CMMC Level 1 draws from Federal Acquisition Regulation (FAR) 52.204-21, which does not use the NIST 800-171 domain structure. To maintain consistency across the model, the 15 Level 1 safeguards are aligned to 6 of the 14 NIST 800-171 domains.
Level 1 contains 15 controls, all sourced directly from FAR 52.204-21(b)(1). These are considered the minimum security requirements for any contractor who processes, stores, or transmits Federal Contract Information (FCI).
Across the 15 controls, Level 1 includes 30 assessment objectives. Each control is unpacked into one or more objective-level actions that you must demonstrate during a self-assessment.
The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:
CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements—just a structural carryover from the original DoD-to-NIST mapping exercise.