Overview
If you maintain and repair federal fleets, ground support equipment, or other government equipment, your contracts, work orders, maintenance records, schedules, and base access paperwork are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Fleet and equipment maintenance is usually Level 1. You reach Level 2 only when a prime or agency flows down DFARS 252.204-7012 and sends marked technical data for a specific defense vehicle or system. Routine maintenance and repair from unmarked manuals is Level 1.
Maintenance contractors run a shop management system, office and shop PCs, and an email tenant. Level 1 covers the systems that hold FCI: email and files for work orders and schedules, the shop and office PCs, and controlled paperwork on site.
Typical contracts you'll see
- Fleet maintenance and repair contracts on federal sites and bases
- Ground support and material handling equipment maintenance
- Equipment overhaul and rebuild task orders
- Subcontracts under a base operations or logistics prime
- Set-aside maintenance contracts (8(a), HUBZone, SDVOSB)
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Running work orders and parts ordering through personal email, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Using a shared shop PC with one login, which fails (b)(1)(i) and (ii).
- Leaving access rosters and work orders unsecured in the shop or office, which works against (b)(1)(viii).
- Letting subs and 1099 techs use the owner's credentials.
- Assuming maintenance is out of scope because it is hands-on. The FCI in the paperwork is what triggers CMMC.
- Letting the annual SPRS affirmation lapse.
Your Level 1 action plan
- 01 Inventory the systems that hold contract FCI: shop management system, office and shop PCs, email, and backups.
- 02 Move work order and parts email onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
- 03 Give techs and office staff named accounts and lock down the shop and office PCs.
- 04 Confirm with primes whether any work carries a -7012 flow-down with marked technical data.
- 05 Secure access rosters and work orders in the shop and office, and keep a visitor log on site.
- 06 Write a short boundary description naming the systems that hold contract FCI and who can access them.
- 07 Run the 15-practice self-assessment, then have a senior official affirm the score in SPRS and re-affirm annually.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 811111 General Automotive Repair
- 811121 Automotive Body, Paint & Interior Repair & Maintenance
- 811198 All Other Automotive Repair & Maintenance
- 811310 Commercial & Industrial Machinery & Equipment Repair & Maintenance
- 488410 Motor Vehicle Towing
Frequently asked questions
Q. We just maintain government vehicles. Do we need CMMC?
Yes, once you hold a federal contract or subcontract. The contracts, work orders, maintenance records, and base access rosters are Federal Contract Information, and FAR 52.204-21 applies to the systems that hold them. The 15 practices apply to your shop system and email, not to the wrenches.
Q. When would maintenance work be Level 2?
When a prime or agency flows down DFARS 252.204-7012 and sends technical data explicitly marked as CUI or Controlled Technical Information for a specific defense vehicle or system. Routine maintenance from unmarked manuals is Level 1.
Q. Does the prime cover us as a maintenance sub?
No. CMMC flows down. If you receive FCI from the prime, you have your own FAR 52.204-21 obligation and need your own SPRS affirmation. The prime cannot affirm for you.
Q. Do I need an SSP at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence the 15 practices are met for the systems that hold FCI, plus a short boundary description and a current list of authorized users.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)
  Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
  The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026
  CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026
  Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)
  If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)
  Most small defense contractors are Level 1, not Level 2 — but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.