See our CMMC flow-down letter template for a starting point.
Do you need GCC High, a C3PAO, FedRAMP, or a provider for Level 1?
Not automatically. The 15 Level 1 safeguards do not, by themselves, mandate a specific Microsoft cloud, a CUI enclave, a FedRAMP-authorized service, or a third-party assessor. What you actually need depends on your contract, your data type, your environment, and whether you can do the work in-house. Level 1 is designed to be self-assessed, and an FCI-only shop with competent IT support can often handle it internally.
- Do you need a C3PAO? No, not for Level 1. Level 1 is a self-assessment. A third party can help you prepare and even run through it with you, but the DoD Level 1 guide is explicit that the engagement remains a self-assessment and does not produce a certification. Anyone presenting a paid readiness deliverable as an official CMMC Level 1 certificateis mischaracterizing it — Level 1 produces a status and an affirmation, not a C3PAO-issued certificate.
- Do you need GCC High?Not as a blanket rule. GCC High may fit some CUI and export-controlled workloads, but fit depends on the contract, export-control jurisdiction, licensed services, configuration, integrations, identity architecture, and responsibility matrix. For FCI-only Level 1, the requirement is that your systems meet the 15 safeguards — not that they live in a specific tenant.
- Do you need FedRAMP?Not for FCI alone. FedRAMP becomes a firm requirement for cloud service providers under DFARS 252.204-7012 when covered defense information (a CUI concept) is processed. If your contract doesn’t carry that clause and you’re handling only FCI, the FedRAMP mandate doesn’t automatically follow.
- Do you need an RPO or MSP?Not required, but often practical. An RPO (Registered Practitioner Organization) advises on CMMC readiness; an MSP can operate compliant infrastructure. Whether you need outside help is a function of your current state, your team’s capacity, and your timeline — not the level number.
This is the logic behind The CMMC Path Framework— our named approach that maps your required CMMC level, FCI-vs-CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category most likely to fit. It routes you to a category, not a named provider, and it is not a score, a ranking, or compliance advice. Access it through the Find My CMMC Path tool.
A note on NIST versions, so nobody sells you the wrong standard: NIST released SP 800-171 Revision 3 in 2024 and has continued updating the 800-172 family, but the current CMMC rule still incorporates NIST SP 800-171 Revision 2 for Level 2 and selected requirements from the February 2021 edition of NIST SP 800-172for Level 3 — unless and until DoD amends the governing rule or your contract requirements. If a provider quotes you Rev. 3 as the CMMC standard, that’s a flag to ask questions.
What changes if you discover CUI?
Stop treating the Level 1 checklist as the finish line. If your work involves CUI, Level 1 is not sufficient. The contract may require Level 2 — currently the 110 requirements of NIST SP 800-171 Revision 2, organized across 14 families — or, for selected critical programs or high-value assets, Level 3, which adds selected requirements from the February 2021 edition of NIST SP 800-172 and a DIBCAC-led assessment. During the July 2026 suspension, procurements may require Level 2 (Self), while Level 2 (C3PAO) and Level 3 (DIBCAC) designations are paused.
CUI is a step up in sensitivity from FCI. When DFARS 252.204-7012is incorporated, it imposes adequate-security, cyber-incident-reporting, malicious-software, media-preservation, government-access, and flow-down duties for covered defense information — a much larger lift than the 15 FCI safeguards. (Note: the presence of some CUI doesn’t automatically insert that clause; the contract does.)
If you find CUI, do this:
- Do not paste or upload the suspected information into any questionnaire or routing form.
- Preserve the contract, the marking, the source, and any handling instruction.
- Determine the authoritative CUI category and what the contract actually requires.
- Identify which systems and people have already been exposed to it.
- Review the relevant DFARS obligations.
- Get qualified scoping and contractual guidance.
- Move to the Level 2 readiness path.
And unlearn a few myths: a drawing is not automatically “just FCI,” technical files are not automatically CUI, and company size does not set your level. The solicitation, contract, or applicable subcontract requirement — and the authoritative treatment of the information — control your path. See our FCI vs. CUI guide and our CUI requirements for federal contractors guide where this one leaves off.
What drives Level 1 cost — and what to do this week
There’s no honest universal price for Level 1. Cost is driven by your assessment scope, the state of your current systems, the number of physical locations, how much remediation you need, and whether you use outside help. What we can give you is where the money and time actually go, and how to make real progress in seven days without buying anything first.
We won’t hand you a made-up dollar range — a number you can’t stand behind is worse than no number. The biggest cost driver, by far, is remediation: a shop that already runs managed endpoints, unique accounts, and a real firewall is close; a shop with shared logins and a flat network has more to do. For a grounded, source-backed treatment, use our dedicated Level 1 cost guide rather than a vendor’s generic figure.
Here’s a realistic first week:
- Day 1 — Contract and data.
- Save the relevant clauses, note the required status, and sort your information into known FCI, possible CUI, public, and simple transactions. List open questions.
- Day 2 — Flow and scope.
- Map where FCI enters, rests, moves, and leaves — email, endpoints, servers, file shares, ERP, cloud, backups, remote access, printers, paper, external providers, subcontractors. Draft your scope statement.
- Day 3 — Access and identity.
- Export users, devices, groups, permissions, service accounts, and recent terminations. Test standard and admin access.
- Day 4 — Physical, media, public.
- Review disposal records, visitor logs, key/badge inventories, and your public websites and repositories.
- Day 5 — Boundary and integrity.
- Review network diagrams, firewall rules, endpoint coverage, patch reports, and scanning — and hunt for update failures.
- Day 6 — Findings.
- Mark each objective MET, NOT MET, or N/A. Document N/A reasons. Close supportable gaps. Don't treat an unfinished task list as a POA&M — there isn't one at Level 1.
- Day 7 — Final review.
- Approve final documents, retest mechanisms, complete your evidence index, and prepare the SPRS entry and affirmation. Then set your annual and change-triggered reminders.
The pre-affirmation checklist: mistakes that sink a Level 1 self-assessment
An unsupported Level 1 result usually comes down to a gap between what you claimed, what your systems actually do, and what evidence you kept. These are the checks we’d run before anyone signs the affirmation — each one is findable in your own work product, and each maps to a rule or a row in the matrix above.
Run this list before you affirm:
- Calling it “17 controls” without understanding the current 15-requirement structure (or the reverse).
- Marking a requirement MET while one applicable objective is unsupported.
- Using draft policies as final evidence (the rule rejects draft and unofficial policies).
- Relying only on interviews — no configurations, no records, no tests.
- Excluding email, printers, remote work, cloud tools, or paper without actually tracing the FCI flow.
- Treating “automatic updates are enabled” as proof every system is current.
- Never reconciling your security console’s coverage against your real asset inventory.
- Overusing N/A to make requirements disappear.
- Presenting third-party readiness help as a “Level 1 certification.”
- Treating an internal remediation list as a permitted POA&M.
- Not retaining evidence for six years.
- Failing to obtain a new assessment after significant architectural or boundary changes — such as a network expansion or a merger or acquisition — while treating ordinary operational changes within the existing boundary (covered by your annual affirmation) as if they required one.
- Ignoring subcontractor flow-down — either the FAR safeguarding clause or the CMMC status.
- Assuming the July 2026 Phase 2 suspension eliminated Phase 1 self-assessments. (It didn’t.)
- Signing the affirmation before the evidence package is actually final.
- Publishing screenshots that expose FCI, credentials, or sensitive architecture.
A simple internal control that prevents most of these — our recommendation, not a government rule: before submission, get four people to acknowledge the package — the scope owner, the IT/security owner, the contracts/compliance owner, and the Affirming Official. It catches problems while they’re still cheap to fix.
What we verified for this guide
We built this from the primary sources, and we kept our editorial guidance clearly separate from the government’s requirements. Here’s exactly what we checked and when.
| Source | What we confirmed | Verified |
|---|---|---|
| FAR 52.204-21 (eCFR / Acquisition.gov) | FCI definition, all 15 requirements (i)–(xv), subcontract flow-down, COTS exception | July 17, 2026 |
| 32 CFR §170.4 | The current 15 / 110 / 24 structure; enduring-exception and temporary-deficiency definitions | July 17, 2026 |
| 32 CFR §170.14–170.15 | Annual self-assessment, required SPRS fields, six-year retention | July 17, 2026 |
| 32 CFR §170.19(b) | Level 1 scope: in-scope FCI assets, out-of-scope assets, qualifying VDI endpoint, specialized-asset exclusions | July 17, 2026 |
| 32 CFR §170.21 | No POA&M permitted at any time for Level 1 self-assessments | July 17, 2026 |
| 32 CFR §170.22 | Affirming Official and annual affirmation requirement | July 17, 2026 |
| 32 CFR §170.23 | CMMC-status flow-down to applicable subcontractors | July 17, 2026 |
| 32 CFR §170.24 | MET/NOT MET/N/A findings; enduring exceptions and temporary deficiencies assessable as MET; drafts not acceptable | July 17, 2026 |
| DoD CMMC Assessment Guide – Level 1 | Third-party-assistance-is-still-self-assessment; evidence methods; MET/N/A on all requirements | July 17, 2026 |
| NIST SP 800-171A | Our reproducible count of 59 assessment objectives across the 15 requirements | July 17, 2026 |
| DFARS 252.204-7021 | Current-status, affirmation, UID-update, and flow-down terms; unchanged by the suspension | July 17, 2026 |
| DFARS 252.204-7025 | Notice provision; Level 1/2 self-assessment posting before award; CMMC UID in the proposal | July 17, 2026 |
| DFARS 252.204-7012 | FedRAMP-Moderate-equivalent duty for CSPs handling covered defense information; incident reporting | July 17, 2026 |
| DFARS 252.204-7019/-7020 | Legacy NIST SP 800-171 DoD Assessment score — distinct from a CMMC Level 1 result | July 17, 2026 |
| DoD Class Deviation 2026-O0025 (RFO Part 40) | 52.204-21 → 52.240-93 in affected DoD solicitations; codified FAR/DFARS unchanged | July 17, 2026 |
| DoD implementation memo, pub. case 26-P-1023 (July 13, 2026) | Phase 2 suspended; Phase 1 self-assessments continue; only Level 1 (Self)/Level 2 (Self) designations for new requirements | July 17, 2026 |
| Executive Order 14347 (Sept 5, 2025) | "Department of War" is a secondary title; legal name remains U.S. Department of Defense | July 17, 2026 |
| Cyber AB ecosystem definitions | RPO = Registered Practitioner Organization; RPOs advise, C3PAOs assess | July 17, 2026 |
| NIST SP 800-171 Rev. 3 / SP 800-172 status | Released, but not the versions the current CMMC rule incorporates | July 17, 2026 |
Byline:The Defense Compliance Report Editorial Team — independent CMMC and Defense Industrial Base compliance research. This article has not been publicly attributed to a named CMMC Subject Matter Advisor. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP) or Registered Practitioner Organization (RPO), or a qualified federal-contracts attorney, before you act. The solicitation, contract, or applicable subcontract requirement — and your CUI/FCI handling — set your level; a checklist does not.
Frequently asked questions about the basic safeguarding requirements for FCI
- Are there 15 or 17 CMMC Level 1 requirements?
- There are 15 current Level 1 requirements, listed in FAR 52.204-21(b)(1) and confirmed in 32 CFR §170.4. You'll also see 17 because those 15 map to 17 NIST SP 800-171 practices — one requirement (visitors and physical access) maps to three. Same work, two ways of counting.
- Does FAR 52.204-21 by itself require a CMMC Level 1 SPRS submission?
- No. FAR 52.204-21 requires you to implement the 15 safeguards when it's in your contract. The Level 1 self-assessment, SPRS result, CMMC UID, and affirmation are triggered separately by the CMMC clauses, DFARS 252.204-7021 and -7025.
- Is CMMC Level 1 a certification?
- No. Level 1 is a self-assessment that produces a status and an affirmation in SPRS, not a certificate issued by a third party. A consultant may help, but the DoD Level 1 guide states the engagement remains a self-assessment.
- Can a third party perform or help with the Level 1 self-assessment?
- Yes, they can assist — but the result is still a self-assessment, and you remain responsible for the scope, the findings, the evidence, and the affirmation.
- Does CMMC Level 1 have a numeric SPRS score?
- No. Level 1 records a compliance result and a Final Level 1 (Self) status. The 110-point score applies to Level 2. Every applicable Level 1 requirement must be MET or N/A.
- Can you use a POA&M at Level 1?
- No. A POA&M is not permitted at any time for Level 1 self-assessments (32 CFR §170.21). That's separate from the rule's narrow treatment of documented enduring exceptions and temporary deficiencies, which can be assessed as MET.
- Which Level 1 assets may handle FCI but stay outside the assessment scope?
- Under 32 CFR §170.19(b), specialized assets — IoT, IIoT, operational technology, Government Furnished Equipment, Restricted Information Systems, and Test Equipment — can process, store, or transmit FCI but are not part of the Level 1 assessment scope. A qualifying virtual-desktop endpoint is also out of scope. These are assessment-scope carve-outs, not exemptions from the FAR safeguarding duty.
- Is an SSP required for CMMC Level 1?
- The DoD Level 1 guide recommends a System Security Plan as a best practice but does not make it a prerequisite for your status. We recommend writing one anyway to consolidate your evidence.
- What is a CMMC UID, and when do I need it?
- A CMMC unique identifier (UID) is issued by SPRS for each assessed information system. Under DFARS 252.204-7025, when a solicitation names a CMMC level, you provide the UID for each system that will handle FCI or CUI in your proposal, and update the list when new UIDs are generated.
- Is MFA or encryption a Level 1 requirement?
- Neither appears as a separately numbered safeguard in the 15. Both can still be the right way to meet the access or communications requirements, or be required by another clause. Their absence from the list is not permission to skip them where they're warranted.
- Does handling FCI mean I need GCC High or a FedRAMP cloud?
- Not automatically. The 15 safeguards don't name a specific cloud. FedRAMP becomes a firm requirement for cloud providers when DFARS 252.204-7012 applies to covered defense information — a CUI question, not an FCI-only Level 1 one. Confirm which regime your contract puts you in.
- How long must Level 1 evidence be kept?
- Six years from the CMMC status date (32 CFR §170.15(c)(2)).
- Did the July 2026 Phase 2 suspension pause Level 1?
- No. The July 13, 2026 memo suspended the transition to third-party assessments (Phase 2) but expressly kept Phase 1 self-assessments in place.
- Does the suspension change a contract I already hold?
- Not by itself. The government is directed to amend solicitations and modify contracts to remove Level 2 (C3PAO) and Level 3 (DIBCAC) requirements, but until that amendment or modification issues, follow the instrument you signed.
- Should my documentation cite FAR 52.204-21 or FAR 52.240-93?
- Record whichever appears in your actual contract. The codified FAR and the current CMMC rule reference 52.204-21; affected DoD solicitations issued under the current class deviation use 52.240-93. They point to the same requirements.
- Do the FCI safeguarding requirements flow down to subcontractors?
- Yes — and there are two flow-downs. FAR 52.204-21(c) flows the safeguarding clause down (excluding true COTS). Separately, when a CMMC requirement applies, 32 CFR §170.23 and DFARS 252.204-7021 require applicable subcontractors to hold and affirm the required CMMC status.
- Does NIST SP 800-171 Revision 3 control CMMC yet?
- No. The current CMMC rule still incorporates NIST SP 800-171 Revision 2 for Level 2 and selected requirements from the February 2021 edition of NIST SP 800-172 for Level 3, unless and until DoD amends the rule.