Overview
If you run dining facilities, catering, or food service on a federal site or military base, your contracts, schedules, headcount and meal records, invoices, and base access rosters are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Food service work is cleanly Level 1. There is essentially never CUI involved. The compliance scope is the small set of systems you use to run the contract: the email you send invoices and schedules from, the device that holds the base access roster, and any cloud folder for reports.
The common surprise for food service owners is that CMMC applies at all. It does, the moment Federal Contract Information flows. The fix is cheap and most food service firms can complete Level 1 in a weekend.
Typical contracts you'll see
- Dining facility (DFAC) operation contracts on military bases
- Catering and event food service for federal agencies
- Mess and galley services under NAVFAC and base operations
- Subcontracts under a base operations or facilities prime
- Set-aside food service contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
The contract paperwork itself is Federal Contract Information and triggers FAR 52.204-21: your contracts, schedules, headcount and meal records, invoices, and base access rosters. None of it is CUI on its own.
Common pitfalls in this industry
- Running the contract from a personal Gmail or a shared crew inbox, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Keeping the base access roster on an unlocked shared phone or PC, which works against (b)(1)(viii).
- Letting every staff member log into the company account with the owner's password, which fails (b)(1)(i) and (ii).
- Storing contracts and rosters in an unlocked office.
- Assuming food service is too low tech to be in scope. The FCI in the paperwork is what triggers CMMC.
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
1. List the systems that touch contract FCI: the email account, the device that holds rosters and schedules, and any cloud folder.
2. Move contract email onto a paid Microsoft 365 or Google Workspace tenant with MFA, even for a small office.
3. Give the owner and office staff named accounts and stop sharing one login.
4. Protect the device that holds the base access roster with a passcode, encryption, and a screen lock.
5. Keep schedules, reports, and invoices in one controlled folder rather than personal accounts.
6. Write a short, plain boundary description: which email, which device, which folder holds contract FCI.
7. Run the 15-practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
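Steps 3 and 4 are the ones a small firm most often cannot prove later. The PowerShell script below is an added example, not part of the original page, that collects the evidence for those steps from the Windows PC holding the roster: whether the system drive is BitLocker-encrypted, whether a password-protected screen lock is set, which local accounts are enabled (so a shared login stands out), and whether Defender's real-time protection and signature updates are current. It assumes a Windows 10/11 machine with the BitLocker module and Microsoft Defender available, an elevated PowerShell session, and a 15-minute lock timeout as the acceptable threshold (the threshold is this example's choice, not a figure from the page).

```powershell
# Added example (not from the original page): collect device-hardening evidence
# for the CMMC Level 1 self-assessment on the PC that holds the base access roster.
# Assumes Windows 10/11, the BitLocker module, Microsoft Defender, elevated session.

$report = [ordered]@{}
$report['Host']        = $env:COMPUTERNAME
$report['CollectedOn'] = Get-Date -Format 'yyyy-MM-dd'

# Encryption of the system drive, where the roster file lives (assumption: C:).
$os = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
$report['Encryption'] = if ($os -and $os.ProtectionStatus -eq 'On') { 'BitLocker ON' } else { 'NOT encrypted' }

# Screen lock: screen saver active, password required on resume, timeout within 15 minutes.
$desk    = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut          # seconds; 0 or missing means no auto-lock
$lockOk  = ($desk.ScreenSaveActive -eq '1') -and
           ($desk.ScreenSaverIsSecure -eq '1') -and
           ($timeout -gt 0) -and ($timeout -le 900)   # 900 s = 15 min, this example's threshold
$report['ScreenLock'] = if ($lockOk) { "Locks after $timeout s" } else { 'NOT configured' }

# Named accounts: every enabled local account should belong to one person.
$enabledUsers = Get-LocalUser | Where-Object Enabled
$report['EnabledLocalAccounts'] = ($enabledUsers.Name -join ', ')
$report['GuestAccountEnabled']  = [bool]($enabledUsers | Where-Object Name -eq 'Guest')

# Malicious code protection and updates: Defender real-time state and signature age.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['RealtimeProtection'] = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
$report['SignatureAgeDays']   = if ($mp) { $mp.AntivirusSignatureAge } else { 'unknown' }

# Show the findings and keep a dated JSON copy next to the boundary description.
$report.GetEnumerator() | Format-Table -AutoSize
$outFile = "level1-evidence-$($env:COMPUTERNAME)-$($report['CollectedOn']).json"
$report | ConvertTo-Json | Out-File -FilePath $outFile -Encoding utf8
```

Run it once when you set the device up and again before each annual affirmation; the two dated JSON files are the kind of evidence that shows the practice was in place for the whole period, not just on the day you filled in the self-assessment. Any line that reads NOT encrypted, NOT configured, a Guest account enabled, or more enabled accounts than you have staff is a finding to fix before you post the score.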
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 722310 Food Service Contractors
- 722320 Caterers
- 722330 Mobile Food Services
- 311999 All Other Miscellaneous Food Manufacturing
- 424410 General Line Grocery Merchant Wholesalers
Frequently asked questions
Q. We run a DFAC on a base. Why do we need CMMC?
Because the contract paperwork is Federal Contract Information. Your contracts, schedules, headcounts, base access roster, and invoices are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your email and the device that holds your roster, not on the kitchen.
Q. Could food service ever be Level 2?
Essentially never. Food service and catering do not involve Controlled Unclassified Information. Level 1 is the right and only tier for these contracts.
Q. I run a small catering company. Is the scope small?
Yes. If one email account and one device hold your contract FCI, that is your scope. The 15-practice self-assessment is quick for a small footprint, and a senior official posts the affirmation in SPRS.
Q. How much does Level 1 cost for a small food service firm?
The technical pieces are inexpensive: a business email tenant with MFA runs a few dollars per user per month, and most other practices use settings you already have. The main cost is the time to work through the 15 practices and post the affirmation, which most small firms can do in a weekend.