Understanding the Basics of CMMC Level 1

Blank Rome LLP

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

What are the requirements of CMMC Level 1?

CMMC Level 1 requires contractors to implement the 15 security requirements identified in FAR 52.204-21(b)(1), Basic Safeguarding of Covered Contractor Information Systems, for contractor information systems that process, store, or transmit FCI. These requirements include limiting system access, user authentication, system sanitization, and protection against malicious code. Most companies that conduct business with the federal government should have already implemented these 15 security requirements because they have been in place since 2016.

Contractors must also perform an annual self-assessment of each information system that stores, processes, or transmits FCI for compliance with the CMMC Level 1 security requirements. Contractors can only achieve CMMC Level 1 compliance by meeting all 15 security requirements identified in FAR 52.204-21(b)(1). If a contractor fails even one security requirement, then the contractor is not compliant with CMMC Level 1 and is ineligible for contracts requiring CMMC Level 1 compliance. After conducting each self-assessment, contractors must enter the results of the assessment into DoD’s Supplier Performance Risk System (“SPRS”). A “senior official” from the contractor must also affirm compliance with the CMMC Level 1 security requirements on an annual basis in SPRS.

Does CMMC Level 1 apply to subcontractors?

CMMC Level 1 applies to all subcontractors, at all tiers, if those subcontractors will store, process, or transmit FCI through their information systems. If a subcontractor can perform without FCI, then it may not need to comply with CMMC Level 1.

When will DoD begin incorporating CMMC Level 1 requirements into contracts?

CMMC Level 1 will become a condition for contract award as soon as the final CMMC rule goes into effect. The comment period on the CMMC proposed rule is slated to close on February 26, 2024. DoD takes on average about one year to issue a final rule after comments close. This means that DoD could begin requiring CMMC Level 1 compliance in late 2024 or early 2025. DoD expects that compliance will be straightforward since contractors are already required to comply with the CMMC Level 1 security requirements under FAR 52.204-21(b)(1). The only additional step contractors will need to take to achieve CMMC Level 1 compliance is to conduct the self-assessment and upload the assessment score and affirmation to SPRS.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising
