CMMC Requirements for Subcontractors

Concerns about lack of cybersecurity in the defense industry supply chain are certainly justified. In 2020 there were 1,001 data breaches and 155.8 million records exposed in the U.S. alone. Because of these omnipresent threats, nearly 80 percent of senior IT and IT security executives believe their organizations lack sufficient protection against cyberattacks, particularly with the rise of working from home.

To protect controlled unclassified information (CUI) in the supply chain and reduce risk to national economic security and national security, the Department of Defense instituted the Cybersecurity Maturity Model Certification (CMMC) program. It requires any company working with the DoD—including both sub-contractors and prime contractors—to verify that they meet a standard of cybersecurity consistent with NIST-800-171 through a third-party audit.  

What are the CMMC requirements for subcontractors?

The question of whether or not CMMC applies to subcontractors was clarified in the DoD interim rules that went into effect November 30, 2020. In short, it does. 

Requests for information and requests for proposal will include language requiring the prime contractor to have CMMC certification and will specify the level required: CMMC Level 1, CMCC Level 2 or CMCC Level 3 or higher. Contractors must insert this same clause in all sub-contracts, excluding those solely for the acquisition of commercial off-the-shelf (COTS) products or for purchases below the micro-purchase threshold (currently $10K). 

For contracts effective October 1, 2025, the contractor is responsible for ensuring that all subcontractors have the appropriate level of CMMC certification. Requirements for certification itself, which is administered by the CMMC-Accreditation Body (CMMC-AB), are the same regardless of a company’s role as prime or sub-contractor.

The prime contractor determines the subcontractor’s required certification level based on the information that will flow to the sub-contractor or supplier during fulfillment of the contract. This could mean that the sub-contractor only needs to meet CMMC Level 1 requirements even though the prime contract has a Level 3 requirement. However, handling any CUI or Federal Contract Information (FCI) will require the sub-contractor to get Level 3 certification. 

What CMMC means for your business?

If a prime contractor wants to keep working with you even if you can’t achieve CMMC certification in time or choose not to pursue it, there are a few work around options that are common in federal contracting. One is that the prime contractor provides working space for sub-contractors within the prime’s secured and compliant facilities. Prime contractors could also provide subcontractors with pre-configured, secure laptops. In order to proceed with either of these options, primes are required to put into writing that they are taking on the responsibility of providing a compliant environment for the subcontractor in a given contract. Typically, primes are unlikely to take on this liability and risk. 

Whether either option will be offered to you as a subcontractor will depend on your relationship with the prime contractor and how available alternatives are to your products or services. That means that no matter how large or small your business, the stakes are high if you want to continue doing business in the defense industry. Even small businesses with just one or a few servers will have to take the same steps as large businesses to comply with CMMC requirements and get certified. 

Depending on where your business currently stands in compliance, preparing for a CMMC Level 3 audit can take a considerable amount of time, so it’s not too early to get started. You can begin by getting familiar with what constitutes CUI and whether or not you anticipate handling it in future contracts. That will help you determine which CMMC certification level to comply with. 

After you determine what CMMC level you need, it’s time to conduct a self-assessment of your current compliance status. This is an important step, since your prime contractors will likely ask questions about your CMMC status if they haven’t already.

Start your compliance journey with Hyper Vigilance 

At Hyper Vigilance, our goal is to make getting CMMC compliant as simple and accessible as possible for companies of all sizes with our straightforward pricing model and full-service compliance management solutions. An easy way to get started is to find out where you stand today with a compliance readiness inspection. Get in touch with us to begin your journey to CMMC certification.