CMMC for Subcontractors: What You Need to Know
If you’re a subcontractor in the defense supply chain, you’ve probably heard the question: “Does CMMC apply to us?”
The short answer is yes — if you handle certain types of government data, CMMC requirements flow down to you from your prime contractor. Ignoring this won’t make it go away. Primes are actively auditing their supply chains, and non-compliant subs are getting dropped.
Here’s exactly what you need to know.
The Short Answer: Yes, Subcontractors Need CMMC
CMMC isn’t just a prime contractor problem. The regulation is written specifically to flow down the supply chain.
DFARS 252.204-7021 — the contract clause that became effective November 10, 2025 — requires prime contractors to pass CMMC requirements to all subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
This means: if the data touches your systems, the requirement touches your business.
For a full breakdown of each DFARS clause and what it requires, see our DFARS Clauses Decoded guide.
Which CMMC Level Do Subcontractors Need?
Your required level depends on the type of data you handle — not your company size or contract value.
Level 1 (17 controls, self-assessment): You handle FCI only. FCI is basic contract operational information — schedules, invoices, routine communications. Level 1 requires an annual self-assessment submitted to the SPRS database. Year 1 cost: typically $5,000–$15,000.
Level 2 (110 controls, third-party assessment): You handle CUI. CUI covers technical drawings, engineering specs, test results, design files, and anything the DoD marks as controlled. Level 2 requires a formal assessment by a Cyber AB-authorized C3PAO. Year 1 cost for a small subcontractor: $80,000–$315,000 depending on your current security posture.
The question to ask: “Does the data I receive from my prime include technical specifications, engineering drawings, or anything marked ‘CUI’?” If yes, assume Level 2 until your prime confirms otherwise.
What Is Flow-Down? How Primes Pass Requirements to Subs
“Flow-down” is the mechanism by which prime contractors pass federal compliance requirements down to their subcontractors.
Under DFARS 252.204-7021, a prime contractor’s CMMC certification is only valid if their entire supply chain — including every subcontractor that touches covered data — meets the appropriate level.
What this means in practice:
- Your prime is legally responsible for ensuring their subs are compliant
- If you’re not compliant, you put your prime’s contract at risk
- Primes are now including CMMC compliance as a condition in new subcontracting agreements
- Non-compliant subs are being dropped or replaced before contract renewals
The DoD’s CMMC model rule makes clear that flow-down is mandatory — there’s no carve-out for smaller subs or lower-tier suppliers.
What Data Triggers CMMC for a Subcontractor?
You need CMMC if your systems process, store, or transmit either:
Federal Contract Information (FCI): Information provided by or generated for the government under a contract that is not intended for public release. This is the baseline — almost every defense sub handles some FCI.
Controlled Unclassified Information (CUI): Technical data, engineering drawings, specifications, test data, software code, or any information the DoD designates as controlled. The National Archives CUI Registry maintains the definitive list of what qualifies.
If you’re unsure, check your contracts for DFARS clauses 252.204-7012, 7019, 7020, or 7021. Their presence is a reliable signal that CUI is in scope. If any clause appears, talk to your prime before assuming you can self-assess.
What Primes Are Doing Right Now
The supply chain pressure is real and accelerating. From the IPC electronics manufacturers survey: 41% of electronics manufacturers believe applying CMMC requirements to their suppliers will create supply chain problems.
That number tells you primes are not waiting. They’re actively evaluating which subs to keep and which to replace with already-compliant alternatives.
Typical prime actions in early 2026:
- Sending compliance questionnaires to all sub-tiers
- Adding CMMC requirements to new and renewed subcontracts
- Requesting proof of SPRS scores (your NIST SP 800-171 self-assessment score, which is visible to DoD contracting officers)
- Setting deadlines for Level 2 audit readiness tied to option period renewals
If you haven’t heard from your prime about CMMC yet, you will.
Timeline and Cost Reality for Small Subcontractors
Time: Starting from scratch — no documentation, no SSP, no formal policies — expect 12–18 months to reach Level 2 audit readiness. With baseline security already in place, 6–12 months is achievable.
Phase 2 enforcement begins November 10, 2026. That means subcontractors aiming for contracts in 2027 need to have remediation underway by Q1 2026.
Cost: For a small defense contractor (1–100 employees), DoD’s regulatory cost analysis and industry data show:
| Component | Low | High |
|---|---|---|
| Gap assessment | $5,000 | $15,000 |
| Technology/infrastructure | $20,000 | $100,000 |
| RPO consulting | $15,000 | $50,000 |
| C3PAO assessment | $30,000 | $100,000 |
| Internal labor | $10,000 | $50,000 |
| Year 1 Total | $80,000 | $315,000 |
This sounds like a lot. But consider: the average DoD subcontract is worth hundreds of thousands annually. Compliance is cheap relative to the contract value it protects. See our full CMMC cost breakdown for a detailed analysis by company size.
Steps to Get Started
- Check your contracts — Look for DFARS 252.204-7012, 7019, 7020, 7021. Identify whether you handle FCI only or CUI.
- Talk to your prime — Ask explicitly what CMMC level they require for your scope of work and when.
- Get a gap assessment — An RPO can assess your current posture against NIST SP 800-171 in 2–4 weeks. This tells you your SPRS score and the delta to compliance.
- Build your SSP — Your System Security Plan is the foundation of every CMMC assessment. No SSP means no assessment.
- Plan your timeline — With Phase 2 in November 2026, you have a fixed deadline.
Not sure where to start? Take our 3-minute CMMC readiness check →
FAQ — CMMC for Subcontractors
Do all subcontractors need CMMC, or only certain ones?
Only subcontractors whose systems process, store, or transmit FCI or CUI. If your role is purely physical (no contract data touches your systems), you may be exempt. Check with your prime and review the DoD CMMC scoping guidance.
Does CMMC flow down to second- and third-tier subs?
Yes. DFARS 252.204-7021 requires primes to flow down requirements to all sub-tiers in the supply chain that handle covered data — there’s no exemption for lower-tier subs.
What happens if my prime drops me for not being compliant?
You lose the subcontract. As non-compliant subs exit the DIB, compliant competitors will fill their spots. The IPC survey found 24% of electronics manufacturers may exit the defense supply chain entirely due to CMMC costs.
Can I just wait and see?
Phase 1 is already active (November 10, 2025). Phase 2 enforcement — when C3PAO certification becomes broadly mandatory — begins November 10, 2026. Waiting now means a compressed timeline and potentially higher C3PAO fees as demand outpaces supply.
What’s the cheapest path to CMMC Level 1?
Level 1 is 17 basic security controls with annual self-assessment. For many small subs, this is achievable for $5,000–$15,000 in Year 1 with help from an RPO. The question is whether your prime needs Level 2. See CMMC Level 1 vs Level 2 to find out which applies to you.
Meridian Compass helps defense subcontractors navigate CMMC without the guesswork. Check your compliance status in 3 minutes →