Prime Contractor Requiring CMMC Certification? What You Actually Owe — and What to Do First

By The Defense Compliance Report Editorial Team · Last reviewed: June 2026 · Last verified: June 18, 2026 · ~20-minute read

Not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

A prime contractor requiring CMMC certification just changed your week — so let’s make the next move the right one.

Here’s the bottom line. Don’t assume the prime’s level is your level, and don’t assume “certified” means a third-party audit. What you owe starts with one question — will you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)? — and is finalized by the clause, the CMMC status, and the assessment type your prime flows down. Under 32 CFR 170.23, the subcontractor section of the CMMC Program Rule: if you’ll process, store, or transmit FCI or CUI, the flow-down clause attaches. If you won’t, it doesn’t — regardless of what a blanket prime email says.

That’s the answer. Now the catch — and it’s the reason most suppliers overspend in the first two weeks: the rule is only the floor.A prime can contractually require more than 32 CFR 170.23 demands, and many do. Below, we’ll show you how to tell the difference, the exact email to send your prime today, what evidence is safe to hand over, what you must never put in a supplier form, and which type of help to line up before you spend a dollar.

Your prime’s demand, decoded in one screen

Need to respond to the prime today? Jump straight to the 8-question clarification email ↓

The right help depends on your situation — here’s how to find it

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

This is independent educational research, not legal, contractual, or compliance advice. Confirm how the rules apply to your specific situation with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. We put the full category breakdown — and the conflict-of-interest rule that trips up half of first-time buyers — further down this page.

What “a prime contractor requiring CMMC certification” actually means

A prime contractor requirement usually means one of two things: the prime is flowing down a CMMC obligation it received from the government, or it’s screening suppliers before award. But “CMMC certification” is too vague to act on until you know the information being flowed down, the contract clause, the required level, and the assessment type — because “certified” can describe four very different outcomes that cost wildly different amounts.

Defense primes are not lawyers writing to other lawyers. They’re supply-chain teams sending a lot of emails fast. So “get CMMC certified” is shorthand, and shorthand is where panic and overspending start.

The Cybersecurity Maturity Model Certification (CMMC) program lives in two regulations. The policy sits in 32 CFR Part 170, effective December 16, 2024. The contract mechanics — the clauses that actually appear in your paperwork — arrived in the DFARS final rule, effective November 10, 2025. Between those two rules, “certification” can mean any of these:

• CMMC Level 1 (Self) — you self-assess against the 15 basic safeguarding requirements in FAR 52.204-21, and affirm it. This protects FCI.
• CMMC Level 2 (Self) — you self-assess against the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, score it, and post it to SPRS.
• CMMC Level 2 (C3PAO) — a Certified Third-Party Assessment Organization assesses you against the same 110 requirements. This is what most people mean by “certified.”
• CMMC Level 3 (DIBCAC) — Level 2 plus 24 selected enhanced requirements assessed by the government’s Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).

There’s also a fifth possibility that isn’t a CMMC status at all: an internal supplier-readiness milestone or a portal requirement the prime set on its own, ahead of any clause landing in your subcontract.

Why the word “certification” is costing you money

Here’s the distinction the rest of the internet keeps blurring, so we’ll be blunt: a self-assessment is a CMMC status, not a certification.A certification is a third-party (C3PAO) or government (DIBCAC) assessment. The difference isn’t pedantic — it’s the difference between roughly $40,000 and well past $100,000 (we break the numbers down later). If your prime says “get certified,” your first job is to find out whether they mean a C3PAO assessment or simply a posted self-assessment. That single question might save you $60,000 or more.

Data flow comes before tooling — every time

The single most expensive mistake we see is buying infrastructure before mapping data. Your CMMC path is driven by whether FCI or CUI lands on your systems. 32 CFR 170.23 is explicit that requirements apply to contractors and subcontractors “at all tiers” that process, store, or transmit FCI or CUI on their information systems. No covered information on your systems, no flow-down trigger from the information itself. So before you price a single license, you map the data. See our CMMC scope reduction guide for how to do this correctly.

Does CMMC actually flow down to you as a subcontractor?

Yes, CMMC can flow down to subcontractors — but not simply because you sell something to a defense prime. Under 32 CFR 170.23, flow-down depends on whether you’ll process, store, or transmit FCI or CUIin performing the subcontract, and on the CMMC status the prime’s own contract requires. Subcontracts solely for commercially available off-the-shelf (COTS) items are excluded from the flow-down clause.

The flow-down rule is short, and we’ll give it to you straight from the regulation. 32 CFR 170.23 says prime contractors “shall comply and shall require subcontractors to comply with and to flow down CMMC requirements” throughout the supply chain. Then it lays out exactly what you owe:

Three things in that table end most of the search:

• The switch is FCI vs CUI. FCI-only work points to Level 1. CUI points to at least Level 2.
• For CUI, your assessment type follows the prime’s Level 2 requirement — Self or C3PAO. The one exception: under a Level 3 prime, your minimum is Level 2 (C3PAO), not Level 3.
• Flow-down never forces a subcontractor up to Level 3. Even under a Level 3 prime, your minimum is Level 2 (C3PAO). You’d only need Level 3 if your own contract independently required it — a government determination, not a flow-down.

The COTS exclusion — and why it might not save you

DFARS 252.204-7021— the contract clause that carries CMMC into your subcontract — says at paragraph (f)(1) that the clause flows into subcontracts “excluding commercially available off-the-shelf items.” So if you sell pure, unmodified COTS products, the CMMC flow-down clause shouldn’t attach. We confirmed that language directly in the clause text on Acquisition.gov.

The caution: most supplier relationships aren’t clean COTS. The moment you add configuration, integration, engineering, support, or any service that involves FCI or CUI, you may be back in scope. If your relationship is mixed, confirm it with counsel rather than assuming the exclusion applies.

“All our suppliers must be Level 2” is broader than the rule

Plenty of primes send a blanket notice that every supplier needs Level 2. They’re allowed to set supplier-qualification standards — but a company-wide policy is not the same thing as the regulatory floor. Regulatory flow-down depends on the information type and the contract requirement. If no CUI flows to you and the contract requirement is Level 1, the rule points to Level 1, even if the prime’s general policy says otherwise. That gap between “the rule” and “the prime’s policy” is the whole game, and we tackle it head-on next. (For the full prime-to-sub mechanics, see our CMMC flow-down requirements guide.)

What CMMC level and assessment type do you actually owe?

Your level is set by the contract clause and the information that flows to you, not by a generic checklist and not automatically by the prime’s level.FCI-only work points to Level 1 (self-assessment). CUI work points to Level 2 at minimum, with the assessment type — self-assessment or C3PAO certification — set by the contract requirement. Level 3 is for the most sensitive CUI and is not the default subcontractor outcome.

Use this decoder when the prime is vague

The one thing the other guides won’t tell you: the rule is the floor, not the ceiling

Here’s our editorial read, and the regulation backs it. 32 CFR 170.23 sets a minimumfor flow-down. But three different things can be driving your prime’s demand, and they aren’t the same:

• the CMMC status the contracting officer inserted in the solicitation or contract — that’s regulatory, through DFARS 252.204-7025 and 252.204-7021;
• the terms of your specific subcontract — contractual; and
• the prime’s own supplier-qualification policy — commercial.

A prime is free to require more than the regulatory floor: a higher level, a specific SPRS score, a “green” questionnaire rating, or proof you’ve booked an assessment. The DFARS final rule’s preamble in the Federal Register states plainly that a higher CMMC level than required is permissible. None of that is the prime overstepping — it’s usually their own liability talking. So the real question isn’t “are they allowed to?” (usually yes). It’s “is this the regulatory requirement, my subcontract’s terms, or the prime’s policy?” Getting that answer in writing is how you avoid buying a Cadillac when the contract calls for a Camry.

Can a prime require CMMC before you win — or keep — the work?

Yes. When the solicitation or contract requires it, your CMMC status becomes an eligibility issue before award, not a nice-to-have. DFARS 252.204-7025 makes a current CMMC status in SPRS — at the required level, with a current affirmation — a condition of award. DFARS 252.204-7021 then requires the prime to verify your status before it awards you a subcontract.

One relief valve worth knowing: the final rule defines “current” so that, for Levels 2 and 3, a Conditional status counts for up to 180 days (32 CFR 170.21; DFARS 252.204-7021). That means you may be eligible for award with a Conditional CMMC status— not only a Final one — while you close out a compliant plan.

The phased timeline — and the date you should actually circle

CMMC is rolling out in four phases tied to the November 10, 2025 effective date (32 CFR 170.3(e); confirmed on the DoD CIO’s CMMC page). The wording matters, so here’s what each phase actually says:

The date to plan backward from isn’t only Phase 1 — it’s Phase 2, November 10, 2026, when DoD intends to include Level 2 (C3PAO) certification for applicable solicitations and contracts as a condition of award (with discretion to delay some requirements to an option period). If your subcontract renews or your next award lands after that date and CUI is involved, your clock started yesterday.

The DFARS clauses in your prime’s email, decoded

If your prime’s notice cites a string of DFARS clauses, here’s what each one means for you.The first three — 7012, 7019, and 7020 — are the older NIST SP 800-171 self-assessment regime that has been in force for years. The last two — 7021 and 7025 — are the CMMC layer. Many prime emails reference both, and confusing them is a common source of panic.

The practical takeaway: a NIST SP 800-171 DoD Assessment score (7019/7020) is notthe same as a CMMC status (7021/7025), though they’re built on the same 110 requirements. If your prime references both, answer each on its own terms.

What should you send back to the prime today?

The goal of your first response is simple: turn a vague demand into a documented decision. Not to prove compliance (you can’t prove it for a requirement you haven’t scoped), not to buy time (that starts a bad dynamic), and not to volunteer evidence you haven’t thought through. Your first move is eight questions, sent in writing. Here’s exactly what to ask.

What’s safe to share — and what never to send in a supplier form

Once the prime sends answers, you’ll need to provide evidence. Here’s where people make expensive security mistakes: they email raw system security plans, network diagrams, or assessment reports in response to a supplier portal prompt. The rule doesn’t require that, and doing it creates its own risk.

Which type of CMMC provider do you need?

Once you know your level and assessment type, the question becomes: who helps you get there? The CMMC provider ecosystem has five distinct categories, and matching to the wrong one wastes time and money:

The conflict-of-interest rule that trips up half of first-time buyers: the Cyber AB’s Code of Professional Conduct bars a C3PAO from assessing an organization it provided consulting, advisory, or implementation services to — with a three-year prohibition window. If a firm offers to both fix and certify you in the same engagement, that’s a red flag and a conflict. Hire your remediation support and your assessor separately. See: RPO vs C3PAO.

Check your SPRS status before you do anything else

Before you plan, budget, or engage a provider, check your current SPRS status. You may already have a status from a prior self-assessment, and that status — or its gap — is the foundation of everything else. What to look for:

• Status type: Final or Conditional? (Conditional gives you up to 180 days to close the POA&M.)
• CMMC level: Is it the level — or higher — that the prime requires?
• Affirmation date: Is the annual affirmation current?
• System boundary: Does the UID correspond to the system that will perform this subcontract?
• Assessment age: For Level 2, does the assessment need to be refreshed (three-year cycle)?

Prime contractor CMMC certification FAQ