Overview
If you hold a federal contract or subcontract to mow, maintain grounds, landscape, or provide tree and pest services on a federal site or military base, your award documents, schedules, base access rosters, daily reports, and invoices are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Grounds and landscaping work is cleanly Level 1. There is essentially never CUI involved. The compliance scope is the small set of systems you use to run the contract: the email you send invoices and schedules from, the device that holds the base access roster, and any cloud folder for reports.
The most common surprise for grounds contractors is that CMMC applies at all. It does, the moment Federal Contract Information flows. The fix is cheap and most grounds firms can complete Level 1 in a weekend.
Typical contracts you'll see
- Grounds maintenance and mowing contracts on federal sites and bases
- Landscaping and tree service contracts under NAVFAC, AFCEC, and USACE
- Subcontracts under a facilities services prime
- GSA PBS grounds task orders on federal buildings
- Set aside grounds contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running the contract from a personal Gmail or a shared crew inbox, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Keeping the base access roster on an unlocked shared phone or PC, which works against (b)(1)(viii).
- Letting every crew member log into the company account with the owner's password, which fails (b)(1)(i) and (ii).
- Storing pay applications and rosters in an unlocked office or truck.
- Assuming grounds work is too low tech to be in scope. The FCI in the paperwork is what triggers CMMC.
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
- 01List the systems that touch contract FCI: the email account, the device that holds rosters and schedules, and any cloud folder.
- 02Move contract email onto a paid Microsoft 365 or Google Workspace tenant with MFA, even for a small office.
- 03Give the owner and office staff named accounts and stop sharing one login.
- 04Protect the device that holds the base access roster with a passcode, encryption, and a screen lock.
- 05Keep schedules, reports, and pay applications in one controlled folder rather than personal accounts.
- 06Write a short, plain boundary description: which email, which device, which folder holds contract FCI.
- 07Run the 15 practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 561730Landscaping Services
- 561790Other Services to Buildings & Dwellings
- 115112Soil Preparation, Planting & Cultivating
- 561210Facilities Support Services
- 561310Employment Placement Agencies
Frequently asked questions
Q.I just mow grass on a base. Why do I need CMMC?
Because the contract paperwork is Federal Contract Information. Your award documents, schedules, base access roster, daily reports, and invoices are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your email and the device that holds your roster, not on the mower.
Q.Could grounds work ever be Level 2?
Essentially never. Grounds and landscaping work does not involve Controlled Unclassified Information. Level 1 is the right and only tier for these contracts.
Q.I am a one or two person operation. Is the scope small?
Yes. If one email account and one device hold your contract FCI, that is your scope. The 15 practice self-assessment is quick for a small footprint, and a senior official posts the affirmation in SPRS.
Q.How much does Level 1 cost for a small grounds firm?
The technical pieces are inexpensive: a business email tenant with MFA runs a few dollars per user per month, and most other practices use settings you already have. The main cost is the time to work through the 15 practices and post the affirmation, which most small firms can do in a weekend.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Cost in 2026: DIY vs Consultant vs SaaS (Real Numbers)DIY says it's free. The consultant quote was $18,000. The SaaS bill is $249/mo. Here's the real math on each path through CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- DoD Cybersecurity Requirements: A Plain-English Guide for Non-Technical Business OwnersYou're not an IT person. You won a contract. The prime is asking weird questions. Here's exactly what they need, in English, without the acronym soup.