# CMMC 2.0 Level 1 Checklist — Foundational (17 Practices)

**Source:** FAR 52.204-21 / NIST SP 800-171 Rev 2
**Applies To:** Contractors handling Federal Contract Information (FCI)
**Assessment Type:** Annual Self-Assessment

> **How to use:** Mark each practice ✅ Implemented | 🔄 In Progress | ❌ Not Implemented | N/A Not Applicable

---

## Domain 1: Access Control (AC)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 1 | AC.L1-3.1.1 | Limit system access to authorized users, processes, and devices | ☐ | |
| 2 | AC.L1-3.1.2 | Limit system access to the types of transactions and functions authorized users are permitted to execute | ☐ | |
| 3 | AC.L1-3.1.20 | Verify and control all connections to external systems | ☐ | |
| 4 | AC.L1-3.1.22 | Control CUI posted or processed on publicly accessible systems | ☐ | |

---

## Domain 2: Identification & Authentication (IA)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 5 | IA.L1-3.5.1 | Identify information system users, processes, and devices | ☐ | |
| 6 | IA.L1-3.5.2 | Authenticate the identities of users, processes, or devices before allowing access | ☐ | |

---

## Domain 3: Media Protection (MP)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 7 | MP.L1-3.8.3 | Sanitize or destroy system media before disposal or reuse | ☐ | |

---

## Domain 4: Physical Protection (PE)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 8 | PE.L1-3.10.1 | Limit physical access to systems to authorized individuals | ☐ | |
| 9 | PE.L1-3.10.3 | Escort visitors and monitor visitor activity | ☐ | |
| 10 | PE.L1-3.10.4 | Maintain audit logs of physical access | ☐ | |
| 11 | PE.L1-3.10.5 | Control and manage physical access devices | ☐ | |

---

## Domain 5: System & Communications Protection (SC)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 12 | SC.L1-3.13.1 | Monitor, control, and protect communications at external boundaries and key internal boundaries | ☐ | |
| 13 | SC.L1-3.13.5 | Implement subnetworks for publicly accessible system components | ☐ | |

---

## Domain 6: System & Information Integrity (SI)

| # | Practice ID | Requirement | Status | Notes |
|---|---|---|---|---|
| 14 | SI.L1-3.14.1 | Identify, report, and correct system flaws in a timely manner | ☐ | |
| 15 | SI.L1-3.14.2 | Provide protection from malicious code at appropriate locations | ☐ | |
| 16 | SI.L1-3.14.4 | Update malicious code protection mechanisms when new releases are available | ☐ | |
| 17 | SI.L1-3.14.5 | Perform periodic scans and real-time scans of files from external sources | ☐ | |

---

## Summary Score

| Status | Count |
|---|---|
| ✅ Implemented | /17 |
| 🔄 In Progress | /17 |
| ❌ Not Implemented | /17 |
| N/A | /17 |

**Score:** ___/110 (using SPRS scoring methodology)

---

## Next Steps

- [ ] Document all implemented controls in your System Security Plan (SSP)
- [ ] Create POA&M entries for all gaps
- [ ] Set remediation target dates
- [ ] Submit SPRS score at [piee.eb.mil](https://piee.eb.mil)

---

*For Level 2 assessment, see `CMMC-Level-2-Checklist.md`*
*Questions? Contact FraterIT Enterprises — info@fraterit.com*
