← Custodia

CMMC Level 1 Is Binary. There Is No Score. Here's What That Means.

CMMC Level 1 produces a single MET / NOT MET result, not a 0-110 score. Every one of the 15 FAR 52.204-21 safeguarding requirements must be MET to pass. No partial credit, no POA&M, no curve. Here's what that actually means in practice.

By David Fuentes· Compliance Officer, CustodiaMay 11, 20268 min read

Two minutes on a federal contracting forum will leave you convinced that “everyone needs a SPRS score of 88 or above.” That's true at Level 2. It's false at Level 1, where most small DoD contractors actually live. This post explains how the Level 1 grading regime actually works, what “binary” means in plain English, and the only legitimate escape valve in the rule.

TL;DR, the rule in one sentence

What “binary” actually means

Three things, in the order they matter:

  1. Per requirement, the finding is one of three values: MET, NOT MET, or NOT APPLICABLE. There is no “mostly MET,” “MET except on one laptop,” or “MET if you don't look at the warehouse PC.” The finding applies to your scope as a whole.
  2. No numbers anywhere. No 0 to 110 scale, no percentages, no weights. The Level 1 self-assessment is a checklist of 15 items.
  3. The overall result is the rollup.All 15 MET → assessment MET. Any NOT MET → assessment NOT MET. The senior official cannot truthfully file a MET affirmation if any requirement is actually NOT MET.

The 15 requirements you have to MET

These are the safeguarding requirements at FAR 52.204-21(b)(1)(i), (xv), grouped by the six CMMC Level 1 domains. Every one of them must be MET on every system that touches FCI.

Access Control, 4 requirements
  • AC.L1-3.1.1Limit access to authorized users
  • AC.L1-3.1.2Limit functions per user
  • AC.L1-3.1.20Control external connections
  • AC.L1-3.1.22Control public information
Identification & Auth, 2 requirements
  • IA.L1-3.5.1Identify users & devices
  • IA.L1-3.5.2Authenticate users & devices
Media Protection, 1 requirement
  • MP.L1-3.8.3Sanitize media before disposal
Physical Protection, 4 requirements
  • PE.L1-3.10.1Limit physical access
  • PE.L1-3.10.3Escort & monitor visitors
  • PE.L1-3.10.4Physical access logs
  • PE.L1-3.10.5Manage physical access devices
System & Comms, 2 requirements
  • SC.L1-3.13.1Monitor communications at boundary
  • SC.L1-3.13.5Public-system subnetworks
System & Info Integrity, 2 requirements
  • SI.L1-3.14.1Identify & correct system flaws
  • SI.L1-3.14.2Malicious code protection
The 15 FAR 52.204-21(b)(1) safeguarding requirements, grouped by the six CMMC Level 1 domains. Source: 48 CFR §52.204-21; DoD CMMC Scoping Guide, Level 1, v2.13 (Sept 2024).

That's the entire program. Most are common-sense business hygiene a well-run small company is already doing in some form, the Level 1 assessment just asks you to do them deliberately and document the evidence.

Why Level 2 has a score and Level 1 doesn't

Two different problems, two different grading regimes.

PropertyLevel 1Level 2
Requirement count15110
SourceFAR 52.204-21(b)(1)NIST SP 800-171 Rev. 2/3
ScoringBinary, MET / NOT METNumeric, −203 to +110
Minimum to passAll 15 MET88/110 (with POA&M)
POA&M permittedNoYes (close in 180 days)
Who assessesYourself, annuallyC3PAO, every 3 years
Why scored this waySmall fixed set, either you do them or you don'tLarge set, partial implementation is meaningful info for the government

Binary scoring at Level 1 is not a quirk, it's the regulator's design choice. With only 15 requirements and every requirement being a non-negotiable basic hygiene item, a numeric score would just be misleading. Either you patch your systems or you don't. Either you run anti-malware or you don't. There is no “75 percent of a patch.”

The one escape valve: NOT APPLICABLE

Under the CMMC Assessment Guide, Level 1, a requirement can be marked NOT APPLICABLE rather than NOT MET in a narrow case: the requirement does not apply to your environment. The standard example is the requirement to manage physical access devices (PE.L1-3.10.5) in a fully remote company that has no office. You document the reason; you do not magically pass.

What an audit failure actually costs

Level 1 has no C3PAO; the audit is your own self-assessment. So what's the consequence of failing? Three real scenarios:

  1. You honestly find one requirement NOT MET. Remediate it, re-test, and affirm. This is the system working as designed. Most first-year Level 1 contractors hit this loop once or twice.
  2. You affirm MET when one is actually NOT MET. A federal false statement under 18 U.S.C. § 1001 with False Claims Act exposure under 31 U.S.C. § 3729. The DOJ's Civil Cyber-Fraud Initiative has produced settlements between $1M and $9M+ against contractors who misrepresented cybersecurity posture. The affirming official is named personally.
  3. You miss the annual affirmation deadline. Your status in SPRS lapses. Contracts that condition award on a current affirmation become ineligible for you. The fix is to affirm; there is no penalty beyond lost eligibility, but the eligibility loss is real.

What to do this week

  1. Take the 4-minute SPRS readiness quiz to see how you stand on each of the 15 requirements right now.
  2. If you haven't scoped your environment, take the free CMMC check first.
  3. Read FAR 52.204-21(b)(1) yourself, the entire clause fits on a single page.
  4. Subscribe to the Monday Bid Digest for weekly Level 1-fit federal opportunities.

FAQ

What score do you need to pass CMMC Level 1?

There is no score. Level 1 is binary, every one of the 15 requirements must be MET. The 0 to 110 score belongs to Level 2.

Can Level 1 use a POA&M?

No. 32 CFR § 170.21(a) requires every requirement to be MET at the time of the annual affirmation. POA&M is a Level 2 feature.

What if one requirement is NOT MET?

The whole assessment is NOT MET. Remediate, re-test, then affirm. Don't file MET when something is NOT MET.

Is there partial credit?

No. Each requirement is MET, NOT MET, or NOT APPLICABLE. Anything short of MET counts as NOT MET for the rollup.

Is binary scoring harder than Level 2's score?

Easier overall for small contractors, fewer requirements, no C3PAO, no SSP-to-objectives mapping. The per-requirement bar is strict, but the total surface area is much smaller.

Keep reading
  1. CMMC Level 1
    CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors

    The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.

    Read →
  2. CMMC Level 1
    How to Do CMMC Level 1 Yourself (Free, Complete Guide), 2026

    CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.

    Read →
  3. CMMC Level 1
    The CMMC Level 1 Self-Assessment Checklist (Free, Printable PDF), 2026

    Every CMMC Level 1 requirement, in plain English, on a printable page. No email gate. No upsell. Just the checklist.

    Read →
Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)