The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Flow Down Requirements for Prime Contractor Supply Chains

Prime contractor supply-chain playbook · By The Defense Compliance Report Editorial Team · Last verified

General information for the defense industrial base — not legal, contractual, audit, or compliance advice. Not affiliated with the DoD, DCMA DIBCAC, The Cyber AB, or any U.S. government agency. Your solicitation, contract, and contracting officer guidance control what applies to you.


CMMC flow down requirements come down to one rule most guides get half-right: what a subcontractor must do depends on the data it touches — not on your CMMC level. Under 32 CFR 170.23, a supplier that handles only Federal Contract Information (FCI) needs Level 1. A supplier that handles Controlled Unclassified Information (CUI) needs at least Level 2. If your contract requires Level 2 with a third-party assessment — or even Level 3 — a CUI-handling subcontractor needs Level 2 (C3PAO), not Level 3. That’s the whole answer.

The rest of this page is the operating manual — how to classify your suppliers, what evidence to ask for, what to write into the subcontract, what to do with a supplier that isn’t ready, and what’s actually changing in the rulebook in 2026. We read the controlling text ourselves on June 8, 2026: the subcontractor rule in 32 CFR 170.23, the assessment and scoring rules in 32 CFR 170.16, 170.17, 170.21, and 170.24, the CMMC clause at DFARS 252.204-7021, the CUI-safeguarding clause at DFARS 252.204-7012, the DoD CIO’s phase schedule, and the March 2026 GAO report on assessor capacity.

Quick reference: which CMMC status does each supplier need?

If the subcontractor will handle… | Flow-down answer | Your move
No FCI or CUI | No CMMC flow-down without a documented trigger | Write down why no covered data flows
FCI only | Level 1 (self-assessment) | Confirm Level 1 status + annual affirmation
CUI, on a Level 2 self-assessment contract | Level 2 (Self) minimum | Verify SPRS score, scope, affirmation
CUI, on a Level 2 C3PAO contract | Level 2 (C3PAO) minimum | Verify a current C3PAO certificate before award
CUI, on a Level 3 contract | Level 2 (C3PAO) minimum — not Level 3 | Verify Level 2 C3PAO status + any contract-specific DoD guidance

Put your own list through it. Work through the Prime-to-Subcontractor Flow-Down Matrix below to place every supplier in one of these buckets, then use the Supplier Evidence Checklist further down to request exactly the right proof — no more, no less. Both tools are on this page, at no cost.


What are CMMC flow down requirements?

CMMC flow down requirements are a prime contractor’s obligation to pass the correct CMMC level and assessment type down to every subcontractor and supplier that will process, store, or transmit FCI or CUI in performance of the work. CMMC — the Cybersecurity Maturity Model Certification — is the DoD program that verifies a contractor has actually implemented required cybersecurity controls. Flow-down is not “make every supplier Level 2.” It’s “match each supplier’s status to the data you’re sending them.”

Two definitions do most of the work here:

FCI — Federal Contract Information

Non-public information provided by or generated for the government under a contract to deliver a product or service. Not classified, not already public on a government website. Handling FCI puts a supplier at Level 1.

CUI — Controlled Unclassified Information

Sensitive but unclassified information the government requires you to protect — technical drawings, specifications, engineering data, and program details. Overlaps heavily with “Covered Defense Information” (CDI) under DFARS 252.204-7012. Handling CUI puts a supplier at Level 2 or higher.

That single distinction is the whole game. Misjudge it and you either overspend protecting suppliers who only touch FCI, or — far worse — you hand CUI to a supplier that can’t protect it and put your own contract at risk.

The regulation and required action side by side:

What the regulation says | Your action as the prime
32 CFR 170.23: flow CMMC down to subs that process, store, or transmit FCI or CUI, at the level the data requires | Classify every supplier by data, then set the level and assessment type from the matrix
DFARS 252.204-7021: the sub must have a current CMMC status before award; affirmations are required annually | Collect status evidence before award; track each supplier's affirmation date
DFARS 252.204-7012: protect CUI, report cyber incidents within 72 hours, use FedRAMP Moderate (or equivalent) cloud | Flow 7012 to CUI-handling subs; verify their cloud posture

What CMMC flow-down is not

  • Not a reason to send a blanket “be Level 2 by Friday” letter to your whole vendor list.
  • Not a substitute for mapping where your CUI actually goes.
  • Not permission to ignore contract-specific instructions from your contracting officer.
  • Not the same as the incident-reporting and NIST 800-171 obligations under DFARS 252.204-7012 — those obligations overlap with CMMC and predate it by years.

Why this is urgent right now

CMMC stopped being theoretical. The CMMC Program rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule that lets DoD put CMMC into contracts (DFARS 252.204-7021) took effect November 10, 2025. We are in Phase 1 (November 10, 2025 through November 9, 2026), which focuses primarily on Level 1 and Level 2 self-assessments — though DoD can require Level 2 (C3PAO) where warranted. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification becomes the standard for applicable contracts.

For the foundational background, see our explainer on what CMMC 2.0 is and how the levels work.


The Prime-to-Subcontractor CMMC Flow-Down Matrix

The minimum CMMC status for a subcontractor is set by the information flowed down to it and the assessment type required in your prime contract. FCI-only suppliers need Level 1; CUI-handling suppliers need at least Level 2; CUI suppliers on a Level 2 C3PAO contract need Level 2 (C3PAO); and CUI suppliers on a Level 3 contract still need only Level 2 (C3PAO) unless DoD gives contract-specific guidance. This is the rule in 32 CFR 170.23.

This matrix was cross-checked against 32 CFR 170.23, the levels and scoring in 32 CFR 170.14, 170.16, 170.17, 170.21, and 170.24, DFARS 252.204-7021, DFARS 252.204-7012, the DoD CIO’s “CMMC Alignment to NIST Standards” reference, and NIST SP 800-171 Revision 2. Last verified: .

Supplier situation | Min. CMMC status (sub) | Assessment type | Primary source | What the prime should verify | Most common mistake | Where to route for help
Will not process/store/transmit FCI or CUI | No CMMC flow-down (document the basis) | None | 32 CFR 170.23(a) | Data-flow map; SOW language; no covered data transfer | Flowing Level 2 'just in case' | CUI scoping / contracts review
Handles FCI only | Level 1 (Self) | Annual self-assessment; pass/fail (all 15 met) | 32 CFR 170.23(a)(1); FAR 52.204-21 | Level 1 status + annual affirmation; system boundary | Treating all DoD data as CUI | Level 1 readiness support
Handles CUI; prime contract is Level 2 (Self) | Level 2 (Self) minimum | Self-assessment on a 3-year cycle; SPRS score posted; affirmation at assessment and annually | 32 CFR 170.23(a)(2); 170.16 | SPRS score + score date; SSP scope; affirmation; POA&M status if conditional | Demanding a C3PAO certificate when only Level 2 Self is required | RPO / MSP / MSSP readiness + GRC
Handles CUI; prime contract requires Level 2 (C3PAO) | Level 2 (C3PAO) minimum | Triennial third-party C3PAO certification; annual affirmation | 32 CFR 170.23(a)(3); 170.17 | Current C3PAO certificate; CMMC UID; CUI scope; affirmation | Accepting a self-assessment SPRS score as if it equals C3PAO certification | Readiness first; C3PAO only when assessment-ready
Handles CUI; prime contract requires Level 3 (DIBCAC) | Level 2 (C3PAO) minimum — not Level 3 | Triennial C3PAO (sub does not need DIBCAC) | 32 CFR 170.23(a)(4) | Level 2 C3PAO status; CMMC UID; contract-specific DoD instructions | Wrongly demanding Level 3 from the sub | Level 2 C3PAO readiness + contract review
Cloud Service Provider (CSP) that processes/stores/transmits your CUI | FedRAMP Moderate authorized, or FedRAMP Moderate-equivalent per DoD policy | Provider posture verified; CRM documented in your SSP | DFARS 252.204-7012; 32 CFR 170.16/170.17 | FedRAMP authorization or equivalency evidence; Customer Responsibility Matrix; SSP integration | Assuming a 'secure' tool removes the data from your scope | GCC High / GovCloud / CUI enclave review
Non-CSP External Service Provider (ESP) that touches your CUI | No standalone FedRAMP requirement; assessed inside your scope | ESP relationship and services documented in your SSP/CRM | 32 CFR 170.16/170.17 | ESP relationship, services, and responsibility split in your SSP | Treating an in-scope ESP as out of scope | MSP/MSSP/managed compliance review
Commercial off-the-shelf (COTS) item only, no FCI/CUI | COTS exclusion may keep 7021 out of that subcontract | None | DFARS 252.204-7021 (COTS excluded) | Procurement category; written rationale; no covered data flow | Treating every commercial purchase as a CMMC supplier | No provider unless CUI scope is unclear

Source note. 32 CFR 170.23 sets the minimum subcontractor CMMC status based on FCI/CUI and the associated prime contract level, and lets DoD provide contract-specific flow-down guidance. DFARS 252.204-7021 requires the prime to flow down the correct level, ensure applicable subs complete and maintain annual affirmations, and confirm a current CMMC status before subcontract award.

The one rule that fixes most confusion

A subcontractor’s level follows its data, not your level. A janitorial vendor that never touches covered data is out of scope. A machine shop that downloads your CUI drawings to quote a job is squarely in scope at Level 2. Same prime, two very different obligations — driven entirely by what data moves.

The Level 3 myth, killed with the citation

If your prime contract requires Level 3, your CUI-handling subcontractors do not automatically need Level 3. Read 32 CFR 170.23(a)(4): the subcontractor minimum is Level 2 (C3PAO)unless DoD issues contract-specific guidance. Demanding Level 3 from a sub that doesn’t need it can cost months and price perfectly capable suppliers out of your supply chain unnecessarily.

What each level actually requires:

Level 1

Maps to the 15 basic safeguarding requirements in FAR 52.204-21, assessed by annual self-assessment and annual affirmation. (You'll see '17 controls' floating around the web — that's a leftover from the old CMMC 1.0 model. The DoD CIO's own alignment document lists 15 for the current program.)

Level 2

Maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Depending on the contract, it's either self-assessed (three-year cycle, annual affirmations) or certified by a C3PAO every three years. CMMC Level 2 currently maps to Revision 2 — not Revision 3, which DoD has not incorporated into the program.

Level 3

The rare tier. Requires a Final Level 2 (C3PAO) status for the same scope first, then DCMA DIBCAC assesses 24 selected enhanced requirements from NIST SP 800-172. It sits on top of Level 2's 110 — not a standalone 134-item exam.

For the deeper split on self-assessment versus third-party assessment, see CMMC Level 2 self-assessment vs. C3PAO.


Which DFARS clauses actually carry the requirement — and what to confirm in your contract

Flow-down runs through a stack of FAR and DFARS clauses, and the anchors haven’t moved: DFARS 252.204-7012 (safeguarding CUI and incident reporting) and DFARS 252.204-7021 (the CMMC requirement and its flow-down obligation). But the broader acquisition rulebook is in motion in 2026, so the safe move is to read the clauses in your specific solicitation rather than assume which ones apply.

The recurring trap is conflating the SPRS self-assessment world with the CMMC certification world. A self-assessment score is not a C3PAO certification. If your contract requires Level 2 (C3PAO), a supplier’s self-generated SPRS number — however high — doesn’t satisfy it.

SPRS is the Supplier Performance Risk System — DoD’s platform where assessment scores, CMMC statuses, and annual affirmations live. It matters in a minute, because it’s also the thing you can’t see into for your suppliers.


Do all suppliers need CMMC if the prime has a CMMC requirement?

No. CMMC flows down only to suppliers that will process, store, or transmit FCI or CUI in performance of the subcontract. A supplier that receives no covered data should not be treated like one that downloads CUI drawings — and forcing CMMC on no-data suppliers adds cost and friction with zero security benefit.

The “no covered data” supplier

Plenty of your vendors touch neither FCI nor CUI. For those, the right move is a documented no-flow rationale — a short record in your contracts file showing the work doesn’t transfer covered data. Two cautions: don’t break your own rationale later by emailing a CUI drawing to a supplier you classified as out of scope, and keep procurement and contracts aligned. A simple defensible record:

Field | Example entry
Supplier name |
SOW task |
Data we provide to them |
Will they handle FCI? | Yes / No
Will they handle CUI? | Yes / No
Basis for 'no covered data flows' |
Classification approved by |
Date reviewed |
Re-review trigger | New SOW, new data package, scope change

COTS and commercial-item edge cases

DFARS 252.204-7021 reaches into subcontracts for commercial products and services that involve FCI or CUI — only true COTS items are excluded. “Commercial” does not automatically mean “no CMMC.” A commercial service provider that handles your CUI is in scope; a COTS part that involves no covered data is not. Classify by data flow, not by the word “commercial” on the purchase order.

Lower-tier subcontractors

Flow-down doesn’t stop at your direct subs. 32 CFR 170.23 applies CMMC throughout the supply chain “at all tiers” that handle FCI or CUI. If your subcontractor passes covered data to its suppliers, the chain continues — and your CUI can end up two or three hops away in a system you’ve never heard of. Require your subs to flow the requirement down and to notify you of lower-tier suppliers that will touch covered data.


The cheapest compliance move most primes miss: shrink who touches CUI

Before you certify more suppliers, ask whether fewer suppliers need to touch CUI at all. Reducing CUI flow is often the highest-leverage — and cheapest — supply-chain move available to a prime. If a supplier doesn’t need raw CUI to do its job, changing the workflow can drop it from Level 2 to Level 1, or out of scope entirely. The catch: the workflow change has to be real, documented, and enforced.

The honest admission

Blanket Level 2 flow-down letters are administratively easy and operationally sloppy. They feel like progress — one letter, whole supplier base, done. But they overburden FCI-only and no-data suppliers, shrink the pool of vendors willing to keep doing DoD work, and trigger panic before anyone has defined scope. A prime sends “be Level 2 certified by [date],” a small shop reads it as full third-party certification, panics, and starts buying infrastructure before scope is even drawn.

Here’s the trade-off we’ll name plainly: doing flow-down right sometimes means you need less paid help, not more. If you can re-architect a data flow so a supplier never downloads CUI, that supplier may not need a readiness engagement at all.

But when CUI genuinely has to reach a supplier, the math flips. That supplier needs at least Level 2, and getting a small shop there before Phase 2 is exactly where a CUI enclave or a readiness partner earns its fee. A CUI enclave — a secure, walled-off environment for storing and sharing controlled data — can put a small supplier on a fast path to Level 2 without rebuilding its entire IT estate.

The construction and manufacturing case makes this concrete. Suppliers need drawings and specs to estimate and quote. If they download those CUI files into unmanaged systems, their environment enters Level 2 scope. Controlled, view-only access or an enclave can keep the CUI from ever landing on the supplier’s own systems — which can be the difference between a supplier needing Level 2 and not.

Next step, your call

If your supplier base is mixed and you want a fast read on which groups need a Level 2 path, compare readiness and CUI-enclave provider categories — or get matched with source-checked provider options. Tell us your tiers, CUI scope, and deadline.


How to verify a subcontractor’s CMMC status when you can’t see their SPRS score

Here’s the operational gap nobody warns you about: as of June 8, 2026, a prime contractor cannot look up a subcontractor’s CMMC status or SPRS score directly. SPRS access is tied to your own records and authorized users. You verify a sub by collecting documentation they provide — and you do it before award, because there are no do-overs once the work starts.

Your suppliers post their own self-assessment results or CMMC statuses and complete an annual affirmation of continuous compliance, signed by an affirming official. The CMMC UID is the unique identifier tied to that status in SPRS. Accountability for the affirmation sits with the supplier — but the obligation to confirm the right status before award sits with you.

And DoD keeps a check on the back end. Under 32 CFR 170.16 and 170.17, it reserves the right to run a DCMA DIBCAC assessment, and if that review finds requirements weren’t actually achieved or maintained, those results take precedence over the supplier’s existing CMMC status. A status you relied on at award can be unwound later. That’s one more reason to collect real evidence, not a signature and a shrug.

We recommend five stages:

  1. Classify. Sort every supplier into one of five buckets: no FCI/CUI, FCI only, CUI, cloud/ESP, or lower-tier.
  2. Assign. Set the required CMMC level and assessment type from the matrix.
  3. Request. Ask for level-appropriate evidence — and only level-appropriate evidence.
  4. Resolve. For each supplier, choose: accept, remediate, reduce CUI flow, replace, or escalate.
  5. Monitor. Track annual affirmations, status expirations, and any change in the supplier's CUI workflow.

A few hard facts to build the cadence around. Level 1 self-assessed status is current for one year. Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) statuses are current for three years. Affirmations are annual at every level. The requirement must be met at the time of award.

The Supplier Evidence Checklist — by category, without over-collecting

Asking every supplier for a full System Security Plan (SSP) by email is a rookie move that creates a new security problem: now you’re holding sensitive system documentation you didn’t need and have to protect. Match the evidence to the requirement.

Supplier category | Evidence to request | Why | Don’t over-request
FCI only / Level 1 | Level 1 status/affirmation; system boundary; responsible official | Confirms the right tier and an active affirmation | A full Level 2 SSP
Level 2 (Self) | SPRS score + date; CAGE code; SSP name/date; affirmation; POA&M status if conditional | Confirms posted score, scope, and currency | Raw control-by-control evidence unless risk warrants
Level 2 (C3PAO) | Current C3PAO certificate; CMMC UID; scope; certificate date; affirmation | Confirms certification, not just a self-score | The assessor's working papers
Cloud / CSP | FedRAMP authorization or equivalency evidence; Customer Responsibility Matrix | Confirms the cloud meets the 7012 standard | A generic 'we're secure' brochure
Non-CSP ESP | ESP relationship + services + responsibility split documented in your SSP | Keeps the in-scope service properly assessed | Demanding a separate ESP 'certificate'
No FCI/CUI | Written no-flow rationale; SOW; procurement classification | Documents why CMMC doesn't apply | Any CMMC demand without a data trigger

Use a least-sensitive-evidence ladder: status proof first, scope proof second, affirmation proof third, limited artifacts only if risk warrants, and a full SSP only under controlled, secure conditions. Use secure intake — not email — for documents that matter.

Short status request email — copy this:

Subject: CMMC status confirmation for [subcontract / RFQ #]


As part of awarding this work, we need to confirm your CMMC status for the information you’ll handle. Please provide: (1) your current CMMC status and SPRS score (or Level 1 confirmation), with the assessment date; (2) the assessment scope; and (3) confirmation of your current annual affirmation. We are not asking for your full SSP at this stage. If you believe you will not receive FCI or CUI under this work, let us know and we’ll document that instead.

And to say the quiet part out loud: “have them sign something saying they’re compliant and hope for the best” is not a verification program. A signed attestation with no status evidence, no scope, and no affirmation date is exposure dressed up as diligence.

Make it repeatable

Save the table above as your standing Supplier Evidence Checklist, and the email as your request template. When you’re ready to move suppliers forward, get matched with source-checked provider options for the groups that need readiness help — we’ll route by category, and tell you why.


What should prime contractors put in subcontract flow-down language?

Good flow-down language names the data, the required CMMC level and assessment type, the evidence due date, the annual-affirmation expectation, the change-notification duty, and the lower-tier flow-down obligation. Vague “be CMMC compliant” language is what creates the panic-and-overbuy cycle. This is not legal advice — your counsel and contracting officer guidance govern — but these are the components that prevent the predictable failures.

Contract component | Why it matters
Information category | Distinguishes no-FCI, FCI, CUI, and CDI
Required CMMC level/status | Replaces vague 'be compliant' language
Assessment type | Separates Level 2 Self from Level 2 C3PAO
System boundary | Stops one status from being misapplied to everything
Evidence due date | Prevents award-week scrambles
Annual affirmation requirement | Aligns with DFARS 252.204-7021
Change notification | Captures lapses, scope changes, new CUI workflows
Lower-tier flow-down | Prevents hidden downstream CUI exposure
Incident reporting | Aligns with DFARS 252.204-7012 where applicable

Write the assessment type into the subcontract so there’s no daylight for misreading it later. “Level 2” is not enough; “Level 2 (C3PAO) certification” or “Level 2 self-assessment status” is.

What happens if a subcontractor isn’t CMMC-ready?

You have four practical options, and “send them to a C3PAO” is rarely the first one. You can keep CUI out of the supplier’s systems, delay or replace the supplier, help the supplier get ready, or — only when the contract requires it and the supplier is genuinely prepared — move toward a formal assessment. The key is keeping readiness help and formal assessment separate, because mixing them creates conflicts of interest.

Option 1: Reduce or eliminate the CUI flow

Provide non-CUI outputs, use controlled access, or move the supplier into an enclave so CUI never lands on its systems. Cheapest path when it's feasible.

Option 2: Readiness and remediation support

Registered Practitioner Organizations (RPOs — firms authorized by The Cyber AB to advise on CMMC), CMMC-focused managed service providers (MSPs and MSSPs), virtual CISOs, and SSP/POA&M documentation providers help a supplier prepare. An RPO is not the same as a C3PAO. Readiness help is not an assessment.

Option 3: Evidence and workflow software (GRC)

Governance, risk, and compliance tools help manage SSPs, POA&Ms, evidence, and the recurring affirmation workflow across many suppliers. Useful as a supporting layer — but software alone does not make anyone CMMC compliant. Anyone who tells you a tool equals certification is selling, not advising.

Option 4: Formal C3PAO assessment

Appropriate when the contract requires Level 2 (C3PAO) and the supplier is evidence-ready. The Cyber AB's assessment process requires C3PAOs to manage impartiality and conflicts of interest; where a conflict can't be mitigated, the C3PAO shouldn't proceed. No legitimate party can promise a guaranteed certification result — be wary of anyone who does.

False Claims Act exposure

Awarding covered work to a non-compliant supplier can jeopardize your prime contract, and misrepresenting compliance can create False Claims Act exposure under the Department of Justice’s Civil Cyber-Fraud Initiative. The DOJ has used this to pursue contractors that knowingly misrepresent their cybersecurity practices. The accurate takeaway: false attestations about your supply chain are a legal exposure, not just a compliance ding.

When a supplier is genuinely ready, our guide to the authorized C3PAO landscape explains what to check.

When you’re ready to act

If your supplier base is a mix of FCI-only, CUI-handling, cloud, and not-ready vendors, get matched with source-checked provider options — tell us your level, scope, and timeline, and we’ll help you identify which category fits each group before you request quotes.


How do SPRS, CMMC UID, annual affirmations, and POA&Ms fit into supplier oversight?

SPRS is the system of record for CMMC statuses, self-assessment scores, CMMC UIDs, and annual affirmations — so supplier oversight means tracking not just whether a sub says it’s compliant, but whether its current status, scope, affirmation date, and any POA&M actually support the subcontract.

POA&M limits — strictly enforced:

  • Level 1 allows none: you meet all 15 requirements or you fail.
  • Levels 2 and 3 permit POA&Ms only for lower-weighted requirements; the score must clear the 80% threshold; and six specific requirements — including the System Security Plan requirement (CA.L2-3.12.4) — can never be on a POA&M.
  • A Conditional status must be closed out via a closeout assessment within 180 days of the Conditional CMMC Status date, or it expires.

So “we have a POA&M” is not the same as “we’re done.” When tracking conditional suppliers, capture the details that actually drive your risk decision:

Supplier | Required level | Current score | Conditional status date | 180-day closeout deadline | Any barred requirement open? | Affirmation date | Your risk decision
 |  |  |  |  | Yes / No |  | Proceed / Hold / Replace
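The five-stage process above and the conditional-supplier tracking table can be run as one check rather than kept in a spreadsheet. The following Python is an added example for this guide, not code from the page, DoD, SPRS, or The Cyber AB. It encodes the rules stated on this page (the 32 CFR 170.23 minimums from the quick-reference table, the one-year / three-year status currency, annual affirmations, Level 1 allowing no POA&M, the 88-of-110 conditional threshold, the never-on-POA&M requirements, and the 180-day closeout) and applies them to a supplier record. The status codes, field names, and the sample supplier records are assumptions constructed for illustration; treating a higher status as satisfying a lower minimum is also an assumption, labeled in the code.

```python
"""Supplier CMMC oversight check.

Added example for this guide (not tooling from the page, DoD, or The Cyber AB).
Status codes, field names and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# How long a status stays current: Level 1 one year, everything else three years.
VALIDITY = {
    "L1_SELF": timedelta(days=365),
    "L2_SELF": timedelta(days=3 * 365),
    "L2_C3PAO": timedelta(days=3 * 365),
    "L3_DIBCAC": timedelta(days=3 * 365),
}
# Assumption: a higher status covers a lower minimum (a C3PAO certificate satisfies a
# Level 2 Self requirement); the reverse never holds, which is the SPRS-score-vs-cert trap.
RANK = {"L1_SELF": 1, "L2_SELF": 2, "L2_C3PAO": 3, "L3_DIBCAC": 4}
AFFIRMATION_WINDOW = timedelta(days=365)  # affirmations are annual at every level
CLOSEOUT_WINDOW = timedelta(days=180)     # Conditional status must be closed out in 180 days
L2_MIN_SCORE, L2_TOTAL = 88, 110          # 80% of 110 is the Level 2 conditional threshold
AS_OF = date(2026, 6, 8)                  # the verification date used on this page


def required_minimum(handles_fci: bool, handles_cui: bool, prime_requirement: str) -> Optional[str]:
    """Minimum sub status per 32 CFR 170.23: the level follows the data, not the prime's level."""
    if handles_cui:
        # A Level 3 prime flows Level 2 (C3PAO), not Level 3, absent contract-specific guidance.
        return {"L2_SELF": "L2_SELF", "L2_C3PAO": "L2_C3PAO", "L3_DIBCAC": "L2_C3PAO"}[prime_requirement]
    if handles_fci:
        return "L1_SELF"
    return None  # no covered data: no flow-down, record the basis instead


def closeout_deadline(conditional_status_date: date) -> date:
    return conditional_status_date + CLOSEOUT_WINDOW


@dataclass
class SupplierRecord:
    name: str
    handles_fci: bool
    handles_cui: bool
    status: Optional[str] = None             # e.g. "L2_C3PAO"; None if nothing is posted
    status_date: Optional[date] = None       # assessment or certification date
    last_affirmation: Optional[date] = None  # latest annual affirmation after status_date
    conditional: bool = False                # status is Conditional (open POA&M)
    sprs_score: Optional[int] = None
    barred_requirement_open: bool = False    # a never-on-POA&M requirement is still open


def review_supplier(rec: SupplierRecord, prime_requirement: str, as_of: date) -> Tuple[str, List[str]]:
    """Return ('proceed' | 'hold' | 'no_flow_down', findings); any finding means hold."""
    minimum = required_minimum(rec.handles_fci, rec.handles_cui, prime_requirement)
    if minimum is None:
        return "no_flow_down", ["no FCI/CUI flows: record the no-flow rationale"]
    if rec.status is None or rec.status_date is None:
        return "hold", [f"no posted CMMC status; required minimum is {minimum}"]

    findings: List[str] = []
    if RANK[rec.status] < RANK[minimum]:
        findings.append(f"status {rec.status} does not satisfy {minimum} "
                        "(a self-assessment score is not a C3PAO certification)")
    if as_of >= rec.status_date + VALIDITY[rec.status]:
        findings.append(f"{rec.status} status dated {rec.status_date} is no longer current")
    latest_affirmation = max(rec.status_date, rec.last_affirmation or rec.status_date)
    if as_of - latest_affirmation > AFFIRMATION_WINDOW:
        findings.append(f"annual affirmation lapsed (last {latest_affirmation})")
    if rec.conditional:
        if rec.status == "L1_SELF":
            findings.append("Level 1 allows no POA&M: all 15 requirements must be met")
        else:
            if rec.status.startswith("L2") and (rec.sprs_score is None or rec.sprs_score < L2_MIN_SCORE):
                findings.append(f"score {rec.sprs_score} is below {L2_MIN_SCORE}/{L2_TOTAL}")
            if rec.barred_requirement_open:
                findings.append("a requirement that can never be on a POA&M is still open")
            if as_of > closeout_deadline(rec.status_date):
                findings.append(f"Conditional status expired; closeout was due {closeout_deadline(rec.status_date)}")
    return ("hold" if findings else "proceed"), findings


# Constructed sample supplier list: (record, assessment type the prime contract requires).
SAMPLE = [
    (SupplierRecord("machine shop (CUI drawings)", True, True, "L2_SELF", date(2026, 2, 1), sprs_score=110), "L2_C3PAO"),
    (SupplierRecord("packaging vendor (FCI only)", True, False, "L1_SELF", date(2025, 9, 1)), "L2_C3PAO"),
    (SupplierRecord("test lab (CUI, conditional cert)", True, True, "L2_C3PAO", date(2026, 1, 15),
                    conditional=True, sprs_score=100), "L3_DIBCAC"),
    (SupplierRecord("janitorial (no covered data)", False, False), "L2_C3PAO"),
    (SupplierRecord("CUI sub with lapsed affirmation", True, True, "L2_SELF", date(2023, 3, 1),
                    last_affirmation=date(2025, 2, 15), sprs_score=95), "L2_SELF"),
]


def run_sample(as_of: date = AS_OF) -> dict:
    """Map each sample supplier name to its decision."""
    return {rec.name: review_supplier(rec, prime_req, as_of)[0] for rec, prime_req in SAMPLE}


if __name__ == "__main__":
    for rec, prime_req in SAMPLE:
        decision, findings = review_supplier(rec, prime_req, AS_OF)
        print(f"{rec.name}: {decision}")
        for finding in findings:
            print("   -", finding)
```

Run as written, the machine shop goes on hold because an SPRS self-assessment does not satisfy a Level 2 (C3PAO) contract, the conditionally certified test lab proceeds with its closeout still inside the 180-day window, and the supplier whose affirmation lapsed trips both the affirmation rule and the three-year currency rule. The "hold" decision is deliberately the only automated outcome besides proceed: whether to remediate, reduce CUI flow, replace, or escalate is the human call the resolve step leaves to you.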

What’s the real assessor capacity situation — and the phase timeline?

The capacity risk is real but situational, and it’s now documented at the highest level: in March 2026, the GAO reported that DoD had no documented plan for the private sector not having enough certified assessors to meet demand. As of December 2025, The Cyber AB had authorized about 92 C3PAOs to serve a defense industrial base the government puts at roughly 200,000 companies. For complex, multi-site suppliers in high-demand regions, the assessment queue — not just readiness — can be the binding constraint.

Source: GAO report Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation (GAO-26-107955, March 12, 2026). GAO also cautioned that leaning on waivers to bypass requirements could undermine the program’s purpose.

Capacity snapshot — re-verify quarterly:

Capacity snapshot | Figure | As of
Authorized C3PAOs | ~92 | December 2025 (GAO / DoD officials)
DIB companies (DoD estimate) | ~200,000 | March 2026 (GAO)
Companies expected to need Level 2 | Tens of thousands | Industry estimates, 2025-2026

Official four-phase rollout, per the DoD CIO:

Phase | Starts | What applies
Phase 1 | Nov 10, 2025 (through Nov 9, 2026) | Level 1 and Level 2 self-assessments, where applicable; Level 2 (C3PAO) at DoD discretion where warranted
Phase 2 | Nov 10, 2026 | Level 2 C3PAO certification requirements appear more broadly, where applicable
Phase 3 | Nov 10, 2027 | Level 3 certification; Level 2 extends to options/existing contracts
Phase 4 | Nov 10, 2028 | Full implementation across applicable contracts and orders

Translation for primes: requirements are appearing now, they intensify at Phase 2 in November 2026, and the safe planning assumption is that any CUI-handling supplier you’ll still need next year should be moving today.


What are the biggest CMMC flow-down mistakes prime contractors make?

Most flow-down failures aren’t caused by one misread acronym — they’re caused by missing data-flow governance. The expensive mistakes cluster:

Mistake | Why it hurts | Better move
Flowing Level 2 to every supplier | Shrinks your pool, wastes money | Segment by FCI/CUI exposure
Accepting 'we're compliant' as proof | False confidence, real exposure | Request status, scope, affirmation, UID
Treating an SPRS self-score as C3PAO certification | Blurs self-assessment with certification | Match evidence to the required assessment type
Forgetting lower-tier subs | CUI escapes downstream | Require lower-tier flow-down notice
Sending not-ready suppliers to a C3PAO | Wastes time, risks conflicts | Use readiness support first
Ignoring annual affirmations | Status quietly goes inactive | Track affirmation dates
Over-collecting SSPs by email | Creates a new security risk | Request least-sensitive evidence first
Assuming Level 3 prime = Level 3 subs | Overstates 32 CFR 170.23(a)(4) | Use Level 2 C3PAO minimum unless DoD says otherwise
Treating an in-scope CSP/ESP as out of scope | CUI sits unprotected in third-party systems | Verify FedRAMP (CSP) or document in your SSP (ESP)
Waiting until award week | Procurement failure | Pre-classify suppliers during capture/proposal

Who should help with CMMC flow-down: RPO, MSP, GRC, enclave provider, or C3PAO?

Most prime supply-chain CMMC problems are readiness, scoping, evidence, or supplier-management problems before they are assessment problems. Use a C3PAO when a supplier is assessment-ready and the contract requires Level 2 (C3PAO). Use readiness, managed-compliance, enclave, or GRC providers to get suppliers to that point.

Your need | Best-fit category | What to verify | Common mistake
Supplier scoping + implementation | RPO, MSP, MSSP, vCISO, readiness consultant | CMMC experience, scoping method, documentation quality, no guarantees | Hiring generic IT support
CUI boundary reduction | CUI enclave, GCC High, AWS GovCloud, secure collaboration | Shared responsibility, FedRAMP/equivalency, SSP integration | Thinking a tool alone equals compliance
Evidence + recurring supplier tracking | GRC / compliance-workflow software | SSP/POA&M workflow, supplier portal, audit trail | Buying software without owning the process
Formal Level 2 certification | Authorized C3PAO | Current Cyber AB Marketplace status, independence, capacity, scope | Asking the C3PAO to implement and assess
Contract interpretation | Counsel / contracts advisor | DFARS and CUI experience | Letting sales interpret a vague clause

A note on how we handle providers: we don’t publish a “best providers” ranking on this page, because doing it right means documenting each provider’s category, current Cyber AB Marketplace status, compensation relationship, evaluation depth, and verification date — and that belongs in a dedicated, source-checked profile, not buried in an operational guide. For the deeper provider work, see how to choose CMMC help and our CMMC consultant guidance.

If none of your suppliers touch FCI or CUI, you don’t have a CMMC flow-down obligation today. Bookmark this for the day a CUI contract changes that.


The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


What we actually verified for this guide

This guide was built from current primary and authoritative sources, not rewritten from vendor marketing. Where something is in transition, we flagged it rather than smoothing it over.

  • 32 CFR Part 170 and § 170.23 — the subcontractor application rule, including the Level 3-prime case at 170.23(a)(4) (read on the eCFR)
  • 32 CFR 170.16 and 170.17 — Level 2 self-assessment and certification cadence, CSP/ESP treatment, DoD's reserved right to a DCMA DIBCAC assessment
  • 32 CFR 170.21 and 170.24 — POA&M limits and barred requirements, the 80% (88-point) conditional threshold, the 180-day closeout, and scoring methodology
  • DFARS 252.204-7021 — current CMMC clause, flow-down obligation, annual affirmation (Acquisition.gov)
  • DFARS 252.204-7012 — CUI safeguarding, 72-hour reporting, FedRAMP Moderate (or equivalent) cloud requirement
  • DoD's 2026 FAR-overhaul class deviations — may affect use of legacy clauses (e.g., 7019/7020) in specific solicitations
  • DoD CIO CMMC guidance — the four-phase schedule and the 15 / 110 / 24-requirement level alignment
  • NIST SP 800-171 Revision 2 — the 110 requirements and 14 control families that CMMC Level 2 currently maps to
  • GAO-26-107955 (March 12, 2026) — external-factor and assessor-capacity findings; ~92 authorized C3PAOs as of December 2025

This is editorial research for decision-makers, not legal, contractual, or compliance advice. Contract language, contracting-officer guidance, and program-specific DoD instructions can change the answer for your specific situation. See our editorial review process and corrections policy.


CMMC flow down requirements: FAQ

The short version: CMMC flows down only where a subcontractor will process, store, or transmit FCI or CUI, and the required level follows the data and the contract’s assessment type. These are the edge cases that send primes and subs back to the search bar.

Does CMMC flow down to subcontractors?

Yes. Under 32 CFR 170.23, CMMC applies to prime contractors and subcontractors at all tiers that process, store, or transmit FCI or CUI, and the prime must flow down the applicable level and assessment type. Suppliers that receive no FCI or CUI are not subject to flow-down.

Do all subcontractors need CMMC Level 2?

No. Subcontractors handling only FCI need Level 1; subcontractors handling CUI need at least Level 2; and whether Level 2 must be C3PAO-certified depends on the requirement in the associated prime contract.

Does a subcontractor need Level 3 if the prime contract is Level 3?

Not automatically. For CUI flowed down on a Level 3 prime contract, 32 CFR 170.23(a)(4) sets the subcontractor minimum at Level 2 (C3PAO) unless DoD provides contract-specific guidance.

Can a prime contractor see a subcontractor’s SPRS score?

Not directly. As of June 8, 2026, SPRS access is tied to a contractor’s own records and authorized users. Primes verify a subcontractor’s status by collecting documentation the subcontractor provides — its CMMC status, score, scope, and annual affirmation — before award.

Can a prime accept a subcontractor’s SPRS score instead of a CMMC certification?

Only if the contract’s required assessment type allows it. A self-generated SPRS score is not the same as a Level 2 (C3PAO) certification; if the contract requires C3PAO certification, a self-assessment score doesn’t satisfy it.

How often does a subcontractor have to reassess?

A Level 1 self-assessed status is current for one year. Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) statuses are current for three years. Affirmations are required annually at every level.

What if a supplier handles CUI only through a prime-controlled portal?

It depends on whether the supplier’s own systems process, store, or transmit CUI. If the supplier downloads, edits, stores, or transmits CUI locally, those systems likely enter scope. If access is tightly controlled and no CUI leaves the prime-controlled environment, document the workflow and get a CUI-scope review.

Can a C3PAO also help implement the controls it will assess?

Be careful. The Cyber AB’s assessment process requires C3PAOs to manage impartiality and conflicts of interest; where a conflict can’t be mitigated, the C3PAO should not proceed. Keep readiness/remediation and formal assessment clearly separated.

Are COTS and commercial-item subcontracts exempt from CMMC?

True COTS items are excluded, but commercial products and services that involve FCI or CUI are not automatically exempt. Classify by whether covered data flows, not by the “commercial” label.

Which clauses should primes watch for in solicitations and contracts?

FAR 52.204-21 (FCI), DFARS 252.204-7012 (CUI safeguarding and incident reporting), DFARS 252.204-7021 (CMMC requirements and flow-down), and DFARS 252.204-7025 (the solicitation notice of the required level). The codified DFARS still contains the legacy 7019/7020 self-assessment clauses; confirm which clauses your specific contract uses, since DoD’s 2026 class deviations may affect their use.

When do subcontractors have to be CMMC compliant?

The requirement must be met at the time of subcontract award when a CMMC level applies. We’re in Phase 1 through November 9, 2026, focused primarily on Level 1 and Level 2 self-assessments (with DoD able to require Level 2 C3PAO where warranted). Phase 2 begins November 10, 2026 and expands Level 2 C3PAO requirements where applicable.

