← Custodia
CMMC Level 1 · Defense electronics

CMMC Level 1 for defense electronics & instrument makers

Small firms building sensors, instruments, communications gear, and electronic subsystems for defense programs handle Federal Contract Information (FCI) in their POs, specifications, and test data. Because defense electronics design and test data is frequently marked, scoping is critical: marked Controlled Unclassified Information (CUI) or Controlled Technical Information moves that work to Level 2.

Overview

If you design or build sensors, instruments, radios, antennas, power supplies, or electronic subsystems for defense programs, your purchase orders, interface specifications, acceptance test procedures, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.

Defense electronics is a domain where CUI shows up often, because performance specifications, interface control documents, and test results can be marked. Build to print and integration work from unmarked packages is Level 1. When a prime flows down DFARS 252.204-7012 and sends marked technical data, that program is Level 2 and needs a controlled boundary.

The practical pattern is to keep general electronics work at Level 1 and place the one or two programs that involve marked technical data into a separate, documented enclave, rather than dragging the whole company up to Level 2.

Typical contracts you'll see

  • Subcontracts to defense primes for sensors, instruments, and electronic subsystems
  • DLA buys for electronic assemblies and components
  • Depot repair and overhaul of electronic units
  • Communications and electronic warfare component subcontracts
  • SBIR and STTR Phase I electronics and sensor prototypes

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

Purchase orders and statements of work from a prime or DLA
Interface and performance specifications that are not marked CUI
Acceptance test procedures and test results tied to the contract
Delivery schedules, packing slips, and DD-250 acceptance documents
Nonconformance reports and corrective action requests

Common pitfalls in this industry

  • Treating every defense specification as CUI. CUI must be explicitly marked. Many integration packages are FCI.
  • Ignoring a real -7012 flow-down. If marked technical data arrives, that program is Level 2.
  • Sharing engineering and test station logins across the team, which fails FAR 52.204-21 (b)(1)(i) and (ii).
  • Storing specifications and test data on an open network share readable by every contractor, which fails (b)(1)(iii).
  • Letting the same workstation handle program data and public web browsing, which works against (b)(1)(iv) and (v).
  • Letting the annual SPRS affirmation lapse.

Your Level 1 action plan

  1. 01Confirm with each prime in writing whether any -7012 flow-down applies and whether marked technical data is in play.
  2. 02Inventory the systems that hold program FCI: engineering and test stations, the document and configuration system, email, and backups.
  3. 03Move program email and document exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
  4. 04Set specification and test data access to least privilege and give every engineer a named account.
  5. 05If one program sends marked CUI, build a separate enclave for it and keep the rest of the work at Level 1.
  6. 06Write a one to two page boundary description of where program FCI lives and how it is separated from public systems.
  7. 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and calendar the annual re-affirmation.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 334511Search, Detection, Navigation, Guidance & Aeronautical Systems Manufacturing
  • 334290Other Communications Equipment Manufacturing
  • 334515Instrument Manufacturing for Measuring & Testing Electricity & Electrical Signals
  • 334519Other Measuring & Controlling Device Manufacturing
  • 335999All Other Miscellaneous Electrical Equipment & Component Manufacturing

Frequently asked questions

Q.We build sensors for a defense program. Are we Level 1 or Level 2?

It depends on the markings. If you build from unmarked specifications and the prime has not flowed down marked CUI, you are Level 1. The trigger for Level 2 is receiving technical data explicitly marked as CUI or Controlled Technical Information under DFARS 252.204-7012. Many defense electronics firms run Level 1 for general work and a small enclave for marked programs.

Q.Our performance specs feel sensitive. Does that make them CUI?

Sensitivity is not the test. CUI is explicitly marked with a CUI banner and category. If a document that should be marked is not, ask the contracting officer rather than guessing. Unmarked specifications and test data received under the contract are FCI and put you at Level 1.

Q.Is our test and configuration system in scope?

Yes, if it holds program POs, specifications, or test data that is FCI. That system, the engineering stations, and the laptops that reach them are part of your Level 1 boundary and must meet the 15 practices: named accounts, MFA, access limited to authorized users, antivirus, and patching.

Q.Do I need an SSP at Level 1?

No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that handle FCI, plus a short boundary description and a current list of authorized users.

Related clauses

FAR 52.204-21
Basic Safeguarding of Covered Contractor Information Systems
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements

Related terms

Read more in the Library

Other Level 1 industries
Machine shops & precision manufacturers
Read the machine shops guide →
SBIR Phase I awardees
Read the sbir phase i winners guide →
Construction, facilities & base-services subcontractors
Read the construction & facilities guide →
IT services & managed service providers (MSPs)
Read the it services & msps guide →
Software & application development firms
Read the software development guide →
Aerospace & aircraft parts manufacturers
Read the aerospace parts guide →
Metal fabrication & welding shops
Read the metal fabrication guide →
Base operations & facilities O&M contractors
Read the facilities & base ops guide →
Logistics, warehousing & distribution contractors
Read the logistics & warehousing guide →
Electronics & circuit card manufacturers
Read the electronics manufacturing guide →
Management & professional services consultants
Read the professional consulting guide →
Staffing & workforce services firms
Read the staffing services guide →
Janitorial & custodial services contractors
Read the janitorial & custodial guide →
Engineering services firms
Read the engineering services guide →
Medical & pharmaceutical supply distributors
Read the medical supply distribution guide →
Shipbuilding & marine repair contractors
Read the shipbuilding & marine guide →
Industrial machinery & equipment suppliers
Read the industrial equipment guide →
Plastics & rubber products manufacturers
Read the plastics & rubber guide →
Textiles, apparel & uniform manufacturers
Read the textiles & apparel guide →
PPE & safety equipment suppliers
Read the ppe & safety equipment guide →
Medical device & instrument manufacturers
Read the medical devices guide →
Specialty trade subcontractors (electrical, plumbing)
Read the specialty trades guide →
HVAC & mechanical contractors
Read the hvac & mechanical guide →
Landscaping & grounds maintenance contractors
Read the landscaping & grounds guide →
Environmental & remediation services contractors
Read the environmental services guide →
Telecommunications & networking contractors
Read the telecommunications guide →
Cybersecurity & IT security services firms
Read the cybersecurity services guide →
Architecture & design firms
Read the architecture & design guide →
Security & guard services contractors
Read the security & guard services guide →
Training & education services providers
Read the training & education guide →
Marketing, media & creative services firms
Read the marketing & media guide →
Trucking & transportation contractors
Read the trucking & transportation guide →
Wholesale & product distribution contractors
Read the wholesale distribution guide →
Food services & catering contractors
Read the food services & catering guide →
Vehicle & equipment maintenance contractors
Read the vehicle maintenance guide →
Printing & reprographics contractors
Read the printing & reprographics guide →
Research, development & testing labs
Read the research & development guide →
Office & operating supplies distributors
Read the office & operating supplies guide →
← Back to all industries
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)