Friday at 4 PM, a purchase order comes off the fax machine or lands in the email queue. Government customer, parts due in six weeks, nothing unusual. You put it in the job folder and move on.
That document is Federal Contract Information. The compliance clock started the moment you accepted it.
Most shop owners don’t know that. And most of the shops that do know haven’t thought through what it actually means on the floor.
What FCI Is — in Plain Language
Federal Contract Information is defined in FAR 52.204-21 as information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It doesn’t have to be marked. It doesn’t have to be sensitive. If it’s generated in the performance of a government contract and it’s not publicly available, it’s FCI.
That covers:
- Purchase orders and delivery schedules
- Drawing references and part numbers tied to government work
- Pricing and contract terms
- Correspondence about performance, delivery, or specification changes
- Any data you generate in fulfilling the contract
“We don’t do classified work” is true for most job shops. It’s also not relevant. FCI isn’t classified. It’s just government contract data — and it’s in your shop today if you have a single active government PO.
The 17 Practices You Already Agreed To
CMMC Level 1 requires 17 security practices drawn from FAR 52.204-21. If you have a government contract, your contract contains that clause. By signing the contract, you agreed to meet those 17 practices.
Most shops have never read FAR 52.204-21. But they’ve been operating under it for years.
The practices cover things like:
- Limiting system access to authorized users
- Limiting access to types of transactions and functions that authorized users are permitted to execute
- Verifying and controlling all connections to external systems
- Sanitizing or destroying information system media containing FCI before disposal or reuse
- Scanning for malicious code when new software is introduced
These aren’t unreasonable requirements. Most shops are partially compliant just by running a normal IT environment. But “partially” is not the same as “fully,” and Level 1 is now self-assessed — annually — with an attestation that goes into the Supplier Performance Risk System.
That attestation is a legal statement. It carries consequences if it’s wrong.
Where Most Job Shops Are Quietly Failing
Three practices show up most often as gaps in Level 1 assessments.
Limiting access to FCI on a need-to-know basis. Your government job folder — the one with the PO, the drawing references, the delivery schedule — who can see it? In most shops, the answer is “anyone on the network.” That’s not what the practice requires.
Controlling connections to external systems. Email, personal cloud storage, USB drives. If FCI is moving to any of these without a defined, documented process, that’s an open control gap.
Media sanitization. When the job is done, what happens to the USB drive you used to carry files to the machine? What happens to the old laptop that had the CAM files on it? If the answer is “we put it on a shelf” or “I think someone threw it out,” that’s a gap.
Scope at Level 1 Is Already Worth Doing Right
Here’s the thing about Level 1 that most consultants don’t emphasize: which machines actually touch the government work matters.
If you run a 20-machine shop and only six of those machines ever run government parts, then only six machines should be part of your FCI environment. The other fourteen are out of scope.
Getting scope right at Level 1 means a smaller, cleaner compliance footprint now — and a much shorter path to Level 2 if that requirement arrives. Because for a lot of shops, it will.
Primes are already pushing Level 2 requirements into subcontracts. The shops that are Level 1 today and have a clean, documented scope will have a significantly easier transition than the shops that have been treating all 20 machines as equally in or out of scope without thinking about it.
Getting the CNC environment right — controlling how programs move to the machines, logging who sends what to where, keeping FCI off machines that don’t need it — is the same work whether you’re building toward Level 1 compliance or Level 2 readiness.
The Scope Reduction Guide walks through how to think about your CNC environment scope at any compliance level. Download it at secmfgsolutions.com/cnc-scope-reduction.