
CMMC Level 1 for software & application development firms

Small custom software, web, and application development shops building for federal agencies or for a DoD prime usually start at CMMC Level 1. Requirements documents, source code written under contract, tickets, and award paperwork are Federal Contract Information (FCI). You move to Level 2 only when the system you build or operate stores, processes, or transmits marked Controlled Unclassified Information (CUI).

Overview

If your shop writes custom software, builds web applications, or modernizes legacy systems for the government, the requirements, the backlog, the source you produce under contract, and the award documents are Federal Contract Information. That puts you in scope for FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.

The trigger for Level 2 is the data the application handles, not the act of coding. If you are building a public information site, an internal workflow tool, or a prototype that never touches CUI, you stay at Level 1. If the system you deliver or operate will store or process CUI, or the agency flows marked CUI into your development and test environments, that contract is Level 2.

Most early stage software vendors run everything through a single cloud tenant, a code host, and a handful of laptops. That is fine for Level 1, but it has to be locked down: named accounts, MFA, controlled repository access, and a clear boundary so a reviewer can see exactly where federal FCI lives.

Typical contracts you'll see

  • Custom application development and modernization task orders for civilian and defense agencies
  • Web and portal builds for federal program offices
  • Agile development subcontracts under a systems integration prime
  • SBIR and STTR software prototypes (Phase I is almost always Level 1)
  • Maintenance and enhancement task orders on government owned applications that hold FCI only

What FCI actually looks like for you

Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.

  • Requirements documents, user stories, and backlogs tied to the contract
  • Source code and build artifacts produced for the government under the contract
  • Tickets, sprint reports, and release notes shared with the program office
  • Award documents, modifications, invoices, and acceptance correspondence
  • Test data and user lists that are not marked CUI

Common pitfalls in this industry

  • Hosting the code repository and project tooling under personal accounts shared across the team, which fails FAR 52.204-21 (b)(1)(i) and (ii).
  • Leaving repositories and cloud projects world readable or open to every contractor, which fails (b)(1)(iii), limiting access to authorized users.
  • Putting real CUI into development or test environments without re-scoping to Level 2.
  • Letting a fractional or 1099 developer use a personal, unencrypted laptop with no MFA.
  • Publishing screenshots, architecture, or award details before the agency clears them for public release, which fails (b)(1)(iv).
  • Treating the SPRS affirmation as one and done instead of an annual obligation by a senior official.

Your Level 1 action plan

  1. Decide, per contract, whether the system will ever hold CUI. If yes, scope that contract as Level 2 with a separate environment.
  2. Move source control, issue tracking, and CI into accounts with named identities and MFA, and remove access for anyone off the project.
  3. Set repository and cloud project permissions to least privilege, so only authorized team members can read federal code and data.
  4. Encrypt every development laptop and require a screen lock and a passcode on phones used for project work.
  5. Keep production secrets and credentials in a managed secrets store, not in code, chat, or a shared note.
  6. Write a one page boundary description: which tenant, which repos, which environments hold FCI, and who has access.
  7. Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
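The pitfalls above and steps 2, 3, 4 and 6 of the action plan amount to an access review of the Level 1 boundary. The script below is an added example, not code from the Custodia page: it runs those checks (shared or personal accounts, missing MFA, world readable FCI repositories, collaborators who are off the project, unencrypted laptops) over a constructed inventory and also emits the step 6 boundary summary as structured data. The inventory format, the account and repository names, and the domain are all hypothetical; a real shop would export equivalent data from its code host, identity provider, and device management tool.

```python
"""Access review for a small CMMC Level 1 boundary.

Added example, not from the Custodia page. It checks a constructed
inventory against the Level 1 expectations the guide lists (named
accounts, MFA, least-privilege repository access, no off-project users,
encrypted laptops) and produces the step 6 boundary description.
The inventory shape below is an assumption, not a real export format.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inventory. All names, domains and repositories are
# hypothetical placeholders, not real accounts or projects.
INVENTORY: Dict = {
    "boundary": {
        "company_domain": "example-shop.test",
        "project_members": ["alice", "bob", "carol"],  # currently on the project
    },
    "accounts": [
        {"user": "alice",   "email": "alice@example-shop.test", "mfa": True,  "shared": False},
        {"user": "bob",     "email": "bob@example-shop.test",   "mfa": False, "shared": False},
        {"user": "devteam", "email": "devteam@webmail.test",    "mfa": True,  "shared": True},
        {"user": "dave",    "email": "dave@example-shop.test",  "mfa": True,  "shared": False},
    ],
    "repos": [
        {"name": "agency-portal",      "holds_fci": True,  "visibility": "private",
         "collaborators": ["alice", "bob", "devteam"]},
        {"name": "agency-portal-docs", "holds_fci": True,  "visibility": "public",
         "collaborators": ["alice", "dave"]},
        {"name": "marketing-site",     "holds_fci": False, "visibility": "public",
         "collaborators": ["carol"]},
    ],
    "laptops": [
        {"owner": "alice", "disk_encrypted": True,  "screen_lock": True},
        {"owner": "bob",   "disk_encrypted": False, "screen_lock": True},
    ],
}


@dataclass
class Finding:
    practice: str   # which Level 1 expectation from the guide is missed
    subject: str    # account, repository or laptop the finding is about
    detail: str


def review(inv: Dict) -> List[Finding]:
    """Return one Finding per gap against the Level 1 expectations."""
    findings: List[Finding] = []
    domain = inv["boundary"]["company_domain"]
    members = set(inv["boundary"]["project_members"])

    for acct in inv["accounts"]:
        if acct["shared"]:
            findings.append(Finding("named accounts", acct["user"],
                                    "shared account; issue one identity per person"))
        if not acct["email"].endswith("@" + domain):
            findings.append(Finding("named accounts", acct["user"],
                                    "personal email domain; move to a company identity"))
        if not acct["mfa"]:
            findings.append(Finding("MFA", acct["user"], "MFA not enforced"))

    for repo in inv["repos"]:
        if not repo["holds_fci"]:
            continue  # commercial or public work sits outside the boundary
        if repo["visibility"] != "private":
            findings.append(Finding("limit access to authorized users", repo["name"],
                                    f"FCI repository is {repo['visibility']}"))
        for user in repo["collaborators"]:
            if user not in members:
                findings.append(Finding("limit access to authorized users", repo["name"],
                                        f"collaborator {user} is not on the project"))

    for laptop in inv["laptops"]:
        if not laptop["disk_encrypted"]:
            findings.append(Finding("encrypted endpoints", laptop["owner"],
                                    "disk not encrypted"))
        if not laptop["screen_lock"]:
            findings.append(Finding("encrypted endpoints", laptop["owner"],
                                    "screen lock not enforced"))
    return findings


def boundary_summary(inv: Dict) -> Dict:
    """The 'one page boundary description' from step 6 as structured data."""
    fci_repos = [r for r in inv["repos"] if r["holds_fci"]]
    return {
        "tenant": inv["boundary"]["company_domain"],
        "fci_repos": [r["name"] for r in fci_repos],
        "who_has_access": sorted({u for r in fci_repos for u in r["collaborators"]}),
    }


if __name__ == "__main__":
    for f in review(INVENTORY):
        print(f"[{f.practice}] {f.subject}: {f.detail}")
    print(boundary_summary(INVENTORY))
```

Run against the sample inventory it reports seven gaps: the shared, personal-domain team account, one user without MFA, a public FCI repository, two collaborators who are no longer on the project, and one unencrypted laptop. The commercial repository produces no findings because it holds no FCI, which is exactly the scoping the FAQ below describes.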

Most common NAICS codes

Use these when searching SAM.gov, filing for set-asides, or checking size standards.

  • 541511 – Custom Computer Programming Services
  • 541512 – Computer Systems Design Services
  • 541519 – Other Computer Related Services
  • 513210 – Software Publishers
  • 541715 – R&D in the Physical, Engineering & Life Sciences

Frequently asked questions

Q. We build a public facing website for an agency. Do we need CMMC?

If you hold a federal contract or subcontract to build it, the requirements, your invoices, the source you write under the contract, and the project correspondence are FCI, so FAR 52.204-21 and a Level 1 self-assessment apply. The public nature of the site does not remove the FCI in your own environment.

Q. When does a software contract become Level 2?

When the application stores, processes, or transmits CUI, or when the agency flows marked CUI under DFARS 252.204-7012 into your development, test, or hosting environment. At that point the systems handling CUI are Level 2 and need a separate, controlled boundary. Building software that only handles FCI stays at Level 1.

Q. Does my code repository count as a system in scope?

Yes, if it holds source, tickets, or documents that are FCI for the contract. The repository, the CI pipeline, and the laptops that access them are part of your Level 1 boundary and must meet the 15 practices: named accounts, MFA, access limited to authorized users, and basic protection of the systems.

Q. We are a two person startup. Is the whole company in scope?

Only the systems that process, store, or transmit FCI are in scope. For a small software startup whose only revenue is the federal work, that is effectively the whole company. If you have separate commercial work on separate systems, you can scope just the federal touching environment and document the boundary clearly.


Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)