Overview
If you place workers on federal contracts through staff augmentation, temporary help, or workforce services, your task orders, candidate and placement records, timesheets, labor qualification documents, and invoices are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation for your own systems.
A common point of confusion: if your placed employee works inside a client's Level 2 CUI environment, that CUI obligation lives with the client's systems, not automatically with your back office. Your own staffing systems, which hold contracts, resumes, and timesheets, are usually Level 1 unless you pull marked CUI into them.
Staffing firms run applicant tracking systems, payroll, and a lot of personal data. Level 1 covers the FCI in your federal book of business, and the personal data brings its own privacy obligations on top, but the CMMC scope is the systems that hold federal contract information.
Typical contracts you'll see
- Staff augmentation task orders for federal agencies and primes
- Temporary and contract to hire placements on federal programs
- Workforce and surge support contracts
- Recruiting and placement subcontracts under a services prime
- Set aside staffing contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running recruiting and placement out of personal email and consumer drives, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Giving every recruiter full access to all federal placement data instead of least privilege.
- Storing resumes and timesheets for federal roles in an applicant tracking system with shared logins.
- Assuming the client's CMMC level covers your back office. Your own FCI is your own obligation.
- Pulling a client's marked CUI into your own systems without re-scoping to Level 2.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01Map your federal book of business and the systems that hold its FCI: applicant tracking, payroll, email, and shared drives.
- 02Move federal recruiting and placement onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03Give each recruiter a named account and scope access to only the placements they work.
- 04Confirm that no client CUI is being stored in your back office. If it is, scope that data as Level 2.
- 05Encrypt laptops and protect the applicant tracking and payroll systems with MFA and least privilege.
- 06Write a short boundary description naming the systems that hold federal FCI and who can access them.
- 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 561320Temporary Help Services
- 561311Employment Placement Agencies
- 561312Executive Search Services
- 561330Professional Employer Organizations
- 541612Human Resources Consulting Services
Frequently asked questions
Q.Our placed employees work in the client's secure environment. Are we Level 2?
Usually not for your own systems. When a placed worker handles a client's CUI inside the client's environment, that CUI obligation lives with the client's systems. Your staffing back office, which holds contracts, resumes, and timesheets, is typically Level 1, unless you also store or process that CUI yourself.
Q.Do staffing firms really need CMMC at all?
Yes, if you hold federal contracts or subcontracts. The contract paperwork, placement records, timesheets, and invoices are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. That means a Level 1 self-assessment and an annual SPRS affirmation.
Q.We handle a lot of personal data. Does CMMC cover that?
CMMC Level 1 covers the systems that hold Federal Contract Information. Personal data carries its own privacy obligations under other laws, which are separate from CMMC. In practice the same basic protections, named accounts, MFA, access control, and encryption, help with both.
Q.Do I need an SSP for Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence that the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)Most small defense contractors are Level 1, not Level 2 — but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.