Overview
If you make uniforms, field gear, bags, covers, or textile items for DLA Troop Support or a defense prime, your contracts, item specifications, production schedules, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Textiles and apparel is about as cleanly Level 1 as federal manufacturing gets. There is almost never CUI involved in standard uniform and field gear production. The compliance scope is the systems you use to run the contract: the email and file systems for specs and schedules, the office PCs, and the production records.
Many apparel shops run a small office and a production floor with shared computers. Level 1 means tightening up accounts, email, and how specifications and contracts are stored, which is quick to do.
Typical contracts you'll see
- DLA Troop Support contracts for uniforms and field gear
- Subcontracts to apparel and textile primes
- Berry Amendment compliant clothing and equipment buys
- Bags, covers, tents, and individual equipment contracts
- Set aside apparel and textile contracts (8(a), WOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running contracts and specs through personal email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Using one shared office PC with a single login, which fails (b)(1)(i) and (ii).
- Storing contracts and specs in a consumer cloud drive open to everyone, which fails (b)(1)(iii).
- Assuming apparel work is too simple to be in scope. The FCI in the contract and specs is what triggers CMMC.
- Leaving contract paperwork unsecured in an open office, which works against (b)(1)(viii).
- Skipping the annual SPRS affirmation.
Your Level 1 action plan
- 01List the systems that touch contract FCI: the email account, the office PC, the file location for specs and schedules, and any backup.
- 02Move contract email onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03Give the owner and office staff named accounts and stop sharing one login.
- 04Keep contracts, specifications, and schedules in one controlled folder rather than scattered across personal accounts.
- 05Lock the office that holds contract paperwork and protect the office PC with a screen lock.
- 06Write a short boundary description naming the systems that hold contract FCI and who can access them.
- 07Run the 15 practice self-assessment, then have a senior official post and affirm the SPRS score and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 315990Apparel Accessories & Other Apparel Manufacturing
- 315280Other Cut & Sew Apparel Manufacturing
- 314999All Other Miscellaneous Textile Product Mills
- 314994Rope, Cordage, Twine, Tire Cord & Tire Fabric Mills
- 314120Curtain & Linen Mills
Frequently asked questions
Q.We sew uniforms for DLA. Why do we need CMMC?
Because the contract paperwork is Federal Contract Information. Your contracts, item specifications, schedules, and delivery records are FCI, and FAR 52.204-21 applies to the systems that hold them. The 15 practices are basic protections on your office PC and email, not on the sewing line.
Q.Could uniform production ever be Level 2?
Almost never. Standard uniform and field gear production does not involve Controlled Unclassified Information. Level 1 is the right and only tier for nearly all apparel and textile contracts.
Q.We are a small shop with one office computer. Is the scope tiny?
Yes. If one PC and one email account hold your contract FCI, that is your scope. The 15 practice self-assessment is quick to complete for a small footprint, and a senior official posts the affirmation in SPRS.
Q.Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Related clauses
Related terms
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD ContractorsThe single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Cost in 2026: DIY vs Consultant vs SaaS (Real Numbers)DIY says it's free. The consultant quote was $18,000. The SaaS bill is $249/mo. Here's the real math on each path through CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- DoD Cybersecurity Requirements: A Plain-English Guide for Non-Technical Business OwnersYou're not an IT person. You won a contract. The prime is asking weird questions. Here's exactly what they need, in English, without the acronym soup.