Overview
If you provide management consulting, program and project support, administrative support, or analysis for federal agencies, your task orders, deliverables, schedules, meeting notes, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Professional services work stays at Level 1 as long as the information you hold is FCI. It becomes Level 2 when the agency gives you marked CUI to work with, or when you access or store CUI as part of the engagement, for example pulling controlled data into your own analysis environment.
Consulting firms tend to run on a single cloud tenant, a lot of documents, and staff working from anywhere. That is workable at Level 1, but it requires named accounts with MFA, controlled document sharing, and a clear boundary so a reviewer can see exactly where federal FCI lives.
Typical contracts you'll see
- Management and program support task orders for civilian and defense agencies
- Administrative and operational support services
- Acquisition, financial, and analytic support contracts
- Subcontracts under a professional services prime
- 8(a), WOSB, SDVOSB, and HUBZone set-asides for support services
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running engagements out of personal email and consumer file sharing, which fails FAR 52.204-21(b)(1)(i) and (iii).
- Sharing deliverable folders with the whole company instead of the project team, which fails (b)(1)(iii).
- Letting subcontractor consultants use personal, unencrypted laptops with no MFA.
- Pulling marked CUI into the engagement without re-scoping to Level 2.
- Publishing client work, logos, or award details before the agency clears them, which fails (b)(1)(iv).
- Treating the SPRS affirmation as a one-time task instead of an annual obligation by a senior official.
Your Level 1 action plan
1. Decide, per engagement, whether you will ever hold marked CUI. If yes, scope that work as Level 2 with a controlled environment.
2. Move all federal work onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced on every account.
3. Give each consultant a named account and set deliverable and document access to least privilege per project.
4. Encrypt every laptop used for federal work and require a passcode on phones.
5. Keep a short list of which projects, folders, and people touch federal FCI.
6. Write a one-page boundary description: which tenant, which folders, who has access, how it is separated from marketing and personal systems.
7. Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541611 Administrative Management & General Management Consulting Services
- 541618 Other Management Consulting Services
- 541612 Human Resources Consulting Services
- 541990 All Other Professional, Scientific & Technical Services
- 561110 Office Administrative Services
Frequently asked questions
Q. We just write reports and give advice. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The task orders, your deliverables, your invoices, and your program correspondence are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your cloud tenant and laptops.
Q. When does a consulting engagement become Level 2?
When you store, process, or transmit CUI for the client, or the agency flows marked CUI under DFARS 252.204-7012 into your environment. Working only with FCI keeps you at Level 1. If a single engagement involves CUI, scope just that work as Level 2 and keep the rest of the firm at Level 1.
Q. Our consultants work from home and coffee shops. Is that allowed at Level 1?
Yes, if the systems are controlled. FAR 52.204-21 requires identified, authenticated users, access limited to authorized people, and basic protection of the systems. Remote work is fine when every consultant uses a named company account with MFA, an encrypted laptop, and controlled access to federal documents.
Q. Do I need an SSP for Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence that each of the 15 practices is met across the systems that handle FCI, plus a short boundary description and a current list of authorized users.