Proofyx
© 2026 Proofyx. All rights reserved.

CMMC · 5 min read

Does CMMC Flow Down to Subcontractors?

If you're a subcontractor in the defense supply chain, here's what you need to know about whether CMMC applies to you — and at what level.


If you’re a subcontractor in the defense supply chain, you’ve probably heard the term CMMC thrown around by your prime contractor and wondered whether it actually applies to you. Maybe you’re a small machine shop, a staffing firm, or an IT vendor supporting a larger defense contractor. The question is fair: does this whole certification thing trickle down to your level, or is it just the big primes that have to worry about it?

The short answer is: it depends on what you actually do with government information.

It’s Not Automatic — But It’s Not Optional Either

A lot of subcontractors assume one of two things: either CMMC applies to everyone in the supply chain no matter what, or it only applies to the prime and everyone below is off the hook. Both assumptions are wrong.

CMMC flows down based on one specific factor — whether your work involves handling certain types of government information. If you receive, store, process, or transmit that information as part of your role, you’re in scope. If you genuinely never touch it, you’re not.

This matters because prime contractors are responsible for making sure their subs are compliant before sharing any sensitive data or awarding a subcontract. If a prime knowingly works with a non-compliant subcontractor and misrepresents that in their compliance filings, they’re looking at serious legal exposure — including potential False Claims Act liability. So primes are paying close attention to this, and so should you.

The Two Types of Information That Determine Your Level

There are two categories of government information that determine where you fall.

The first is Federal Contract Information, or FCI. This is fairly broad — it covers information provided by or generated for the government under a contract. Think contract deliverables, specs, pricing data. If you only deal with this kind of information, you’re looking at Level 1 compliance, which is a self-assessment against 17 basic cybersecurity practices. No third-party auditor, no formal certification — just an annual self-assessment and an affirmation that you’re meeting the requirements.

The second, and more demanding, category is Controlled Unclassified Information, or CUI. This is more sensitive — technical drawings, military specifications, export-controlled data, certain program details. If your work involves receiving or handling CUI, you’re looking at Level 2, which requires meeting 110 security controls based on NIST SP 800-171. Depending on how sensitive the program is, that may mean a formal third-party assessment rather than a self-assessment.

The line between FCI and CUI isn’t always obvious from the outside, which is why many subcontractors are genuinely unsure where they land. If you’re uncertain, the right move is to ask your prime directly what type of information you’ll be receiving — they should be able to tell you, and frankly, they’re required to figure it out themselves.

What This Looks Like in Practice

Say you’re a subcontractor providing logistics support for a defense contract. You handle scheduling, shipping coordination, maybe some invoicing. You never receive technical documents or program data. In that case, CMMC likely doesn’t apply to your work at all.

Now say you’re a subcontractor providing engineering support on the same contract. You receive design files, technical specifications, and program performance data. That’s CUI. You need to meet Level 2 requirements, have your systems in order, and be able to demonstrate compliance to your prime before they can formally bring you on.

The practical reality is that major primes are already building this verification into their supplier onboarding processes. They need documentation — whether that’s a screenshot from the government’s supplier risk system or a copy of your assessment results — before they can share any covered information with you. Waiting until your prime asks for it is already too late.

The Timing Question

CMMC is rolling out in phases, and the urgency depends on where you are in the timeline. Right now, new DoD contracts are starting to include CMMC requirements. By late 2026, third-party assessments become mandatory for many Level 2 programs. By 2027, those requirements start flowing into existing contracts, not just new ones.

For subcontractors, this means the window to get ahead of it is narrowing. Getting into the queue for a C3PAO assessment — if you need one — takes time. Building out a compliant environment takes time. And your prime isn’t going to wait for you to figure it out when a contract is on the line.

The Practical Takeaway

CMMC doesn’t automatically apply to every subcontractor, but if your work involves government information in any meaningful way, the odds are good that you’re in scope at some level. The question isn’t really whether it applies — it’s whether you know which level you need and whether you’re ready to demonstrate it when your prime comes asking.

Most subcontractors who think they’re exempt haven’t actually checked. That’s worth fixing sooner rather than later.

Proofyx Editorial Team
