Federal acquisition regulation 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems” includes 15 security controls. CMMC level one draws it’s security practices from FAR 52.204-21.
With FAR 52.204-21 contractors are expected to implement the 15 required security controls. There are no documentation requirements such as a plan of action & milestone or system security plan. FAR 52.203-21 applies to what is known as “covered contractor information systems”. Those are systems that process, store, or transmit federal contract information.
CMMC Level one and FAR 52.204-21
CMMC level one draws its requirements from FAR 52.204-21. Like FAR 52.204-21, CMMC level one doesn’t have any documentation requirements. Companies with a CMMC level one requirement are simply responsible for implementing the 17 CMMC practices.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.