CMMC Level 1 Compliance for DoD CNC Machining Suppliers
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense's framework for safeguarding sensitive information in the defense industrial base. CMMC Level 1 — the Foundational tier — applies to contractors and subcontractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Olympus Machining LLC, an ITAR-registered precision CNC machine shop in Hanover, Pennsylvania (CAGE code 9V9P0, York County), maintains practices aligned with CMMC Level 1 and FAR 52.204-21.
What CMMC Level 1 Means for a DoD Subcontractor
CMMC Level 1 is built on the 17 basic safeguarding practices defined in FAR 52.204-21. Any contractor or subcontractor processing, storing, or transmitting FCI on behalf of the federal government is contractually required to meet these practices. For a precision CNC machine shop, FCI typically includes program-related information shared by a prime contractor — purchase orders, drawings marked as FCI, schedules, and technical correspondence.
Level 1 does not address CUI. Programs that flow down CUI require Level 2 (which adds the NIST SP 800-171 control set). Olympus Machining is sized and scoped for Level 1 work and does not currently bid programs that require Level 2 / SP 800-171 certification.
Implementation Table: 17 Practices, FAR Clause, Olympus Implementation, Evidence
Practice-by-practice mapping of FAR 52.204-21 controls to Olympus implementation and the evidence artifact available to prime supplier-quality teams. No FCI-specific or environment-specific details are disclosed publicly; this is the supplier-qualification-level summary.
| Control ID | FAR Clause | Olympus Implementation | Evidence Artifact |
|---|---|---|---|
| AC.L1-3.1.1 (Authorized Access Control) | FAR 52.204-21(b)(1)(i) — Limit information system access to authorized users, processes acting on behalf of authorized users, or devices. | Active Directory / Microsoft 365 account provisioning per named employee. Workstation login requires individual credentials. Shared accounts prohibited on any system that touches FCI. | Account-provisioning record, joiner/mover/leaver log, workstation policy. |
| AC.L1-3.1.2 (Transaction & Function Control) | FAR 52.204-21(b)(1)(ii) — Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Role-based access groups on file shares and ERP. Admin rights restricted to a named subset; standard users cannot install software or alter system configuration. | Role-permission matrix, file-share ACL export. |
| AC.L1-3.1.20 (External Connections) | FAR 52.204-21(b)(1)(iii) — Verify and control/limit connections to and use of external information systems. | Outbound business-service connections (banking, ERP, email) are vetted and documented. No personal cloud-storage or removable-media writes from FCI-handling endpoints. | Approved-services list, USB-policy enforcement record. |
| AC.L1-3.1.22 (Public Information Posting) | FAR 52.204-21(b)(1)(iv) — Control information posted or processed on publicly accessible information systems. | Public website and social channels are reviewed before publication. Customer-controlled material, drawings, FCI, or any program-identifying information is never published. | Marketing approval workflow, public-posting policy. |
| IA.L1-3.5.1 (Identification) | FAR 52.204-21(b)(1)(v) — Identify information system users, processes acting on behalf of users, or devices. | Each employee assigned a unique user account. Service accounts named and inventoried. No shared logins on FCI-handling systems. | User-account inventory, service-account register. |
| IA.L1-3.5.2 (Authentication) | FAR 52.204-21(b)(1)(vi) — Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access. | Password complexity policy enforced via Group Policy. Multi-factor authentication (MFA) required on all remote access and on Microsoft 365. | GPO export, MFA enrollment report. |
| MP.L1-3.8.3 (Media Disposal) | FAR 52.204-21(b)(1)(vii) — Sanitize or destroy information system media containing FCI before disposal or release for reuse. | Retired hard drives are wiped to NIST SP 800-88 Clear/Purge level or physically destroyed. Removable media containing FCI is destroyed in-house. | Media-destruction log with serial numbers and dates. |
| PE.L1-3.10.1 (Limit Physical Access) | FAR 52.204-21(b)(1)(viii) — Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Facility locked outside business hours. Production floor accessible only via badged or key entry. Server hardware in locked space. | Facility access policy, key/badge issuance log. |
| PE.L1-3.10.3 (Escort Visitors) | FAR 52.204-21(b)(1)(ix) — Escort visitors and monitor visitor activity. | Visitors sign in at reception, receive a badge, and are escorted at all times in production, inspection, and office areas. | Visitor log, escort policy. |
| PE.L1-3.10.4 (Physical Access Logs) | FAR 52.204-21(b)(1)(x) — Maintain audit logs of physical access. | Visitor sign-in records retained per the document-control procedure. Reviewed periodically as part of internal audit. | Retained visitor log, document-control retention record. |
| PE.L1-3.10.5 (Manage Physical Access) | FAR 52.204-21(b)(1)(xi) — Control and manage physical access devices. | Keys and access badges are issued, tracked, and recovered on employee separation. Lost badges deactivated immediately. | Badge issuance/recovery log, separation checklist. |
| SC.L1-3.13.1 (Boundary Protection) | FAR 52.204-21(b)(1)(xii) — Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems. | Business-grade firewall at network perimeter with default-deny inbound. Outbound filtering on known-malicious categories. | Firewall rule-set export, perimeter diagram. |
| SC.L1-3.13.5 (Public-Access System Separation) | FAR 52.204-21(b)(1)(xiii) — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Public-facing services (website, guest Wi-Fi) are logically separated from the internal shop network. Guest Wi-Fi cannot reach internal subnets. | Network segmentation diagram, VLAN configuration. |
| SI.L1-3.14.1 (Flaw Remediation) | FAR 52.204-21(b)(1)(xiv) — Identify, report, and correct information and information system flaws in a timely manner. | OS and application updates applied on a managed schedule. Critical security patches prioritized. | Patch-management report, monthly status summary. |
| SI.L1-3.14.2 (Malicious Code Protection) | FAR 52.204-21(b)(1)(xv) — Provide protection from malicious code at appropriate locations within organizational information systems. | Endpoint protection deployed on every workstation and server. Email gateway scans attachments and URLs. | Endpoint deployment report, EDR console export. |
| SI.L1-3.14.4 (Update Malicious Code Protection) | FAR 52.204-21(b)(1)(xvi) — Update malicious code protection mechanisms when new releases are available. | Automatic signature/definition updates configured. Engine updates applied per vendor cadence. | EDR update-status report. |
| SI.L1-3.14.5 (System & File Scanning) | FAR 52.204-21(b)(1)(xvii) — Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Real-time scanning enabled. Scheduled full-system scans run weekly. Removable-media scans on insertion. | Scheduled-scan log, scan-result summaries. |
SPRS Scoring Explained
The Supplier Performance Risk System (SPRS) is the DoD database that hosts contractor cybersecurity self-assessment scores. For Level 1, the assessment is a binary check: each of the 17 practices is either fully implemented (MET) or not (NOT MET). A contractor that achieves MET on all 17 practices is considered Level 1 compliant. Unlike Level 2 (NIST SP 800-171), there is no negative-point scoring at Level 1 — partial implementation does not yield partial credit.
Prime supplier-quality teams reviewing a sub in SPRS see four fields per assessment: the date of the most recent self-assessment, the scope of the assessment (enterprise, enclave, or specific contract), the result, and the date by which any Plan of Action & Milestones (POA&M) items will be closed. Olympus Machining performs the self-assessment on an enterprise scope and re-assesses annually or whenever a material change to the IT environment occurs.
Material changes that trigger a between-cycle review include: new vendor system connections (ERP, accounting), endpoint refresh that changes the firewall or EDR posture, organizational changes that affect role-based access, and any reported security event. The annual self-assessment is approved by management before submission to SPRS.
Flow-Down Clause Language for Primes
Prime contractors purchasing CNC-machined components from Olympus Machining can incorporate the following clause (or equivalent) into the purchase order to flow down FAR 52.204-21 / CMMC Level 1 requirements:
Cybersecurity Flow-Down (FAR 52.204-21 / CMMC Level 1).
Seller shall implement and maintain the basic safeguarding requirements of FAR 52.204-21 with respect to all Federal Contract Information (FCI) processed, stored, or transmitted under this Purchase Order. Seller represents that it has performed and submitted a current CMMC Level 1 self-assessment to the Supplier Performance Risk System (SPRS), and shall provide written confirmation of its current SPRS posting upon request.
Seller shall promptly notify Buyer of any cyber incident affecting FCI handled under this Purchase Order, and shall preserve relevant records for not less than ninety (90) days following discovery. Seller shall flow down equivalent requirements to any lower-tier supplier that will process, store, or transmit FCI on Seller's behalf.
This clause does not impose Controlled Unclassified Information (CUI) handling, NIST SP 800-171 / CMMC Level 2, or DFARS 252.204-7012 obligations unless separately invoked in writing by Buyer.
Olympus Machining will execute this language as written for Level 1 subcontract work. Programs that require CUI handling, NIST SP 800-171, or DFARS 252.204-7012 should be routed to suppliers sized for that scope; we will identify scope mismatch at quote review rather than at award.
Annual Self-Assessment and SPRS Posting
Olympus Machining performs the self-assessment annually and maintains the SPRS submission as part of our supplier qualification record. A copy of our current SPRS confirmation is available to prime contractors on request.
Self-assessment is not a one-time exercise. Practice implementation is reviewed and any deficiencies are corrected before the score is submitted.
Roadmap to CMMC Level 2
CMMC Level 2 (Advanced) applies to contractors handling Controlled Unclassified Information (CUI) and requires implementation of the 110 controls defined in NIST SP 800-171. For prioritized acquisitions, Level 2 also requires a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO) rather than a self-assessment.
Olympus Machining is positioned to evaluate Level 2 once our AS9100 quality system rollout is complete and the additional cybersecurity controls — audit logging, incident response, configuration management, and assessment rigor — are fully integrated. Customers with active CUI-handling programs should contact us to discuss interim arrangements and joint roadmap planning.
ITAR Registration and CAGE 9V9P0
Olympus Machining is registered with the U.S. Department of State Directorate of Defense Trade Controls (DDTC) under the International Traffic in Arms Regulations (ITAR). Our Commercial and Government Entity (CAGE) code is 9V9P0, registered to our Hanover, Pennsylvania facility. ITAR registration and CMMC Level 1 alignment together cover the baseline supplier-qualification requirements for the majority of Level 1 defense subcontracting work.