Overview
If you cut, bend, weld, or fabricate metal structures and components for military depots, shipyards, or defense primes, your work orders, drawings, repair specifications, and delivery documents are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Most fabrication and welding work is build-to-print from drawings that are not marked CUI. You move to Level 2 only when a prime flows down DFARS 252.204-7012 and sends technical data explicitly marked as Controlled Unclassified Information or Controlled Technical Information.
Fab shops tend to run lean on IT: a couple of office PCs, a shared estimating machine, and a lot of paper drawings on the floor. Level 1 is achievable for exactly this kind of shop, but it means tightening up accounts, email, and how drawings and POs are stored.
Typical contracts you'll see
- Subcontracts to defense primes for fabricated structures and weldments
- Depot and shipyard repair fabrication for the Army, Navy, and Air Force
- DLA buys for fabricated metal parts and assemblies
- Set-aside construction subcontracts that include structural steel and miscellaneous metals
- Build-to-print fabrication for ground support and material handling equipment
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Storing drawing and PO PDFs on a shared estimating PC with one login, which fails FAR 52.204-21 (b)(1)(i) and (ii).
- Emailing quotes and drawings from a personal account, which fails (b)(1)(iii), limit access to authorized users.
- Leaving paper drawings and delivery paperwork in an unlocked office overnight, which works against (b)(1)(viii), physical access.
- Assuming a dirty, low-tech shop is out of scope. The moment FCI flows, CMMC applies to the systems that hold it.
- Treating a single -7012 line in a master agreement as Level 2 when no marked CUI has actually arrived.
- Skipping the annual SPRS affirmation after the first one.
Your Level 1 action plan
1. Confirm with each prime in writing that no marked CUI has been or will be flowed down. Any confirmed CUI makes that contract Level 2.
2. Inventory the systems that touch FCI: office PCs, the estimating machine, email, the file share, and any backup.
3. Give each user a named, password-protected account with MFA on email and remote access, and retire shared logins.
4. Move quoting and drawing exchange onto a paid Microsoft 365 or Google Workspace tenant instead of personal email.
5. Lock the office and file cabinet that hold drawings and delivery paperwork, and keep the estimating PC from doubling as the public web browsing machine.
6. Write a short boundary description naming the systems that hold FCI and who can access them.
7. Run the 15-practice self-assessment, document the evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 332323: Ornamental & Architectural Metal Work Manufacturing
- 332312: Fabricated Structural Metal Manufacturing
- 332313: Plate Work Manufacturing
- 332710: Machine Shops
- 332999: All Other Miscellaneous Fabricated Metal Product Manufacturing
- 238120: Structural Steel & Precast Concrete Contractors
Frequently asked questions
Q. We just weld and fabricate to prints. Do we really need CMMC?
Yes, once you hold a federal contract or subcontract. The work orders, drawings, weld specs, invoices, and delivery documents are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic IT hygiene on your office PCs and email, not on the welder.
Q. When would a fab shop ever be Level 2?
When a prime flows down DFARS 252.204-7012 and sends you technical data explicitly marked as CUI or Controlled Technical Information. That is uncommon for general structural and repair fabrication, but it happens on sensitive programs. Until marked data actually arrives, build-to-print fabrication is Level 1.
Q. Most of our drawings are on paper. How does that affect scope?
Paper drawings that contain FCI bring physical protection into scope under FAR 52.204-21 (b)(1)(viii). In practice that means limiting who can handle them, locking them up when the office is closed, and controlling visitors. The digital copies and the systems that hold them are covered by the access and authentication practices.
Q. Can I do the Level 1 self-assessment without an IT department?
Yes. Level 1 is a self-assessment of 15 basic practices: accounts, passwords, MFA, antivirus, patching, access control, and physical security. Most fab shops with a competent IT person on retainer can complete it in a weekend and have a senior official affirm the result in SPRS.