Rudram Engineering

CMMC Requirements for Subcontractors: Why Your Prime Won't Wait for You

If you’re a defense subcontractor reading this, your situation just got more urgent than you probably realize.

Prime contractors aren’t waiting for the November 10, 2026 enforcement deadline anymore. They’re already vetting their supply chains. They’re already replacing non-compliant subs. And under DFARS 252.204-7021, they’re legally required to verify your CMMC status before they can award you another subcontract — even one you’ve held for years.

The question isn’t whether CMMC requirements apply to your business. They do. The question is whether you’ll be ready when your prime asks for proof — or whether they’ll quietly move your work to a competitor who already has it.

Here’s what every subcontractor in the Defense Industrial Base needs to understand right now.

Yes, CMMC Applies to Subcontractors. There Are No Exemptions.

Let’s settle the most common misconception first. We’ve heard it from dozens of subcontractors over the past year: “We’re a subcontractor, so the prime’s certification covers us, right?”

Wrong. And it’s the kind of wrong that costs contracts.

The legal foundation is 32 CFR § 170.23, which establishes flowdown requirements for the entire defense supply chain. The rule is direct: prime contractors shall require subcontractors to comply with CMMC requirements at every tier. The word matters. “Shall” is binding. There’s no discretion.

Here’s how the flowdown actually works:

If a subcontractor handles only Federal Contract Information (FCI), Level 1 Self-Assessment is the minimum.
If a subcontractor handles Controlled Unclassified Information (CUI), Level 2 Self-Assessment is the minimum.
If the prime's contract requires Level 2 (C3PAO) certification and the sub handles CUI, the sub also needs Level 2 (C3PAO), not Level 2 Self.
If the prime's contract requires Level 3 (DIBCAC) and the sub handles CUI, the sub still needs Level 2 (C3PAO) at minimum.

Notice what’s not on that list: a tier exemption. A revenue threshold. A small business carve-out. A “we only do a small amount of defense work” exception.

There’s exactly one exclusion in the rule: commercial off-the-shelf (COTS) items. If you’re selling a commodity product available on the open market, the flowdown doesn’t apply. Beyond that narrow category, if your systems process, store, or transmit FCI or CUI for a DoD contract, you’re in scope. Period.

The Prime’s Job Just Got Harder. That’s Why They’re Already Vetting You.

Most subcontractors don’t realize how much liability the prime carries for their sub’s compliance. Once you understand it, the prime’s behavior makes sense.

Under DFARS 252.204-7021, before a prime can award a subcontract, they must verify the subcontractor has a current CMMC certificate or self-assessment at the appropriate level. They have to confirm it’s posted in the Supplier Performance Risk System (SPRS). They have to maintain that verification on an ongoing basis — not just at award.

And under the False Claims Act, if a prime affirms their supply chain is compliant when it isn’t, that affirmation becomes a federal misrepresentation. The Department of Justice recovered $52 million across nine cybersecurity FCA settlements in fiscal year 2025, and Deputy AAG Brenna Jenny made it clear in January 2026 that these cases are about misrepresentations — not data breaches. The prime doesn’t have to be hacked to be sued. They just have to say their supply chain is compliant when it isn’t.

That’s why primes are already moving. Lockheed Martin, RTX (which includes Raytheon, Collins Aerospace, and Pratt & Whitney), Boeing, General Dynamics, and Elbit America have all sent supplier notices. They’ve all updated their supplier registration forms. They’ve all started filtering uncertified subs out of their bid lists. RTX explicitly closed the door on the old self-attestation model and now requires every defense supplier to hold an active CMMC certification at the appropriate level.

If your prime hasn’t asked yet, that’s not protection. That’s a lagging indicator. The conversation is coming.

What Happens to Subcontractors Who Aren’t Ready

This is the part most subs underestimate. The consequences aren’t just “you might lose a future bid.” They’re more immediate, and they hit on multiple fronts.

You get replaced on existing teaming arrangements. When your prime is preparing a bid for a new contract or recompeting an existing one, they’ll evaluate their subcontractor team against the CMMC requirements in the solicitation. If your CMMC status doesn’t match what the contract requires, you’re out. Not “out next year.” Out of that bid. The prime needs a certified team to win the work, and they will not risk an entire contract on a single non-compliant sub.

Your prime stops sharing CUI with you. Even if you keep an active subcontract, the prime is legally prohibited from flowing CUI down to a non-compliant sub. That means the work you can perform shrinks. The prime brings the CUI-touching portions in-house or routes them to a certified competitor, and you’re left with the FCI-only fragments if anything.

You face direct False Claims Act exposure. If you submitted an SPRS score that doesn’t accurately reflect your security posture, you’ve made a federal representation. Whistleblower filings on cybersecurity increased substantially in fiscal year 2025, and the DOJ expects that trend to continue. The FCA awards whistleblowers up to 30 percent of any government recovery, which is a meaningful incentive for a former IT employee or quality manager who knows your controls weren’t actually in place.

You lose your competitive position permanently. Industry analysts estimate between 33,000 and 44,000 companies will exit the defense market between 2025 and 2027 because compliance costs exceed their defense revenue. That sounds bad, and for those leaving, it is. But for subcontractors who stay and certify, the calculus flips. The pool shrinks. Primes have fewer compliant options. Certified subs become preferred partners. The companies that get certified now will own the post-2026 supply chain.

How to Determine Your Required CMMC Level (Without Guessing)

The level you need depends on one thing: the type of information your prime shares with you. Not your size. Not your contract value. The data.

Walk through your current subcontracts and answer three questions for each one.

One. What information has your prime shared with you to perform this work? Look at the actual files, drawings, specifications, statements of work, technical data packages, and email communications. If it’s FCI only (basic contract information that isn’t publicly releasable but isn’t sensitive), you’re at Level 1. If any of it is marked CUI, or if it’s unmarked technical data that qualifies as CUI anyway (for example, controlled technical information carrying a distribution statement other than A, or other covered defense information), you’re at Level 2. Don’t rely on markings alone: the prime is responsible for marking, but an unmarked drawing that meets a CUI category definition still puts you at Level 2.

Two. What CMMC level does the prime contract require? Look at the DFARS 252.204-7021 clause in the prime’s contract. The required CMMC level will be specified. If the prime contract requires Level 2 (C3PAO) and you handle any CUI from that prime, you also need Level 2 (C3PAO).

Three. Where does that information actually live in your environment? This is the scoping question, and it’s where most subs lose money before they even start. Map every system, server, workstation, cloud service, email account, and storage device that touches FCI or CUI. The smaller your CUI footprint, the cheaper your compliance becomes. Subs who isolate CUI to a tight enclave certify 10 systems instead of 200. Same controls. A fraction of the cost.

If you can’t answer these questions confidently, that’s the signal to bring in a Registered Practitioner before you do anything else. Guessing your scope is the single most expensive mistake a subcontractor can make at this stage.

The Realistic Timeline for a Subcontractor Starting Now

If you’re starting today and your prime requires Level 2, here’s what your timeline actually looks like.

Weeks 1 through 4: scoping and gap assessment. Define your CUI boundary. Score your environment against the 110 NIST SP 800-171 Rev 2 controls using the DoD Assessment Methodology (start at 110 and subtract 5, 3, or 1 points for each control that isn’t met). Get your real SPRS score, not a guess.

Months 2 through 6: remediation. Close gaps. Implement multi-factor authentication on every system that touches CUI, not just the VPN. Deploy FIPS-validated encryption. Build out your System Security Plan with mappings to your actual environment. Develop your Plan of Action and Milestones for the controls you can defer. Under 32 CFR 170.21 only 1-point controls qualify, your score must still be at least 88 of 110 (so at most 22 of them can be open), and a conditional certificate gives you 180 days to close them; an open 3- or 5-point control means no certificate at all.

Months 6 through 9: documentation, evidence collection, internal readiness review. This is where subs without engineering depth often stall. Building defensible evidence for 110 controls is a meaningful body of work, and assessors check evidence, not policies.

Months 9 through 18: C3PAO scheduling and assessment. C3PAO wait times are currently running 6 to 12 months and are getting longer every quarter. By Q3 2026, projections show C3PAOs scheduling new clients into 2028 or beyond. The companies getting certified today started this process in 2024 or early 2025.

The math is simple. If you start now and move efficiently, you can be in process — with a booked C3PAO, an active remediation plan, and a defensible SPRS score — by November 2026. If you wait until summer, you’re not making it.
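The scoring and POA&M rules in the timeline above are mechanical enough to put in code. The following is an added example, not a tool from Rudram Engineering or the DoD: a small Python calculator that applies the DoD NIST SP 800-171 Assessment Methodology rule (start at 110, subtract each unmet control’s weight, with partial credit only for 3.5.3 and 3.13.11) and then the 32 CFR 170.21 conditional-certification test (no open 3- or 5-point controls, score of at least 88, POA&M closed within 180 days). The gap list at the bottom is constructed for a hypothetical sub, and the per-control weights in it are assumptions; check every weight against Annex A of the methodology before using this on a real assessment.

```python
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110          # NIST SP 800-171 Rev 2 requirement count
CONDITIONAL_MIN_SCORE = 88        # 32 CFR 170.21: score / 110 must be >= 0.8
MAX_OPEN_ONE_POINT_ITEMS = TOTAL_REQUIREMENTS - CONDITIONAL_MIN_SCORE  # 22
POAM_CLOSEOUT_DAYS = 180          # conditional certificate lifetime for a POA&M

# Partial credit under the DoD Assessment Methodology: deduct 3, not 5.
PARTIAL_CREDIT_DEDUCTION = {
    "3.5.3": 3,    # MFA on privileged and remote access but not for general users
    "3.13.11": 3,  # encryption in place but not FIPS-validated
}


def _req_key(req_id):
    """Sort '3.13.11' after '3.5.3' numerically rather than as strings."""
    return tuple(int(part) for part in req_id.split("."))


@dataclass(frozen=True)
class OpenItem:
    """A requirement that is not fully implemented."""
    req_id: str            # NIST SP 800-171 Rev 2 number, e.g. "3.1.20"
    weight: int            # 5, 3 or 1, from Annex A of the methodology
    partial: bool = False  # partially met; only valid for 3.5.3 and 3.13.11

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        if self.partial and self.req_id not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{self.req_id}: partial credit only exists for "
                             f"{sorted(PARTIAL_CREDIT_DEDUCTION)}")

    def deduction(self):
        return PARTIAL_CREDIT_DEDUCTION[self.req_id] if self.partial else self.weight


def sprs_score(open_items):
    """Score = 110 minus the deduction for each open item. Every requirement
    not listed is treated as met, so list only what evidence cannot support."""
    ids = [i.req_id for i in open_items]
    if len(ids) != len(set(ids)):
        raise ValueError("each requirement may appear only once")
    if "3.12.4" in ids:
        # The methodology gives no score at all without a System Security Plan.
        raise ValueError("3.12.4: without an SSP the assessment cannot be scored")
    return TOTAL_REQUIREMENTS - sum(i.deduction() for i in open_items)


def conditional_cert_check(open_items):
    """Apply the 32 CFR 170.21 POA&M rules. Returns
    (eligible, score, must_close_before_assessment, may_go_on_poam)."""
    score = sprs_score(open_items)
    # Any open 3- or 5-point requirement blocks certification outright; a
    # partially met 3.5.3 / 3.13.11 is still an open 5-point requirement.
    must_close = sorted((i.req_id for i in open_items if i.weight != 1), key=_req_key)
    poam = sorted((i.req_id for i in open_items if i.weight == 1), key=_req_key)
    eligible = not must_close and score >= CONDITIONAL_MIN_SCORE
    return eligible, score, must_close, poam


def remediation_plan(open_items):
    """Smallest set to close before the assessment so the rest can ride a
    180-day POA&M: all 3/5-point items, then enough 1-point items that at
    most 22 remain open (110 - 22 = 88)."""
    heavy = [i for i in open_items if i.weight != 1]
    ones = sorted((i for i in open_items if i.weight == 1),
                  key=lambda i: _req_key(i.req_id))
    excess = max(0, len(ones) - MAX_OPEN_ONE_POINT_ITEMS)
    return sorted((i.req_id for i in heavy + ones[:excess]), key=_req_key)


# Constructed gap list for a hypothetical small sub. The weights are assumed
# from Annex A and must be checked against the methodology for real use.
SAMPLE_GAPS = [
    OpenItem("3.5.3", 5, partial=True),    # MFA on the VPN only, not on workstations
    OpenItem("3.13.11", 5, partial=True),  # disk encryption not in FIPS-validated mode
    OpenItem("3.1.1", 5),                  # no enforced list of authorized users
    OpenItem("3.3.1", 5),                  # audit logs not retained centrally
    OpenItem("3.1.20", 1),                 # external connections not limited
    OpenItem("3.1.22", 1),                 # no review of CUI before public posting
    OpenItem("3.8.4", 1),                  # media not marked with CUI markings
    OpenItem("3.10.3", 1),                 # visitors not escorted
    OpenItem("3.13.7", 1),                 # split tunneling not prevented
]

if __name__ == "__main__":
    eligible, score, must_close, poam = conditional_cert_check(SAMPLE_GAPS)
    print(f"SPRS score {score}/110, conditional certificate eligible: {eligible}")
    print("close before assessment:", must_close)
    print(f"may sit on a {POAM_CLOSEOUT_DAYS}-day POA&M:", poam)
    print("minimum remediation set:", remediation_plan(SAMPLE_GAPS))
```

For the constructed gap list the score is 89, which looks comfortably above 88, yet the sub is not eligible for even a conditional certificate because four open items are 5-point controls (including the two that only earned partial credit). That is the practical point: the score threshold and the “1-point only” rule are separate gates, and most subs fail the second one first.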

Where Subcontractors Get the Best Return on Their Investment

A few things consistently separate subs who manage CMMC efficiently from those who burn through their budgets and still fail their assessments.

Tight CUI scoping. This is the single highest-leverage decision you’ll make. Subs who define their CUI enclave before they buy a single tool typically certify a fraction of the systems and spend a fraction of the money. Subs who skip scoping end up trying to certify their entire environment.

An RP who can fix what they find. A Registered Practitioner who hands you a gap report and walks away has done about 20 percent of the actual work. The remaining 80 percent (implementing access controls, redesigning your network, building documentation, training personnel, deploying encryption) is engineering work. Choose an RP backed by an engineering team, or budget for a separate vendor and a longer timeline.

Pricing CMMC into your bids. CMMC compliance costs are generally allowable contract costs under the FAR Part 31 cost principles, provided they are reasonable and allocable to the work. You can factor certification, remediation, and ongoing maintenance into your contract pricing. Most subs absorb these costs as overhead, which kills their margins. Adjusting your pricing changes the entire economics.

Treating your annual affirmation seriously. Your annual affirmation is a federal representation that you remain in continuous compliance. Drift between your SSP and your actual environment is the most common cause of post-certification False Claims Act exposure. Build recurring evidence collection into your operations from day one — not as a quarterly scramble.

The Honest Answer Most Subs Need to Hear

If you’re a subcontractor and you haven’t started, you can probably still get certified before November 2026, but only if you start now and only if your starting posture isn’t a complete green field. If you’ve been operating under DFARS 252.204-7012 for years and you’ve already implemented the 110 NIST SP 800-171 controls, you’re in better shape than you think. If you’ve been running a self-assessed SPRS score that doesn’t reflect actual implementation, your remediation timeline is longer.

Either way, the worst position to be in is “doing nothing while your prime quietly evaluates a replacement.” Being in process with a completed gap assessment, an active remediation plan, and a booked C3PAO is vastly better than waiting. It also gives your prime a defensible answer when they ask about your status, which they will.

Where to Start

Rudram Engineering has a CMMC Registered Practitioner on staff (in-house, not outsourced) who works directly with subcontractors across the Defense Industrial Base. Our RP scopes your CUI environment, scores your gaps against all 110 NIST SP 800-171 controls, and builds a remediation roadmap prioritized by what your prime actually needs from you. And because we’re a systems engineering firm, not just a compliance consultancy, when your remediation requires architectural changes, our engineering team executes them.

One team. From your first call to your C3PAO certification.

Schedule Your Free 30-Minute CMMC Readiness Assessment

No cost. No obligation. You’ll know exactly where you stand and what your prime’s CMMC requirements actually mean for your business.

Rudram Engineering, Inc. | Rockledge, FL | Serving the Defense Industrial Base for 18+ years | Trusted by NASA, the U.S. Air Force Academy, Raytheon, and Thales Avionics
