Overview
If you develop and deliver training, courseware, or instruction for federal agencies, your contracts, course materials, schedules, attendance rosters, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Training work stays at Level 1 as long as the content and data you hold are FCI. It becomes Level 2 when the agency gives you marked CUI to build training around, or when your courseware and learning systems store CUI.
Training firms run a learning management system, content tools, and an email tenant. Level 1 covers the systems that hold federal training FCI, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Training and courseware development task orders for agencies
- Instructor-led and online training delivery contracts
- Curriculum and learning support services
- Subcontracts under a training or professional services prime
- Set-aside training contracts (8(a), WOSB, SDVOSB, HUBZone)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running courseware and rosters through personal accounts and consumer drives, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Granting the whole company access to all federal training content instead of least privilege.
- Letting contract instructors use personal, unencrypted laptops with no MFA.
- Building training around marked CUI without re-scoping to Level 2.
- Posting agency course content publicly before it is cleared, which fails (b)(1)(iv).
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01. Decide, per engagement, whether you will hold marked CUI in content or systems. If yes, scope that work as Level 2.
- 02. Move federal training work onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03. Set learning management and content access to least privilege and give each instructor a named account.
- 04. Encrypt laptops used for federal training and protect the learning systems with MFA.
- 05. Keep attendance rosters and completion records in a controlled location, not personal accounts.
- 06. Write a short boundary description naming the systems that hold federal training FCI and who can access them.
- 07. Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 611430: Professional & Management Development Training
- 611710: Educational Support Services
- 611699: All Other Miscellaneous Schools & Instruction
- 611513: Apprenticeship Training
- 541611: Administrative Management & General Management Consulting Services
Frequently asked questions
Q. We just deliver training to a federal agency. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, course materials, schedules, and rosters are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. That means a Level 1 self-assessment and an annual SPRS affirmation.
Q. When does training work become Level 2?
When you store, process, or transmit marked CUI, for example building training around CUI material the agency provides, or holding CUI in your learning systems. Training that only involves FCI stays at Level 1.
Q. Our instructors work remotely. Is that allowed at Level 1?
Yes, if the systems are controlled. FAR 52.204-21 requires identified, authenticated users, access limited to authorized people, and basic protection of the systems. Remote delivery is fine when every instructor uses a named account with MFA, an encrypted laptop, and controlled access to federal content.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.