CMMC for DoD Subcontractors: Obligations, Timelines, and What to Do When Your Prime Demands Compliance
In short: DoD subcontractors are fully subject to CMMC when a prime flows the requirement down under 32 CFR Part 170 and DFARS 252.204-7021 and you process, store, or transmit CUI. FCI-only work maps to Level 1; CUI work maps to Level 2 — self-assessed or C3PAO-assessed as your subcontract specifies.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
DoD subcontractors — companies that receive work from prime contractors rather than directly from DoD — are fully subject to CMMC requirements when the prime flows down the obligation. That flow-down is required under 32 CFR Part 170 and DFARS 252.204-7021 whenever the subcontractor will process, store, or transmit CUI or provide security protection for CUI systems. The most common shock for subcontractors: finding out their prime is requiring CMMC certification with a 90- to 120-day deadline.
How CMMC Flow-Down Works for Subcontractors
Under 32 CFR Part 170, prime contractors must flow CMMC requirements to subcontractors when CUI will be shared. The flow-down clause is DFARS 252.204-7021. When the prime includes this clause in your subcontract — with a specified CMMC level — you have the same compliance obligation as the prime for that information type.
Important: if your prime has not yet included the clause in your subcontract, that does not mean you are exempt. It may mean the prime is behind on their own compliance obligations. If your prime sends you CUI — even informally, through email, through shared drives, or in meeting materials — and you store or process it, your handling of that data likely carries an obligation regardless of whether the contractual clause has been updated.
Before assuming you have no CMMC obligation
- Check your subcontract for DFARS 252.204-7021
- Ask your prime whether any shared data is designated CUI
- Review whether any drawings, specifications, or reports you receive are CUI-marked
- Consult federal-contracts counsel if clause language is ambiguous
Determining Your Level as a Subcontractor
Your required CMMC level is determined by the information type you handle under the subcontract — not by your company size or role:
| What you handle | Your level | Key obligation |
|---|---|---|
| FCI only, no CUI | Level 1 | 15 requirements; annual self-assessment; SPRS posting |
| CUI (most subcontractors) | Level 2 | 110 NIST requirements; self-assessment or C3PAO per contract |
| CUI requiring enhanced protection (critical programs) | Level 3 | NIST 800-172 requirements; DIBCAC assessment |
The Friction Subcontractors Face
- Short timelines imposed by primes. Primes are under their own DFARS and CMMC obligations and are increasingly passing tight timelines downstream. A 90-day demand from a prime is not an unusual opening position. Achieving Level 2 from zero in 90 days is not realistic for most companies — but an honest scope conversation with the prime and a documented plan of action may preserve the relationship while managing the timeline realistically.
- No budget allocation. Many subcontractors were not pricing CMMC compliance into contract estimates 2–3 years ago. Retroactively absorbing $100K+ in compliance costs on existing subcontracts is a business problem, not just a technical one. Scope reduction is the most important cost lever.
- Multiple primes, different requirements. If you subcontract to multiple primes, each may flow down different CMMC levels or assessment paths. The most stringent active requirement governs your practical posture. Maintaining a single documented CMMC program that satisfies all active flow-downs is more efficient than managing them separately.
- SPRS score not yet posted.Before you can satisfy a DFARS 252.204-7019/7020 clause, you need a current NIST SP 800-171 score in SPRS. If you don’t have one, that is the first deliverable — a gap assessment produces the evidence you need to calculate and post a defensible score.
What to Do When Your Prime Demands Compliance
- Get the clause language in writing. Request the specific DFARS clause(s) and CMMC level being required. Do not act on a verbal demand without confirming the contractual basis.
- Assess whether your data actually includes CUI. Before assuming Level 2, confirm whether the data your prime shares is actually CUI-designated. If it is not, the Level 2 requirement may not apply.
- Commission a gap assessment. A gap assessment from an RPO gives you a defensible SPRS score posture, a remediation roadmap, and the evidence you need to have a realistic conversation with your prime about timeline.
- Evaluate scope reduction. Before committing to full environment remediation, evaluate whether a managed CUI enclave or GCC High migration can limit your scope — and cost.
- Set realistic expectations with the prime. A documented plan of action demonstrating your gap, your remediation plan, and your target date is more credible than promising 90-day compliance you cannot deliver.
Find your path as a DoD subcontractor
Answer questions about your flow-down clause, data type, and timeline. No CUI or contract details required.
Find My CMMC Path →Which provider category fits your situation
- RPO/RP (Registered Provider Organization / Registered Practitioner) — when you need a gap assessment, a defensible SPRS score posture, an SSP, and a remediation roadmap before any assessment.
- MSSP (Managed Security Service Provider) — when you have no internal IT or security staff to implement and maintain the controls your flow-down requires.
- CUI enclave — when only a narrow set of workflows touches CUI and a managed enclave or GCC High can limit your scope and cost.
- C3PAO (Certified Third-Party Assessment Organization) — when your prime requires a Level 2 (C3PAO) assessment and you are assessment-ready. You don’t need a C3PAO yet if your flow-down only requires a self-assessment, or you are still scoping and remediating.
Related Guides
- CMMC Level 1 vs Level 2: Which One Applies to Your Contract?
- CMMC Gap Assessment: Scope, Cost, and What to Expect
- SPRS Score for CMMC: What Contractors Need Before Award
- CMMC Level 2 Cost: DoD Estimate vs Real Budget
- CMMC for Small Defense Contractors
- CMMC Managed Enclaves: Scope Reduction Guide
- Best CMMC Consultants for Defense Contractors (2026)
- CMMC MSPs and MSSPs: How to Choose
- C3PAO Directory: Authorized CMMC Level 2 Assessors
Sources
Get a personalized CMMC recommendation
No CUI, drawings, or contract details required.
Find My CMMC Path →Find My CMMC Path
The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →