Overview
If you manufacture medical instruments, devices, or surgical appliances for the VA, military treatment facilities, or other federal health buyers, your contracts, item specifications, drawings, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Device supply is usually Level 1. The data you hold for a typical order, the contract, the specification, the drawing, the delivery record, is FCI, not CUI. Protected health information, where it appears, brings its own privacy obligations that sit alongside CMMC rather than changing the CMMC tier.
Device makers run an ERP or quality system, engineering and production stations, and an email tenant. Level 1 covers the systems that hold federal contract and design information, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Medical and surgical device contracts for the VA and military treatment facilities
- Subcontracts to a medical device prime
- Instrument and equipment supply under federal supply schedules
- DLA Troop Support medical materiel buys
- Set aside medical device contracts (8(a), WOSB, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Storing device drawings and specs on an open share readable by everyone, which fails FAR 52.204-21 (b)(1)(iii).
- Running the quality or ERP system on a shared login, which fails (b)(1)(i) and (ii).
- Emailing contracts and specs from personal accounts, which fails (b)(1)(iii).
- Confusing privacy obligations for health data with CMMC scope, and addressing neither.
- Assuming device supply is too simple to be in scope. The FCI in the contracts and drawings is what triggers CMMC.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01Inventory the systems that hold federal FCI: ERP or quality system, engineering and production stations, email, and shared drives.
- 02Move contract and design exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03Give each engineer and order user a named account and set drawing and contract access to least privilege.
- 04Keep any protected health information handling aligned with its own privacy obligations, separate from but alongside CMMC.
- 05Separate program systems from public web browsing and the company website.
- 06Write a short boundary description naming the systems that hold federal contract and design information.
- 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 339112Surgical & Medical Instrument Manufacturing
- 339113Surgical Appliance & Supplies Manufacturing
- 334510Electromedical & Electrotherapeutic Apparatus Manufacturing
- 339114Dental Equipment & Supplies Manufacturing
- 423450Medical, Dental & Hospital Equipment & Supplies Merchant Wholesalers
Frequently asked questions
Q.We make medical instruments for the VA. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, specifications, drawings, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. That means a Level 1 self-assessment and an annual SPRS affirmation.
Q.Does handling patient or health data change my CMMC level?
Not by itself. Protected health information carries its own privacy obligations that are separate from CMMC. CMMC Level 1 covers the systems that hold Federal Contract Information. The same basic protections, named accounts, MFA, access control, and encryption, help satisfy both.
Q.Could a device contract be Level 2?
It is uncommon. You would reach Level 2 only if the contract flowed down DFARS 252.204-7012 and you received marked Controlled Unclassified Information, such as controlled technical data for a defense specific device. Ordinary medical device supply is Level 1.
Q.Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.