Protect Federal Contract Information. Maintain DoD contract eligibility. palmiq delivers the FCI scoping, gap analysis, control implementation, and self-assessment preparation you need to meet all 15 FAR 52.204-21 practices and submit to SPRS with confidence.
CMMC Level 1 (Foundational) is the first tier of the Department of Defense’s Cybersecurity Maturity Model Certification program. It requires defense contractors and subcontractors to implement 15 basic cybersecurity practices derived from FAR Clause 52.204-21 to protect Federal Contract Information (FCI).
FCI is any non-public information provided by or generated for the government under a contract. This includes contract numbers, delivery schedules, budgets, project status reports, proposals, and invoices. If your organization handles FCI but not Controlled Unclassified Information (CUI), Level 1 is your compliance target.
Unlike CMMC Level 2, Level 1 uses a self-assessment model — no third-party audit is required. However, compliance is all-or-nothing: every practice must be fully implemented before you can submit your results to the Supplier Performance Risk System (SPRS). Plans of Action & Milestones (POA&Ms) are not permitted at Level 1.
- 15: Required Practices (FAR 52.204-21)
- 6: Security Domains Across All Practices
- 63%: of DIB Estimated to Need Level 1
- 0: No POA&Ms Allowed (Pass or Fail Only)
Enforcement Is Live
CMMC Level 1 requirements began appearing in DoD solicitations and contracts on November 10, 2025. Contractors without a current CMMC status in SPRS risk losing eligibility for existing and new DoD contracts.
Sound Familiar?
These are the problems defense contractors bring to palmiq when preparing for CMMC Level 1.
“We Don’t Know What Counts as FCI or What’s in Scope.”
palmiq maps your FCI data flows, identifies every system, person, facility, and service provider that processes, stores, or transmits FCI, and defines the precise assessment boundary — minimizing scope without missing assets.
“It’s Pass/Fail and We Can’t Afford to Get It Wrong.”
No POA&Ms are allowed at Level 1. Every practice must be MET before you can submit to SPRS. palmiq conducts a thorough gap analysis and closes every gap before your self-assessment so there are no surprises.
“We Don’t Have Documentation or Evidence.”
Even though Level 1 doesn’t require a System Security Plan, you need verifiable evidence for every practice. palmiq creates your information security policy, gathers evidence (screenshots, configs, logs, access lists), and builds an audit-ready package.
“We Don’t Have IT Staff to Implement the Controls.”
As a full-service MSP, palmiq doesn’t just assess — we implement. Access controls, MFA, antivirus, firewalls, media sanitization, visitor management: we handle all 15 practices and manage them ongoing.
Six Domains of CMMC Level 1
All 15 practices are organized across six security domains derived from FAR 52.204-21. Every practice must be fully MET — no exceptions.
Access Control
- Limit system access to authorized users
- Limit access to authorized transaction types and functions
- Verify and control connections to external systems
- Control information on publicly accessible systems
Identification & Authentication
- Identify system users, processes, and devices
- Authenticate identities before granting system access
Media Protection
- Sanitize or destroy media containing FCI before disposal or reuse
Physical Protection
- Limit physical access to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices
System & Communications Protection
- Monitor, control, and protect communications at system boundaries
- Implement subnetworks for publicly accessible system components
System & Information Integrity
- Identify, report, and correct system flaws in a timely manner
- Provide protection from malicious code at designated locations
What palmiq’s CMMC Level 1 Services Include
Everything you need to go from uncertainty to a clean self-assessment and current CMMC status in SPRS.
1. FCI Scoping & Asset Inventory
- Map FCI data flows across people, systems, and facilities
- Identify all in-scope assets that process, store, or transmit FCI
- Determine enclave vs. enterprise scope strategy
- Identify specialized assets excluded from assessment
- Document assessment boundary and scope rationale
2. Gap Analysis & Remediation
- Evaluate all 15 practices against assessment objectives
- Document MET/NOT MET status for each practice
- Identify every gap blocking a passing self-assessment
- Deliver prioritized remediation plan with timelines
- Close all gaps before self-assessment (no POA&Ms allowed)
3. Control Implementation
- Access control: user account management, least privilege, MFA
- Physical security: visitor logs, badge access, media destruction
- Identity management: user identification, authentication enforcement
4. Self-Assessment & SPRS Submission
- Conduct formal self-assessment per NIST 800-171A objectives
- Compile evidence package for all 15 practices
- Prepare senior official affirmation documentation
- Guide SPRS submission and reporting
- Establish annual reassessment and affirmation process
Where Level 1 Fits in the CMMC Framework
CMMC 2.0 has three tiers. Level 1 is the foundational baseline required for any DoD contractor handling FCI.
Level 1 — Foundational
Protects FCI
- 15 practices from FAR 52.204-21
- 6 security domains
- Annual self-assessment
- Senior official affirmation
- No POA&Ms permitted
- SPRS submission required
- ~63% of DIB needs Level 1
RECOMMENDED
Level 2 — Advanced
Protects CUI
- 110 practices from NIST 800-171 Rev. 2
- 14 security domains
- Self-assessment or C3PAO audit
- SPRS score (max 110)
- POA&Ms allowed with conditions
- SSP and POA&M required
- Maps to DFARS 7012
Level 3 — Expert
Protects CUI Against APTs
- 110 + subset of NIST 800-172
- Government-led assessment (DIBCAC)
- Highest assurance tier
- Advanced persistent threat focus
- Requires Level 2 certification first
- Most restrictive DoD contracts
- Phase 3 implementation (2027)
From Gap Analysis to SPRS Submission
A proven process that takes defense contractors from initial assessment to a current CMMC Level 1 status — typically in 3 to 6 months.
FCI Identification & Scoping
Gap Analysis Against 15 Practices: palmiq evaluates each of the 15 FAR 52.204-21 practices against the NIST 800-171A assessment objectives. Every practice is documented as MET or NOT MET with specific findings.
Remediation & Control Implementation: Our engineering team closes every gap: access controls, identity management, firewalls, endpoint protection, physical security, media sanitization, and network boundary protections. All 15 practices must be MET before proceeding.
Policy & Evidence Documentation: palmiq creates your information security policy, gathers evidence for each practice (screenshots, configurations, access lists, visitor logs), and builds a complete, auditable compliance package.
Self-Assessment & SPRS Submission: We conduct the formal self-assessment, prepare the senior official affirmation, and guide you through the SPRS reporting process to establish your current CMMC Level 1 status.
Ongoing Compliance & Annual Reassessment: CMMC Level 1 requires an annual self-assessment and affirmation. palmiq provides ongoing monitoring, quarterly access reviews, and annual reassessment support to keep your CMMC status current.
Your CMMC Level 1 Partner from Assessment to Compliance
Assess + Implement + Manage
We don’t just identify gaps — we close them. palmiq implements and operates the controls your organization needs as part of your ongoing managed services.
Government & DIB Focus
Years of experience serving defense contractors, government agencies, and regulated industries. We understand FCI, CUI, DFARS, and the CMMC assessment methodology inside and out.
Entra ID, Defender, Intune
Expert deployment of the Microsoft security stack for identity management, endpoint protection, and access control practices required at Level 1.
Endpoint & Backup
Enterprise-grade antivirus, anti-malware, and backup solutions that directly satisfy System & Information Integrity practices at Level 1.
Ashburn, Virginia
Certified women-owned small business in the heart of the defense corridor. No long-term contracts required. Built for the DIB.
English & Spanish
Full service delivery in English and Spanish, supporting defense contractors and subcontractors across the Americas.
"palmiq took us from zero documentation to a clean CMMC Level 1 self-assessment in under four months. They scoped our FCI, implemented every control, and walked us through the SPRS submission. We’re now bidding on contracts we couldn’t touch before."
— Owner, Small Defense Subcontractor
Frequently Asked Questions
What is the difference between FCI and CUI?
Do we need a third-party audit for CMMC Level 1?
Can we use POA&Ms at Level 1?
How long does CMMC Level 1 compliance take?
What is SPRS and how do we submit?
When did CMMC Level 1 enforcement start?
Don’t Lose Your DoD Contracts
CMMC Level 1 enforcement is live. palmiq gives you a clear, managed path from gap analysis to a current CMMC status in SPRS — typically in 3 to 6 months.