Overview
If you mold, extrude, or fabricate plastic and rubber parts, seals, gaskets, hoses, or components for defense and federal supply, your purchase orders, drawings, material certifications, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Plastics and rubber work is almost entirely build to print from unmarked drawings, which keeps it at Level 1. A specific job reaches Level 2 only when a prime flows down DFARS 252.204-7012 and sends marked technical data, which is uncommon for commodity molded and fabricated parts.
These shops typically run an ERP or quality system, a couple of office PCs, and email. Level 1 covers those systems, which means named accounts, MFA, controlled access to drawings, and a clear boundary.
Typical contracts you'll see
- Subcontracts to defense primes for molded and fabricated parts
- Seal, gasket, and hose supply for military equipment
- DLA buys for plastic and rubber components
- Build to print molding for ground, air, and sea systems
- Replacement parts and consumables under federal supply schedules
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Emailing drawings and POs from personal accounts, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Running the quality or ERP system on one shared login, which fails (b)(1)(i) and (ii).
- Storing drawings on an open share that every contractor can read, which fails (b)(1)(iii).
- Assuming commodity parts are out of scope. The FCI in the paperwork is what triggers CMMC.
- Missing a rare -7012 flow-down on a specific program.
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
- 01 Confirm with each prime in writing that no marked CUI has been or will be flowed down for your parts.
- 02 Inventory the systems that hold FCI: ERP or quality system, office PCs, the file share, email, and backups.
- 03 Move drawing and PO exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 04 Give each user a named account and set drawing access to least privilege.
- 05 Separate program systems from public web browsing and the company website.
- 06 Write a short boundary description naming the systems that hold FCI and who can access them.
- 07 Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 326199 All Other Plastics Product Manufacturing
- 326299 All Other Rubber Product Manufacturing
- 326220 Rubber & Plastics Hoses & Belting Manufacturing
- 339991 Gasket, Packing & Sealing Device Manufacturing
- 326150 Urethane & Other Foam Product (except Polystyrene) Manufacturing
Frequently asked questions
Q. We just mold plastic parts to a print. Do we really need CMMC?
Yes, once you hold a federal contract or subcontract. The purchase orders, drawings, material certs, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your office systems and email.
Q. Would a molding job ever be Level 2?
Only if a prime flows down DFARS 252.204-7012 and sends technical data explicitly marked as CUI or Controlled Technical Information, which is uncommon for commodity molded and fabricated parts. Standard build to print work is Level 1.
Q. Is our quality system in scope?
Yes, if it holds POs, drawings, or inspection records that are FCI. The quality system, the office PCs, and the laptops that reach them are part of your Level 1 boundary and must meet the 15 practices: named accounts, MFA, access limited to authorized users, antivirus, and patching.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that handle FCI, plus a short boundary description and a current list of authorized users.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide): Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors: The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026: CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026: Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1): If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide): Most small defense contractors are Level 1, not Level 2 — but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.