Overview
If you supply office products, janitorial and operating supplies, or maintenance, repair, and operations (MRO) items to federal agencies under schedules and contracts, your contracts, purchase orders, catalog and pricing files, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Commodity supply is cleanly Level 1. There is essentially never CUI involved in selling and delivering office and operating supplies. The compliance scope is the systems used to run the contract: the order or ERP system, the email tenant, and the office and order desk PCs.
Level 1 covers the systems that hold federal contract and order information, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Office and operating supply contracts under federal supply schedules
- Janitorial and sanitation supply buys for federal facilities
- MRO and consumable supply task orders
- Subcontracts to a supply or facilities prime
- Set aside supply contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running orders and invoices through personal email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Sharing one order desk login across the team, which fails (b)(1)(i) and (ii).
- Leaving EDI and ordering portals on weak or shared credentials.
- Storing contracts and orders in a consumer drive open to everyone, which fails (b)(1)(iii).
- Assuming commodity supply is too simple to be in scope. The FCI in the contracts and orders is what triggers CMMC.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01. Inventory the systems that hold FCI: order or ERP system, EDI, email, the order desk and office PCs, and backups.
- 02. Move order and invoice exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03. Give each order desk user a named login and set access to least privilege.
- 04. Protect EDI and ordering portals with strong, individual credentials and MFA where supported.
- 05. Keep contracts, catalogs, and orders in one controlled location rather than personal accounts.
- 06. Write a short boundary description naming the systems that hold federal contract and order information.
- 07. Run the 15-practice self-assessment, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 424120 Stationery & Office Supplies Merchant Wholesalers
- 423210 Furniture Merchant Wholesalers
- 424130 Industrial & Personal Service Paper Merchant Wholesalers
- 423430 Computer & Computer Peripheral Equipment & Software Merchant Wholesalers
- 453210 Office Supplies & Stationery Retailers
Frequently asked questions
Q. We just supply office and cleaning products to agencies. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, purchase orders, catalog and pricing data, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your order systems and email.
Q. Would commodity supply ever be Level 2?
Essentially never. Selling and delivering office and operating supplies does not involve Controlled Unclassified Information. Level 1 is the right tier.
Q. Is our order or EDI system in scope?
Yes, if it holds federal orders, line items, or contract data. That system, the email tenant, and the laptops that reach them are part of your Level 1 boundary and must meet the 15 practices: named accounts, MFA, access limited to authorized users, antivirus, and patching.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide): Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors: The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026: CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Cost in 2026: DIY vs Consultant vs SaaS (Real Numbers): DIY says it's free. The consultant quote was $18,000. The SaaS bill is $249/mo. Here's the real math on each path through CMMC Level 1.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026: FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1): If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.