← Custodia
CMMC Level 1 · Logistics & warehousing

CMMC Level 1 for logistics, warehousing & distribution contractors

Third party logistics, warehousing, distribution, and supply contractors moving and storing goods for the government sit at CMMC Level 1 for the common case. Contracts, manifests, inventory and shipment records, and delivery paperwork are Federal Contract Information (FCI). CUI is rare and usually tied to sensitive shipment details, routing for controlled items, or marked technical data for what is being stored.

Overview

If you warehouse, kit, distribute, or move goods under a federal contract, your award documents, manifests, inventory records, shipment and tracking data, and delivery paperwork are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.

Most logistics and warehousing work stays at Level 1. You move toward Level 2 only when the data you hold is marked CUI, for example sensitive routing or security details for controlled shipments, or marked technical data that travels with the items you store and handle.

Logistics firms often run a warehouse management system, a handful of office PCs, scanners, and an email tenant. Level 1 is very achievable here, but it means named accounts and MFA on the systems that hold federal manifests and inventory, and basic control over who can see shipment data.

Typical contracts you'll see

  • Warehousing and storage contracts for federal agencies and the military
  • Distribution and kitting task orders under DLA and GSA
  • Third party logistics subcontracts to a defense prime
  • Freight, drayage, and transportation services on and off installations
  • Supply and fulfillment under federal supply schedules

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

Contracts, task orders, modifications, and invoices
Manifests, packing lists, and bills of lading tied to the contract
Inventory records and warehouse management data for government owned stock
Shipment, tracking, and proof of delivery records
Receiving reports and DD-250 acceptance documents

Common pitfalls in this industry

  • Running the warehouse management system under a single shared login, which fails FAR 52.204-21 (b)(1)(i) and (ii).
  • Emailing manifests and inventory reports from personal accounts, which fails (b)(1)(iii).
  • Leaving the receiving office PC logged in and unattended on the warehouse floor, which works against (b)(1)(viii).
  • Granting every temp and seasonal worker full access to federal shipment data instead of least privilege.
  • Assuming pure pick and pack is out of scope. The FCI in the manifests and contracts is what triggers CMMC.
  • Skipping the annual SPRS affirmation after the first one.

Your Level 1 action plan

  1. 01Inventory the systems that hold federal FCI: the warehouse management system, office PCs, scanners that sync data, email, and backups.
  2. 02Confirm with the agency or prime whether any shipment or item data is marked CUI. Most general warehousing has none.
  3. 03Give each user a named account with MFA and set access to least privilege, so temps see only what they need.
  4. 04Move manifest and inventory exchange onto a paid Microsoft 365 or Google Workspace tenant rather than personal email.
  5. 05Lock down the receiving office and any PC that holds federal data with per person login and screen lock.
  6. 06Write a short boundary description: which systems hold federal manifests and inventory and who can access them.
  7. 07Run the 15 practice self-assessment, document evidence, then have a senior official affirm the score in SPRS and set the annual reminder.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 493110General Warehousing & Storage
  • 488510Freight Transportation Arrangement
  • 484110General Freight Trucking, Local
  • 484121General Freight Trucking, Long-Distance, Truckload
  • 541614Process, Physical Distribution & Logistics Consulting Services
  • 423990Other Miscellaneous Durable Goods Merchant Wholesalers

Frequently asked questions

Q.We just warehouse and ship government goods. Do we need CMMC?

Yes, once you hold a federal contract or subcontract. The manifests, inventory records, shipment data, invoices, and delivery documents are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices apply to your warehouse management system and office PCs, not to the forklift.

Q.When would a logistics firm be Level 2 instead of Level 1?

When the data you hold is marked CUI, such as sensitive routing or security details for controlled shipments, or marked technical data that travels with the items you store. General warehousing, distribution, and freight that only involve FCI stay at Level 1.

Q.We use temps and seasonal workers. How does that affect access control?

FAR 52.204-21 (b)(1)(i) through (iii) require you to identify users, authenticate them, and limit access to authorized users and the information they need. Give temps named accounts scoped to only the screens and data they need, and disable those accounts promptly when the assignment ends.

Q.Do I need an SSP for Level 1 as a warehousing contractor?

No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence that each of the 15 practices is met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.

Related clauses

FAR 52.204-21
Basic Safeguarding of Covered Contractor Information Systems
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements

Related terms

Read more in the Library

Other Level 1 industries
Machine shops & precision manufacturers
Read the machine shops guide →
SBIR Phase I awardees
Read the sbir phase i winners guide →
Construction, facilities & base-services subcontractors
Read the construction & facilities guide →
IT services & managed service providers (MSPs)
Read the it services & msps guide →
Software & application development firms
Read the software development guide →
Aerospace & aircraft parts manufacturers
Read the aerospace parts guide →
Metal fabrication & welding shops
Read the metal fabrication guide →
Base operations & facilities O&M contractors
Read the facilities & base ops guide →
Electronics & circuit card manufacturers
Read the electronics manufacturing guide →
Management & professional services consultants
Read the professional consulting guide →
Staffing & workforce services firms
Read the staffing services guide →
Janitorial & custodial services contractors
Read the janitorial & custodial guide →
Engineering services firms
Read the engineering services guide →
Medical & pharmaceutical supply distributors
Read the medical supply distribution guide →
Defense electronics & instrument makers
Read the defense electronics guide →
Shipbuilding & marine repair contractors
Read the shipbuilding & marine guide →
Industrial machinery & equipment suppliers
Read the industrial equipment guide →
Plastics & rubber products manufacturers
Read the plastics & rubber guide →
Textiles, apparel & uniform manufacturers
Read the textiles & apparel guide →
PPE & safety equipment suppliers
Read the ppe & safety equipment guide →
Medical device & instrument manufacturers
Read the medical devices guide →
Specialty trade subcontractors (electrical, plumbing)
Read the specialty trades guide →
HVAC & mechanical contractors
Read the hvac & mechanical guide →
Landscaping & grounds maintenance contractors
Read the landscaping & grounds guide →
Environmental & remediation services contractors
Read the environmental services guide →
Telecommunications & networking contractors
Read the telecommunications guide →
Cybersecurity & IT security services firms
Read the cybersecurity services guide →
Architecture & design firms
Read the architecture & design guide →
Security & guard services contractors
Read the security & guard services guide →
Training & education services providers
Read the training & education guide →
Marketing, media & creative services firms
Read the marketing & media guide →
Trucking & transportation contractors
Read the trucking & transportation guide →
Wholesale & product distribution contractors
Read the wholesale distribution guide →
Food services & catering contractors
Read the food services & catering guide →
Vehicle & equipment maintenance contractors
Read the vehicle maintenance guide →
Printing & reprographics contractors
Read the printing & reprographics guide →
Research, development & testing labs
Read the research & development guide →
Office & operating supplies distributors
Read the office & operating supplies guide →
← Back to all industries
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)