
CMMC Level 1 and FCI: What Basic Safeguarding Looks Like

CMMC Level 1 is about basic safeguarding of Federal Contract Information. Here are the capability areas it touches and the evidence a small DIB team would organize.

What Level 1 is about

CMMC Level 1 is the entry level of the program. It is focused on basic safeguarding of Federal Contract Information (FCI) — the non-public information you receive or create under a federal contract that is not intended for public release. The baseline for Level 1 is FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which sets out a short list of basic safeguarding requirements.

This article is generic and educational. It describes the kinds of capabilities and evidence commonly associated with this level — it does not interpret the regulation for you, recommend products, or determine whether your organization meets any requirement. Read the requirements at the source and decide what applies to your environment.

The capability areas it touches

Basic safeguarding maps to a handful of everyday security capability areas. You do not need any particular vendor or tool — what matters is that the capability exists and that you can show it:

  • Identity and access — limiting who can sign in, and using multi-factor authentication.
  • Endpoint protection — anti-malware on the devices you use.
  • Patch management — keeping systems and applications updated.
  • Firewall and perimeter — restricting inbound network access.
  • Basic logging — being able to review key security events.
  • Backup and recovery — being able to restore after data loss.
  • Email security — filtering malicious mail.
  • Asset inventory — knowing what devices and software you have.
  • Security awareness — helping people recognize threats.
  • Policies and documentation — written procedures, kept current.

The evidence you would organize

Level 1 is usually self-assessed, which means the burden is on you to keep the evidence that shows each capability is in place. For a small DIB team, that evidence is rarely exotic — it is screenshots, exports, and records you could already produce:

  • a setting or report showing MFA is required;
  • evidence that endpoint protection is deployed;
  • patch or update records;
  • firewall rules and a simple network description;
  • a hardware and software inventory;
  • backup configuration and a restore-test record;
  • training completion records;
  • your written policies, with a review date.

The challenge is almost never that the evidence does not exist — it is that it is scattered across email, tickets, and individual desktops. A consistent evidence folder structure and an owner for each artifact turn that scramble into something you can find on demand.

Give each artifact an owner and a date

Two habits do most of the work at this level. First, assign an owner to each piece of evidence — the person responsible for producing and refreshing it. Second, date everything in a sortable format so staleness is obvious. A screenshot from two years ago does not show what is true today.
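As an added illustration of the folder-structure, owner and sortable-date habits described above (example code, not part of the original article or the DIBStack product), the script below audits a list of evidence file names against an assumed naming convention, `YYYY-MM-DD_<area>_<artifact>_<owner>.<ext>`, and reports stale artifacts, artifacts with no owner, names that do not follow the convention, and capability areas with no current, owned evidence. The area tags and sample file names are constructed for the example.

```python
import re
from datetime import date, timedelta

# The ten capability areas named above, keyed by the short tag used in file names.
AREAS = {
    "iam": "Identity and access", "endpoint": "Endpoint protection",
    "patch": "Patch management", "firewall": "Firewall and perimeter",
    "logging": "Basic logging", "backup": "Backup and recovery",
    "email": "Email security", "inventory": "Asset inventory",
    "awareness": "Security awareness", "policy": "Policies and documentation",
}

# Assumed convention: sortable ISO date, area tag, artifact label, optional owner, extension.
NAME_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})_([a-z]+)_([A-Za-z0-9-]+)(?:_([a-z]+))?\.[A-Za-z0-9]+$"
)

def audit_evidence(filenames, today_iso, max_age_days=365):
    """Classify evidence file names and list capability areas lacking current, owned evidence."""
    report = {"stale": [], "unowned": [], "unparseable": [], "uncovered": []}
    covered = set()
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    for name in filenames:
        m = NAME_RE.match(name)
        if not m or m.group(2) not in AREAS:
            report["unparseable"].append(name)   # cannot tell what it is or who owns it
            continue
        when, area, _label, owner = m.groups()
        try:
            captured = date.fromisoformat(when)
        except ValueError:                       # e.g. 2025-13-40
            report["unparseable"].append(name)
            continue
        if owner is None:
            report["unowned"].append(name)       # nobody is responsible for refreshing it
        if captured < cutoff:
            report["stale"].append(name)         # older than the review interval
        elif owner is not None:
            covered.add(area)                    # current and owned: counts as coverage
    report["uncovered"] = [AREAS[t] for t in AREAS if t not in covered]
    return report

# Constructed sample names for a small evidence folder (not real artifacts).
SAMPLE_FILES = [
    "2025-09-01_iam_mfa-required-report_jdoe.png",
    "2025-08-15_endpoint_av-deployment-export_asmith.csv",
    "2023-03-02_patch_update-records_jdoe.pdf",   # older than a year: stale
    "2025-07-20_firewall_inbound-rules.txt",       # no owner suffix
    "mfa screenshot.png",                          # does not follow the convention
]
```

Running `audit_evidence(SAMPLE_FILES, "2025-10-01")` flags the patch record as stale, the firewall export as unowned, the loose screenshot as unparseable, and lists eight areas with no current, owned evidence.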

Where to read the requirements

Go to the authoritative sources rather than a summary:

For a fuller map of authoritative CMMC, DFARS, and NIST sources, see our regulatory sources guide.

Organizing it

You can keep all of this in a shared folder with a naming convention. If you would rather start from a standardized set of folders, checklists, and inventories built for exactly this, that is what the DIBStack Evidence Binder provides — a self-service kit you run on your side. It helps you organize evidence; it does not determine whether your organization is compliant.
