April 29, 2026
Self-Assessing L1 is Harder Than You Think
While it's true that FAR 52.204-21 governing the protection of Federal Contract Information (FCI) is entitled "Basic Safeguarding of Covered Contractor Information Systems," it's important to keep in mind it was written by government officials with little understanding of how small- and medium-size businesses (SMB) actually operate.
I've heard it pooh-poohed as "it's just antivirus and stuff like that," and while some of the controls are truly basic cyber hygiene, many of them are definitely not SOP in the average SMB. It's also true that there is no requirement for written documentation to self-assess L1, but it's virtually impossible to implement some controls -- and produce evidence -- without written documentation.
I've been working with a couple of SMB clients recently on their L1 self-assessment, and I confess that even I have been surprised at the level of rigor required to implement and provide proof for all 59 Assessment Objectives (AOs) in the L1 Self-Assessment Guide.
Let's look at a few examples:
AC.L1-B.1.I – AUTHORIZED ACCESS CONTROL [FCI DATA]
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
I'm sure your first thought is "My MSP/IT guy handles that." Okay, why don't you ask them a couple of questions (remember, "identified" means a decision has been made and recorded somewhere):
- What is your procedure for determining which processes are authorized to run on behalf of individual users or system accounts? (e.g., STIGs, manufacturer or SANS recommendations, etc.)
- What is your procedure for determining that there are no unauthorized processes running (i.e., not Windows default services but user applications)? (e.g., periodic audit? conmon (continuous monitoring) with alerts? application whitelisting? Please describe)
You might be surprised at the answer you get (or don't get).
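To make "identified" and "limited" concrete for the process-related objectives ([b] and [e] above), here is an added example of what a periodic audit could look like; it is not code from the original post or from any assessment guide. It assumes the organization keeps an authorized-process baseline as a list of records (name, expected path, allowed run-as accounts) and takes a snapshot of running processes in the same shape. Both the baseline and the snapshot below are constructed sample data; on a real Windows host the snapshot would come from something like `tasklist /v` or `psutil.process_iter()`. The audit flags three kinds of deviation and wraps the result in a timestamped record of the sort you would keep as reproducible self-assessment evidence.

```python
"""Periodic audit of running processes against an authorized-process baseline.

Added illustration, not part of the original post. The baseline format and the
snapshot format are assumptions made for this example.
"""
from datetime import datetime, timezone

# Constructed baseline: a process is "identified" once its name, expected path
# and the accounts allowed to run it have been decided and written down.
# "*" in "users" means any interactive user may run it.
AUTHORIZED_PROCESSES = [
    {"name": "outlook.exe",
     "path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "users": ["*"]},
    {"name": "sqlservr.exe",
     "path": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "users": ["NT SERVICE\\MSSQLSERVER"]},
    {"name": "backupagent.exe",
     "path": r"C:\Program Files\BackupCo\backupagent.exe",
     "users": ["CORP\\svc_backup"]},
]

# Constructed snapshot of one workstation. Three of the four entries deviate
# from the baseline in a different way each; the first one is fine.
SNAPSHOT = [
    {"pid": 4120, "name": "outlook.exe",
     "path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "user": "CORP\\jdoe"},
    {"pid": 5580, "name": "backupagent.exe",              # right binary, wrong account
     "path": r"C:\Program Files\BackupCo\backupagent.exe",
     "user": "CORP\\jdoe"},
    {"pid": 6012, "name": "sqlservr.exe",                 # right name, wrong location
     "path": r"C:\Users\jdoe\AppData\Local\Temp\sqlservr.exe",
     "user": "CORP\\jdoe"},
    {"pid": 7333, "name": "remotetool.exe",               # never identified at all
     "path": r"C:\Users\jdoe\Downloads\remotetool.exe",
     "user": "CORP\\jdoe"},
]


def audit_processes(snapshot, baseline):
    """Compare a process snapshot with the baseline; return a list of findings.

    An empty list means every running process is identified, runs from its
    expected path, and runs under an account authorized for it.
    """
    by_name = {}
    for entry in baseline:
        by_name.setdefault(entry["name"].lower(), []).append(entry)

    findings = []
    for proc in snapshot:
        candidates = by_name.get(proc["name"].lower(), [])
        if not candidates:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "reason": "NOT_IN_BASELINE"})
            continue
        # Path comparison is case-insensitive because NTFS paths are.
        same_path = [c for c in candidates
                     if c["path"].lower() == proc["path"].lower()]
        if not same_path:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "reason": "UNEXPECTED_PATH", "path": proc["path"]})
            continue
        allowed = any("*" in c["users"]
                      or proc["user"].lower() in (u.lower() for u in c["users"])
                      for c in same_path)
        if not allowed:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "reason": "UNAUTHORIZED_ACCOUNT", "user": proc["user"]})
    return findings


def evidence_record(host, snapshot, baseline, now=None):
    """Build the record kept as evidence that the audit was actually performed."""
    findings = audit_processes(snapshot, baseline)
    stamp = now if now is not None else datetime.now(timezone.utc)
    return {
        "host": host,
        "checked_at": stamp.isoformat(),
        "processes_checked": len(snapshot),
        "baseline_entries": len(baseline),
        "findings": findings,
        "result": "PASS" if not findings else "FAIL",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record("WS-EXAMPLE-01", SNAPSHOT, AUTHORIZED_PROCESSES),
                     indent=2))
```

Run on a schedule, the JSON records accumulate into exactly the kind of evidence an assessor can ask for: each one shows when the check ran, what was compared, and whether anything was out of policy. The three reason codes map back to the objectives: NOT_IN_BASELINE and UNEXPECTED_PATH mean a process was never identified (or is impersonating one that was), and UNAUTHORIZED_ACCOUNT means a known process is not acting on behalf of a user it was authorized for.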
Here's another favorite of mine:
AC.L1-B.1.IV – CONTROL PUBLIC INFORMATION [FCI DATA]
Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure [FCI] is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include [FCI]; and
[e] mechanisms are in place to remove and address improper posting of [FCI].
Does your organization actually have all these procedures in place before your website is updated, a social media post is made, a press release is published, or a slide deck is presented at a public event? Can you provide proof that these reviews are happening as they should?
Finally, the one that is most difficult IMO for many SMBs to do:
PE.L1-B.1.IX – MANAGE VISITORS & PHYSICAL ACCESS [FCI DATA]
Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
[a] visitors are escorted;
[b] visitor activity is monitored;
[c] audit logs of physical access are maintained;
[d] physical access devices are identified;
[e] physical access devices are controlled; and
[f] physical access devices are managed.
Most SMBs have some sort of visitor policy, but do you currently maintain audit logs of physical access? That means everyone, not just visitors. Have you identified all physical access devices? Do you know how many keys to your facility exist and who has one? Do you have a procedure for changing locks when necessary? Can you prove that this is done when needed?
This isn't a comprehensive list of all that's actually difficult in L1, just the top three that I find are difficult for SMBs.
What's the answer? Well, if you have an enclave for CUI, try to put all your FCI in there too. This avoids having to implement L1 on your enterprise network, along with the annual self-assessment that comes with it.
If you have to self-assess L1, I would suggest the following:
- Read and re-read the L1 Self-Assessment Guide and the L1 Scoping Guide. (Note: at least scoping for L1 is much easier than for L2, with no requirement for logical or physical separation to put assets out of scope.)
- Do your best to limit the scope of FCI.
- Update your Employee Handbook, or whatever your written employment policy is called, to include the specifics required for protecting FCI.
- Develop written procedures for things like posting to publicly accessible systems.
- Come up with a self-assessment plan and list of evidence that can be reproduced each year.
Need help? Reach out.
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107