CMMC for DoD Subcontractors: Obligations, Timelines, and What to Do When Your Prime Demands Compliance
DoD subcontractors — companies that receive work from prime contractors rather than directly from DoD — are fully subject to CMMC requirements when the prime flows down the obligation. That flow-down is required under 32 CFR Part 170 and DFARS 252.204-7021 whenever the subcontractor will process, store, or transmit CUI or provide security protection for CUI systems. The most common shock for subcontractors: finding out their prime is requiring CMMC certification with a 90- to 120-day deadline.
How CMMC Flow-Down Works for Subcontractors
Under 32 CFR Part 170, prime contractors must flow CMMC requirements to subcontractors when CUI will be shared. The flow-down clause is DFARS 252.204-7021. When the prime includes this clause in your subcontract — with a specified CMMC level — you have the same compliance obligation as the prime for that information type.
Important: if your prime has not yet included the clause in your subcontract, that does not mean you are exempt. It may mean the prime is behind on their own compliance obligations. If your prime sends you CUI — even informally, through email, through shared drives, or in meeting materials — and you store or process it, your handling of that data likely carries an obligation regardless of whether the contractual clause has been updated.
Before assuming you have no CMMC obligation
- Check your subcontract for DFARS 252.204-7021
- Ask your prime whether any shared data is designated CUI
- Review whether any drawings, specifications, or reports you receive are CUI-marked
- Consult federal-contracts counsel if clause language is ambiguous
Determining Your Level as a Subcontractor
Your required CMMC level is determined by the information type you handle under the subcontract — not by your company size or role:
| What you handle | Your level | Key obligation |
|---|---|---|
| FCI only, no CUI | Level 1 | 15 requirements; annual self-assessment; SPRS posting |
| CUI (most subcontractors) | Level 2 | 110 NIST requirements; self-assessment or C3PAO per contract |
| CUI requiring enhanced protection (critical programs) | Level 3 | NIST 800-172 requirements; DIBCAC assessment |
The Friction Subcontractors Face
- Short timelines imposed by primes. Primes are under their own DFARS and CMMC obligations and are increasingly passing tight timelines downstream. A 90-day demand from a prime is not an unusual opening position. Achieving Level 2 from zero in 90 days is not realistic for most companies — but an honest scope conversation with the prime and a documented plan of action may preserve the relationship while managing the timeline realistically.
- No budget allocation. Many subcontractors were not pricing CMMC compliance into contract estimates 2–3 years ago. Retroactively absorbing $100K+ in compliance costs on existing subcontracts is a business problem, not just a technical one. Scope reduction is the most important cost lever.
- Multiple primes, different requirements. If you subcontract to multiple primes, each may flow down different CMMC levels or assessment paths. The most stringent active requirement governs your practical posture. Maintaining a single documented CMMC program that satisfies all active flow-downs is more efficient than managing them separately.
- SPRS score not yet posted. Before you can satisfy a DFARS 252.204-7019/7020 clause, you need a current NIST SP 800-171 score in SPRS. If you don’t have one, that is the first deliverable — a gap assessment produces the evidence you need to calculate and post a defensible score.
What to Do When Your Prime Demands Compliance
- Get the clause language in writing. Request the specific DFARS clause(s) and CMMC level being required. Do not act on a verbal demand without confirming the contractual basis.
- Assess whether your data actually includes CUI. Before assuming Level 2 applies, confirm whether the data your prime shares is CUI-designated. If it is not, the Level 2 requirement may not apply.
- Commission a gap assessment. A gap assessment from an RPO gives you a defensible SPRS score posture, a remediation roadmap, and the evidence you need to have a realistic conversation with your prime about timeline.
- Evaluate scope reduction. Before committing to full environment remediation, evaluate whether a managed CUI enclave or GCC High migration can limit your scope — and cost.
- Set realistic expectations with the prime. A documented plan of action demonstrating your gap, your remediation plan, and your target date is more credible than promising 90-day compliance you cannot deliver.