The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Compliance for DoD Subcontractors: What Level You Need, What Flows Down From Your Prime, and What to Do First

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.
Last verified: . This is editorial analysis, not legal, contractual, or compliance advice. We are not affiliated with the DoD, the Cyber AB, DCMA DIBCAC, or NIST. Please don’t submit CUI, export-controlled drawings, or sensitive contract details through any form on this site.

If you’re a DoD subcontractor, here’s the bottom line on CMMC compliance for DoD subcontractors: the requirement is real, it’s already showing up in DoD solicitations and subcontracts as a condition of award, and it flows down to you when your subcontract work will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems. FCI-only work maps to Level 1 (Self). CUI work requires at least Level 2 (Self) — or Level 2 (C3PAO) when your prime contract requires it — and there’s no blanket exemption for being a sub or being small.

That paragraph answers the question most subs are actually typing at 11 p.m. after a prime sends a clause or a questionnaire. But there’s a trap hiding inside it — and it’s the reason so many subcontractors waste five figures in the first 30 days. We’ll get to it. First, the part you can act on right now.

Find yourself in this table:

| Where you land | Your likely path | Your first move |
|---|---|---|
| You handle FCI only, never CUI | Level 1 (Self) | Confirm in writing that no CUI will reach your systems |
| You handle CUI, prime requires Level 2 (Self) | Level 2 (Self) | Build your SSP and evidence; prepare your SPRS posting |
| You handle CUI, prime requires Level 2 (C3PAO) or Level 3 | Level 2 (C3PAO) | Get readiness help before you call an assessor |
| You’re not sure whether your data is FCI or CUI | Scope unclear | Send your prime the clarification email below |
| You touch no FCI or CUI, or the work is exclusively COTS | Likely no CMMC requirement for this work | Get written confirmation before you ignore it |

We built this guide by reading the rule itself — 32 CFR Part 170, the September 2025 DFARS final rule, the Acquisition.gov clause text, the NIST publications, the Cyber AB’s Code of Professional Conduct, a DoD Inspector General audit, and three Department of Justice settlement announcements — not by paraphrasing other blogs. Everything below is sourced.


Disclosure: We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation never controls our regulatory analysis or provider-category recommendations.


Does CMMC compliance for DoD subcontractors actually apply to you?

The trigger is the data you handle, not your size or your tier. CMMC applies to prime contractors and subcontractors at every tier that will process, store, or transmit FCI or CUI on contractor information systems in performance of a DoD contract or subcontract (32 CFR §170.23). If your work involves no FCI and no CUI on contractor information systems, you may be outside CMMC for that work — but get it confirmed in writing.

So “my prime says CMMC is required” is not, by itself, your answer. Your answer depends on what’s flowing to you.

The takeaway most pages skip: the question isn’t “does CMMC apply to subcontractors” (yes, it can). It’s “does this subcontract route FCI or CUI onto contractor information systems in my scope” — and that’s a question you answer with your prime in writing, not by guessing. We give you the exact words for that conversation below.

What CMMC level does a DoD subcontractor need? The flow-down decision matrix

Your level is driven by the data you handle; your assessment type is driven by your prime contract’s requirement. Under 32 CFR §170.23, FCI-only subcontractors need Level 1 (Self); CUI subcontractors need at least Level 2 (Self); and when the prime contract requires Level 2 (C3PAO) or Level 3 (DIBCAC), a CUI subcontractor’s minimum becomes Level 2 (C3PAO) — unless the DoD provides specific flow-down guidance.

The 2026 Subcontractor CMMC Flow-Down Decision Matrix

Source: 32 CFR §170.23(a)(1)–(4), read from the eCFR on June 8, 2026.

| If your subcontract has you… | …and the prime’s contract requires… | Your minimum CMMC status | Who assesses you | POA&M to Conditional? |
|---|---|---|---|---|
| Handle only FCI (no CUI) | Any level | Level 1 (Self) | You (annual self-assessment) | No — POA&Ms not allowed at Level 1 |
| Handle CUI | Level 2 (Self) | Level 2 (Self) | You (self-assessment, every 3 years) | Yes, within strict limits |
| Handle CUI | Level 2 (C3PAO) | Level 2 (C3PAO) | An authorized C3PAO | Yes, within strict limits |
| Handle CUI | Level 3 (DIBCAC) | Level 2 (C3PAO) — not Level 3 | An authorized C3PAO | Yes, at Level 2, within strict limits |
| Handle no FCI or CUI in scope, or exclusively COTS work | Any level | Not subject for this subcontract | n/a | n/a |

Here’s the nuance almost no competing page states cleanly:

Two separate things flow down to you.

  1. Your level comes from your data — FCI → Level 1, CUI → at least Level 2. Simple.
  2. Your assessment type — whether you can self-assess or must bring in a C3PAO — flows from your prime contract’s requirement, not your prime’s preference and not your budget. If the prime contract requires Level 2 (C3PAO), you can’t quietly self-assess your CUI work to save money.

And one point that surprises people: even when the prime is at Level 3 (DIBCAC), a CUI subcontractor’s requirement is capped at Level 2 (C3PAO) — not Level 3. Level 3 is the prime’s burden on its own most-sensitive systems (32 CFR §170.23(a)(4)).


Self-assessment or C3PAO? Who assesses you, and can you choose the cheaper path?

Some subcontractors can self-assess; some legally cannot — and you don’t get to pick the cheaper option. Level 1 is self-assessed every year. Level 2 (Self) is a recognized status when the contract or flow-down permits it. Level 2 (C3PAO) requires an independent third-party assessment, and if your flow-down requires it, a self-assessment will not satisfy the requirement, no matter how clean your environment is.

| Path | Who assesses | What you’re measured against | Where the result lives | Validity |
|---|---|---|---|---|
| Level 1 (Self) | You | The 15 safeguarding requirements in FAR 52.204-21(b)(1) | SPRS | Annual self-assessment + annual affirmation |
| Level 2 (Self) | You | The 110 requirements of NIST SP 800-171 Rev. 2, across 14 control families | SPRS | Every 3 years + annual affirmation |
| Level 2 (C3PAO) | An authorized C3PAO | The same 110 NIST SP 800-171 Rev. 2 requirements | eMASS → SPRS | Every 3 years + annual affirmation |
| Level 3 (DIBCAC) | DCMA DIBCAC (the government) | Level 2 plus 24 selected NIST SP 800-172 requirements (Feb. 2021 version) | eMASS → SPRS | Every 3 years + annual affirmation |

Requirement counts from 32 CFR §170.14.

SPRS (Supplier Performance Risk System) is the DoD system where your self-assessment score and your affirmation live. eMASS is the government system a C3PAO uses to submit your certification results, which then flow to SPRS. An affirmation is a formal attestation of continuous compliance, submitted by an affirming official in your company.

On the Revision 2 vs. Revision 3 question:

NIST has published Revision 3, and you’ll find vendors and some guides referencing it. For CMMC, that’s wrong right now. 32 CFR Part 170 incorporates NIST SP 800-171 Revision 2 for CMMC Level 2, and it stays Revision 2 unless and until the DoD amends the rule (32 CFR §170.2). If a provider tells you to build to Rev. 3 for CMMC today, that’s worth a second opinion.

The honest line you won’t always get from a vendor: if your prime’s language is vague, this page cannot turn a paraphrase into a contract requirement, and neither can anyone selling you something. The safe move is to get the exact level, assessment type, data type, and timing from your prime in writing.


The honest part: why most subcontractors should NOT call a C3PAO first

If you panic and call a C3PAO first, you’re probably spending on the wrong thing. A C3PAO assesses; it does not fix your scope, write your System Security Plan (SSP), close your gaps, or sort out your cloud. And the rule actually forbids the firm that gets you ready from also being your assessor.

That’s not our opinion — it’s in the regulation. The CMMC Code of Professional Conduct, implementing 32 CFR §170.8(b)(17)(ii)(G), prohibits a CMMC ecosystem member from participating in the Level 2 certification process for any organization it served “as a consultant to prepare the organization for any CMMC assessment within 3 years.” That prohibition binds the C3PAO as an organization and every member of its assessment team. Preparation and assessment are legally separate. You generally use one firm to get ready and a different one to certify you.

So why is “don’t call a C3PAO first” actually good news? Because your first dollars — the ones that matter most — go toward things that are cheaper and more within your control: confirming your data type, shrinking your CUI footprint, building your SSP and evidence, and closing real gaps. The assessment comes later, when you’re ready.

If you’re genuinely assessment-ready

Environment locked, SSP complete, evidence in hand, score where it needs to be — engaging a C3PAO is your right next step.

If you’re like most subs

Got a clause last month and still mapping where your CUI lives — your first call is readiness, not assessment.

See what getting ready actually involves before you commit. A readiness program — scoping, SSP, gap analysis, remediation — is where the real work and most of the real cost live.


What CMMC really costs a subcontractor: the DoD’s own numbers vs. reality

The most defensible cost floor is the DoD’s own estimate — but it deliberately leaves out the most expensive part. In the CMMC rulemaking, the DoD pegged a small entity’s three-year Level 2 self-assessment at roughly $37,196, and a small entity’s three-year Level 2 (C3PAO) certification at roughly $104,670. Those figures are real and citable. They are also, by the DoD’s own design, only part of the bill.

| Cost element | DoD published estimate (assessment + affirmations only) | Industry-reported range to also budget |
|---|---|---|
| Level 1 (Self) self-assessment + affirmation | ~$6,000 (small entity); ~$4,000 (larger entity) | Often absorbed by existing IT |
| Level 2 (Self), 3-year | ~$37,196 (≈$34,000 first year) | |
| Level 2 (C3PAO), 3-year | ~$104,670 (≈$101,752 first year) | C3PAO fees alone commonly run tens of thousands, set per firm |
| Gap assessment | excluded | ~$3,500–$20,000+ |
| Remediation / control implementation | excluded | ~$10,000–$250,000+ |
| CUI enclave (scope-reduction strategy) | excluded | ~$300–$400 per user/month, or ~$3,000–$4,000+/month managed |
| Tools (FIPS-validated encryption, SIEM, EDR, vulnerability scanning) | excluded | ~$10,000–$50,000+/year |

DoD figures from the CMMC rule’s cost analysis in the Federal Register (primary). Industry-reported ranges are planning context, not government estimates; confirm current quotes for your own environment.

Why the DoD number is so much lower than what your peers report:

The government’s estimate starts at the assessment phase and assumes you’ve already implemented NIST SP 800-171 — because DFARS 252.204-7012 has required exactly that since 2017. If your environment isn’t already built to all 110 requirements, the DoD’s $104,670 is a floor, not a forecast.

First-cycle Level 2 costs — gap assessment through certification — commonly land in the $75,000–$300,000+ range (industry-reported). An industry survey of more than 2,000 defense contractors found roughly 70% had budgeted under $100,000 for their CMMC program — below the DoD’s own three-year projection, let alone real-world implementation.

For the smallest subs: there’s no broad federal subsidy that covers CMMC compliance costs for subcontractors. For a 10-person shop on a single subcontract, compliance can be a real share of the job’s value. That’s a reason to read the scope-reduction section below before you spend, because the cheapest compliant path is often the smallest one.


What your prime will actually verify before award

Two different gates apply, and subs need to understand both. For a DoD award, the solicitation provision DFARS 252.204-7025 makes the required CMMC level “or higher” a prior-to-award eligibility gate. For a subcontract award, the contract clause DFARS 252.204-7021 requires your prime to ensure you hold a current CMMC status at the appropriate level before it awards you the subcontract.

The single highest-leverage thing you can do this week is stop guessing and ask. Copy, paste, and send this:

Subject: CMMC flow-down clarification for [subcontract / program name]

Hi [name] — before we scope our CMMC work, could you confirm what you expect to flow down to us for this subcontract?

  1. Will our work process, store, or transmit FCI, CUI, or both?
  2. If CUI, what CUI category or marking guidance applies?
  3. What exact CMMC status are you flowing down — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3?
  4. Which clause is the requirement tied to — DFARS 252.204-7021, 252.204-7025, 252.204-7012, 7019, or 7020?
  5. Is CMMC status required before award, before an option exercise, before delivery, or at a later milestone?
  6. Which of our systems do you expect to process, store, or transmit FCI/CUI?
  7. Will any of our own sub-tier suppliers receive FCI/CUI from us?
  8. What proof do you need — SPRS screenshot, CMMC UID(s), affirmation, certificate, SSP summary, or something else?
  9. Should we avoid receiving any CUI until our required status is confirmed?
  10. Who is our written point of contact for flow-down interpretation?

Thanks — we want to get this right and avoid scoping the wrong thing.

That email does more for your CMMC program than any tool you could buy this month. It tells you whether you’re a Level 1 problem or a Level 2 problem, whether you can self-assess, and whether you’re on a clock.


What’s the difference between a NIST 800-171 SPRS score and CMMC status?

They’re related but not the same, and during the transition some subs will be asked for both. A NIST SP 800-171 DoD Assessment score — required under DFARS 252.204-7019 and 252.204-7020 — is a self-assessment score you post in SPRS showing how fully you’ve implemented the 110 NIST SP 800-171 Rev. 2 controls. A CMMC status under DFARS 252.204-7021/-7025 is the result of a CMMC assessment (self or C3PAO) at a specific level. The score is the older mechanism; CMMC is the verification layer the DoD built on top of it.


What if your CUI lives in Microsoft 365, GCC High, AWS GovCloud, an MSP, or another external service provider?

Moving CUI into a cloud or managed environment changes your scope and your evidence — it does not erase your CMMC obligation, and it does not make software “compliant” on its own. If an external service provider (ESP) — a cloud platform, an MSP, an MSSP, a secure collaboration tool — processes, stores, or transmits your CUI or the security data that protects it, that relationship sits inside your assessment scope and must be documented.

The Subcontractor CUI Environment Scope Matrix

Based on 32 CFR §170.19 scoping and the rule’s external-service-provider treatment.

| Option | What it can reduce | What stays your responsibility | What to request / not assume |
|---|---|---|---|
| Microsoft 365 GCC High | A compliant home for CUI email/files; many technical controls | SSP, configuration, evidence, user practices, the assessment itself | A shared-responsibility matrix; don’t assume the license equals compliance |
| AWS GovCloud | An environment that can support compliant workloads | Your configuration, documentation, control implementation, evidence | Proof of which controls the platform covers vs. which you own |
| A defined CUI enclave | Scope — isolating CUI so it doesn’t sprawl across laptops, email, and shares | Governance, monitoring, and evidence for the enclave | A boundary diagram and what’s in vs. out of scope |
| MSP / MSSP | Day-to-day operation of controls (identity, logging, endpoints, backups) | Accountability — the controls are still assessed against you | A documented Customer Responsibility Matrix (CRM), not “we handle security” |
| Non-cloud ESP | Specific functions you outsource | Mapping what they do, what you do, and what’s left over | A Service Description plus the CRM |
| GRC / compliance software | Organizing SSP, POA&M, policies, and evidence | The actual control implementation behind the records | Clarity that the tool documents compliance; it doesn’t create it |

An ESP changes where the work happens and who’s responsible, not whether you’re responsible. A serious provider gives you a Service Description and a Customer Responsibility Matrix spelling out which requirements it implements and which remain yours. “Our vendor handles security” is not an answer an assessor accepts. The CRM is.

Before you buy an enclave, GCC High, or a GRC platform, confirm your scope first. The right first move might be environment design, readiness, or evidence workflow — and the order matters.


Your first 30, 60, and 90 days after a CMMC flow-down request

The fastest path is sequential, not heroic: scope first, gaps second, remediation third. Days 1–30 are for data type, clauses, ownership, and your SPRS/SSP reality. Days 31–60 are for a gap assessment, evidence, and mapping your cloud and ESP responsibilities. Days 61–90 are for closing blocking gaps and deciding whether you’re ready to plan an assessment or still need readiness work.

Days 1–30 — establish reality

  • Confirm whether you handle FCI, CUI, or neither (use the prime email above).
  • Find every clause in play: DFARS 252.204-7012, 7019, 7020, 7021, and the 7025 provision in any solicitation.
  • Identify your CAGE code(s) and the specific information systems that will touch FCI/CUI.
  • Assign one accountable internal owner. This can’t be a side project for “whoever has time.”
  • Start or update your System Security Plan (SSP) — the document that defines your environment, scope, and how each control is implemented.
  • Confirm your SPRS access and your current assessment status.
  • Freeze any uncontrolled CUI sharing until your scope is clear.

Days 31–60 — find the gaps

  • Run a NIST SP 800-171 Rev. 2 gap assessment if any CUI is in play.
  • Build an evidence inventory — policies, configurations, logs, screenshots.
  • List every external service provider and request each one’s Service Description and CRM.
  • Draw your CUI boundary and a simple data-flow diagram.
  • Prioritize the high-weight gaps (the ones that cost you the most points under the scoring methodology).

Days 61–90 — close and decide

  • Remediate the blocking controls first.
  • If you’re self-assessing, prepare your SPRS submission and affirmation.
  • If you’re on a Level 2 (C3PAO) path, get a readiness review before you schedule an assessor.
  • Decide whether scope reduction or an enclave strategy lowers your cost and complexity.
  • Give your prime a documented status update — accurate, not overclaimed. “We’re implementing and on track for [milestone]” is honest. “We’re certified,” when you’re not, is the kind of statement that ends up in an enforcement action.

Our CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 control families, turns the plan above into a step-by-step worksheet you can hand to your team.


The CMMC rollout timeline — and why “Phase 2 is 2026” is a trap for subcontractors

The rules are already in force, and the phase dates are not your real deadline — your prime’s award schedule is. The CMMC Program Rule (32 CFR Part 170) was published October 15, 2024 and took effect December 16, 2024. The DFARS acquisition rule was published September 10, 2025 and took effect November 10, 2025, starting a four-phase rollout (32 CFR §170.3(e)):

| Phase | Begins | What it means for a subcontractor |
|---|---|---|
| Phase 1 (underway) | November 10, 2025 | Level 1 (Self) and Level 2 (Self) appear as conditions of award; Level 2 (C3PAO) can appear at the DoD’s discretion |
| Phase 2 | November 10, 2026 | DoD intends to include Level 2 (C3PAO) as a condition of award for applicable CUI contracts (the rule lets DoD apply it at an option period instead) |
| Phase 3 | November 10, 2027 | Level 2 (C3PAO) expands further; Level 3 (DIBCAC) is introduced for applicable contracts |
| Phase 4 | November 10, 2028 | Full implementation across applicable DoD solicitations and contracts, including option periods |

The real constraint is runway, not a phase date.

Readiness for a Level 2 (C3PAO) assessment commonly runs 6 to 18 months (industry-reported). Phase 2’s certification standard lands November 10, 2026. Do that subtraction and the runway is already tight.

Primes aren’t waiting for the phases — they’re sending questionnaires and asking for SPRS evidence now. And according to Cyber AB town-hall data from spring 2026, there were roughly 100 authorized C3PAOs and around 750 certified assessors serving tens of thousands of organizations expected to need Level 2 — with only around 1,000 organizations having achieved Level 2 certification, leaving the defense base near 1% certified. The bigger constraint isn’t assessor availability — it’s readiness. Start now.


What happens if you’re not ready: Conditional status, POA&M limits, and real enforcement

Falling short isn’t automatically fatal — but misrepresenting where you stand can be. (This section discusses legal risk and is general information, not legal advice — talk to counsel about your situation.) CMMC allows a Conditional status for Level 2 if you meet strict conditions, and Conditional is enough to win an award. The line subcontractors must not cross is the one between “we have gaps and we’re remediating them” and “we told the government we’re compliant when we weren’t.”

Conditional-status mechanics (32 CFR §170.21):

  • A POA&M can get you to Conditional Level 2 only if your score is at least 80% (a score of at least 88 of 110 under the DoD methodology), only for the specific lower-point requirements the rule allows — generally 1-point items, with a narrow exception for CUI encryption (SC.L2-3.13.11) — and never for the requirements the rule bars from a POA&M entirely.
  • You then have 180 days to close the POA&M and pass a closeout assessment. Miss that window and your Conditional status expires.
  • Level 1 allows no POA&M at all. It’s all-or-nothing.
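As an added example (not from the article, and not a DoD or Cyber AB tool), here is a small Python model of the three Conditional-status gates just described: the 88-of-110 score floor, the restriction on what may sit on the POA&M, and the 180-day closeout window. It assumes a constructed subset of requirement weights, an assumed list of requirements barred from any POA&M, and an assumed partial-credit value for SC.L2-3.13.11; each assumption is labelled in the code.

```python
"""Conditional Level 2 eligibility check modelled on 32 CFR 170.21 as summarised above.

Added example, not part of the article. WEIGHTS is a constructed subset of the DoD
NIST SP 800-171 scoring methodology (requirements not listed are treated as
implemented), BARRED_FROM_POAM is an assumption to confirm against 170.21(a)(2),
and the partial-credit value for CUI encryption is an assumption from the scoring
methodology. The 88-point floor and 180-day window are the figures the article gives.
"""
from datetime import date, timedelta

MAX_SCORE = 110               # the methodology starts at 110 and deducts per gap
CONDITIONAL_MIN_SCORE = 88    # 80% of 110, the floor for Conditional Level 2
CLOSEOUT_DAYS = 180           # window to close the POA&M after the assessment
CUI_ENCRYPTION = "SC.L2-3.13.11"
PARTIAL_ENCRYPTION_DEDUCTION = 3   # assumption: encryption in use, not FIPS-validated

# Constructed sample of requirement weights (1, 3 or 5 points each).
WEIGHTS = {
    "AC.L2-3.1.1": 5,  "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1, "AT.L2-3.2.2": 1,
    "AU.L2-3.3.1": 5,  "CM.L2-3.4.1": 5,  "CM.L2-3.4.3": 1,  "IA.L2-3.5.3": 5,
    "IR.L2-3.6.3": 1,  "MA.L2-3.7.5": 5,  "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1,
    "PE.L2-3.10.5": 1, "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}

# Assumption: the 1-point requirements the rule bars from any POA&M.
BARRED_FROM_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})

# Constructed example: a sub's open items after its gap assessment.
SAMPLE_GAPS = {
    "AT.L2-3.2.2": "NOT_MET",    # 1 point, POA&M-eligible
    "CM.L2-3.4.3": "NOT_MET",    # 1 point, POA&M-eligible
    "IR.L2-3.6.3": "NOT_MET",    # 1 point, POA&M-eligible
    "SC.L2-3.13.11": "PARTIAL",  # 3 points, the narrow encryption exception
}
# Same sub with two more gaps that a POA&M cannot absorb.
SAMPLE_GAPS_BLOCKED = dict(SAMPLE_GAPS, **{
    "IA.L2-3.5.3": "NOT_MET",    # 5-point requirement
    "PE.L2-3.10.3": "NOT_MET",   # 1 point, but barred from any POA&M
})
SAMPLE_ASSESSMENT_DATE = date(2026, 6, 8)   # constructed assessment date


def deduction(req_id, status):
    """Points lost for one requirement under the sampled weights."""
    if req_id not in WEIGHTS:
        raise KeyError(f"unknown requirement id {req_id}")
    if status == "MET":
        return 0
    if status == "NOT_MET":
        return WEIGHTS[req_id]
    if status == "PARTIAL" and req_id == CUI_ENCRYPTION:
        return PARTIAL_ENCRYPTION_DEDUCTION
    raise ValueError(f"status {status!r} is not valid for {req_id}")


def score(statuses):
    """SPRS-style score: 110 minus the deduction for every open requirement."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())


def poam_violations(statuses):
    """Map each open requirement that may NOT sit on a Conditional POA&M to the reason."""
    problems = {}
    for req_id, status in statuses.items():
        if status == "MET":
            continue
        if req_id in BARRED_FROM_POAM:
            problems[req_id] = "barred from any POA&M"
        elif req_id == CUI_ENCRYPTION and status == "PARTIAL":
            continue   # the narrow exception: encryption present, not FIPS-validated
        elif WEIGHTS[req_id] > 1:
            problems[req_id] = f"{WEIGHTS[req_id]}-point requirement cannot be on a POA&M"
    return problems


def conditional_eligibility(statuses, assessment_date):
    """Apply the gates: score >= 88 and no ineligible POA&M items. When both pass,
    report the date by which the closeout assessment must be passed."""
    s = score(statuses)
    violations = poam_violations(statuses)
    eligible = s >= CONDITIONAL_MIN_SCORE and not violations
    return {
        "score": s,
        "eligible": eligible,
        "violations": violations,
        "closeout_deadline": assessment_date + timedelta(days=CLOSEOUT_DAYS) if eligible else None,
    }


if __name__ == "__main__":
    for label, gaps in (("eligible", SAMPLE_GAPS), ("blocked", SAMPLE_GAPS_BLOCKED)):
        print(label, conditional_eligibility(gaps, SAMPLE_ASSESSMENT_DATE))
```

Swap in your own gap list and the full weight table from the DoD scoring methodology to get a defensible answer for your environment; the sample weights here are only a subset.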

The Department of Justice’s Civil Cyber-Fraud Initiative uses the False Claims Act to pursue contractors that misrepresent cybersecurity compliance, and subcontractors are not shielded just for being subs. Real, on-the-record examples — these resolved allegations, not admissions of liability:

| Who | When | Amount | What DOJ alleged | The lesson for a sub |
|---|---|---|---|---|
| Raytheon / RTX / Nightwing | May 2025 | $8.4 million | DOJ alleged Raytheon failed to develop and implement an SSP and comply with DFARS 252.204-7012 and FAR 52.204-21 on a system used for roughly 29 DoD contracts and subcontracts | The obligation runs through subcontracts, and it can follow an acquisition |
| MORSE Corp | March 2025 | $4.6 million | As part of the settlement, MORSE acknowledged it had posted a self-assessed SPRS score of 104 while a later third-party assessment scored negative 142 | An inflated SPRS self-score is the exposure — the distance between what you posted and what’s real |
| Georgia Tech Research Corp | September 2025 | $875,000 | DOJ alleged the Astrolavos Lab ran without required antivirus/anti-malware and without an SSP, and that an inflated self-assessment score was submitted to DoD | “We’ll fix it later,” plus a rosy score, is a False Claims Act risk |

The takeaway isn’t to be frightened — it’s to be honest. Post the score you can defend, affirm only what’s true, and remediate the rest on a real plan. That posture is both safer and cheaper than the alternative.


Which CMMC provider category should a subcontractor talk to first?

If you don’t yet know your data type, scope, or assessment path, do not start with a C3PAO — start with the category that resolves your actual gap. For scoping, SSP, remediation, and managed compliance, that’s a readiness consultant (an RPO), a vCISO, or a CMMC-capable MSP/MSSP. For sprawling CUI, it’s an enclave or secure-collaboration provider. For evidence and workflow, it’s GRC software as a supporting layer. A C3PAO belongs at the end, when you’re assessment-ready.

| Your situation | First provider category | Why |
|---|---|---|
| You don’t know whether you handle CUI | Scope clarification / RPO / vCISO | You need data and boundary answers before tools |
| You have CUI but no SSP or evidence | RPO / readiness consultant | Implementation evidence comes before assessment |
| Unmanaged endpoints, identity, logging, backups | CMMC-capable MSP / MSSP | Controls have to work continuously, not once |
| CUI sprawled across email and file shares | CUI enclave / secure collaboration / GCC High implementation | Scope reduction lowers cost and complexity |
| You have evidence but no system to manage it | GRC / evidence-management software | Organizes SSP, POA&M, artifacts, and owners |
| Prime requires Level 2 (C3PAO) and you’re ready | Authorized C3PAO | The formal assessment path |
| You already used a readiness consultant | A separate C3PAO | The 3-year conflict-of-interest rule requires it |

The verification step a federal audit says you can’t skip

A January 2025 DoD Inspector General audit (DODIG-2025-056) reviewed 11 of the 48 C3PAOs authorized at the time and found the DoD had not effectively implemented the authorization process — including authorizing some organizations without confirming a signed agreement or the required certified personnel. The audit’s own conclusion: without an effective process, the DoD “does not have assurance that all C3PAOs that perform the CMMC Level 2 assessments are qualified.” Before you trust any assessor, confirm its current authorization directly on the Cyber AB Marketplace. Don’t assume.


The most expensive mistakes subcontractors make with CMMC

Almost every costly CMMC mistake is a sequencing mistake. Naming them is the cheapest insurance you’ll buy this year:

  1. Treating FCI and CUI as interchangeable. They drive different levels.
  2. Assuming all Level 2 needs a C3PAO — or assuming none of it does. Your prime contract’s requirement decides.
  3. Calling a C3PAO before your SSP, evidence, and scope are ready.
  4. Buying GCC High before you’ve defined your CUI boundary.
  5. Posting a stale or unsupportable SPRS score. (See: MORSE Corp.)
  6. Sending CUI through lead forms, spreadsheets, or email chains.
  7. Letting an informal prime email replace an actual clause review.
  8. Forgetting your own sub-tier flow-down.
  9. Treating a POA&M as if it were implementation. It isn’t — the requirement stays “not met” until you close it.
  10. Saying “certified” when you only hold a self-assessment status.

How we built this guide, and what we actually verified

What we verified (last verified ):

We read 32 CFR §170.23 (subcontractor flow-down), §170.21 (POA&M and Conditional status), §170.14 (the CMMC model and requirement counts), §170.16 and §170.17 (Level 2 self vs. C3PAO), §170.9 (C3PAO requirements), and §170.3(e) (the phase schedule) directly on the eCFR. We pulled the DFARS 252.204-7019, 7020, 7021, and 7025 mechanics from Acquisition.gov and the September 2025 Federal Register final rule. We took the conflict-of-interest rule from the Cyber AB’s Code of Professional Conduct (implementing 32 CFR §170.8(b)(17)(ii)(G)) and reviewed the CMMC Assessment Process (CAP) v2.0 for assessment-procedure context. We sourced the DoD cost figures from the rule’s cost analysis and flagged that they exclude implementation. The C3PAO authorization findings come from DoD Inspector General report DODIG-2025-056. The enforcement figures come from Department of Justice settlement announcements. Ecosystem counts reflect Cyber AB town-hall data from spring 2026 and are re-checked monthly against the Cyber AB Marketplace. This is editorial analysis, not legal, contractual, or compliance advice.

Spot a figure that’s drifted? Tell us through our corrections policy and we’ll fix it.


Frequently asked questions

Does CMMC apply to subcontractors at every tier?

Yes — when the subcontractor will process, store, or transmit FCI or CUI in performance of the subcontract. 32 CFR §170.23 applies CMMC to prime contractors and subcontractors at all tiers that handle that information. Subcontractors that handle neither FCI nor CUI on contractor information systems are generally not subject for that work.

Does FCI-only subcontract work require Level 2?

No. Under 32 CFR §170.23, a subcontractor that handles FCI but not CUI needs CMMC Level 1 (Self) as its minimum — an annual self-assessment of the 15 FAR 52.204-21 safeguarding requirements, with an affirmation in SPRS.

Does handling CUI always mean a C3PAO assessment?

No. Handling CUI requires at least Level 2 (Self). Level 2 (C3PAO) is required when your prime’s contract requires Level 2 (C3PAO) or Level 3, in which case your CUI work must be third-party assessed, not self-assessed.

Can a subcontractor choose Level 2 (Self) because it’s cheaper?

Only if the solicitation, contract, or flow-down permits Level 2 (Self). If your flow-down requires Level 2 (C3PAO), a self-assessment does not satisfy it, regardless of cost.

Do small subcontractors get an exemption?

Not for being small or downstream. The rule includes no general small-business exemption from CMMC. It does, however, only require flow-down to subcontractors that will actually receive FCI or CUI — so a supplier outside that data flow may be outside CMMC for that work.

Does my prime automatically see my SPRS status?

No. The DoD has confirmed there’s no automated way for a prime to view a subcontractor’s CMMC status in SPRS. Verification is manual — primes typically ask you to share an SPRS screenshot or a certificate, and you decide what’s appropriate to provide.

What’s the difference between a NIST 800-171 SPRS score and CMMC status?

A NIST SP 800-171 DoD Assessment score (DFARS 252.204-7019/-7020) is a self-assessment score you post in SPRS for the 110 NIST SP 800-171 Rev. 2 controls. A CMMC status (DFARS 252.204-7021/-7025) is the result of a CMMC self-assessment or C3PAO assessment at a specific level. During the transition, some subs are asked for both.

Can my readiness consultant also be my C3PAO?

Not for the same engagement. The CMMC conflict-of-interest rule (32 CFR §170.8(b)(17)(ii)(G), via the Cyber AB Code of Professional Conduct) bars a firm from assessing an organization it served as a consultant to prepare for a CMMC assessment within the prior 3 years. Preparation and certification go to separate providers.

Is NIST SP 800-171 Revision 3 the standard for CMMC Level 2 now?

No — not for CMMC. NIST has published Revision 3, but 32 CFR Part 170 incorporates NIST SP 800-171 Revision 2 for CMMC Level 2, and that holds unless the DoD amends the rule.

When do subcontractors have to be compliant?

As each subcontract requires. Phase 1 began November 10, 2025, with Level 1 and Level 2 self-assessments appearing as conditions of award. Level 2 (C3PAO) certification is slated to become standard for applicable CUI contracts at Phase 2 on November 10, 2026 (32 CFR §170.3(e)).





This article is editorial analysis, not legal, contractual, or compliance advice. Confirm your specific obligations with your prime and your counsel. Last verified: . Next scheduled verification: September 2026, or sooner if DoD, DFARS, NIST, Cyber AB, or SPRS guidance changes.