Overview
If you build, repair, clean, mow, fuel, repaint, or otherwise maintain a DoD installation, your contracts almost always sit at CMMC Level 1. The award documents, set-aside paperwork, base-access requests, schedules, RFIs, submittals, and pay applications are all Federal Contract Information (FCI) — and that triggers FAR 52.204-21 and a Level 1 self-assessment.
CUI only enters this world in narrow cases: secure-facility design drawings (SCIFs, weapons storage, command centers), critical-infrastructure protection plans, certain ICS / SCADA documentation, and anti-terrorism / force-protection details. Most concrete pours, roofing replacements, grass cuts, and HVAC tune-ups never see CUI.
USACE, NAVFAC, and AFCEC contracting officers have started flowing the CMMC Level 1 self-assessment requirement into solicitations under the 48 CFR CMMC acquisition rule. Subs that show up to a kickoff without a posted SPRS affirmation are increasingly being told to fix it before they can mobilize.
Typical contracts you'll see
- USACE MATOC / IDIQ task orders for construction, repair, and renovation
- NAVFAC Atlantic / Pacific O&M and minor-construction contracts
- AFCEC base operations support and facility-sustainment contracts
- GSA PBS Region task orders on federal buildings co-located with DoD tenants
- Subcontracts under a large facility-services prime (Fluor, KBR, Vectrus, V2X, J&J Worldwide)
- 8(a), HUBZone, WOSB, SDVOSB set-asides for small-dollar construction and trades
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Sending RFIs and submittals from a personal Gmail or a shared crew@ inbox — fails FAR 52.204-21 (b)(1)(i)–(iii).
- Using a single shared laptop in the job trailer with no per-user login — fails (b)(1)(i) and (b)(1)(viii) physical access controls.
- Storing pay applications and base-access rosters in an unlocked file cabinet in the trailer — fails (b)(1)(viii).
- Letting subs and 1099 trades log into the company tenant with the owner's credentials — fails (b)(1)(i)–(ii).
- Assuming that because the work is "just dirt and concrete" CMMC doesn't apply — it does, the moment FCI flows.
- Mistaking a secure-facility project for Level 1 — if the drawings are marked CUI, the project is Level 2 and the trailer needs a real boundary.
Your Level 1 action plan
- 01 Inventory the contracts: which prime, which contracting agency, any -7012 flow-down, any marked CUI? Most won't have any.
- 02 Move project email off personal accounts onto a Microsoft 365 or Google Workspace tenant with MFA enforced — including for the PM, the estimator, and the office manager.
- 03 Lock down the trailer laptop: per-user login, screen lock after 15 minutes, antivirus on, drive encrypted.
- 04 Pick one cloud folder (SharePoint, OneDrive, Google Drive) for submittals / RFIs / schedules and restrict access to the project team.
- 05 Lock the file cabinet that holds pay applications and base-access paperwork; keep a log of who has the key.
- 06 Write a one-page boundary description: which laptops, which tenant, which trailer, which file cabinet. This is your scoping artifact.
- 07 Run the 15-practice self-assessment, then have the company's senior official post the SPRS score and affirm — and re-affirm annually.
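One way to spot-check step 03 on the trailer laptop, as an added example that is not part of the original page. It assumes a Windows 10/11 Pro laptop that uses Microsoft Defender and BitLocker and an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example: read-only spot check of action-plan step 03. Changes nothing.
# Assumes Windows 10/11 Pro, Microsoft Defender, BitLocker, elevated session.
$maxLockSeconds = 15 * 60   # step 03: screen lock after 15 minutes

# Per-user login: enabled local accounts, and any that may have a blank password.
$accounts   = @(Get-LocalUser | Where-Object { $_.Enabled })
$noPassword = @($accounts | Where-Object { -not $_.PasswordRequired })

# Screen lock: value behind "Interactive logon: Machine inactivity limit".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lock = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
         -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Antivirus on: Defender enabled with real-time protection.
$av = Get-MpComputerStatus

# Drive encrypted: BitLocker protection state of the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

$results = @(
    [pscustomobject]@{
        Check  = 'Per-user login'
        Pass   = ($noPassword.Count -eq 0)
        Detail = "Enabled local accounts: $($accounts.Name -join ', ')"
    }
    [pscustomobject]@{
        Check  = 'Screen lock <= 15 min'
        Pass   = ($null -ne $lock -and $lock -gt 0 -and $lock -le $maxLockSeconds)
        Detail = if ($null -eq $lock) { 'Inactivity limit not set' } else { "$lock seconds" }
    }
    [pscustomobject]@{
        Check  = 'Antivirus on'
        Pass   = ($av.AntivirusEnabled -and $av.RealTimeProtectionEnabled)
        Detail = "Real-time protection: $($av.RealTimeProtectionEnabled)"
    }
    [pscustomobject]@{
        Check  = 'Drive encrypted'
        Pass   = ($os.ProtectionStatus -eq 'On')
        Detail = "$($os.MountPoint) $($os.VolumeStatus)"
    }
)

# Save this table with the date as evidence for the self-assessment file.
$results | Format-Table -AutoSize -Wrap
```

The account list still needs a human check that each name maps to one person, and a failing screen-lock row can mean the timeout is set per user through the screen saver rather than by machine policy.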
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 236220 Commercial & Institutional Building Construction
- 237110 Water & Sewer Line & Related Structures Construction
- 237310 Highway, Street & Bridge Construction
- 238210 Electrical Contractors & Other Wiring Installation
- 238220 Plumbing, Heating & Air-Conditioning Contractors
- 561210 Facilities Support Services
- 561720 Janitorial Services
- 561730 Landscaping Services
Frequently asked questions
Q. I just mow grass on an Air Force base. Do I really need CMMC?
If your contract is with the federal government (directly or as a sub to a prime that holds a federal contract), then yes — the award documents, your invoices, and your base-access roster are Federal Contract Information, and FAR 52.204-21 applies. That means a CMMC Level 1 self-assessment and an annual SPRS affirmation. The 15 practices are basic IT hygiene; they apply to the laptop and email you use to send invoices, not to the lawn mower.
Q. Our project is on a SCIF / weapons storage / sensitive facility. Are we still Level 1?
Probably not. If the design drawings, anti-terrorism / force-protection plans, or facility security details are marked CUI under DFARS 252.204-7012, that contract is Level 2 and needs a real CUI boundary — usually a separate folder structure with restricted access and often a GCC High or equivalent tenant. The rest of your portfolio (non-sensitive projects) can stay at Level 1.
Q. We're a sub on a USACE MATOC. Does the prime's CMMC level cover us?
No. CMMC flows down. If you receive FCI from the prime — RFIs, submittals, schedules, daily reports — you have your own FAR 52.204-21 obligation and need your own SPRS affirmation. The prime cannot affirm on your behalf. For Level 2 contracts the same flow-down applies via DFARS 252.204-7012.
Q. Can I keep using personal Gmail for project email if I'm only Level 1?
No. FAR 52.204-21 (b)(1)(i) and (iii) require you to identify users and limit access to authorized users and the information they need. Personal Gmail accounts shared across a crew fail both. The fix is cheap: a paid Google Workspace or Microsoft 365 tenant with MFA on every account, around $6–$15 per user per month.
Q. What does the trailer / job-site physical security requirement actually mean?
FAR 52.204-21 (b)(1)(viii) requires you to limit physical access to systems and information. In practice for a job trailer: lock the trailer when nobody's in it, lock the file cabinet that holds pay apps and rosters, don't leave the laptop logged in and unattended, and keep a simple visitor log if subs are coming through. That's the standard.