The 15 CMMC Level 1 Practices Explained (With Examples)


CMMC Level 1 has 15 security practices. Every organization that handles Federal Contract Information (FCI) under a Department of Defense (DoD) contract must implement all 15. (The department was redesignated the Department of War by executive order in September 2025.) The practices are derived directly from FAR Clause 52.204-21 and cover six security domains.

This article walks through each of the 15 practices, explains what each one requires in plain language, and gives a concrete example of what implementation looks like. If you are working toward Level 1 compliance, this is your checklist.

How the 15 Practices Are Organized

The 15 practices span six domains. Each practice has a CMMC identifier in the format [Domain].[Level]-b.[FAR paragraph]; for example, AC.L1-b.1.i is the Access Control domain, Level 1, FAR 52.204-21 paragraph (b)(1)(i).

Access Control (AC): 4 Practices

AC.L1-b.1.i — Authorized Access Control

Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

What it means: Only people who are supposed to have access to your systems and data should have it. Shared accounts, guest accounts left active, and former employees who still have credentials are the most common failures.

What implementation looks like:

  • Active Directory or another identity management system with individual user accounts
  • Documented list of authorized users per system
  • Offboarding process that disables accounts on the day of employee departure
  • No shared or generic accounts (such as "admin" or "IT") used for regular access

AC.L1-b.1.ii — Transaction and Function Control

Requirement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

What it means: Users should only be able to do what their job requires. An accountant does not need administrative access to servers. A warehouse employee does not need access to contract data repositories.

What implementation looks like:

  • Role-based access control, with roles defined by job function
  • Standard users do not have local administrator rights on their workstations
  • Principle of least privilege applied: each user has only the access their role requires
  • Documented review of user roles and permissions at least annually

AC.L1-b.1.iii — External Connections

Requirement: Verify and control/limit connections to and use of external information systems.

What it means: You need visibility and control over how your systems connect to outside systems and how external systems connect to yours. This includes employee use of personal devices to access work resources and connections from vendors or external service providers.

What implementation looks like:

  • Firewall rules that control inbound and outbound network connections
  • Documented approval process for connecting external systems to your environment
  • VPN required for remote access rather than direct RDP or other uncontrolled access
  • Policy governing acceptable use of external/personal devices

AC.L1-b.1.iv — Control Public Information

Requirement: Control information posted or processed on publicly accessible information systems.

What it means: If your organization has a website, social media presence, or any publicly accessible system, you must have controls to ensure FCI does not end up there. Someone has to be responsible for reviewing what goes onto public systems before it is posted.

What implementation looks like:

  • A documented policy or procedure for content review before public posting
  • Designated approver for publicly posted content
  • Training or awareness for employees who manage public communications
  • Regular review of publicly accessible content to identify and remove anything that should not be public

Identification and Authentication (IA): 2 Practices

IA.L1-b.1.v — Identification

Requirement: Identify information system users, processes acting on behalf of users, and devices.

What it means: Every user, automated process, and device accessing your systems must have a unique identity. You need to know who (or what) is accessing your systems at any given time.

What implementation looks like:

  • Unique user accounts for every individual (no shared accounts)
  • Device certificates or registration for managed endpoints
  • Service accounts for automated processes, separate from human user accounts
  • Inventory of all user accounts and service accounts with documented owners
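The account inventory and offboarding checks above (AC.L1-b.1.i and IA.L1-b.1.v) boil down to a review that can be automated against an export of your identity system. The script below is an added example, not part of the original article; the account fields, the generic-name list, and the sample export are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Names that signal a shared or generic account rather than an individual (assumed list;
# extend it with whatever naming your own environment uses).
GENERIC_NAMES = {"admin", "it", "guest", "shared", "helpdesk"}

@dataclass
class Account:
    name: str
    enabled: bool
    owner: Optional[str]         # documented responsible person; None means undocumented
    is_service: bool             # service accounts may have a team, not a person, as owner
    departed_on: Optional[date]  # HR separation date of the owner, if they have left

def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for an AC.L1-b.1.i / IA.L1-b.1.v access review."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is no longer an access path
        if acct.name.lower() in GENERIC_NAMES and not acct.is_service:
            findings.append((acct.name, "shared or generic account in use"))
        if acct.owner is None:
            findings.append((acct.name, "no documented owner"))
        if acct.departed_on is not None and acct.departed_on <= today:
            findings.append((acct.name, "owner has departed but account is still enabled"))
    return findings

# Constructed sample export (not real users); AS_OF is the review date.
AS_OF = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, "J. Smith", False, None),
    Account("admin", True, None, False, None),
    Account("svc-backup", True, "IT Operations", True, None),
    Account("rjones", True, "R. Jones", False, date(2025, 3, 1)),
    Account("tbrown", False, "T. Brown", False, date(2024, 11, 15)),
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{name}: {finding}")
```

Running this against the sample flags the generic "admin" account twice (shared, no owner) and the still-enabled account of a departed employee, while the disabled account is correctly ignored.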

IA.L1-b.1.vi — Authentication

Requirement: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

What it means: Knowing who a user is means verifying the claimed identity, not assuming it. Passwords are the minimum. This practice requires that authentication happens before access is granted.

What implementation looks like:

  • Password authentication enforced for all system access (no open or passwordless access)
  • Password complexity and length requirements configured in your identity system
  • No accounts with empty or default passwords
  • Session timeouts that require re-authentication after periods of inactivity

Note: Level 1 requires authentication but does not mandate multi-factor authentication (MFA). MFA is a Level 2 requirement. At Level 1, strong passwords with proper management satisfy this practice.

Media Protection (MP): 1 Practice

MP.L1-b.1.vii — Media Disposal

Requirement: Sanitize or destroy information system media containing Federal Contract Information before disposal or reuse.

What it means: Before a hard drive, USB drive, laptop, workstation, or any storage media leaves your control, you must ensure FCI on it cannot be recovered. This applies to end-of-life equipment, returns to manufacturers, trade-ins, and repurposing old hardware.

What implementation looks like:

  • Documented media sanitization policy (referencing NIST SP 800-88 or equivalent)
  • Use of certified data wiping tools before device disposal or reuse
  • Physical destruction of media that cannot be reliably wiped (failed drives, damaged media)
  • Certificate of destruction or sanitization log for each disposed media item
  • Contract requirements for cloud providers or MSPs to sanitize storage before repurposing

Physical Protection (PE): 2 Practices

PE.L1-b.1.viii — Limit Physical Access

Requirement: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

What it means: Physical access to your systems and the spaces where they operate must be controlled. Unauthorized individuals should not be able to walk up to a server, workstation, or network closet without a barrier.

What implementation looks like:

  • Locked server room or network closet with access restricted to IT personnel
  • Locked workstation areas or office spaces for after-hours security
  • Badge or key access controls for server rooms
  • No unattended, unlocked workstations in common areas
  • Equipment inventory with documented physical locations

PE.L1-b.1.ix — Manage Visitors and Physical Access

Requirement: Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices (e.g., keys, locks, combinations, and card readers).

What it means: When people who are not employees visit your facility, you need to manage their access. You also need records of who accessed what spaces and when, and you need to manage the keys and badges that control that access.

What implementation looks like:

  • Visitor log at the entrance to the facility or controlled areas
  • Visitor badges or identification that distinguishes non-employees
  • Escort policy for visitors in areas with IT equipment
  • Audit log for electronic access control systems (badge readers)
  • Process for revoking physical access credentials (badges, keys) when access is no longer authorized

System and Communications Protection (SC): 2 Practices

SC.L1-b.1.x — Boundary Protection

Requirement: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

What it means: Your network needs a protected perimeter. Traffic coming in and going out should be controlled and monitored. This is fundamentally about having and maintaining a firewall with appropriate rules.

What implementation looks like:

  • Firewall deployed at the internet boundary with documented rule sets
  • Default-deny posture (block all unless explicitly permitted)
  • Logging of firewall activity
  • Regular review of firewall rules to remove outdated or unnecessary permissions
  • DNS filtering or web proxy to control outbound web access

SC.L1-b.1.xi — Public-Access System Separation

Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

What it means: If your organization runs any publicly accessible systems (a web server, public file share, or external-facing application), those systems must be separated from your internal network. They should not be on the same network segment as your workstations and internal servers.

What implementation looks like:

  • Web servers and public-facing systems hosted in a DMZ (demilitarized zone) separate from the internal network
  • VLAN separation between public and internal network segments
  • Firewall rules that prevent direct communication from the DMZ to the internal network
  • For organizations using cloud hosting for public systems: the cloud environment hosting public-facing assets is logically separate from the corporate network
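The default-deny and DMZ-isolation requirements (SC.L1-b.1.x and SC.L1-b.1.xi) are properties of an ordered rule set that can be checked mechanically during the periodic rule review. The checker below is an added example and not from the article; the address ranges, rule fields, and sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network segments for the example (not a real site's addressing).
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("192.168.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None means any port

def review_ruleset(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Findings for an ordered rule set where the first matching rule wins."""
    findings = []
    # SC.L1-b.1.x: default-deny means the final rule must explicitly drop everything unmatched.
    last = rules[-1]
    if not (last.action == "deny" and last.src == ANY and last.dst == ANY and last.port is None):
        findings.append((last.name, "rule set does not end in an explicit deny-all"))
    for rule in rules:
        if rule.action != "allow":
            continue
        # SC.L1-b.1.xi: no allow rule may let a DMZ source reach the internal network
        # (a source broader than the DMZ, such as ANY, still includes it).
        if rule.src.overlaps(DMZ) and rule.dst.overlaps(INTERNAL):
            findings.append((rule.name, "allows DMZ to reach internal network"))
        # SC.L1-b.1.x: an allow from anywhere to anywhere defeats default-deny.
        if rule.src == ANY and rule.dst == ANY:
            findings.append((rule.name, "permits any source to any destination"))
    return findings

# Constructed sample rule set in evaluation order; "dmz-to-db" is included
# deliberately so the reviewer sees how a DMZ-to-internal path is flagged.
SAMPLE_RULES = [
    Rule("web-in", "allow", ANY, ipaddress.ip_network("192.168.100.10/32"), 443),
    Rule("dmz-to-db", "allow", DMZ, ipaddress.ip_network("10.10.5.20/32"), 1433),
    Rule("mgmt-to-dmz", "allow", INTERNAL, DMZ, 22),
    Rule("catch-all", "deny", ANY, ANY, None),
]

if __name__ == "__main__":
    for name, finding in review_ruleset(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Management access from the internal network into the DMZ passes, because the practice restricts the DMZ from initiating connections inward, not the reverse.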

System and Information Integrity (SI): 4 Practices

SI.L1-b.1.xii — Flaw Remediation

Requirement: Identify, report, and correct information and information system flaws in a timely manner.

What it means: Software vulnerabilities need to be found and patched. This applies to operating systems, applications, firmware, and any other software running on your systems. "Timely" is not defined with a specific number of days in Level 1, but the intent is a systematic process, not ad hoc patching.

What implementation looks like:

  • Automated patch management for operating systems and major applications
  • Documented patching schedule (e.g., critical patches within 30 days, non-critical within 90 days)
  • Vulnerability scanning to identify unpatched systems
  • Process for end-of-life software that no longer receives security updates

SI.L1-b.1.xiii — Malicious Code Protection

Requirement: Provide protection from malicious code at appropriate locations within organizational information systems.

What it means: Antivirus and endpoint protection must be deployed on your systems. The standard is protection at "appropriate locations," which means at minimum on endpoints and servers.

What implementation looks like:

  • Endpoint protection (antivirus/EDR) deployed on all workstations and servers
  • Real-time scanning enabled (not just scheduled scans)
  • Protection against multiple malware categories (viruses, ransomware, trojans, spyware)
  • Centralized management for visibility across the environment

SI.L1-b.1.xiv — Update Malicious Code Protection

Requirement: Update malicious code protection mechanisms when new releases are available.

What it means: Antivirus definitions and endpoint protection software must be kept current. A six-month-old antivirus signature database does not protect against current threats.

What implementation looks like:

  • Automatic definition updates configured on all endpoint protection tools
  • Software version updates applied within a reasonable timeframe after release
  • Centralized monitoring to confirm definition freshness across the environment
  • Alerts for endpoints that fall behind on definition updates
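The documented patching schedule in SI.L1-b.1.xii and the definition-freshness alerts in SI.L1-b.1.xiv are both "is this past its deadline?" checks over an endpoint inventory. The script below is an added example, not part of the article; it uses the 30/90-day schedule quoted above, while the three-day definition threshold, host fields, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Patching schedule taken from the article's example: critical within 30 days, non-critical within 90.
PATCH_SLA_DAYS = {"critical": 30, "non-critical": 90}
# Assumed staleness threshold for malware definitions; use whatever your policy documents.
DEFINITION_MAX_AGE = timedelta(days=3)

@dataclass
class Host:
    name: str
    missing_patches: List[Tuple[str, str, date]]  # (patch id, severity, vendor release date)
    definitions_updated: Optional[datetime]       # None: endpoint agent is not reporting
    supported_os: bool                            # False once the OS is end-of-life

def patch_findings(hosts: List[Host], today: date) -> List[Tuple[str, str]]:
    """Hosts with patches past the documented schedule (SI.L1-b.1.xii)."""
    out = []
    for h in hosts:
        if not h.supported_os:
            out.append((h.name, "end-of-life OS: no longer receives security updates"))
        for patch_id, severity, released in h.missing_patches:
            days_over = (today - released).days - PATCH_SLA_DAYS[severity]
            if days_over > 0:
                out.append((h.name, f"{patch_id} ({severity}) is {days_over} days past SLA"))
    return out

def definition_findings(hosts: List[Host], now: datetime) -> List[Tuple[str, str]]:
    """Endpoints whose definitions are stale or unreported (SI.L1-b.1.xiv)."""
    out = []
    for h in hosts:
        if h.definitions_updated is None:
            out.append((h.name, "endpoint protection not reporting"))
        elif now - h.definitions_updated > DEFINITION_MAX_AGE:
            out.append((h.name, f"definitions {(now - h.definitions_updated).days} days old"))
    return out

# Constructed sample inventory; host names and patch identifiers are placeholders.
AS_OF = date(2025, 6, 1)
NOW = datetime(2025, 6, 1, 9, 0)
SAMPLE_HOSTS = [
    Host("ws-01", [("PATCH-EXAMPLE-1", "critical", date(2025, 4, 15))], datetime(2025, 5, 31, 22, 0), True),
    Host("ws-02", [("PATCH-EXAMPLE-2", "non-critical", date(2025, 4, 1))], datetime(2025, 5, 20, 1, 0), True),
    Host("srv-legacy", [], None, False),
]

if __name__ == "__main__":
    for name, finding in patch_findings(SAMPLE_HOSTS, AS_OF) + definition_findings(SAMPLE_HOSTS, NOW):
        print(f"{name}: {finding}")
```

A non-reporting agent is treated as a finding rather than as "no data", since an endpoint that has gone silent cannot be assumed to have current definitions.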

SI.L1-b.1.xv — System and File Scanning

Requirement: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

What it means: Two types of scanning are required: scheduled scans of the full system, and real-time scanning of files as they enter your environment (downloads, email attachments, USB files). Most modern endpoint protection tools handle both automatically.

What implementation looks like:

  • Scheduled full system scans (weekly at minimum)
  • Real-time file scanning enabled for all endpoints
  • Email gateway scanning for attachments and links
  • Removable media scanning triggered on device insertion
  • Logging of scan results and any detections

Putting It All Together: Level 1 Readiness Assessment

Use this quick checklist to estimate your current Level 1 posture:

For most organizations, the technical controls (firewall, antivirus, patch management) are either present or straightforward to implement. The gaps are usually in documentation, process, and the edge cases: the server room that is always unlocked, the retired employee whose account was never disabled, the old laptop sitting in a closet that was never wiped.

Key Takeaways

  • CMMC Level 1 has exactly 15 practices, all from FAR Clause 52.204-21
  • Six domains: AC (4), IA (2), MP (1), PE (2), SC (2), SI (4)
  • All 15 must be Met for a clean Level 1 self-assessment
  • Most Level 1 gaps are in documentation and process, not major technical controls
  • Level 1 requires annual self-assessment and senior official affirmation

Learn More

For the full CMMC program overview, see CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.

Related articles in this series:

Working through Level 1 compliance and need help getting to a clean score? NR Labs provides guided Level 1 gap assessments and SPRS submission support for defense contractors. Contact us to schedule a conversation.