Overview
If you perform research, development, or testing for federal agencies and labs, your contracts, progress reports, test data, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation. SBIR and STTR Phase I work is almost always Level 1.
Research and development sits near the CUI line because results, test data, and technical approaches can become marked or export controlled, especially in later phases or hardware programs. Work that involves only FCI is Level 1. When the agency marks deliverables as CUI under DFARS 252.204-7012, that work is Level 2.
R&D firms and labs run data and analysis systems, lab instruments and workstations, and an email tenant. Level 1 covers the systems that hold federal research FCI, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Federal research and development contracts and grants with FAR clauses
- SBIR and STTR awards (Phase I is almost always Level 1)
- Testing and evaluation laboratory contracts
- Subcontracts under a research or engineering prime
- Agency lab support and analysis task orders
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running research out of personal email and consumer drives, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Sharing lab and analysis system logins across the team, which fails (b)(1)(i) and (ii).
- Storing research data on an open share readable by everyone, which fails (b)(1)(iii).
- Continuing at Level 1 after the agency marks deliverables as CUI, which is Level 2.
- Publishing results or technical approaches before the agency clears them, which fails (b)(1)(iv).
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01 Scope each award: FCI only, or will deliverables be marked CUI? Confirm in writing, and re-scope before later phases.
- 02 Keep FCI-only research at Level 1 and place any CUI-marked work into a controlled enclave.
- 03 Move federal research onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 04 Set data and analysis access to least privilege and give every researcher a named account.
- 05 Encrypt workstations and laptops used for research and protect lab systems and remote access with MFA.
- 06 Write a one- to two-page boundary description naming the systems that hold research FCI and how CUI work is kept separate.
- 07 Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541715 R&D in the Physical, Engineering & Life Sciences (except Biotechnology & Nanotechnology)
- 541714 R&D in Biotechnology (except Nanobiotechnology)
- 541713 R&D in Nanotechnology
- 541380 Testing Laboratories
- 541720 R&D in the Social Sciences & Humanities
Frequently asked questions
Q. We won a federal research contract. Are we Level 1 or Level 2?
If the work involves only Federal Contract Information, you are Level 1, and SBIR or STTR Phase I work is almost always Level 1. You reach Level 2 when the agency marks deliverables as CUI under DFARS 252.204-7012, which is more common in later phases and hardware programs. Scope each award up front and re-scope before later phases.
Q. Our research is unclassified and open. Do we still need CMMC?
Yes. Unclassified is not the same as unrestricted. The award documents, your reports, your invoices, and your correspondence are Federal Contract Information regardless of how open the research is, and FAR 52.204-21 applies to the systems that process them.
Q. How do I know when research data becomes CUI?
CUI is explicitly marked by the agency with a CUI banner and category, or flows from a -7012 marked package. Export controlled data is often treated as CUI for safeguarding. If you expect markings but do not see them, ask the contracting officer rather than guessing.
Q. Do I need an SSP for the Level 1 part of my work?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. The Level 2 work does. For Level 1 you need evidence the 15 practices are met, a short boundary description, and a current list of authorized users.