Overview
If you install or service HVAC and mechanical systems on federal buildings and installations, your work orders, submittals, service tickets, schedules, and base access paperwork are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
HVAC and mechanical work is overwhelmingly Level 1. CUI enters only in narrow cases: sensitive facility mechanical and control system drawings, industrial control system documentation for critical facilities, and similar marked material. Most installation and service work never sees marked CUI.
Mechanical contractors run a service dispatch system, a couple of office and trailer PCs, and an email tenant. Level 1 covers the systems that hold FCI: email and files for submittals and schedules, the service and office PCs, and controlled paperwork on site.
Typical contracts you'll see
- HVAC installation and replacement on federal facilities
- Mechanical service and maintenance contracts on bases
- Controls and building automation subcontracts
- Subcontracts under a construction or facilities prime
- Set-aside mechanical contracts (8(a), HUBZone, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running service and submittal email through personal accounts, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Using a shared service laptop or office PC with one login, which fails (b)(1)(i) and (ii).
- Leaving access rosters and pay applications unsecured in the truck or trailer, which fails (b)(1)(viii).
- Letting subs and 1099 techs use the owner's credentials.
- Assuming mechanical work is out of scope. The FCI in the paperwork is what triggers CMMC.
- Treating sensitive facility controls work as Level 1 when the drawings are marked CUI.
Your Level 1 action plan
- 01 Inventory the contracts: which prime or agency, any -7012 flow-down, any marked CUI. Most HVAC work has none.
- 02 Move service and project email onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03 Give techs and office staff named accounts and lock down the service and office PCs.
- 04 Pick one cloud folder for submittals, schedules, and tickets, and restrict access to the team.
- 05 Secure access rosters and pay applications in the office and truck, and keep a visitor log on site.
- 06 Write a short boundary description: which laptops, which tenant, which office, which truck.
- 07 Run the 15-practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 238220 Plumbing, Heating & Air-Conditioning Contractors
- 238290 Other Building Equipment Contractors
- 811310 Commercial & Industrial Machinery & Equipment Repair & Maintenance
- 238210 Electrical Contractors & Other Wiring Installation Contractors
- 561210 Facilities Support Services
Frequently asked questions
Q. We just service HVAC on a base. Do we need CMMC?
Yes, if you receive Federal Contract Information from the prime or agency. Work orders, submittals, schedules, and base access rosters are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices apply to the laptop and email you run the job from, not to the rooftop unit.
Q. Could HVAC work ever be Level 2?
Only in narrow cases. If you work on sensitive facility mechanical or control systems and receive marked CUI, such as building automation or control drawings stamped as CUI under DFARS 252.204-7012, that project is Level 2. Standard installation and service work is Level 1.
Q. Does the prime cover us as a mechanical sub?
No. CMMC flows down. If you receive FCI from the prime, you have your own FAR 52.204-21 obligation and need your own SPRS affirmation. The prime cannot affirm for you.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.