Overview
If you build or repair vessels, fabricate marine components, or provide waterfront services for the Navy and its shipyards, your work orders, repair specifications, drawings, schedules, and acceptance paperwork are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Most hull, mechanical, and general repair work is build to print from unmarked packages and sits at Level 1. The CUI line appears on combat systems, sensors, and sensitive vessel design, where a prime or the Navy flows down DFARS 252.204-7012 and sends marked technical data. That work is Level 2.
Marine contractors run on a mix of office systems and waterfront paperwork. Level 1 covers the systems that hold FCI: the email and file systems for drawings and schedules, the office PCs, and the controlled documents on the pier.
Typical contracts you'll see
- Navy ship repair and maintenance availabilities
- Subcontracts to public and private shipyards
- Marine component fabrication and machinery overhaul
- Boat building and small craft contracts
- Waterfront and pier services for naval installations
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Sending drawings and repair specs through personal or shared email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Using a shared waterfront PC with one login for everyone, which fails (b)(1)(i) and (ii).
- Leaving access rosters and controlled drawings unsecured on the pier or in the trailer, which works against (b)(1)(viii).
- Assuming all Navy work is too sensitive to be Level 1, when most repair work is FCI only.
- Missing a real -7012 flow-down on a combat systems or sensitive vessel package.
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
- 01Confirm with each prime or the Navy whether any -7012 flow-down applies and whether marked technical data is in play.
- 02Inventory the systems that hold FCI: office PCs, waterfront laptops, the file system for drawings and schedules, email, and backups.
- 03Move drawing and schedule exchange onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 04Lock down waterfront and office PCs with named logins and screen lock, and control who can open program drawings.
- 05Secure controlled drawings and access rosters on the pier and in the trailer, and keep a visitor log.
- 06Write a short boundary description naming the systems that hold FCI and how marked work is kept separate.
- 07Run the 15 practice self-assessment, then have a senior official affirm the score in SPRS and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 336611Ship Building & Repairing
- 336612Boat Building
- 488390Other Support Activities for Water Transportation
- 332312Fabricated Structural Metal Manufacturing
- 333611Turbine & Turbine Generator Set Units Manufacturing
Frequently asked questions
Q.We do Navy ship repair. Is that always Level 2?
No. Most hull, mechanical, and general repair work is build to print from unmarked packages and is Level 1. It becomes Level 2 when a prime or the Navy flows down DFARS 252.204-7012 and sends technical data explicitly marked as CUI or Controlled Technical Information, which is common on combat systems and sensitive vessels.
Q.How do we keep waterfront paperwork compliant at Level 1?
Control the systems and the paper. Use named accounts with MFA for the email and file systems that hold drawings and schedules, lock down the waterfront PC, and secure controlled drawings and access rosters on the pier under FAR 52.204-21 (b)(1)(viii). Keep a visitor log where the trailer or shop is accessible.
Q.The prime asked for our SPRS affirmation before the availability. What do they need?
For Level 1 they need a current MET result on all 15 FAR 52.204-21 requirements, affirmed in SPRS by your senior official within the last 12 months. There is no numerical score and no third party assessment at Level 1.
Q.Do I need an SSP for Level 1 marine work?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that handle FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)Most small defense contractors are Level 1, not Level 2 — but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.