Does CMMC apply to you as a subcontractor?
Yes — if you handle Federal Contract Information or Controlled Unclassified Information as part of work on a DoD contract, CMMC applies to you regardless of your position in the supply chain. There is no "subcontractor exemption."
The most common misconception in the defense supply chain: "CMMC is my prime's problem, not mine." It isn't. The DFARS rule that took effect November 10, 2025 explicitly requires flow-down of CMMC obligations to subcontractors at all tiers. If you touch FCI or CUI and you're not compliant, you are a liability to your prime — and primes are increasingly required to do something about that.
The question isn't whether CMMC applies to you. The question is which level applies, and how much time you have before your prime contractor comes looking for proof.
What "flow-down" actually means
Flow-down is the mechanism by which CMMC requirements travel from the DoD through prime contractors to subcontractors at every tier. Here's how the chain works:
- Department of Defense: includes a CMMC clause in the prime contract specifying the required level. Sets the obligation at the top of the chain.
- Prime contractor: must include CMMC flow-down clauses in subcontracts for work involving FCI or CUI. Responsible for verifying subcontractor compliance. Cannot share CUI with non-compliant subcontractors.
- Subcontractor (you): must meet the CMMC level specified in your subcontract. Must submit an SPRS score. Must get C3PAO certified if handling CUI at Level 2. Flow-down continues to your own subcontractors if you have them.
Prime contractors are under real pressure here. If a subcontractor causes a breach of CUI, the prime can be held responsible. That's why primes are increasingly auditing their supply chains and replacing non-compliant subcontractors before the DoD asks questions.
What CMMC level do you need?
Your required level is determined by the type of government information you handle — not by your size, your revenue, or how far down the supply chain you are.
Level 1 — if you handle FCI
- 17 basic cybersecurity practices
- Annual self-assessment — no C3PAO
- Must submit SPRS score
- Authorized official annual affirmation
- Typical cost: $5,000–$30,000
Level 2 — if you handle CUI
- All 110 NIST SP 800-171 controls
- C3PAO third-party assessment required
- SPRS score of 88+ for POA&M eligibility
- Certification valid 3 years, annual affirmations
- Typical cost: $100,000–$500,000
When in doubt, assume Level 2. If you're not certain whether the information you receive is FCI or CUI, ask your prime contractor in writing. CUI has specific markings — "CUI" or legacy markings like "FOUO" (For Official Use Only). If data is unmarked but feels sensitive, treat it as CUI until clarified. The cost of being wrong and under-investing is losing the subcontract.
FCI vs CUI — the distinction that determines your level
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. This includes things like pricing data, delivery schedules, technical specifications, and contract performance information. Almost every defense subcontractor handles some FCI.
Controlled Unclassified Information (CUI) is a broader category of sensitive government information that requires safeguarding under law, regulation, or policy — but is not classified. Examples include export-controlled technical data, privacy-protected information, law enforcement sensitive data, and defense acquisition information. CUI is specifically marked and must be handled only by authorized parties with appropriate protections in place.
The key distinction: handling CUI triggers Level 2. Handling only FCI (and no CUI) triggers Level 1. Many subcontractors are surprised to learn that technical drawings, specifications, and design data for defense systems often qualify as CUI — particularly if they're subject to export controls.
Common subcontractor scenarios
| Subcontractor Type | Data Handled | Required Level |
|---|---|---|
| IT services provider to a defense prime | Has access to systems that process CUI | Level 2 |
| Engineering firm doing design work | Receives export-controlled technical drawings (CUI) | Level 2 |
| Staffing company placing workers at a prime | Only handles contract and billing information (FCI) | Level 1 |
| Manufacturing supplier — commodity parts | Receives purchase orders and specs — no CUI markings | Level 1 |
| Cloud storage provider used by prime | Stores CUI on behalf of prime | Level 2 |
| Legal or accounting firm serving prime | Contract and financial data only — no CUI | Level 1 |
| Cybersecurity consultant with system access | Accesses systems that process or store CUI | Level 2 |
| COTS product supplier (off-the-shelf only) | Sells standard commercial products, no customization | Likely exempt |
What your prime contractor owes you
Flow-down is a two-way street. Your prime has obligations toward you that they often don't volunteer. Understanding what they're required to do helps you hold them accountable — and protects you from being caught off guard.
- Specify your required CMMC level in the subcontract. The subcontract clause should state explicitly what level is required and by when. If it doesn't, ask for it in writing before doing any work involving FCI or CUI.
- Identify what data is CUI before sending it to you. CUI must be marked. If your prime is sending you unmarked sensitive data and telling you to just "handle it carefully," that's their compliance failure — but it becomes your problem if there's a breach.
- Provide the CMMC clause in your subcontract. The applicable DFARS clauses must be included in your subcontract for flow-down to be legally effective. A prime that hasn't included these clauses hasn't properly passed the obligation — but you should still comply based on the data you handle.
- Not share CUI with you until you're authorized. A prime cannot legally share CUI with a subcontractor that isn't compliant with the applicable CMMC level. If a prime is sharing CUI with you before you're certified, that's their violation — and you should document the conversation.
What you owe your prime
Beyond the regulatory requirements, the practical reality is that your prime needs to demonstrate supply chain compliance to the DoD. The easier you make that for them, the more valuable you are as a subcontractor.
Every subcontractor handling FCI or CUI must have a current SPRS submission. Your prime may ask for your CAGE code to verify your score. Submit your actual score — and update it as you implement controls.
Your System Security Plan (SSP) documents how you protect FCI/CUI across your systems. It's the foundation of your CMMC compliance and something your prime may ask to review as part of their supply chain due diligence.
If you're not yet fully compliant, document your Plan of Action and Milestones and share it with your prime. A credible, dated roadmap is far better than silence. Primes need to show the DoD their supply chain is actively working toward compliance.
For CUI work, self-assessment isn't enough. You need a formal C3PAO assessment. Your prime cannot legally subcontract CUI work to you without it — and increasingly, they'll be checking before renewing your agreement.
If you have subcontractors who handle FCI or CUI as part of work you do for your prime, you must include CMMC flow-down clauses in your own subcontracts and verify their compliance. The chain continues at every tier.
Using a compliant enclave to limit your scope
One of the most practical cost-reduction strategies for subcontractors is scoping. The fewer systems that touch CUI, the smaller and cheaper your CMMC assessment. A compliant enclave — a segregated environment purpose-built to handle CUI — lets you contain compliance to that environment rather than your entire organization.
Common enclave approaches for subcontractors:
- Microsoft GCC High — Government Community Cloud High is purpose-built to handle CUI. Email, Teams, SharePoint, and OneDrive all operate within a FedRAMP High boundary. Many subcontractors use GCC High exclusively for CUI collaboration, keeping their commercial Microsoft 365 tenant out of scope.
- Managed compliant enclave providers — Several MSPs offer pre-built CMMC-compliant enclaves as a managed service. You use their environment for CUI work; your own systems stay out of scope. This trades monthly fees for dramatically reduced assessment scope.
- Physical or network segmentation — For organizations with on-premises infrastructure, a physically or logically separated network segment for CUI handling can limit scope — though this requires rigorous enforcement to ensure CUI doesn't leak out.
Scope reduction is the highest-leverage cost reduction strategy available to subcontractors. Getting your CUI environment down to a small, well-defined boundary — even if it requires migrating to GCC High or a managed enclave — often costs less than assessing your entire organization at Level 2.
Your action plan as a subcontractor
- Identify what data you receive and whether any of it is CUI. Review your subcontracts and the actual data flows between you and your prime. Look for CUI markings. Ask your prime directly if you're unsure. This single question determines whether you're looking at Level 1 or Level 2.
- Read your subcontract flow-down clauses. Find the CMMC clause in your subcontract. It should specify your required level. If it's absent, ask your prime in writing — both to clarify your obligation and to create a paper trail showing you're being proactive.
- Run a gap assessment and get your real SPRS score. Don't estimate. Walk through all 110 NIST SP 800-171 controls if Level 2 applies, and calculate your actual score. A free gap assessment can get you there quickly. Your score tells you how much remediation work is ahead — and how urgent your timeline is.
- Submit your SPRS score immediately. Whatever your actual score is, submit it now. An honest low score is far better than no submission — and far better than an inflated one that could trigger False Claims Act liability. Update it as you close gaps.
- Communicate your plan to your prime proactively. Don't wait to be asked. Email your prime with your current SPRS score, your assessment of what level you need, and your remediation roadmap. This alone differentiates you from the majority of subcontractors who haven't started.
- Book a C3PAO now if Level 2 applies. C3PAO slots are scarce and booking takes months. See the CMMC cost and timeline guide for what to expect. Start reaching out to C3PAOs while you're still in remediation — don't wait until you're ready.
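The gap-assessment and SPRS-submission steps above come down to one calculation: the NIST SP 800-171 DoD Assessment Methodology starts every organization at 110 and subtracts a fixed weight (5, 3 or 1 point) for each requirement that is not implemented, with a reduced 3-point deduction for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) when they are only partially implemented. The calculator below is an added example, not code from the original page or from any CMMC tool. The requirement table in it is a constructed sample of seven requirements with assumed weights; a real score needs all 110 requirements scored from the methodology's own table, and the code treats anything not assessed as met, so it only produces a true SPRS score once the full list is covered. The 88-point threshold is the POA&M eligibility figure this page cites.

```python
"""SPRS score calculator following the scoring rule of the NIST SP 800-171
DoD Assessment Methodology: begin at 110, subtract each unmet requirement's
weight. Requirement table below is a constructed sample, not the full list."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"    # only valid for requirements with a partial-credit rule
    NOT_MET = "not_met"


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int                          # points lost when not implemented at all
    partial_weight: Optional[int] = None  # reduced loss where the methodology allows it


# Constructed sample (hypothetical subset for illustration; weights assumed).
# The authoritative weights are in the assessment methodology's requirement table.
SAMPLE_REQUIREMENTS: List[Requirement] = [
    Requirement("3.1.1", "Limit system access to authorized users", 5),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5),
    Requirement("3.3.3", "Review and update logged events", 1),
    Requirement("3.5.3", "Multifactor authentication", 5, partial_weight=3),
    Requirement("3.8.4", "Mark media with CUI markings", 1),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, partial_weight=3),
    Requirement("3.14.1", "Identify, report and correct system flaws", 5),
]

MAX_SCORE = 110
POAM_THRESHOLD = 88  # minimum score cited on this page for POA&M eligibility at Level 2


def deduction(req: Requirement, status: Status) -> int:
    """Points subtracted for one requirement at the given implementation status."""
    if status is Status.MET:
        return 0
    if status is Status.NOT_MET:
        return req.weight
    # PARTIAL is only meaningful for the two requirements with a reduced deduction.
    if req.partial_weight is None:
        raise ValueError(f"{req.req_id} has no partial-credit rule; mark it met or not_met")
    return req.partial_weight


def sprs_score(requirements: List[Requirement],
               statuses: Dict[str, Status]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, unmet) where unmet is a list of (req_id, points_lost),
    ordered by points lost so the biggest deductions are remediated first.
    Requirements absent from `statuses` count as met, so this is only a real
    SPRS score once every one of the 110 requirements has been assessed."""
    by_id = {r.req_id: r for r in requirements}
    unknown = set(statuses) - set(by_id)
    if unknown:
        raise KeyError(f"unknown requirement ids: {sorted(unknown)}")
    score = MAX_SCORE
    unmet: List[Tuple[str, int]] = []
    for req_id, status in statuses.items():
        lost = deduction(by_id[req_id], status)
        if lost:
            score -= lost
            unmet.append((req_id, lost))
    unmet.sort(key=lambda item: (-item[1], item[0]))
    return score, unmet


def poam_eligible(score: int) -> bool:
    """True when the score meets the page's 88-point POA&M eligibility threshold."""
    return score >= POAM_THRESHOLD


if __name__ == "__main__":
    # Constructed assessment result: MFA covers remote and privileged users only,
    # CUI is encrypted but not with FIPS-validated modules, log review is not done.
    assessed = {
        "3.5.3": Status.PARTIAL,
        "3.13.11": Status.NOT_MET,
        "3.3.3": Status.NOT_MET,
    }
    score, gaps = sprs_score(SAMPLE_REQUIREMENTS, assessed)
    print(f"SPRS score: {score} (POA&M eligible: {poam_eligible(score)})")
    for req_id, lost in gaps:
        print(f"  {req_id}: -{lost}")
```

Sorting the gaps by points lost is the practical output here: a 5-point requirement such as 3.13.11 costs as much as five 1-point ones, so it belongs at the top of the remediation roadmap you send to your prime.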
For more on what the full Level 2 certification process looks like, see our CMMC Level 2 guide. For help understanding and improving your SPRS score specifically, see the SPRS score guide.
Find out where your gaps are before your prime does
Run a free gap assessment to see which NIST 800-171 controls you're missing and get your baseline SPRS score — so you can have a real conversation with your prime contractor.
Frequently asked questions
Yes, if you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of your work on a DoD contract — even as a subcontractor. CMMC requirements flow down through the supply chain via contract clauses. If your prime contractor's subcontract includes a CMMC clause, you must meet the specified level. Level 1 requires annual self-assessment; Level 2 requires a C3PAO third-party assessment for most CUI work.
Flow-down means that CMMC requirements in a prime contractor's DoD contract are passed down to subcontractors through subcontract clauses. Prime contractors are responsible for ensuring their subcontractors that handle FCI or CUI meet the applicable CMMC level. This means primes must include CMMC clauses in their subcontracts, verify subcontractor compliance, and can be held responsible if a non-compliant subcontractor causes a breach.
Your required level depends on what type of information you handle. If you only receive Federal Contract Information (FCI) — basic contract data like pricing, schedules, technical specs — you need Level 1, which is annual self-assessment only. If you handle Controlled Unclassified Information (CUI) — sensitive but unclassified government data — you need Level 2, which requires a C3PAO third-party assessment. The specific requirement should be spelled out in your subcontract clause.
Yes. Prime contractors are required to flow CMMC requirements to subcontractors and verify compliance. If you cannot demonstrate compliance with the required CMMC level, your prime may be unable to continue subcontracting with you — not as a preference, but as a regulatory obligation. As CMMC requirements become standard in DoD solicitations, non-compliant subcontractors will increasingly be replaced by compliant alternatives.
Prime contractors must include CMMC flow-down clauses in subcontracts for work involving FCI or CUI, verify that subcontractors have the required CMMC level before awarding subcontracts, and ensure CUI is only shared with subcontractors who are authorized to receive it. Primes can be held responsible for supply chain compliance failures — which is why they're increasingly proactive about verifying subcontractor SPRS scores and certification status.
Yes. All contractors and subcontractors in the defense supply chain that handle FCI or CUI must submit a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) at sprs.eb.mil. Your prime contractor may ask to verify your submission as part of their supply chain due diligence. Submit your actual score — falsifying it is a federal False Claims Act violation.
Don't wait to be asked. CMMC requirements are now in DoD solicitations and primes are actively auditing their supply chains. If you handle FCI or CUI and haven't started on CMMC compliance, you're behind. Get ahead of it: run a gap assessment, submit your SPRS score, and reach out to your prime proactively with your compliance status and roadmap. Being the subcontractor that's already working on this is a competitive advantage.
Yes — and it's a common strategy. A compliant enclave is a segregated environment (often cloud-based, like Microsoft GCC High or a managed compliant enclave provider) where all CUI handling occurs. By isolating CUI to the enclave, you limit which of your systems are in scope for CMMC assessment. This can significantly reduce assessment complexity and cost. However, the enclave itself must meet all Level 2 requirements, and you'll need to ensure CUI doesn't leak outside it.