Overview
If you run a small IT shop or MSP and your federal work is break/fix, help desk, hardware refresh, cabling, or basic systems support, the information you touch (tickets, asset lists, contract POs, network drawings) is Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment, affirmed annually in SPRS by a senior official.
The hard part for IT firms is honest scoping. The instant you administer, store, or process a client's marked CUI (for example, you manage the file server where a manufacturer keeps DFARS 252.204-7012 technical data), you are no longer Level 1 for that work. You become a Level 2 obligation and, in CMMC terms, an External Service Provider whose own environment is in your client's assessment scope.
The practical answer for most small MSPs is to keep the federal book of business clean: serve FCI-only clients at Level 1, and carve out a separate, documented enclave (often GCC High) for any client whose data is marked CUI. Knowing which side of that line each contract sits on is the single most valuable thing you can document.
Typical contracts you'll see
- Help desk, desktop support, and managed IT task orders for small federal offices
- Hardware, peripherals, and network gear resale under GSA Schedule or SEWP
- Structured cabling and network installation on federal facilities
- IT subcontracts to a systems integration prime where no CUI is flowed down
- Microsoft 365 or Google Workspace setup and administration for FCI-only clients
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Assuming all federal IT work is Level 2. Plenty of help desk and hardware work is FCI-only and sits at Level 1.
- Missing the moment you cross into CUI. Administering a client system that stores marked CUI makes your own shop part of that client's Level 2 scope.
- Running client work out of a shared technician login with no per-person account, which fails FAR 52.204-21 (b)(1)(i) and (ii).
- Storing client network documentation and credentials in a personal password manager or a consumer cloud drive.
- Reusing one global admin account across the whole team instead of named, MFA-protected admin identities.
- Skipping the annual SPRS affirmation, which DoD now treats as False Claims Act exposure under the Civil Cyber-Fraud Initiative.
Your Level 1 action plan
1. Classify every federal contract: FCI-only or CUI involved. Confirm in writing with each client and prime whether any marked CUI is in play.
2. Separate the two books of business. Keep FCI-only clients at Level 1 and stand up a documented CUI enclave for anything marked.
3. Give every technician a named company account with MFA, and replace shared admin logins with individual privileged identities.
4. Inventory the systems that hold federal FCI: your ticketing tool, your documentation platform, your email tenant, and your remote management tooling.
5. Lock down remote access (RMM, VPN, jump hosts) with MFA and least privilege, since that is the path an attacker uses to reach every client at once.
6. Write a one- to two-page boundary description naming the systems that touch FCI and how they are kept separate from public-facing and personal systems.
7. Run the 15 FAR 52.204-21 practices, document the evidence, then have a senior official post and affirm the score in SPRS and calendar the annual re-affirmation.
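Steps 3 and 5 of the plan (named accounts, MFA on admin identities, least privilege on the accounts that can reach every client) are the ones a small MSP can actually verify from data it already has. The script below is an added example, not code from the page or any CMMC tool: it audits a user export from your identity provider and flags shared or generic logins, accounts without MFA, and privileged accounts that nobody has used in months. The CSV layout, the column names, the `GENERIC_LOGINS` list and the 90-day staleness threshold are all assumptions; the sample export is constructed and represents no real tenant.

```python
"""Audit a user export for the access-control items in the Level 1 action plan.

Assumed input: a CSV with columns username, display_name, role, mfa_enabled,
last_login. Map these to whatever your identity provider actually exports.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample export (hypothetical accounts, not a real tenant).
SAMPLE_EXPORT = """\
username,display_name,role,mfa_enabled,last_login
jsmith,Jane Smith,technician,true,2026-01-14
rpatel,Raj Patel,global_admin,true,2026-01-13
helpdesk,Help Desk Shared,technician,false,2026-01-14
admin,Admin,global_admin,false,2025-09-02
mlee,Mei Lee,technician,false,2026-01-10
"""

# Assumed date the audit is run on (fixed so results are reproducible).
AUDIT_DATE = date(2026, 1, 15)

# Login names that indicate a shared or generic identity rather than a person
# (assumed list; extend it with whatever naming your shop has used historically).
GENERIC_LOGINS = {"admin", "administrator", "helpdesk", "support", "tech", "root"}
# Roles treated as privileged (assumed role names).
PRIVILEGED_ROLES = {"global_admin", "domain_admin"}
# Privileged accounts idle this long are flagged for a least-privilege review (assumption).
STALE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    username: str
    check: str
    detail: str


def is_shared_login(username: str, display_name: str) -> bool:
    """True when the account looks like a shared or generic technician login."""
    u = username.strip().lower()
    return u in GENERIC_LOGINS or "shared" in display_name.lower()


def audit(csv_text: str, today: date) -> list[Finding]:
    """Run the shared-login, MFA and stale-privilege checks over one export."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        mfa = row["mfa_enabled"].strip().lower() == "true"
        privileged = row["role"].strip() in PRIVILEGED_ROLES
        last_login = date.fromisoformat(row["last_login"].strip())
        idle_days = (today - last_login).days

        # Shared technician logins are the case the page ties to FAR 52.204-21 (b)(1)(i) and (ii).
        if is_shared_login(user, row["display_name"]):
            findings.append(Finding(user, "shared-login",
                                    "not a named individual; replace with per-person accounts"))
        # Step 3: every technician and every admin identity gets MFA.
        if privileged and not mfa:
            findings.append(Finding(user, "privileged-no-mfa", "admin identity without MFA"))
        elif not mfa:
            findings.append(Finding(user, "user-no-mfa", "technician account without MFA"))
        # Step 5: privileged accounts nobody uses are least-privilege review items.
        if privileged and idle_days > STALE_DAYS:
            findings.append(Finding(user, "stale-privileged",
                                    f"no login in {idle_days} days; remove or downgrade"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per check, handy for the evidence file behind the SPRS score."""
    return dict(Counter(f.check for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT, AUDIT_DATE)
    for f in results:
        print(f"{f.check:18} {f.username:10} {f.detail}")
    print(summarize(results))
```

Run it against the real export after replacing `SAMPLE_EXPORT`, and keep the printed findings alongside the user list as part of the evidence for the Level 1 self-assessment; an empty result set is what you want to be able to show before the senior official affirms in SPRS.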
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541512: Computer Systems Design Services
- 541513: Computer Facilities Management Services
- 541519: Other Computer Related Services
- 541511: Custom Computer Programming Services
- 517311: Wired Telecommunications Carriers
- 423430: Computer & Peripheral Equipment Merchant Wholesalers
Frequently asked questions
Q. I run an MSP for a defense manufacturer. Am I Level 1 or Level 2?
It depends on what data lives on the systems you manage. If your client only handles FCI and you support their general IT, you are Level 1. The moment your client stores marked CUI under DFARS 252.204-7012 on a system you administer, store, or back up, that work is Level 2, and your own environment becomes part of your client's assessment scope as an External Service Provider. Many MSPs run a clean Level 1 practice for FCI-only clients and a separate enclave for CUI clients.
Q. Does selling hardware to a federal office require CMMC?
If you hold a federal contract or subcontract to supply and support that hardware, the contract paperwork, POs, and any asset or user information are FCI, so FAR 52.204-21 and a Level 1 self-assessment apply. Pure catalog resale with no ongoing access to federal information is a lighter footprint, but the safe assumption once you have a contract is Level 1.
Q. What is an External Service Provider, and does it apply to my IT firm?
An External Service Provider (ESP) is an outside company that handles a contractor's covered information or security functions. If you manage systems that process or store a client's CUI, the CMMC rules treat your relevant environment as in scope for that client's Level 2 assessment. For Level 1 FCI-only work there is no formal ESP assessment, but you still owe your own FAR 52.204-21 self-assessment.
Q. Do I need an SSP for Level 1 as an IT provider?
No. The 32 CFR Part 170 rule does not require a System Security Plan for Level 1. You need evidence that each of the 15 practices is met across the systems that touch FCI. A short boundary description plus a current list of authorized users and admins is enough.