← Custodia
CMMC Level 1 · Electronics manufacturing

CMMC Level 1 for electronics & circuit card manufacturers

Contract electronics manufacturers building circuit card assemblies, cable harnesses, and electronic components for defense primes start at CMMC Level 1 for build to print work. POs, assembly drawings, bills of material, and test records are Federal Contract Information (FCI). You move to Level 2 when a prime flows down DFARS 252.204-7012 and sends marked Controlled Unclassified Information or Controlled Technical Information.

Overview

If you assemble circuit cards, build cable and wire harnesses, or manufacture electronic components for defense and aerospace primes, your purchase orders, assembly drawings, bills of material, test procedures, and acceptance records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.

Electronics is a place where the CUI line matters, because design data and test data can be marked. Build to print assembly from unmarked drawings is Level 1. The moment a prime flows down DFARS 252.204-7012 and sends marked technical data, that program is Level 2 and needs a controlled boundary.

Contract manufacturers usually run an ERP or MRP system, engineering and test stations, and an email tenant. Level 1 is achievable, but it means named accounts and MFA on the systems that hold program data, controlled access to drawings and BOMs, and a clean separation from public facing systems.

Typical contracts you'll see

  • Circuit card and electronic assembly subcontracts to defense and aerospace primes
  • Cable, wire harness, and box build manufacturing for DoD programs
  • DLA buys for electronic components and assemblies
  • Depot repair and rework of electronic units
  • SBIR and STTR Phase I electronics prototypes

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

Purchase orders and statements of work from a prime or DLA
Assembly drawings, schematics, and BOMs that are not marked CTI or export controlled
Test procedures, ATP results, and inspection records tied to the contract
Delivery schedules, packing slips, and DD-250 acceptance documents
Nonconformance reports and corrective action requests

Common pitfalls in this industry

  • Treating every defense schematic as CUI. CUI must be explicitly marked. Many build to print packages are FCI.
  • Ignoring a real -7012 flow-down. If marked technical data arrives, that program is Level 2.
  • Sharing one engineering or test station login across the team, which fails FAR 52.204-21 (b)(1)(i) and (ii).
  • Storing drawings and BOMs on an open network share that every contractor can read, which fails (b)(1)(iii).
  • Letting the same PC handle program data and public web browsing or the company site, which works against (b)(1)(iv) and (v).
  • Letting the annual SPRS affirmation lapse.

Your Level 1 action plan

  1. 01Confirm with each prime in writing whether any -7012 flow-down applies and whether marked CUI or CTI is in play. Most build to print has none.
  2. 02Inventory the systems that hold program FCI: ERP or MRP, engineering and test stations, the file share, email, and backups.
  3. 03Move program email and file exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
  4. 04Set drawing and BOM access to least privilege, and give every engineer and operator a named account.
  5. 05If one program sends marked CUI, build a small separate enclave for it and keep the rest of the floor at Level 1.
  6. 06Write a one to two page boundary description of where program FCI lives and how it is separated from public systems.
  7. 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and calendar the annual re-affirmation.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 334418Printed Circuit Assembly (Electronic Assembly) Manufacturing
  • 334412Bare Printed Circuit Board Manufacturing
  • 334419Other Electronic Component Manufacturing
  • 334511Search, Detection, Navigation, Guidance & Aeronautical Systems Manufacturing
  • 335931Current-Carrying Wiring Device Manufacturing

Frequently asked questions

Q.We assemble circuit cards for a defense prime. Level 1 or Level 2?

If you build to unmarked drawings and the prime has not flowed down marked CUI, you are Level 1. The trigger for Level 2 is receiving technical data explicitly marked as CUI or Controlled Technical Information under DFARS 252.204-7012. Many contract electronics manufacturers run Level 1 for most of the floor and a small enclave for the one or two marked programs.

Q.Our schematics are export controlled. Does that make us Level 2?

Export control alone is not the same as CUI under -7012, but most primes treat export controlled technical data as CUI and flow down -7012. If that clause is in your subcontract and you have received marked data, that program is Level 2. Your non marked work can still run at Level 1.

Q.Is our ERP or MRP system in scope?

Yes, if it holds POs, BOMs, or program data that is FCI. The ERP, the engineering and test stations, and the laptops that reach them are part of your Level 1 boundary and must meet the 15 practices: named accounts, MFA, access limited to authorized users, antivirus, and patching.

Q.Do I need an SSP at Level 1?

No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence that each of the 15 practices is met for the systems that handle FCI, plus a short boundary description and a current list of authorized users.

Related clauses

FAR 52.204-21
Basic Safeguarding of Covered Contractor Information Systems
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements

Related terms

Read more in the Library

Other Level 1 industries
Machine shops & precision manufacturers
Read the machine shops guide →
SBIR Phase I awardees
Read the sbir phase i winners guide →
Construction, facilities & base-services subcontractors
Read the construction & facilities guide →
IT services & managed service providers (MSPs)
Read the it services & msps guide →
Software & application development firms
Read the software development guide →
Aerospace & aircraft parts manufacturers
Read the aerospace parts guide →
Metal fabrication & welding shops
Read the metal fabrication guide →
Base operations & facilities O&M contractors
Read the facilities & base ops guide →
Logistics, warehousing & distribution contractors
Read the logistics & warehousing guide →
Management & professional services consultants
Read the professional consulting guide →
Staffing & workforce services firms
Read the staffing services guide →
Janitorial & custodial services contractors
Read the janitorial & custodial guide →
Engineering services firms
Read the engineering services guide →
Medical & pharmaceutical supply distributors
Read the medical supply distribution guide →
Defense electronics & instrument makers
Read the defense electronics guide →
Shipbuilding & marine repair contractors
Read the shipbuilding & marine guide →
Industrial machinery & equipment suppliers
Read the industrial equipment guide →
Plastics & rubber products manufacturers
Read the plastics & rubber guide →
Textiles, apparel & uniform manufacturers
Read the textiles & apparel guide →
PPE & safety equipment suppliers
Read the ppe & safety equipment guide →
Medical device & instrument manufacturers
Read the medical devices guide →
Specialty trade subcontractors (electrical, plumbing)
Read the specialty trades guide →
HVAC & mechanical contractors
Read the hvac & mechanical guide →
Landscaping & grounds maintenance contractors
Read the landscaping & grounds guide →
Environmental & remediation services contractors
Read the environmental services guide →
Telecommunications & networking contractors
Read the telecommunications guide →
Cybersecurity & IT security services firms
Read the cybersecurity services guide →
Architecture & design firms
Read the architecture & design guide →
Security & guard services contractors
Read the security & guard services guide →
Training & education services providers
Read the training & education guide →
Marketing, media & creative services firms
Read the marketing & media guide →
Trucking & transportation contractors
Read the trucking & transportation guide →
Wholesale & product distribution contractors
Read the wholesale distribution guide →
Food services & catering contractors
Read the food services & catering guide →
Vehicle & equipment maintenance contractors
Read the vehicle maintenance guide →
Printing & reprographics contractors
Read the printing & reprographics guide →
Research, development & testing labs
Read the research & development guide →
Office & operating supplies distributors
Read the office & operating supplies guide →
← Back to all industries
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)