← Custodia
CMMC Level 1 · SBIR Phase I winners

CMMC Level 1 for sbir phase i awardees

First-time SBIR Phase I winners with a DoD component (AFWERX, NavalX, ARMY xTech, DIU, etc.) almost always sit at CMMC Level 1 for the duration of Phase I. Phase I award documents, kickoff materials, and progress reports are FCI; CUI is rare until Phase II and only when the agency explicitly marks deliverables.

Overview

If you just won your first DoD SBIR Phase I — congratulations, and welcome to compliance. The award letter, the contract, the kickoff slides, the monthly progress reports, and the final Phase I report all count as Federal Contract Information (FCI). That alone puts you in scope for FAR 52.204-21 and a CMMC Level 1 self-assessment.

Phase I is almost always Level 1 because the work product is feasibility research, not classified or CUI-marked technical data. Phase II and Phase III can drift into CUI territory if the agency starts sending marked deliverables or if the work touches export-controlled technology — but the safe baseline for Phase I is Level 1 with an annual SPRS affirmation.

The catch: SBIR companies are often 1–5 people with no IT staff, working out of WeWorks or home offices, using personal Gmail and consumer Dropbox. That is the single biggest compliance gap in the entire SBIR ecosystem, and it's exactly what FAR 52.204-21 is designed to close.

Typical contracts you'll see

  • AFWERX / SpaceWERX Phase I (Open Topics and Direct-to-Phase-II Topics)
  • Army xTech, Navy NavalX, and DIU prototype contracts
  • DARPA / DTRA / MDA SBIR topics
  • DHS S&T, DOE, NASA Phase I (when DoD-aligned)
  • Subawards from a Phase I prime to a small research partner

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

The SBIR Phase I award letter and contract
Kickoff and quarterly progress slide decks
Monthly and final technical reports submitted to the agency
Invoice and DD-250 acceptance correspondence
Award announcement details that are not yet public

Common pitfalls in this industry

  • Running the whole company out of personal Gmail / Dropbox / iCloud — fails FAR 52.204-21 (b)(1)(i), (iii), and (vii).
  • Sharing a single "admin@" login across the founding team — fails (b)(1)(i) identification and (b)(1)(ii) authentication.
  • Posting the award letter or technical approach to LinkedIn or your website before the agency clears it for public release — fails (b)(1)(iv) control of public information.
  • Letting a contract advisor or part-time CTO use their own personal Mac with no MFA or disk encryption — fails (b)(1)(i)–(iii).
  • Forgetting that the SPRS affirmation must be made by a senior official of the awardee company, not by your accountant or attorney.
  • Drifting into CUI in Phase II without re-scoping — once the agency sends a CUI-marked deliverable, you've moved from L1 to L2 and need a real enclave.

Your Level 1 action plan

  1. 01Move every founder onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced on every account — no personal email for award work.
  2. 02Pick one place where SBIR documents live (a single Workspace / OneDrive folder), and only grant access to named team members.
  3. 03Encrypt every laptop used for award work (FileVault for Macs, BitLocker for Windows) and require a password / passcode on phones.
  4. 04Stand up an antivirus / endpoint protection product on every device — built-in Defender or XProtect is fine for L1, just confirm it's on and updated.
  5. 05Write a one-page boundary description for the SBIR work: what tenant, what folder, who has access, how it's separated from public marketing material.
  6. 06Run the 15-practice self-assessment, document evidence, and have the senior official (typically the CEO / PI on the award) affirm the score in SPRS.
  7. 07Calendar the annual re-affirmation for 11 months out, and re-scope before Phase II kicks off if any deliverable will be CUI-marked.

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 541713Research & Development in Nanotechnology
  • 541714R&D in Biotechnology (except Nanobiotechnology)
  • 541715R&D in the Physical, Engineering & Life Sciences
  • 541330Engineering Services
  • 541511Custom Computer Programming Services
  • 541512Computer Systems Design Services

Frequently asked questions

Q.I just won my first AFWERX Phase I. Do I really need CMMC Level 1?

Yes. The moment you receive a federal contract — which the SBIR Phase I award is — you have Federal Contract Information (FCI) in your environment and FAR 52.204-21 applies. By the 48 CFR CMMC acquisition rule, that triggers a CMMC Level 1 self-assessment and an annual SPRS affirmation. The good news: Level 1 is the lightest tier and most Phase I companies can stand it up in a weekend.

Q.My Phase I award is unclassified and the work is open-source. Do I still need to bother?

Yes. "Unclassified" is not the same as "unrestricted." The award documents themselves (the contract, your invoices, your DD-250s, your progress reports) are FCI regardless of how open the research is. FAR 52.204-21 applies to the information system that processes that FCI — which includes the laptop you use to write the progress report and the email account you send it from.

Q.When do I move from CMMC Level 1 to Level 2 in the SBIR lifecycle?

When the agency starts sending you deliverables or reference material that is explicitly marked CUI under DFARS 252.204-7012, or when the contract flows down -7012 and you've actually received marked content. That commonly happens in Phase II for hardware programs, export-controlled tech, or anything touching ITAR. Phase I is almost always Level 1; Phase II is the moment to re-scope.

Q.Can my fractional CTO or contract engineer be the senior affirming official?

No. The senior affirming official under 32 CFR Part 170 must be a senior official of the awardee company itself — typically the CEO, President, or a named officer. A contractor or fractional employee is not eligible. For a small SBIR company, this is almost always the founder/PI listed on the award.

Q.Do I need to put my whole company through CMMC, or just the SBIR work?

Only the systems that process, store, or transmit FCI are in scope. If you have a small SBIR-only company, that's effectively the whole company. If you have non-DoD revenue running through a separate tenant or separate laptops, you can scope just the DoD-touching environment. Document the boundary clearly so a prime or government reviewer can see exactly what's in and out.

Related clauses

FAR 52.204-21
Basic Safeguarding of Covered Contractor Information Systems
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements

Related terms

Read more in the Library

Other Level 1 industries
Machine shops & precision manufacturers
Read the machine shops guide →
Construction, facilities & base-services subcontractors
Read the construction & facilities guide →
← Back to all industries
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

Take the free SPRS quizStart 7-day free trial

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)