Overview
If you install or service structured cabling, networks, radios, and communications systems for federal sites, your contracts, network diagrams, schedules, and base access paperwork are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Most cabling, network installation, and communications service work is FCI only and sits at Level 1. It becomes Level 2 when you store or administer systems that hold a client's marked CUI, or when the network you support carries and stores CUI under a DFARS 252.204-7012 flow-down.
Telecom contractors run design and documentation tools, field laptops, and remote management systems. Level 1 covers the systems that hold FCI, which means named accounts, MFA, controlled access to network documentation, and a clear boundary.
Typical contracts you'll see
- Structured cabling and network installation on federal facilities
- Communications and radio system installation and service
- Network and telecom service task orders for federal offices
- Subcontracts to a systems integration or construction prime
- Set aside telecom contracts (8(a), HUBZone, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Storing network documentation and credentials in a personal password manager or consumer drive.
- Running design and management tools under shared logins, which fails FAR 52.204-21 (b)(1)(i) and (ii).
- Emailing diagrams and schedules from personal accounts, which fails (b)(1)(iii).
- Leaving remote management access (RMM, VPN) on weak or shared credentials.
- Missing the moment you administer a client system that stores CUI, which is Level 2.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01Classify each contract: FCI only or does the network you support store CUI. Confirm in writing with the agency or prime.
- 02Keep FCI only work at Level 1 and place any CUI carrying network support into a documented Level 2 boundary.
- 03Give every technician a named account with MFA and protect remote management access with least privilege.
- 04Inventory the systems that hold network FCI: design and documentation tools, field laptops, email, and backups.
- 05Set network documentation access to least privilege so only the project team can read it.
- 06Write a one to two page boundary description naming the systems that touch FCI and how they are kept separate.
- 07Run the 15 practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 517311Wired Telecommunications Carriers
- 517312Wireless Telecommunications Carriers (except Satellite)
- 237130Power & Communication Line & Related Structures Construction
- 238210Electrical Contractors & Other Wiring Installation Contractors
- 517919All Other Telecommunications
Frequently asked questions
Q.We just install cabling on a base. Do we need CMMC?
Yes, if you receive Federal Contract Information from the prime or agency. Contracts, network diagrams, cable schedules, and base access rosters are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices apply to your design tools, laptops, and email.
Q.When does telecom work become Level 2?
When you store, process, or administer systems that hold a client's marked CUI, or when the network you support carries and stores CUI under a DFARS 252.204-7012 flow-down. Cabling and network installation that only involve FCI stay at Level 1.
Q.Are our network diagrams FCI or CUI?
Diagrams you produce or receive under the contract are FCI unless they are explicitly marked as CUI. Treat them as sensitive and control access either way, but the markings determine the tier. If something should be marked, ask the contracting officer.
Q.Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)Most small defense contractors are Level 1, not Level 2 — but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.