Overview
If you hold a federal contract or subcontract to clean buildings, restrooms, and common areas on a federal site or military base, your award documents, cleaning schedules, base access rosters, daily reports, and invoices are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Custodial work is about as cleanly Level 1 as federal work gets. There is almost never CUI involved. The compliance scope is the small set of systems you use to run the contract: the email you send invoices and schedules from, the laptop or phone that holds the base access roster, and any cloud folder where you keep reports.
The most common surprise for custodial owners is that CMMC applies at all. It does, the moment Federal Contract Information flows. The good news is that the fix is cheap and fast, and most custodial firms can complete Level 1 in a weekend.
Typical contracts you'll see
- Custodial and cleaning contracts for federal buildings and courthouses
- Base custodial services under NAVFAC, AFCEC, and USACE
- Subcontracts under a facilities services prime
- GSA PBS custodial task orders on federal buildings
- AbilityOne and small business set-aside custodial contracts
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running the contract from a personal Gmail or a shared crew inbox, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Keeping the base access roster on an unlocked shared phone or PC, which works against (b)(1)(viii).
- Letting every cleaner log into the company account with the owner's password, which fails (b)(1)(i) and (ii).
- Storing pay applications and rosters in an unlocked office or vehicle.
- Assuming that because the work is cleaning, CMMC does not apply. The FCI in the paperwork is what triggers it.
- Skipping the annual SPRS affirmation after the first one.
Your Level 1 action plan
1. List the systems that touch contract FCI: the email account, the laptop or phone that holds rosters and schedules, and any cloud folder.
2. Move contract email onto a paid Microsoft 365 or Google Workspace tenant with MFA, even for a one- or two-person office.
3. Give the owner and office staff named accounts and stop sharing one login.
4. Protect the device that holds the base access roster with a passcode, encryption, and a screen lock.
5. Keep schedules, reports, and pay applications in one controlled folder rather than scattered across personal accounts.
6. Write a short, plain boundary description: which email, which device, which folder holds contract FCI.
7. Run the 15-practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 561720: Janitorial Services
- 561740: Carpet & Upholstery Cleaning Services
- 561790: Other Services to Buildings & Dwellings
- 561210: Facilities Support Services
- 561599: All Other Travel Arrangement & Reservation Services
Frequently asked questions
Q. I just clean a federal building. Why do I need CMMC?
Because the contract paperwork is Federal Contract Information. Your award documents, schedules, base access roster, daily reports, and invoices are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your email and the device that holds your roster, not on the mop and bucket.
Q. Could a janitorial contract ever be Level 2?
Almost never. Custodial work does not normally involve Controlled Unclassified Information. The rare exception would be cleaning inside a sensitive facility where you are given marked CUI, such as security plans, which is unusual. For nearly all janitorial contracts, Level 1 is the right and only tier.
Q. I am a one-person cleaning company. Do I still have to do this?
Yes, if you hold a federal contract or subcontract. The size of the company does not change the obligation. The upside is that a one-person operation has a tiny scope: one email account and one device, which makes the 15-practice self-assessment quick to complete.
Q. How much does Level 1 cost for a small custodial firm?
The technical pieces are inexpensive: a business email tenant with MFA runs a few dollars per user per month, and most other practices use settings you already have. The real cost is the time to work through the 15 practices and post the affirmation, which most small firms can do in a weekend or with a guided platform.