Overview
If you provide marketing, communications, public affairs support, video, or creative services for federal agencies, your contracts, creative files, schedules, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Creative and communications work is usually Level 1. CUI is uncommon and appears only when the agency provides marked sensitive material to work with. Most public-facing campaign and communications work runs on FCI.
Creative firms run project and asset management tools, design and video systems, and an email tenant. Level 1 covers the systems that hold federal FCI, which means named accounts, MFA, controlled access to deliverables, and a clear boundary.
Typical contracts you'll see
- Marketing, communications, and public affairs support contracts
- Video, multimedia, and creative production task orders
- Campaign, outreach, and design services for agencies
- Subcontracts under a communications or professional services prime
- Set-aside creative services contracts (8(a), WOSB, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running creative work through personal accounts and consumer file sharing, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Sharing asset libraries with the whole company instead of the project team, which fails (b)(1)(iii).
- Letting freelance creatives use personal, unencrypted laptops with no MFA.
- Publishing agency work or campaign details before they are cleared for release, which fails (b)(1)(iv).
- Holding marked sensitive material the agency provided without re-scoping to Level 2.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01 Decide, per engagement, whether the agency will provide marked CUI. If yes, scope that work as Level 2.
- 02 Move federal creative work onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03 Set project and asset access to least privilege and give each creative a named account.
- 04 Encrypt laptops used for federal work and protect cloud creative tools with MFA.
- 05 Keep deliverables and review materials in a controlled location, not personal accounts.
- 06 Write a short boundary description naming the systems that hold federal FCI and who can access them.
- 07 Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541810 Advertising Agencies
- 541820 Public Relations Agencies
- 541613 Marketing Consulting Services
- 541430 Graphic Design Services
- 512110 Motion Picture & Video Production
Frequently asked questions
Q. We just do marketing for a federal agency. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, creative deliverables, schedules, and correspondence are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your cloud tools and laptops.
Q. Our work is public-facing. Does that remove the FCI?
No. Even when the end product is public, the contract, your invoices, the drafts, and the program correspondence in your environment are FCI until and unless cleared. FAR 52.204-21 applies to the systems that hold that information.
Q. When would creative work be Level 2?
When the agency provides marked CUI for you to store or work with. That is uncommon for marketing and communications. Most creative engagements involve only FCI and stay at Level 1.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.