
CMMC Level 1 for machine shops & precision manufacturers

Small CNC, precision-machining, and metal-fabrication shops are the single largest population sitting at CMMC Level 1. They typically receive Federal Contract Information (FCI) — drawings, purchase orders, delivery schedules — from a DoD prime, but never receive Controlled Unclassified Information (CUI) like technical data marked under DFARS 252.204-7012.

Overview

If you run a 5–50 employee machine shop and your DoD work flows through a prime like Lockheed, Northrop, RTX, GD, or one of the larger tier-2 subs, you almost certainly sit at CMMC Level 1 — not Level 2. The work order, the PO, the delivery schedule, and even most engineering drawings count as Federal Contract Information (FCI), not CUI.

CUI only enters the picture when the prime explicitly marks technical data under DFARS 252.204-7012 (the famous "Safeguarding Covered Defense Information" clause) and flows that marked data down to you in writing. If you have never received an explicitly marked CUI package — and you have never signed a -7012 flow-down — you are a Level 1 shop.

Level 1 is the 15-practice self-assessment from FAR 52.204-21, scored binary (met / not met), affirmed annually in SPRS by a senior official. No C3PAO, no third-party audit, no SSP requirement, no POA&M. It is the cheapest tier in CMMC and the one most machine shops can complete in a weekend.

Typical contracts you'll see

  • Tier-2 / tier-3 subcontracts to the major DoD primes (Lockheed, Northrop, RTX, GD, Boeing Defense, BAE)
  • DLA Land & Maritime / DLA Aviation direct buys for spare parts and consumables
  • Navy/Air Force depot-level repair contracts and spares
  • SBIR/STTR Phase I subcontracts for prototype machining
  • GSA Schedule and SEWP work where the underlying scope is parts/fabrication

What FCI actually looks like for you

Everything listed below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

  • Purchase orders and statements of work from a DoD prime
  • 2D drawings and 3D models that are NOT marked as Controlled Technical Information (CTI) or Export Controlled
  • Delivery schedules, packing slips, and DD-250 acceptance documents
  • Quality clauses and first-article inspection requirements
  • Performance reports and corrective action requests

Common pitfalls in this industry

  • Assuming every drawing from a DoD prime is CUI — most aren't. CUI must be explicitly marked.
  • Letting a single "DFARS 252.204-7012 applies" line in a master agreement push you to Level 2 when no marked CUI has actually been sent.
  • Storing PO and drawing PDFs in personal Gmail or Dropbox accounts (fails FAR 52.204-21(b)(1)(iii): limit access to authorized users).
  • Letting the shop floor PC run as a shared local-admin account with no per-user login (fails 3.1.1 / 3.1.2).
  • Forgetting that public-facing systems (the company website, a customer-quote portal) must be separated from the system handling FCI (fails 3.1.3).
  • Skipping the annual SPRS affirmation after the first one — DoD now treats a stale affirmation as a False Claims Act exposure under the Civil Cyber-Fraud Initiative.

Your Level 1 action plan

  1. Confirm in writing with each prime that no marked CUI has been or will be flowed down. If any prime confirms CUI, that contract is Level 2 and needs a separate enclave.
  2. Inventory every system that touches FCI: shop laptops, office PCs, the file server, the email tenant, the ERP / MRP system, and the backup target.
  3. Pull personal accounts off DoD work: every user gets a named, password-protected company account with MFA on email and remote access.
  4. Lock down the shop-floor PC: per-user login, screen lock, no internet browsing on the same account that opens drawings.
  5. Write a 1–2 page boundary description ("What systems hold FCI, who can access them, how they're separated from public-facing systems"). This is your scoping artifact.
  6. Run through the 15 FAR 52.204-21 practices, mark each as met / not met, and document the evidence. This is your Level 1 self-assessment.
  7. Have a senior official (owner, president, or designated officer) post and affirm the score in SPRS, then put a calendar reminder for the annual re-affirmation.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 332710 – Machine Shops
  • 332721 – Precision Turned Product Manufacturing
  • 332722 – Bolt, Nut, Screw, Rivet & Washer Manufacturing
  • 332912 – Fluid Power Valve & Hose Fitting Manufacturing
  • 332999 – All Other Miscellaneous Fabricated Metal Product Manufacturing
  • 333517 – Machine Tool Manufacturing
  • 336413 – Other Aircraft Parts & Auxiliary Equipment Manufacturing

Frequently asked questions

Q. Does my machine shop need CMMC Level 2 if I make parts for an F-35 program?

Not automatically. The program being classified-adjacent does not put you at Level 2. What puts you at Level 2 is receiving CUI that is explicitly marked under DFARS 252.204-7012 — for example, drawings stamped "Controlled Technical Information" or "Export Controlled" with a CUI banner. If your prime has only sent you unmarked POs and drawings, you are a Level 1 shop, even on an F-35 program.

Q. My prime sent me a drawing with an ITAR / Export Controlled stamp. Am I still Level 1?

ITAR / Export Control alone does not equal CUI under -7012, but most primes will treat ITAR-marked technical data as CUI for safeguarding purposes and will flow down -7012. If a -7012 flow-down clause is in your subcontract AND you've received marked technical data, that contract is Level 2. You can still run Level 1 for your non-CUI work — many shops do this by carving out a small CUI enclave (often GCC High) for the -7012 contracts and keeping the rest of the business at Level 1.

Q. Can I do my Level 1 self-assessment myself, or do I need to hire a consultant?

You can do it yourself. Level 1 is explicitly a self-assessment — the 15 practices in FAR 52.204-21 are basic IT hygiene (passwords, MFA, antivirus, patching, access control, physical security). Most machine-shop owners with a competent IT person on staff or on retainer can complete the assessment in a weekend. A consultant is useful if you're unsure about scoping or if you have any chance of needing Level 2 in the next 12 months.

Q. Do I need an SSP for Level 1?

No. The 32 CFR Part 170 final rule explicitly does not require a System Security Plan (SSP) for Level 1. You only need evidence that each of the 15 practices is met. A short boundary description and a list of users with access to FCI is plenty.

Q. What happens at the annual affirmation?

A senior official at your company logs into SPRS at least once every 12 months and re-affirms that all 15 Level 1 practices remain met. There is no re-assessment fee and no third-party involvement. Miss the affirmation and your score becomes stale, which means primes will treat you as non-compliant and could pull awards — and a knowingly false affirmation creates False Claims Act exposure.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)