
CMMC Level 1 for cybersecurity & IT security services firms

Small cybersecurity firms that assess, monitor, or support federal clients can be CMMC Level 1 for their own environment when their federal work is Federal Contract Information (FCI) only. Scoping is delicate: the moment you store, process, or administer a client's marked Controlled Unclassified Information (CUI) or security systems, that work is Level 2 and your environment falls into the client's assessment scope as an External Service Provider.

Overview

If you provide security assessments, monitoring, vulnerability scanning, or compliance support to federal clients, your contracts, reports, findings, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation for your own systems.

Cybersecurity is the trickiest vertical to scope honestly. If your engagement only involves FCI, you are Level 1. But security work frequently reaches into CUI: if you store, process, or administer a client's CUI systems, run a security operations function over them, or receive marked CUI in your findings, that work is Level 2, and your relevant environment is in scope for that client's Level 2 assessment as an External Service Provider.

The disciplined answer is to scope every engagement up front, keep FCI-only work at Level 1, and treat any CUI-touching engagement as Level 2 with a controlled enclave. Selling security is not a reason to be sloppy about your own.

Typical contracts you'll see

  • Security assessments and audits for federal offices that handle FCI
  • Vulnerability scanning and monitoring for FCI-only environments
  • Compliance and policy support engagements
  • Subcontracts to a cybersecurity or IT prime where no CUI is flowed down
  • Set-aside security services contracts (8(a), HUBZone, SDVOSB)

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

  • Contracts, task orders, and statements of work
  • Assessment reports and findings that are not marked CUI
  • Scan results and remediation plans for FCI-only systems
  • Project schedules, status reports, and correspondence
  • Invoices and acceptance documents

Common pitfalls in this industry

  • Assuming all security work is Level 2, when FCI-only assessment and advisory work is Level 1.
  • Missing the moment you store or administer a client's CUI, which makes your environment part of their Level 2 scope.
  • Holding client findings, credentials, and scan data under shared logins, which fails FAR 52.204-21(b)(1)(i) and (ii).
  • Storing sensitive client reports in a consumer cloud drive open to the whole team, which fails (b)(1)(iii).
  • Leaving testing and management tooling on weak or shared credentials.
  • Letting the annual SPRS affirmation lapse while advising clients to keep theirs current.

Your Level 1 action plan

  1. Scope each engagement: is it FCI only, or does it involve client CUI or CUI systems? Confirm the answer in writing.
  2. Keep FCI-only work at Level 1 and place any CUI-touching work into a documented Level 2 boundary, recognizing your External Service Provider role.
  3. Give every consultant a named account with MFA and protect testing and management tooling with least privilege.
  4. Set report and findings access to least privilege so only the engagement team can read client data.
  5. Encrypt every laptop and protect remote access, since your tooling can reach many clients at once.
  6. Write a one- to two-page boundary description naming the systems that hold federal FCI and how CUI work is kept separate.
  7. Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 541519: Other Computer Related Services
  • 541512: Computer Systems Design Services
  • 541690: Other Scientific & Technical Consulting Services
  • 561621: Security Systems Services (except Locksmiths)
  • 541611: Administrative Management & General Management Consulting Services

Frequently asked questions

Q. We do cybersecurity work, so are we automatically Level 2?

No. The tier depends on the data, not the field. If your federal engagement only involves Federal Contract Information, you are Level 1. You reach Level 2 when you store, process, or administer a client's marked CUI or CUI systems. Many security firms run Level 1 for FCI-only advisory work and Level 2 for engagements that touch CUI.

Q. We monitor a client's CUI systems. What does that make us?

When you administer or operate systems that store or process a client's CUI, your relevant environment is in scope for that client's Level 2 assessment as an External Service Provider, and you must meet the applicable NIST SP 800-171 requirements for that work. That is separate from your own FAR 52.204-21 Level 1 obligation for FCI-only work.

Q. How do we keep our own house in order at Level 1?

Apply the 15 practices to the systems that hold federal FCI: named accounts, MFA, access limited to authorized users, antivirus, patching, and basic physical and boundary protection. Then post the affirmation in SPRS. Holding yourself to the standard you sell is the point.

Q. Do I need an SSP for the Level 1 part of my work?

No. Level 1 does not require a System Security Plan under 32 CFR Part 170. The Level 2 work does require an SSP and a NIST SP 800-171 assessment. For Level 1 you need evidence the 15 practices are met, a short boundary description, and a current list of authorized users.


Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)