The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC for DoD Subcontractors: Obligations, Timelines, and What to Do When Your Prime Demands Compliance

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Last reviewed June 2026

In short: DoD subcontractors are fully subject to CMMC when a prime flows the requirement down under 32 CFR Part 170 and DFARS 252.204-7021 and you process, store, or transmit CUI. FCI-only work maps to Level 1; CUI work maps to Level 2 — self-assessed or C3PAO-assessed as your subcontract specifies.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

DoD subcontractors — companies that receive work from prime contractors rather than directly from DoD — are fully subject to CMMC requirements when the prime flows down the obligation. That flow-down is required under 32 CFR Part 170 and DFARS 252.204-7021 whenever the subcontractor will process, store, or transmit CUI or provide security protection for CUI systems. The most common shock for subcontractors: finding out their prime is requiring CMMC certification with a 90- to 120-day deadline.

How CMMC Flow-Down Works for Subcontractors

Under 32 CFR Part 170, prime contractors must flow CMMC requirements to subcontractors when CUI will be shared. The flow-down clause is DFARS 252.204-7021. When the prime includes this clause in your subcontract — with a specified CMMC level — you have the same compliance obligation as the prime for that information type.

Important: if your prime has not yet included the clause in your subcontract, that does not mean you are exempt. It may mean the prime is behind on their own compliance obligations. If your prime sends you CUI — even informally, through email, through shared drives, or in meeting materials — and you store or process it, your handling of that data likely carries an obligation regardless of whether the contractual clause has been updated.

Before assuming you have no CMMC obligation

  • Check your subcontract for DFARS 252.204-7021
  • Ask your prime whether any shared data is designated CUI
  • Review whether any drawings, specifications, or reports you receive are CUI-marked
  • Consult federal-contracts counsel if clause language is ambiguous

Determining Your Level as a Subcontractor

Your required CMMC level is determined by the information type you handle under the subcontract — not by your company size or role:

What you handleYour levelKey obligation
FCI only, no CUILevel 115 requirements; annual self-assessment; SPRS posting
CUI (most subcontractors)Level 2110 NIST requirements; self-assessment or C3PAO per contract
CUI requiring enhanced protection (critical programs)Level 3NIST 800-172 requirements; DIBCAC assessment

The Friction Subcontractors Face

What to Do When Your Prime Demands Compliance

  1. Get the clause language in writing. Request the specific DFARS clause(s) and CMMC level being required. Do not act on a verbal demand without confirming the contractual basis.
  2. Assess whether your data actually includes CUI. Before assuming Level 2, confirm whether the data your prime shares is actually CUI-designated. If it is not, the Level 2 requirement may not apply.
  3. Commission a gap assessment. A gap assessment from an RPO gives you a defensible SPRS score posture, a remediation roadmap, and the evidence you need to have a realistic conversation with your prime about timeline.
  4. Evaluate scope reduction. Before committing to full environment remediation, evaluate whether a managed CUI enclave or GCC High migration can limit your scope — and cost.
  5. Set realistic expectations with the prime. A documented plan of action demonstrating your gap, your remediation plan, and your target date is more credible than promising 90-day compliance you cannot deliver.

Find your path as a DoD subcontractor

Answer questions about your flow-down clause, data type, and timeline. No CUI or contract details required.

Find My CMMC Path →

Which provider category fits your situation

Related Guides

Sources

Get a personalized CMMC recommendation

No CUI, drawings, or contract details required.

Find My CMMC Path →

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →