Overview
If your firm produces architectural and design packages for federal buildings and installations, your contracts, schedules, submittals, and design deliverables are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Architecture sits close to the CUI line because facility design data can be marked, especially for secure facilities, security systems, and critical infrastructure. General design work from unmarked packages is Level 1. When the agency or prime marks drawings as CUI under DFARS 252.204-7012, that project is Level 2 and needs a controlled environment.
Design firms run CAD and BIM tools, document management, and an email tenant. Level 1 covers the systems that hold federal design FCI, which means named accounts, MFA, controlled access to drawings, and a clear boundary.
Typical contracts you'll see
- Architecture and engineering design contracts for federal facilities
- Renovation and modernization design task orders
- Subcontracts under an A and E or construction prime
- Design support for USACE, NAVFAC, AFCEC, and GSA projects
- Set-aside design contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Treating all facility drawings as CUI, or none of them. CUI must be explicitly marked.
- Sharing CAD and BIM files on an open drive readable by everyone, which fails FAR 52.204-21 (b)(1)(iii).
- Letting designers use personal, unencrypted laptops with no MFA.
- Continuing at Level 1 after receiving marked secure facility drawings, which is Level 2.
- Publishing project renderings or details before the agency clears them, which fails (b)(1)(iv).
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
1. Scope each project: is it FCI only, or does it involve marked secure facility drawings? Confirm in writing.
2. Keep FCI-only design work at Level 1 and place any CUI-marked project into a controlled enclave.
3. Move federal design work onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
4. Set CAD, BIM, and document access to least privilege per project, and give each designer a named account.
5. Encrypt every workstation and laptop used for federal design and protect remote access with MFA.
6. Write a one to two page boundary description naming the systems that hold design FCI and how CUI work is kept separate.
7. Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541310 Architectural Services
- 541320 Landscape Architectural Services
- 541330 Engineering Services
- 541350 Building Inspection Services
- 541340 Drafting Services
Frequently asked questions
Q. Is architecture for federal buildings always Level 2?
No. Design work is Level 1 when it involves only Federal Contract Information. It becomes Level 2 when the agency or prime marks drawings as CUI under DFARS 252.204-7012, which commonly happens for secure facilities, security systems, and critical infrastructure. General facility design from unmarked packages is Level 1.
Q. How do I know if a drawing is CUI?
CUI is explicitly marked with a CUI banner and category. Unmarked design drawings and submittals you produce or receive under the contract are FCI. If a drawing for a sensitive facility should be marked but is not, ask the contracting officer rather than guessing.
Q. Can I keep most of my firm at Level 1 if one project has CUI?
Yes. Scope the CUI project into a separate, controlled environment and keep the rest of the firm at Level 1. Document the boundary clearly so a reviewer can see which systems hold CUI and which hold only FCI.
Q. Do I need an SSP for the Level 1 part of my work?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. The Level 2 work does. For Level 1 you need evidence the 15 practices are met, a short boundary description, and a current list of authorized users.