High-level security areas used to organize requirements.
Level 1 assesses practices across 6 of the 14 domains.
Basic security practices required to protect Federal Contract Information (FCI).
FAR 52.204-21 defines 17 safeguarding requirements.
15 are assessed under CMMC Level 1, while the remaining 2 requirements are enforced through DFARS contract obligations and are not directly assessed as CMMC practices.
Across the 15 controls, Level 1 includes 30 assessment objectives. Each control is unpacked into one or more objective-level actions that you must demonstrate during a self-assessment.
The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:
CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements—just a structural carryover from the original DoD-to-NIST mapping exercise.