CMMC Subcontractor Evidence
How to Prove CMMC Compliance to a Prime Contractor
To prove CMMC compliance to a prime, you send the prime evidence of your current CMMC status — your level, your assessment type, your SPRS score or status, your CAGE code, the scope it covers, your affirmation date, and your CMMC UID if you have one. You do not dump your full System Security Plan, your Plan of Action & Milestones, or your control artifacts into an email.
Here’s the part almost every guide gets wrong: your prime cannot look your status up. Access to the Supplier Performance Risk System (SPRS) — the Department of Defense database where cybersecurity scores live — is restricted to your own company and to government acquisition officials. So the burden to produce the proof is yours. What you send depends on what you handle: work involving only Federal Contract Information (FCI) generally means Level 1; work involving Controlled Unclassified Information (CUI) means Level 2 or higher. That distinction comes straight from 32 CFR § 170.23 and DFARS 252.204-7021, the two rules that drive CMMC flow-down.
That’s the answer. The rest of this page is the how — the exact proof by situation, what to hold back and why, the email you can copy, and what to do if you’re not ready yet.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
What we verified for this guide. We read the DoD’s own SPRS FAQ (which tells requesters to contact a subcontractor directly for its cyber score), 32 CFR Part 170 on the eCFR (§§ 170.3, 170.4, 170.14, 170.15–170.24), and both Department of Justice False Claims Act settlement releases cited below. We confirmed the February 2026 “Revolutionary FAR Overhaul” class deviations that reorganized several cybersecurity clauses, and cross-checked the SPRS-access reality against published analyses from Akin Gump, Holland & Knight, and PilieroMazza. Verified July 2026. Regulatory facts change; recheck before you rely on them.
How to prove CMMC compliance to a prime, by your situation
What you send a prime depends on your CMMC status, and the safest first move is the smallest complete proof — not your whole security program. For FCI-only work, your proof is a Level 1 self-assessment status and affirmation you posted yourself in SPRS. For CUI, it’s either a Level 2 self-assessment score you enter in SPRS or a Level 2 (C3PAO) certification — plus an annual affirmation either way. There is no universal certificate to email for self-assessed levels; the record lives in SPRS, and you provide it.
Use this as your map. Every row is drawn from the CMMC Program Rule (32 CFR Part 170) and confirmed against the SPRS system itself.
| Your situation | What you handle | Status you’re proving | Is there a certificate? | Send the prime first |
|---|---|---|---|---|
| FCI only | Federal Contract Information | Level 1 (Self) | No. Proof is your self-posted SPRS status + affirmation | SPRS record showing Level 1 status, assessment date, CAGE code, scope, affirmation date |
| CUI, self-assessment allowed | Controlled Unclassified Information | Level 2 (Self) | No. Proof is your self-posted score + affirmation | SPRS record: score, status (Conditional or Final), CAGE, scope, SSP metadata, affirmation date |
| CUI where the contract requires a third party | CUI, where the solicitation or subcontract requires a C3PAO assessment | Level 2 (C3PAO) | Yes — a C3PAO certification plus status in SPRS | SPRS status plus the C3PAO certificate / assessment reference and CMMC UID |
| CUI under a contract requiring Level 3 | The most sensitive CUI, where the contract requires Level 3 | Level 3 (DIBCAC) | Not a C3PAO certificate — proof is your DIBCAC Level 3 status/results transmitted via eMASS to SPRS, plus affirmation | SPRS record showing Level 3 status + affirmation |
| Not assessed yet | Any | Readiness in progress | No | An honest status letter — current posture, plan, and target date. See “What if you’re not ready yet.” |
One clarification on that last regulated tier: a subcontractor handling CUI under a Level 3 prime contract generally needs Level 2 (C3PAO) at minimum — not automatically Level 3 — unless the contract specifically requires more (32 CFR § 170.23). Read your clause; don’t assume the ceiling.
Here’s the uncomfortable part, and we’d rather you hear it from us than learn it from a subpoena: if your evidence doesn’t back your words, the honest answer may be that you can’t claim full CMMC compliance yet. That is not a dead end. It’s the line between a defensible response and a False Claims Act problem — and you almost always have something legitimate to send today.
The right CMMC provider isn’t the same for every contractor. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Wait — can your prime just look up your SPRS score?
No. Your prime cannot pull your SPRS score or CMMC status on its own, and that’s by design. SPRS access is limited to your own company’s authorized users and to government acquisition officials. That’s exactly why primes send questionnaires and ask you to attach proof: the ball is in your court, not theirs. A prime that tells you it “already checked” is either mistaken or looking at a different system.
We went to the source. The DoD’s official SPRS Frequently Asked Questions page answers the question directly: if the cyber score of a subcontractor is required, the requester should contact the subcontractor directly — and SPRS reports are not releasable under the Freedom of Information Act. The same FAQ states that vendors are allowed to view only their own data, and that SPRS is designed for DoD acquisition employees and for vendors to access their own company information. The system simply does not give one contractor a window into another’s record.
Defense-contracts counsel say the same thing. Holland & Knight, writing on the Final Rule, notes that primes do not have automated access to view subcontractor CMMC status in SPRS. Akin Gump puts it plainly: access is limited to the entity that owns the certification, so primes must rely on documentation provided by the subcontractor. PilieroMazza adds the practical consequence: smart primes bake language into subcontracts giving them the right to request your assessment results, precisely because they can’t retrieve them.
This is the single most common piece of misinformation on this topic.
| The myth (found on ranking pages) | The reality (DoD + the Final Rule) |
|---|---|
| “My prime can just look up my SPRS score.” | The DoD’s SPRS FAQ tells requesters to contact the subcontractor directly; vendors see their own data only. |
| “I need to email a CMMC certificate.” | Only Level 2 (C3PAO) and Level 3 produce a certificate or DIBCAC status document. For FCI and self-assessed CUI, your proof is a self-posted SPRS status + affirmation. |
| “The prime pulls it, so I don’t have to do anything.” | The prime is required to verify before sharing FCI or CUI. The duty to produce the proof is yours. |
| “A good SPRS number is all they’ll ever want.” | Many large primes also send the CCRA questionnaire (more below). A strong score and a poor CCRA rating can coexist. |
The takeaway: proving compliance is an act you perform. Which means the quality of your response — how complete, how scoped, how honest — is entirely within your control.
What CMMC level do you actually need to prove?
Your required level is set by the type of information the prime shares with you, not by the prime’s own level. Share only FCI, and you generally need Level 1. Share CUI, and you need Level 2 at minimum. A Level 2 prime does not automatically make every supplier a Level 2 supplier — it depends on what data actually flows to you. This logic is established at 32 CFR § 170.23, and the clause that carries it into your subcontract is DFARS 252.204-7021 — the contract clause that makes CMMC a condition of award. (For the full applicability logic, see our CMMC levels explainer.)
| Level | Applies to | Security baseline | Requirements | How it’s assessed |
|---|---|---|---|---|
| Level 1 | Systems handling FCI only | FAR basic safeguarding — FAR 52.204-21, as incorporated by 32 CFR Part 170 (some 2026 deviation solicitations use the renumbered FAR 52.240-93) | 15 safeguarding requirements | Annual self-assessment + annual affirmation in SPRS |
| Level 2 | Systems that process, store, or transmit CUI | NIST SP 800-171 Revision 2 | 110 security requirements across 14 control families | Self-assessment or C3PAO assessment, as the contract specifies; annual affirmation |
| Level 3 | The most sensitive CUI | 800-171 plus 24 selected enhanced requirements from NIST SP 800-172 | 110 + the 24 added 800-172 requirements | DCMA DIBCAC assessment; a Final Level 2 (C3PAO) status is a prerequisite |
Two clarifications we see contractors trip on constantly. First, CMMC Level 2 is pinned to NIST SP 800-171 Revision 2, not Revision 3 — DoD has not moved CMMC to Rev. 3, so any page telling you to assess against Rev. 3 for CMMC is wrong today. Second, a self-assessment is not a certification. “Level 2 (Self)” and “Level 2 (C3PAO)” are different statuses with different proof. Blur them in an email to a prime and you’ve made a representation you may not be able to defend.
Which one applies to you is a contract question. If you’re not sure whether the requirement should have flowed down to you at all — or at what level — start with our companion resource, the CMMC flow-down requirements matrix, which maps prime-to-sub obligations by data type. This page assumes the prime has already asked and you need to respond.
Do you need a CMMC certificate, or is your SPRS status enough?
For most subcontractors, there is no certificate to send — and that’s good news. If you handle only FCI or you’re on the Level 2 self-assessment path, no third party issues you anything. Your proof is a status you record yourself in SPRS, backed by an annual affirmation from a senior official. A certificate only exists when a C3PAO performs a Level 2 certification assessment or DIBCAC performs a Level 3 assessment. There is no CMMC wallet card.
This trips people up because primes casually ask for “your CMMC certificate,” and a nervous supplier assumes it must buy a third-party assessment to comply. Often it doesn’t. If your contract allows Level 2 (Self), you can produce valid, contract-satisfying proof in days — a scoped SPRS record and an affirmation — without a six-figure engagement you may not need.
What does the SPRS record actually show? When you or your assessor enter results, SPRS records a CMMC status you can screenshot. The labels are specific, and they’re what a prime’s supplier-risk team will look for:
- Final Level 1 (Self) — FCI self-assessment complete and affirmed.
- Conditional Level 2 (Self) — Level 2 self-assessment with an open, allowable POA&M.
- Final Level 2 (Self) — Level 2 self-assessment, no open gaps.
- Conditional / Final Level 2 (C3PAO) — third-party assessment, with or without an open POA&M.
- Pending Affirmation / Incomplete — not yet a usable proof of status.
That last one matters: an assessment sitting in “Pending Affirmation” is not something to forward as proof. A status is only complete once your Affirming Official — defined at 32 CFR § 170.4 as the senior representative responsible for your organization’s CMMC compliance — has affirmed it. For a C3PAO-assessed status, the C3PAO submits results into the CMMC instantiation of eMASS, which transmits automatically to SPRS (32 CFR § 170.17). So a legitimate Level 2 (C3PAO) status will appear in both the certificate the C3PAO gives you and your SPRS record.
What to send your prime — and what to hold back
Send the smallest complete package that proves your status; reserve your full SSP, POA&M, and control artifacts for a controlled review, if ever. A prime has a legitimate need to confirm your status before sharing covered information. It does not have a standing need to hold a copy of your entire security program — and handing one over creates risk for both of you.
There’s a security reason, not just a privacy preference. Your SSP and POA&M describe your system boundaries, your gaps, and your remediation timeline. That’s a roadmap to your weak points. Worth knowing: even the formal assessment process doesn’t ship your raw artifacts around — for C3PAO and DIBCAC assessments, the eMASS workflow records artifact names and cryptographic hashes (32 CFR § 170.17), not the artifacts themselves. If the government’s own system doesn’t collect your full artifact library, a commercial prime has no default claim to it either.
So structure your proof as a package, not a document dump. A strong prime-ready CMMC proof packet has seven parts:
- 1. Cover response — the prime's request date, the subcontract or solicitation reference (if safe to include), what they asked for, and your point of contact.
- 2. Information-handling statement — whether you handle FCI only, CUI, or neither on your own systems, and whether covered data is processed, stored, or transmitted in your environment.
- 3. Current status summary — your level and status (Level 1 Self, Level 2 Self, Level 2 C3PAO, Conditional, Final, or in progress), assessment type, assessment date, and affirmation status.
- 4. CAGE and scope mapping — your CAGE code, the system boundary the status covers, and what work that scope supports.
- 5. SPRS / CMMC proof — the SPRS score or status for a self-assessment; the CMMC UID and C3PAO or DIBCAC reference for a certified status.
- 6. SSP / POA&M evidence — the SSP name, date, and version; a redacted table of contents or evidence index; a POA&M summary by control family and status — not the full files.
- 7. Limitations and non-claims — the sentences that protect you: “This is Level 2 (Self), not Level 2 (C3PAO).” “This scope covers [system], not the entire company.” “Full SSP and POA&M are available only through a controlled review.”
Want it as a one-page worksheet? Grab the Prime-Safe CMMC Proof Packet Checklist — the seven parts plus a keep/redact list, free to download.
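The name-plus-hash idea the eMASS workflow uses, applied to your own evidence library so that item 6 of the packet (the evidence index) proves each artifact exists and has not changed without sending the artifact. This is an added example, not code from the page, from DoD, or from the eMASS workflow it mirrors. The artifact paths, file contents, and artifact-to-control mapping are constructed for the demo, and function names such as build_evidence_index are this example's own.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large exports never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_evidence_index(root: Path, controls_by_artifact: dict[str, list[str]]) -> list[dict]:
    """One entry per artifact: relative name, size, SHA-256, and the controls it supports.
    No contents and no reviewer notes, so the index itself is safe to send (rung 3)."""
    index = []
    for rel in sorted(controls_by_artifact):
        path = root / rel
        index.append({
            "artifact": rel,
            "controls": sorted(controls_by_artifact[rel]),
            "bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return index


def verify_evidence_index(root: Path, index: list[dict]) -> list[str]:
    """Artifacts that are missing or whose hash no longer matches the index.
    Run this during a controlled review so the prime can see that the file on
    screen is the one indexed on the date the packet went out."""
    failures = []
    for entry in index:
        path = root / entry["artifact"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            failures.append(entry["artifact"])
    return failures


def write_sample_artifacts(root: Path) -> dict[str, list[str]]:
    """Constructed stand-ins for a real evidence library (contents are placeholders)."""
    samples = {
        "policies/access-control-policy.pdf": (b"%PDF-1.7 ACP v3 (constructed)", ["AC.L2-3.1.1", "AC.L2-3.1.2"]),
        "screenshots/mfa-enforced.png": (b"\x89PNG constructed", ["IA.L2-3.5.3"]),
        "exports/tls-cipher-config.txt": (b"TLS_AES_256_GCM_SHA384\n", ["SC.L2-3.13.11"]),
    }
    mapping = {}
    for rel, (content, controls) in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        mapping[rel] = controls
    return mapping


def demo_in_tempdir() -> dict:
    """Build and verify the index, then tamper with one artifact and delete another
    to show that verification catches both; returns everything for inspection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        index = build_evidence_index(root, write_sample_artifacts(root))
        before = verify_evidence_index(root, index)
        with (root / "exports/tls-cipher-config.txt").open("ab") as f:
            f.write(b"TLS_RSA_WITH_RC4_128_SHA\n")        # silent configuration drift
        (root / "screenshots/mfa-enforced.png").unlink()   # artifact lost
        after = verify_evidence_index(root, index)
    return {"index": index, "failures_before": before, "failures_after": after}


if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
```

Keep the index under version control alongside the SSP revision it belongs to; a re-run that reports failures tells you which artifacts changed since the packet was sent, which is exactly the question a prime's diligence team will ask in a controlled review.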
How much to share is a judgment call, and it should scale with what the prime actually needs and how sensitive your material is. We use a simple ladder — climb only as high as the request justifies.
| Rung | What you share | What it proves | Sensitivity | When to use it |
|---|---|---|---|---|
| 1 | Status summary (level, status, date, CAGE, scope) | You have a current, scoped status | Low | Every first response |
| 2 | SSP metadata (name, version, date) | Your SSP exists and is current | Low–medium | Prime asks for a documentation basis |
| 3 | Redacted SSP table of contents / evidence index | Your documentation is real and organized | Medium | Prime wants more than a number |
| 4 | POA&M summary by control family and status | Your gaps are tracked, with dates | Medium–high | Conditional or in-progress status |
| 5 | Controlled review of selected artifacts (NDA, secure portal, or screen-share) | Specific controls are implemented | High | A high-sensitivity program or documented diligence |
| 6 | Full SSP / POA&M | Deep, end-to-end disclosure | Highest | Only with a clear need, protective terms, and counsel |
Most prime requests are fully satisfied at rungs 1 through 4. If a prime insists on your full SSP and POA&M by email, that’s your cue to slow down and offer a controlled review instead — which brings us to the words you actually put in the message.
What can you safely show in an SPRS or CMMC screenshot?
A screenshot can support your status, but treat it like a sensitive business record: show what proves the point, redact everything else. A prime needs to see your status, score, scope, date, and CAGE. It does not need to see unrelated systems, other customers’ data, internal notes, or the personal details of your staff. Redacting well signals competence — and protects information the prime has no need to hold.
| Keep visible | Redact or omit |
|---|---|
| Your CAGE code for the covered system | CAGE codes or entries for unrelated business units |
| Assessment date and status date | Usernames, email addresses, and personal contact details |
| CMMC status and (for Level 2) the score | Internal reviewer notes and comments |
| The scope / system boundary the status covers | Any other supplier's or customer's data visible on screen |
| Affirmation date and CMMC UID | Screenshots showing anything outside the prime's need-to-know |
Add a date-stamp and a one-line caption tying the image to the CAGE and scope. A stale, unlabeled screenshot is weak evidence; a current, clearly scoped one closes the question.
The exact email to send your prime
Your reply should be short, specific, and careful: answer the request, state your true status, attach only safe evidence, and offer a controlled path for anything deeper. The templates below are starting points — adapt them to your contract and never overstate your status. Pick the one that matches where you actually are.
Template A — You hold Final Level 2 (C3PAO) status
Subject: CMMC status evidence — [subcontract / supplier request reference]
Thanks for the request. For the system boundary supporting this work, our current status is Final Level 2 (C3PAO) as of [date].
Below (and attached) are our status summary, CAGE mapping, assessment scope, CMMC UID, C3PAO assessment reference, and current affirmation status for the applicable environment.
Because our detailed SSP, POA&M, and control artifacts contain sensitive security information, we don’t distribute full copies by email. If your supplier-risk process needs additional review, we’re glad to coordinate a controlled review through a secure channel.
Template B — You hold a Level 2 self-assessment (SPRS) status
Subject: NIST SP 800-171 / CMMC Level 2 (Self) status — [reference]
For the applicable environment, our current status is [Conditional/Final] Level 2 (Self) as of [date]. Summary below by CAGE code, assessment date, score/status, scope, SSP name/version/date, and POA&M status if applicable.
To be precise: this is a self-assessment status, not a C3PAO certification. If the subcontract requires Level 2 (C3PAO), please confirm the clause and required assessment type so we can align our response.
Template C — You’re in progress and not certified yet
Subject: CMMC status and readiness — [reference]
We want to be accurate rather than optimistic. We are currently in CMMC implementation and are not representing that we hold Final Level 2 (C3PAO) status. Our current evidence includes [current SPRS/NIST status if any], SSP status, our remediation roadmap, our target assessment window, and the provider assisting us.
If a current CMMC status is required before award, please confirm the required level and assessment type, and whether CUI will be processed, stored, or transmitted on our systems, so we can respond precisely.
Template D — Declining a full-SSP request without sounding evasive
We can provide our status summary, CAGE and scope mapping, SSP metadata, an evidence index, and POA&M status — enough to support our current status. Because the full SSP and POA&M contain sensitive security and remediation detail, we don’t send unrestricted copies by email. If deeper diligence is required, we can support a controlled review under appropriate confidentiality and handling terms.
Notice what every template does: it names the status precisely, attaches proportionate proof, and states what you are not claiming. That last habit isn’t just good manners — it’s your best protection, for the reason we’re about to cover.
Your SPRS score, affirmation, and Conditional vs. Final status
An SPRS score runs from −203 to +110, and it’s calculated by subtracting points from the maximum — not by adding up from the bottom. A Level 2 assessment starts at the maximum of 110 (one point per requirement), and each NOT MET requirement subtracts its weight. Because the heaviest requirements are worth 3 or 5 points and there are many of them, deductions can total more than 110 — which is how a score lands as low as −203. A prime wants a current score tied to a real assessment date, scope, and CAGE, not a bare number (32 CFR § 170.24).
The score also gates whether you can be Conditional or must be Final. Under 32 CFR § 170.21, to qualify for a POA&M-based conditional status your assessment score divided by the total number of Level 2 requirements must be at least 0.8 — a minimum of 88 out of 110. And the rule is strict about what you can defer: only requirements worth one point are POA&M-eligible, with one narrow exception — CUI Encryption (SC.L2-3.13.11) may go on a POA&M at a 3-point value if encryption is employed but not yet FIPS-validated. Every 3- and 5-point requirement must be fully implemented, and a short list of requirements can’t be deferred at all — most notably your System Security Plan (CA.L2-3.12.4), which must be in place at the time of assessment or the assessment can’t proceed. From there:
- Conditional status means you passed the minimum bar with an allowable POA&M open. You can be awarded work in this state, but the clock is running.
- Final status means the POA&M is closed. Under § 170.21, a Level 2 POA&M must be closed out — via a closeout assessment — within 180 days of the conditional status date, or the conditional status expires. Level 1, by contrast, allows no POA&M at all.
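A worked version of the scoring, POA&M-eligibility, and closeout rules above, as an added example (not code from the page, from DoD, or from SPRS). Requirement IDs use the CMMC practice naming; the point weights in the constructed samples are assumptions for illustration, and the NEVER_DEFERRABLE set is deliberately limited to the SSP requirement the page names. Check both against the current DoD Assessment Methodology and 32 CFR § 170.21 before relying on them.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110                   # one point per Level 2 requirement
LEVEL2_REQUIREMENT_COUNT = 110
CLOSEOUT_WINDOW_DAYS = 180        # 32 CFR 170.21: POA&M closeout window
CUI_ENCRYPTION = "SC.L2-3.13.11"  # the only non-1-point requirement allowed on a POA&M
SSP_REQUIREMENT = "CA.L2-3.12.4"  # no SSP, no assessment
# Requirements that can never be deferred. The page names only the SSP;
# 32 CFR 170.21 lists others (assumption: this set is intentionally incomplete).
NEVER_DEFERRABLE = {SSP_REQUIREMENT}


@dataclass(frozen=True)
class Gap:
    """A NOT MET requirement. weight is the assessment-methodology value (1, 3 or 5);
    encryption_not_fips marks SC.L2-3.13.11 when encryption is employed but not
    FIPS-validated."""
    rid: str
    weight: int
    encryption_not_fips: bool = False


def deduction(gap: Gap) -> int:
    """Points subtracted for one NOT MET requirement."""
    if gap.rid == CUI_ENCRYPTION and gap.encryption_not_fips:
        return 3                  # partial credit instead of the full weight
    return gap.weight


def sprs_score(gaps: list[Gap]) -> int:
    """Subtract from 110; MET requirements contribute nothing. Range is -203..110."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def poam_blockers(gaps: list[Gap]) -> list[str]:
    """NOT MET requirements that may not sit on a POA&M and so must be
    implemented before any Conditional status is possible."""
    blockers = []
    for g in gaps:
        if g.rid in NEVER_DEFERRABLE:
            blockers.append(g.rid)
        elif g.rid == CUI_ENCRYPTION and g.encryption_not_fips:
            continue              # allowed on the POA&M at its 3-point value
        elif g.weight != 1:
            blockers.append(g.rid)
    return blockers


def level2_status(gaps: list[Gap], assessment_type: str = "Self") -> str:
    """The SPRS status label the assessment results actually support."""
    if any(g.rid == SSP_REQUIREMENT for g in gaps):
        return "Assessment cannot proceed: no System Security Plan"
    if not gaps:
        return f"Final Level 2 ({assessment_type})"
    score = sprs_score(gaps)
    # 32 CFR 170.21: score / total requirements >= 0.8, i.e. at least 88.
    # Integer arithmetic avoids floating-point edge cases at exactly 0.8.
    meets_ratio = score * 10 >= 8 * LEVEL2_REQUIREMENT_COUNT
    if meets_ratio and not poam_blockers(gaps):
        return f"Conditional Level 2 ({assessment_type})"
    return "No CMMC status: POA&M conditions not met"


def closeout_deadline(conditional_date: str) -> date:
    """Last day to complete the POA&M closeout assessment (ISO date string in)."""
    return date.fromisoformat(conditional_date) + timedelta(days=CLOSEOUT_WINDOW_DAYS)


def conditional_expired(conditional_date: str, today: str) -> bool:
    """True once the 180-day window has passed without a closeout."""
    return date.fromisoformat(today) > closeout_deadline(conditional_date)


# Constructed samples; weights are assumed for illustration.
SAMPLE_ALLOWED = [
    Gap("AU.L2-3.3.3", 1),
    Gap("CM.L2-3.4.9", 1),
    Gap("AT.L2-3.2.3", 1),
    Gap(CUI_ENCRYPTION, 5, encryption_not_fips=True),   # scores as -3, POA&M-eligible
]
SAMPLE_BLOCKED = SAMPLE_ALLOWED + [Gap("IA.L2-3.5.3", 5)]  # one 5-point gap: no Conditional
SAMPLE_NO_SSP = [Gap(SSP_REQUIREMENT, 0)]  # methodology marks the SSP NA; the assessment stops

if __name__ == "__main__":
    for name, gaps in [("allowed", SAMPLE_ALLOWED), ("blocked", SAMPLE_BLOCKED)]:
        print(name, sprs_score(gaps), poam_blockers(gaps), level2_status(gaps))
    print("closeout by", closeout_deadline("2026-01-15"))
```

The SAMPLE_BLOCKED case is the one to internalize: a score of 99 clears the 88 floor, yet a single unmet 5-point requirement still rules out Conditional status, so a prime's "what's your score" question and the "can you actually hold a status" question have different answers.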
Then there’s the affirmation, which is where the legal weight lives. The rule requires your Affirming Official to affirm continuous compliance annually, in SPRS, for each CMMC UID (a 10-character identifier SPRS generates for each assessed system). An affirmation isn’t paperwork. It’s a formal attestation that your system still meets the requirements. Make it without a reasonable basis, and you’ve created recurring exposure every year you renew it.
When you send a prime your proof, tie the score to its context: the CMMC UID, the CAGE code, the scope, the assessment date, and the affirmation date. A score with no context is weak evidence — and a score that doesn’t match your documentation is worse than weak. It can become the government’s evidence against you.
The one mistake that turns a compliance gap into a legal problem
The fastest way to turn a manageable gap into a federal case is to represent a status your evidence can’t support. Under the False Claims Act, a self-reported cybersecurity score is a representation the government can — and now does — test. Two Department of Justice settlements make the stakes concrete, and both are exactly the scenario a nervous subcontractor faces: someone posted a number that wasn’t true.
MORSE Corp — $4.6 million (DOJ, March 2025)
According to the Justice Department’s own release, the Cambridge, Massachusetts defense contractor submitted an SPRS score of 104 in January 2021 — near-perfect. After engaging a third party, MORSE learned its actual score was −142 on the weighted DoD assessment scale. It didn’t correct the score until June 2023. The company admitted it had also used non-compliant email hosting and lacked a consolidated System Security Plan. It agreed to pay $4.6 million; the whistleblower who filed the case received 18.5% — about $851,000.
LOGZONE — $507,144 (DOJ, June 2026)
The Huntsville, Alabama contractor self-reported a perfect 110 in October 2021 for two Navy contracts. A DCMA assessment in February 2024 put the real score at −170 — near the bottom of the range. LOGZONE agreed to pay $507,144, including $253,572 in restitution. The detail that should get every contractor’s attention: DOJ’s public release identifies no whistleblower — the government found the gap by comparing the self-reported score against its own assessment. Summit 7’s chief security evangelist Jacob Horne, speaking publicly after the settlement, predicted many more cases like it as CMMC enforcement ramps up.
The lesson isn’t “don’t get assessed.” It’s the opposite: your score, your SSP, your POA&M, and your affirmations are contract-performance evidence tied to payment. Both settlements resolved allegations tied to the older NIST SP 800-171 self-assessment, which is the exact foundation of CMMC Level 2 — and the CMMC affirmation is the same kind of representation, made annually. So when a prime asks you to prove compliance, the temptation to round up disappears the moment you realize the number is a legal record. Send what’s true. If what’s true isn’t enough yet, respond honestly — and fix the gap.
What if you’re not CMMC-ready yet?
You can prove progress honestly — you just can’t call progress certification. If you have no SPRS score, a stale one, or a contract that requires a C3PAO assessment you haven’t scheduled, you’re behind on an obligation that has existed for years under DFARS 252.204-7012 — but you still have a legitimate response. A readiness letter, your current status if any, your SSP status, a POA&M with real dates, a scheduled assessment, and the provider category helping you can all show a prime you’re moving. None of that replaces a required current status, but it keeps you in the conversation instead of getting cut.
Here’s what your in-progress evidence can and cannot claim:
| You have… | It proves… | It does not prove… |
|---|---|---|
| A gap assessment | You know your deficiencies | Certification |
| A current SSP | You've documented your system | Full implementation |
| A POA&M with dates | You're tracking remediation | That controls are already met |
| An SPRS self-assessment score | Your current self-assessed status | Level 2 (C3PAO) certification |
| A scheduled C3PAO assessment | Intent and a timeline | A passed assessment |
| Conditional Level 2 status | An official conditional status | Final status |
There’s real urgency here, and it’s not manufactured. The rollout is phased under 32 CFR § 170.3: Phase 1 began November 10, 2025 and runs through November 9, 2026; Phase 2 begins November 10, 2026 and brings C3PAO certification requirements for applicable Level 2 contracts; Phase 3 begins November 10, 2027; and Phase 4 / full implementation begins November 10, 2028, when CMMC becomes a condition of award across applicable contracts. Meanwhile, major primes are already imposing deadlines aheadof the government schedule. And the pool of authorized C3PAOs is finite — as demand climbs toward Phase 2, wait times climb with it. If you need a third-party assessment, the calendar is not your friend.
If your evidence gap is real, the next move is matching the gap to the right kind of help — not guessing. (A referral or lead-routing relationship may apply when we match you; see the disclosure below.)
▶ Get matched with source-checked provider options for your gap
Tell us your level, scope, environment, and deadline, and Find My CMMC Path maps your situation to the provider category that fits — readiness, managed IT/security, evidence software, a CUI enclave, or a C3PAO — before you request quotes. It routes to a category, not a named provider, and it isn’t a score, a ranking, or compliance advice. Do not submit CUI, drawings, or sensitive contract details.
What if the prime is asking for the wrong level — or you’re not sure you handle CUI?
Don’t ignore the request, and don’t blindly accept a blanket level either — ask for the basis in writing. A prime can impose its own business requirements, but the regulatory flow-down follows the information and the assessment type. If a prime says “we’re Level 2, so you’re Level 2,” but only FCI actually flows to you, the regulatory minimum is likely Level 1 — though the prime may still require more for its own risk reasons. Get the data type in writing so you’re pricing and planning against reality.
Two short scripts do the work.
To confirm the level: “To make sure we provide the right CMMC evidence, can you confirm whether this subcontract will require us to process, store, or transmit FCI or CUI on our systems, and whether the applicable flow-down requires Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO)?”
To confirm CUI: “Can you identify what information will be FCI versus CUI, how it will be transmitted, and whether we’re expected to store or process it on our own systems versus accessing it in your controlled environment?”
That last distinction matters more than most subs realize. If you only ever view CUI inside the prime’s portal and never download it to your systems, your scope — and your required proof — can look very different than if the CUI lands in your email and file shares. “We don’t think it’s CUI” is not a determination; the marking and the contract are. When in doubt, ask, and document the answer. For the full logic on when and what flows down, see our CMMC flow-down requirements matrix.
What if your MSP, cloud, or CUI enclave is part of the scope?
If an outside provider touches the environment that stores, processes, transmits, or protects your CUI, your proof needs to explain the responsibility split — what you control, what they control, and what evidence is inherited. “We use a compliant cloud” is not proof of anything by itself. A prime — and an assessor — will want to see how the pieces fit.
The concepts to get right: an External Service Provider (ESP) or Cloud Service Provider (CSP) may handle part of your covered environment, and a Customer Responsibility Matrix (CRM) documents which security requirements the provider satisfies versus which remain yours. Where a cloud service stores, processes, or transmits covered defense information, DFARS 252.204-7012 requires the provider’s offering to meet the FedRAMP Moderate baseline (or a DoD-accepted equivalent) — the exact obligation MORSE Corp was found to have missed with its email host. If you’re on Microsoft GCC High, AWS GovCloud, or a dedicated CUI enclave, your packet should name the environment and reference the CRM, not just the brand.
| Environment | Evidence to include | Where it’s documented | Prime-safe summary | Full-artifact risk |
|---|---|---|---|---|
| Microsoft GCC High / GCC | Which controls the platform covers vs. yours | CRM + SSP references | "CUI resides in [environment]; shared-responsibility per CRM" | High — don't send full config exports |
| AWS GovCloud | Inherited controls + your configuration responsibilities | CRM + SSP | Named environment + inheritance summary | High |
| Third-party CUI enclave | Enclave scope, what it isolates, provider attestations | CRM + SSP + provider docs | "CUI isolated in [enclave]; boundary per SSP" | High |
| Managed by an MSP/MSSP | Division of duties for control operation | CRM / responsibility matrix + SSP | "Controls operated by [MSP] under [agreement]" | Medium–high |
Inheriting a control is fine; being unable to show how you inherit it is not. Document the split, then share the summary — not the raw configuration.
What primes are actually asking for right now
Beyond your SPRS proof, expect a questionnaire — and confirm your specific prime’s requirements against its own supplier portal, because they vary and they change. The largest defense primes have moved ahead of the government’s schedule, and several use a shared industry questionnaire in addition to your SPRS status. Knowing what’s coming lets you prepare one clean package instead of scrambling per request.
The mechanism most subs haven’t heard of is the CCRA — the Cybersecurity Compliance and Risk Assessment, a standardized questionnaire developed under the Defense Industrial Base Sector Coordinating Council and delivered through Exostar. It draws on NIST SP 800-171, and suppliers complete it once and share results reciprocally with primes that accept it. It does not replace CMMC; it’s how a prime collects structured evidence alongside your SPRS status. Two things follow: a strong SPRS score and a poor CCRA rating can coexist, and primes use both.
Here’s what specific primes have publicly signaled. Treat every row as a starting point and confirm it against the prime’s current supplier portal — these are reported signals, not verified contract terms, and they change.
| Prime | What’s reported | How to confirm it |
|---|---|---|
| Boeing | CMMC at the level named in the solicitation as a condition of award for FCI/CUI suppliers; binding minimums via its supplier cybersecurity supplement | Boeing supplier portal / your buyer |
| Lockheed Martin | CMMC readiness expectations published for suppliers | Lockheed Martin supplier CMMC page |
| Northrop Grumman | SPRS score plus additional cyber questions at onboarding/renewal; a founding participant in the CCRA effort | Northrop Grumman supplier resources |
| RTX / Raytheon | Updated supplier certification requirements ahead of federal deadlines | RTX supplier portal |
| General Dynamics | Requirements set at the division level (GDMS, GDLS, GDIT differ), including SPRS-score and annual-certification expectations | The specific GD division's supplier page |
Don’t have your prime on this list? Find your own answer, fast. Read the DFARS clauses in your subcontract (look for 252.204-7012, 252.204-7021, and the CMMC notice provision 252.204-7025), check your prime’s supplier-cybersecurity portal, and — if anything is unclear — ask your buyer in writing to state the required level, assessment type, and whether CUI will flow to your systems. That written answer is worth more than any third-party summary, and it’s the record you’ll want if the requirement is ever disputed.
Which CMMC provider category fits your gap?
If your proof packet is missing pieces, the right kind of help depends on the gap — and the categories are not interchangeable. Readiness and documentation gaps point one direction; a scattered-CUI problem points another; formal assessment points to a C3PAO only when you’re ready to be assessed. Matching the gap to the category is how you avoid overpaying for the wrong engagement. This is the logic behind The CMMC Path Framework, our methodology for mapping a contractor’s situation to a provider category — it routes to a category, never a named provider, and it is not a score, a ranking, or compliance advice.
| If your gap is… | The category to look at | Why |
|---|---|---|
| You don't know your scope or level | RPO/RP or federal-contracts counsel | Clarifies applicability before you spend |
| SSP/POA&M incomplete | RPO/RP or vCISO (readiness) | Documentation and control mapping |
| Technical controls not implemented | CMMC-focused MSP/MSSP | Implements and manages the controls |
| CUI scattered across email and file shares | CUI enclave / secure collaboration | Shrinks your scope and centralizes CUI |
| Evidence collection is chaotic | GRC platform | Tracks controls, evidence, and POA&Ms |
| You're ready for a formal Level 2 assessment | C3PAO | Performs the certification assessment |
One rule protects you here, and it’s a real regulatory constraint, not a suggestion: keep readiness help and formal assessment separate. Under the CMMC ecosystem’s conflict-of-interest rules (32 CFR § 170.8 and related provisions), the same organization generally cannot both prepare you for a Level 2 certification and serve as your C3PAO for that assessment where the conflict applies. If a single vendor offers to “get you ready and certify you” in one package, ask exactly how it maintains independence — and be skeptical.
▶ Compare provider categories before you request quotes
Don’t collect five quotes from five different kinds of vendors and try to compare apples to fax machines. Find My CMMC Path maps your level, CUI scope, assessment type, environment, and timeline to the category that fits — so the quotes you request are the right ones.
What we verified for this guide
We hold ourselves to primary-source citation on every consequential claim. Here’s the backbone behind this page — each item verified July 2026.
| What we verified | Primary source |
|---|---|
| Primes must contact a subcontractor directly for its cyber score; vendors view their own data only | DoD SPRS FAQ |
| Subcontractor flow-down by FCI/CUI and level | 32 CFR § 170.23 |
| Level 2 self-assessment status, fields, and CSP considerations | 32 CFR § 170.16 |
| Level 2 C3PAO results, eMASS-to-SPRS, artifact names/hashes, 180-day closeout | 32 CFR § 170.17 |
| POA&M eligibility (88 minimum; 1-point rule; SC.L2-3.13.11 exception; SSP not deferrable) and subtractive scoring | 32 CFR §§ 170.21 & 170.24 |
| Phased rollout dates (Phase 1–4) | 32 CFR § 170.3 |
| Affirming Official and annual affirmation | 32 CFR Part 170; SPRS FAQ |
| The CMMC contract clause and prime verification duty | DFARS 252.204-7021 |
| Level 2 baseline is NIST SP 800-171 Rev. 2 | NIST SP 800-171 Rev. 2 |
| Conflict-of-interest separation for readiness vs. assessment | 32 CFR § 170.8 |
| False Claims Act enforcement on false SPRS scores | DOJ — MORSE, $4.6M; DOJ — LOGZONE, $507,144 |
Frequently asked questions
What is the fastest way to prove CMMC compliance to a prime?
Send a scoped status summary first: your CAGE code, assessment type, current CMMC or SPRS status, assessment date, scope, affirmation status, and CMMC UID if you have one. Do not start by sending your full SSP, POA&M, or artifact library — reserve those for a controlled review if the prime's diligence genuinely requires it.
Can a prime contractor see my SPRS score directly?
No. The DoD's SPRS FAQ instructs that if a subcontractor's cyber score is required, the requester should contact the subcontractor directly, because vendors can view only their own data. That's why primes ask you to provide proof rather than looking it up themselves.
Is an SPRS score enough to prove CMMC compliance?
Sometimes. It can support a Level 2 (Self) or NIST SP 800-171 status, but it is not the same as Level 2 (C3PAO) certification. Tie the score to your assessment date, scope, CAGE, SSP metadata, POA&M status, and affirmation so it reads as current evidence rather than a bare number.
Do subcontractors need a CMMC certificate?
Only for Level 2 (C3PAO) and Level 3, which involve a third party or DIBCAC. For FCI (Level 1) and self-assessed CUI (Level 2 Self), there is no certificate; your proof is a self-posted status in SPRS plus an annual affirmation.
Should I send my SSP and POA&M to a prime contractor?
Not automatically. Start with SSP metadata, a scope summary, a redacted table of contents, and a POA&M summary by control family and status. Reserve full copies for a controlled review under an NDA, a secure portal, or a clearly justified diligence request, because these documents reveal your security gaps.
Can I say I'm CMMC certified if I completed a self-assessment?
No. A self-assessment is not a C3PAO certification. Use precise language such as Level 2 (Self) status or a NIST SP 800-171 self-assessment posted in SPRS unless you hold an official Level 2 (C3PAO) or Level 3 (DIBCAC) status.
Do all subcontractors under a Level 2 prime need Level 2?
No. A subcontractor's required status depends on what information flows to it and what systems handle that information. Under 32 CFR § 170.23, FCI-only work generally maps to Level 1 and CUI drives Level 2; a Level 2 prime does not automatically make every supplier Level 2.
What is a CMMC UID?
A CMMC Unique Identifier is a 10-character code that SPRS generates for each assessed information system. It is useful proof only when matched to the correct CAGE code, system boundary, assessment type, and status date.
What's the minimum SPRS score to prove Level 2, and can I use a POA&M?
For a conditional Level 2 status, your score must be at least 88 of 110 (a ratio of 0.8), and only one-point requirements may go on a POA&M — with a narrow exception for CUI encryption that is employed but not FIPS-validated. Your System Security Plan and several other requirements cannot be deferred, and any POA&M must be closed within 180 days.
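The rules in that answer (subtractive scoring against 110, the 88 floor, 1-point-only POA&M items, the SC.L2-3.13.11 exception, a non-deferrable SSP, 180-day closeout) are mechanical enough to check before you post a status. The script below is an added example, not the page's or DoD's own tooling; the requirement IDs and point values in the sample data are constructed for illustration, and mapping the SSP requirement to CA.L2-3.12.4 is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

TOTAL_POINTS = 110                  # NIST SP 800-171 Rev. 2 has 110 requirements
MIN_CONDITIONAL_SCORE = 88          # the 0.8 ratio the page cites for conditional status
CLOSEOUT_DAYS = 180                 # POA&M closeout window from the page
SSP_REQUIREMENT = "CA.L2-3.12.4"    # assumption: ID of the System Security Plan requirement
FIPS_REQUIREMENT = "SC.L2-3.13.11"  # CUI encryption requirement named on the page

@dataclass
class Unmet:
    req_id: str
    points: int                        # subtractive weight (1, 3 or 5); constructed in the sample
    encryption_employed: bool = False  # relevant only to SC.L2-3.13.11

@dataclass
class Verdict:
    score: int
    eligible: bool
    reasons: List[str] = field(default_factory=list)
    closeout_due: Optional[date] = None

def evaluate(unmet: List[Unmet], assessment_date: date) -> Verdict:
    """Subtractive score plus the POA&M rules for a conditional Level 2 status."""
    score = TOTAL_POINTS - sum(u.points for u in unmet)
    reasons: List[str] = []
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} minimum")
    for u in unmet:
        if u.req_id == SSP_REQUIREMENT:
            reasons.append("the System Security Plan cannot be deferred to a POA&M")
        elif u.req_id == FIPS_REQUIREMENT and u.encryption_employed:
            continue  # narrow exception: encryption in place but not FIPS-validated
        elif u.points != 1:
            reasons.append(f"{u.req_id} is a {u.points}-point item; only 1-point items may go on a POA&M")
    eligible = not reasons
    # A clean 110 is a final status, so no closeout clock; otherwise 180 days from assessment.
    due = assessment_date + timedelta(days=CLOSEOUT_DAYS) if eligible and unmet else None
    return Verdict(score, eligible, reasons, due)

# Constructed sample: two 1-point gaps plus non-FIPS encryption that is in use.
SAMPLE = [
    Unmet("AC.L2-3.1.8", 1),
    Unmet("AU.L2-3.3.4", 1),
    Unmet("SC.L2-3.13.11", 3, encryption_employed=True),
]

if __name__ == "__main__":
    v = evaluate(SAMPLE, date(2026, 7, 1))
    print(v.score, v.eligible, v.reasons, v.closeout_due)
```

Run it against your own gap list before posting: a failing verdict tells you which item must be fixed, not deferred, and a passing one gives you the closeout date to put in the POA&M.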
What if I'm still working toward CMMC?
Give an honest readiness package: your current SPRS status if any, SSP status, a POA&M with real dates, a target assessment window, and what you are not claiming. Do not imply a current final certification you have not achieved, because an inaccurate representation can create False Claims Act exposure.
Can the same company prepare us and then assess us?
Generally no, where the conflict applies. CMMC ecosystem rules require readiness and formal certification-assessment roles to stay separate, so a firm that prepared you may be barred from performing your C3PAO assessment. Ask any vendor offering "prep and certification" exactly how it maintains independence.
What if we use an MSP or a cloud provider?
Your packet should explain the shared-responsibility split — what the provider controls, what you control, and what evidence supports inherited controls, typically via a Customer Responsibility Matrix. "We use a compliant cloud" is not proof on its own.
What should I do before sending anything?
Confirm the prime's request, identify your FCI/CUI handling, match the request to your true status, remove sensitive detail from your first-response evidence, and state clearly what you are and are not claiming. When in doubt about scope or applicability, confirm with an RP/RPO or a federal-contracts attorney before you respond.
The bottom line
Proving CMMC compliance to a prime is not about handing over your whole security program — it’s about giving the right people the right proof, in the right amount, without overstating a thing. Your prime can’t pull your status; you provide it. What you send depends on your level and your assessment path. And the safest response is always the honest one, scoped tightly, tied to your SPRS record.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.