Overview
If you make or supply protective equipment, safety gear, or related consumables for federal agencies and the military, your contracts, item specifications, purchase orders, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Protective and safety equipment supply is cleanly Level 1. There is almost never CUI involved in standard gear production and distribution. The compliance scope is the small set of systems used to run the contract: email and file systems for specs and orders, the office and order desk PCs, and the delivery records.
Whether you manufacture or distribute, Level 1 covers the systems that hold federal contract and order information, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- DLA and agency contracts for protective and safety equipment
- Subcontracts to a safety equipment prime
- Field and individual protective equipment buys
- Industrial safety supply under federal supply schedules
- Set-aside safety equipment contracts (8(a), WOSB, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running orders and specs through personal email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Sharing one order desk login across the team, which fails (b)(1)(i) and (ii).
- Storing contracts and orders in a consumer drive open to everyone, which fails (b)(1)(iii).
- Assuming safety gear supply is too simple to be in scope. The FCI in the contract and orders is what triggers CMMC.
- Leaving contract paperwork unsecured in the office or warehouse, which works against (b)(1)(viii).
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
1. List the systems that hold contract FCI: email, the order or ERP system, the office and order desk PCs, and any backup.
2. Move contract and order email onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
3. Give each user a named account and set order and contract access to least privilege.
4. Keep contracts, specifications, and orders in one controlled location rather than personal accounts.
5. Protect the order desk and office PCs with screen lock and encryption.
6. Write a short boundary description naming the systems that hold contract FCI and who can access them.
7. Run the 15-practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 339113 Surgical Appliance & Supplies Manufacturing
- 315990 Apparel Accessories & Other Apparel Manufacturing
- 326199 All Other Plastics Product Manufacturing
- 423840 Industrial Supplies Merchant Wholesalers
- 424130 Industrial & Personal Service Paper Merchant Wholesalers
Frequently asked questions
Q. We just supply safety gear to the government. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, specifications, orders, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your office and order systems.
Q. Would PPE supply ever be Level 2?
Almost never. Standard protective and safety equipment supply does not involve Controlled Unclassified Information. Level 1 is the right tier. You would only reach Level 2 if a contract flowed down DFARS 252.204-7012 with marked technical data, which is not typical for gear supply.
Q. We both manufacture and distribute. Does that change the scope?
Not the tier. Whether you make or distribute, the systems that hold federal contract and order information are in scope at Level 1. Manufacturing may add drawings and specs to that scope, but the 15 practices and the annual affirmation are the same.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide): Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors: The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026: CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Cost in 2026: DIY vs Consultant vs SaaS (Real Numbers): DIY says it's free. The consultant quote was $18,000. The SaaS bill is $249/mo. Here's the real math on each path through CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1): If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026: FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.