Overview
If you haul freight, move materiel, or provide transportation services under a federal contract, your award documents, manifests, bills of lading, routing, and delivery records are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Most freight and transportation work stays at Level 1. You move toward Level 2 only when the data you hold is marked CUI, for example sensitive routing or security details for controlled shipments or for arms, ammunition, and explosives shipments.
Carriers run dispatch and transportation management systems, driver devices, and an email tenant. Level 1 covers the systems that hold federal shipment FCI, which means named accounts, MFA, controlled access, and a clear boundary.
Typical contracts you'll see
- Freight and materiel transportation contracts for the military and agencies
- Drayage, hauling, and local delivery task orders
- Less-than-truckload and truckload service under federal schedules
- Subcontracts to a logistics or transportation prime
- Set-aside transportation contracts (8(a), HUBZone, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running dispatch and manifests through personal email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Sharing one dispatch login across the team, which fails (b)(1)(i) and (ii).
- Leaving driver devices unlocked with access to shipment data, which works against (b)(1)(viii).
- Granting every driver and dispatcher full access to all federal shipment data instead of least privilege.
- Assuming hauling is out of scope. The FCI in the manifests and contracts is what triggers CMMC.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01 Inventory the systems that hold federal FCI: dispatch and transportation management, driver devices, email, and backups.
- 02 Confirm with the agency or prime whether any routing or shipment data is marked CUI. Most general freight has none.
- 03 Give each dispatcher and driver a named account with MFA and set access to least privilege.
- 04 Move manifest and routing exchange onto a paid Microsoft 365 or Google Workspace tenant rather than personal email.
- 05 Lock down driver devices with passcodes and encryption, and protect the dispatch system.
- 06 Write a short boundary description naming the systems that hold federal shipment FCI and who can access them.
- 07 Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
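As an added example (not part of the original page and not an official assessment tool), this Python check runs steps 03 and 04 and the matching pitfalls over an account inventory, then produces the authorized-user list for the boundary description in step 06. The CSV column names, the personal-email domain list, the rule that drivers need only their assigned loads, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io

# Assumption: consumer mail domains treated as "personal email" (extend as needed).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed sample inventory; column names are hypothetical, not a product export.
SAMPLE_CSV = """account,email,role,people,mfa,access
dispatch,dispatch@examplecarrier.test,dispatcher,Ana;Raj;Lee,no,all
ana.dispatch,ana@examplecarrier.test,dispatcher,Ana,yes,all
driver.tom,tom.trucks@gmail.com,driver,Tom,yes,assigned
driver.kim,kim@examplecarrier.test,driver,Kim,no,all
"""

def audit_accounts(csv_text):
    """Return {account: [findings]} for accounts that miss the action plan."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        people = [p.strip() for p in row["people"].split(";") if p.strip()]
        if len(people) != 1:
            issues.append("shared or unowned login: give each person a named account")
        if row["mfa"].strip().lower() != "yes":
            issues.append("MFA not enabled")
        domain = row["email"].rsplit("@", 1)[-1].strip().lower()
        if domain in PERSONAL_DOMAINS:
            issues.append("personal email: move to the company tenant")
        # Assumption: a driver needs only assigned loads, never all shipment data.
        if row["role"].strip().lower() == "driver" and row["access"].strip().lower() == "all":
            issues.append("driver has access to all shipments: limit to assigned loads")
        if issues:
            findings[row["account"]] = issues
    return findings

def authorized_users(csv_text):
    """Sorted list of named people with access, for the boundary description."""
    names = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        names.update(p.strip() for p in row["people"].split(";") if p.strip())
    return sorted(names)

if __name__ == "__main__":
    for account, issues in audit_accounts(SAMPLE_CSV).items():
        for issue in issues:
            print(f"{account}: {issue}")
    print("Authorized users:", ", ".join(authorized_users(SAMPLE_CSV)))
```

Keep each run's output with the date as self-assessment evidence, and rerun it whenever a dispatcher or driver joins or leaves.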
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 484110 General Freight Trucking, Local
- 484121 General Freight Trucking, Long-Distance, Truckload
- 484122 General Freight Trucking, Long-Distance, Less Than Truckload
- 488490 Other Support Activities for Road Transportation
- 492110 Couriers & Express Delivery Services
Frequently asked questions
Q. We just haul freight for the government. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The manifests, bills of lading, routing, and delivery records are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices apply to your dispatch system and devices, not to the truck.
Q. When would transportation work be Level 2?
When the data you hold is marked CUI, such as sensitive routing or security details for controlled shipments or for arms, ammunition, and explosives shipments. General freight and transportation that only involve FCI stay at Level 1.
Q. Our drivers use their phones for the dispatch app. Is that in scope?
Yes, if the app and device hold federal shipment data that is FCI. Those devices are part of your Level 1 boundary and need basic protections: a passcode, encryption, a named account, and access limited to what the driver needs.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.