Overview
If you print documents, forms, signage, or materials for federal agencies, your contracts, the files you receive to print, schedules, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Printing and reprographics is usually Level 1. The content you handle is FCI unless the agency sends marked CUI to print. When marked CUI arrives under a DFARS 252.204-7012 flow-down, that job is Level 2 and needs a controlled workflow.
Print shops run prepress and production systems, office PCs, and an email tenant. Level 1 covers the systems that hold federal files and contract data, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Printing and reprographics task orders for federal agencies
- Forms, manuals, and document production contracts
- Signage and large format printing for federal sites
- Subcontracts under a document services or supply prime
- Set aside printing contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Receiving print files through personal email and consumer file sharing, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Storing agency files on an open prepress share readable by everyone, which fails (b)(1)(iii).
- Running prepress and production systems on shared logins, which fails (b)(1)(i) and (ii).
- Leaving printed materials and files unsecured in the shop, which works against (b)(1)(viii).
- Printing marked CUI content without a controlled Level 2 workflow.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01Inventory the systems that hold federal FCI: prepress and production systems, file transfer, office PCs, email, and backups.
- 02Move file transfer and contract email onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03Give each operator a named account and set agency file access to least privilege.
- 04Confirm with the agency whether any content to print is marked CUI. If so, set up a controlled Level 2 workflow.
- 05Secure printed materials and files in the shop, and control who can handle agency jobs.
- 06Write a short boundary description naming the systems that hold federal files and contract data.
- 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 323111Commercial Printing (except Screen & Books)
- 323113Commercial Screen Printing
- 323117Books Printing
- 323120Support Activities for Printing
- 561439Other Business Service Centers (including Copy Shops)
Frequently asked questions
Q.We just print documents for an agency. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, the files you receive to print, schedules, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your prepress systems and email.
Q.When would a print job be Level 2?
When the agency sends content explicitly marked as CUI to print under a DFARS 252.204-7012 flow-down. That job needs a controlled Level 2 workflow. Ordinary printing of unmarked agency content is Level 1.
Q.Are the files we receive to print FCI?
Yes, files you receive under a federal contract are FCI unless they are explicitly marked as CUI. Control access to them, transfer them through a business tenant rather than personal email, and secure the printed output.
Q.Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.