Cybersecurity CMMC Compliance

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

CMMC Level 1 establishes a baseline of cyber hygiene for companies that handle Federal Contract Information (FCI). It draws from 15 safeguarding requirements in FAR Clause 52.204-21. Compliance is self-assessed annually and results are submitted to the Supplier Performance Risk System (SPRS).

This level does not require a C3PAO assessment. But “self-assessed” does not mean “easy”, and submitting an inaccurate result to SPRS carries real contractual and legal risk. Getting it right matters.

There are 15 requirements across six practice areas:

Access Control (AC)	Control who and what can access systems holding FCI. Manage external connections. Separate public-facing systems from internal networks.
Identification & Authentication (IA)	Every user and device must have a unique identifier. No shared or default credentials. Authenticate before access is granted.
Media Protection (MP)	Sanitize or destroy media containing FCI before disposal or reuse.
Physical Protection (PE)	Limit and log physical access to systems that store or process FCI.
System & Communications Protection (SC)	Sanitize or destroy media containing FCI before disposal or reuse.
System & Information Integrity (SI)	Keep systems patched. Run antivirus. Protect against malicious code.

*The 15 requirements come directly from FAR Clause 52.204-21. They are not optional guidance
they are legal obligations for companies that handle FCI on federal contracts.

Where do you stand?

Find Out In Less Than Five Minutes.

Answer a few questions about your current environment and practices. We’ll tell you your readiness tier, what it means for your contract eligibility, and what it would take to get compliant.

*By submitting this form, you agree to be contacted by ResilientTech Advisors about your results and CMMC compliance services.

Tier 1

Tier 2

Tier 3

Ready to move forward?

Whether you're starting from scratch or finalizing your SPRS submission, RTA has a fixed-price path designed for exactly where you are. Every engagement is led by a principal with CCA credentials. You'll know what you're paying before we start.

CMMC Level 1 Readiness

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

Where do you stand?

Find Out In Less Than Five Minutes.

Ready to move forward?

Whether you're starting from scratch or finalizing your SPRS submission, RTA has a fixed-price path designed for exactly where you are. Every engagement is led by a principal with CCA credentials. You'll know what you're paying before we start.

Clarity over jargon. Substance over spin. Integrity, always.

The 2025 DBIR Paradoxes CISOs Need to Decode

What 2024 Taught Us About Cybercrime

Why Your CISO Keeps Pushing for “SIEM” & “SOAR”

Message to Executives: AI Won’t Fix That

AI is Only as Good as its Data

Leveraging the White House’s July 2025 AI Action Plan

Smarter Use of AI & Data for State Government Efficiency

CMMC Explainer

How to Work With a CISO Who Always Says No

The 2025 DBIR Paradoxes CISOs Need to Decode

What 2024 Taught Us About Cybercrime

Why Your CISO Keeps Pushing for “SIEM” & “SOAR”

Message to Executives: AI Won’t Fix That

AI is Only as Good as its Data

Leveraging the White House’s July 2025 AI Action Plan

Leveraging the White House’s July 2025 AI Action Plan

Smarter Use of AI & Data for State Government Efficiency

Smarter Use of AI & Data for State Government Efficiency

Building a Culture of Social Engineering Awareness for Higher Ed.

Rising DRAM Prices Are Silently Reshaping Cybersecurity

What the FedRAMP RFCs Mean for Your Business

Yes, You Have Shadow AI. This Is How You Fix It.

1

1. Do you have any active contracts or solicitations that reference FAR 52.204-21, DFARS 252.204-7012, or specifically require CMMC Level 1?

2. Does your company create, receive, store, or transmit Federal Contract Information (FCI)?

3. Have you identified which systems, devices, and people in your environment process, store, or transmit that FCI?

4. Are system accounts managed so that only authorized users and devices can access the systems that handle FCI — and access is removed when someone leaves or changes roles?

5. Does every person and device that accesses systems holding FCI use a unique identifier and authenticate before gaining access — with no shared or default credentials in use?

6. Are connections between your FCI environment and external networks identified, controlled, and limited to what is authorized?

7. Are your internal networks protected by a firewall or equivalent, and separated from any publicly accessible systems?

8. Do you have a process to ensure FCI is never posted or published on publicly accessible systems?

9. Is physical access to the areas and equipment where FCI is handled limited to authorized individuals — with visitors escorted and access logs maintained?

10. Before disposing of or repurposing devices, drives, or paper records that contained FCI, do you sanitize or destroy them?

11. Do systems that handle FCI have antivirus or anti-malware software installed, kept current, and configured to run periodic and real-time scans?

12. Is there a defined process to identify software and firmware vulnerabilities and patch them within a documented time frame?

13. Have you ever conducted a formal review of your systems against the 15 FAR 52.204-21 requirements?

14. Have you submitted a CMMC Level 1 self-assessment result and affirmation of continuous compliance to SPRS?

You’re on the right track. Some gaps remain before your SPRS submission is defensible.

Recommended Path

Investment Range

Your environment is ready. Let’s make sure your SPRS submission is airtight.

Recommended Path

Investment Range

Your FCI environment has gaps that put contract eligibility at risk.

Recommended Path

Investment Range