CMMC Password Requirements: What Level 1 Actually Asks For
If you've gone looking for "CMMC password requirements," you've probably found a wall of rules: twelve-character minimums, special characters, forced rotation, no reusing old passwords, multi-factor authentication everywhere. It's enough to make a small shop think they need to overhaul every login in the building.
Here's the part that gets lost: almost none of that applies at Level 1.
Those detailed password rules come from the requirements for protecting Controlled Unclassified Information, and they live at Level 2. If you're a Level 1 contractor handling Federal Contract Information, what you actually have to do is much simpler — and worth getting exactly right, because the real Level 1 gap is one most people don't expect.
What Level 1 actually requires
Level 1 has just two requirements that touch logins and passwords, and they're both straightforward:
- Everyone and everything gets a unique identity. Each person who uses your systems needs their own account. Same goes for devices and any automated process. You have to be able to say who (or what) is accessing your systems at any given moment.
- Identities have to be verified before access. People must prove who they are before they get in — and in practice, that means a password. You can't just let someone claim to be an authorized user and wave them through.
That's it. Unique accounts, and a login step that verifies the person. A standard password on each individual account satisfies the Level 1 requirement.
What Level 1 does not require
This is where the relief comes in. At Level 1, there is no mandated:
- Minimum password length
- Complexity rule (mix of symbols, numbers, capitals)
- Forced password rotation or expiration schedule
- Ban on reusing old passwords
- Multi-factor authentication
Every one of those is a Level 2 requirement, tied to protecting CUI. If you only handle FCI, you are not obligated to enforce them to meet Level 1. So the elaborate password policy you may have been told you need? For Level 1, you don't.
The Level 1 gap small shops actually trip on
If there's one place Level 1 catches small contractors, it isn't weak passwords — it's shared ones.
Plenty of shops run a single shared login on the front-office computer, or one password that the whole team uses for a shared account. That's convenient, and it's exactly what the unique-identity requirement rules out. If three people share one login, you can't say who accessed what, and you don't meet the requirement.
The fix is simple and free: give each person their own account. No shared logins on systems that touch FCI. It's usually a config change, not a purchase — and it's the single most common Level 1 authentication gap worth checking first.
For the domain-level view of how identity and authentication fit together across Level 1, see CMMC Identification & Authentication, in Plain English.
A low bar isn't a reason to set a weak one
Level 1 asks little here, but that's not a license to use "password123" on everything. A weak password is still a weak password, and a break-in doesn't care which CMMC level you're at.
The good news is that better security is cheap and, these days, less annoying than it used to be. Current security guidance has moved away from short-but-complex passwords that you're forced to change every 90 days, and toward longer passphrases you rarely have to rotate. A memorable phrase of several words beats a scrambled eight characters on both security and sanity. And turning on multi-factor authentication — even though Level 1 doesn't require it — is one of the highest-value protections you can add in a few minutes.
There's also a practical reason to build good habits now: if your work ever moves to Level 2, strong passwords and MFA stop being optional. Setting them up today means nothing to redo later.
The bottom line
For CMMC Level 1, the password requirement comes down to this: give everyone their own account, make sure people authenticate before they get access, and document that you've done it. The strict length, complexity, rotation, and MFA rules belong to Level 2 and the protection of CUI.
Don't over-engineer Level 1 to satisfy requirements that aren't yours — and don't use that as an excuse to leave genuinely weak passwords in place. The bar is low, but a little good hygiene on top of it costs you almost nothing.
Sorting out which of the 15 Level 1 requirements you already meet, and which need a small fix, is far easier when they're laid out plainly, one question at a time.
See exactly where you stand on CMMC Level 1.
CMMCheck walks you through every Level 1 requirement as plain-English yes / no / not-sure questions — no consultant, no jargon — and hands you a clear report showing what's done and what's left.
→ Start your Level 1 self-assessment at cmmcheck.com