CMMC Requirements: What Primes & Subs Need to Secure CUI

CMMC requirements will reshape the cybersecurity standards for approximately 220,000 companies in the Defense Industrial Base (DIB), including at least 8,300 known subcontractors. The DoD’s final DFARS rule becomes effective on November 10, 2025. Prime contractors and their subcontractors must act quickly to maintain their defense contract eligibility.

Prime contractors hold direct responsibility to ensure their subcontractors meet appropriate cybersecurity standards under CMMC 2.0 requirements, particularly for handling Controlled Unclassified Information (CUI). The DoD CMMC requirements will appear in contracts starting November 2025. These changes affect an estimated 80,000 contractors who need Level 2 or Level 3 certification. Organizations typically need 6-18 months of preparation and must invest between $34,000-$112,000 based on their size and security posture.

Navigating these new cybersecurity maturity model certification requirements presents significant challenges. This piece breaks down essential information for primes and subcontractors about securing CUI, specific requirements for each CMMC level, and practical steps to achieve compliance before the deadline.

What Are the CMMC Requirements for DoD Contractors and Subs

“DoD’s CMMC Program mandates that all organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) maintain specific cybersecurity maturity levels to protect sensitive data. CMMC provides a consistent methodology to assess compliance with cybersecurity requirements and standards set forth in the 48 CFR 52.204-21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Basic Safeguarding of Covered Contractor Information Systems.” — U.S. Army Corps of Engineers, Major federal contracting authority, responsible for DoD contract compliance

The DoD finalized the CMMC Program Rule in October 2024. This marks a new systematic way to verify cybersecurity compliance throughout the defense supply chain. The Cybersecurity Maturity Model Certification program evaluates how contractors implement existing cybersecurity safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Cybersecurity Maturity Model Certification (CMMC) Overview

The CMMC program uses a tiered model to assess compliance with cybersecurity standards at different levels. The program protects sensitive unclassified information that DoD shares with contractors and subcontractors.

CMMC 2.0 framework simplifies the original five-tier system into three distinct levels. Each level includes security requirements from existing regulations and guidelines. This streamlined structure matches prominent NIST cybersecurity standards.

DoD will roll out CMMC requirements in phases:

  • Phase 1 (Nov 10, 2025 – Nov 9, 2026): Focus on CMMC Level 1 and Level 2 self-assessments
  • Phase 2 (Starting ~12 months after Phase 1): Begin requiring Level 2 certification assessments
  • Phase 3 (Starting ~24 months after Phase 1): Add Level 3 certification to solicitation requirements
  • Phase 4 (Full implementation by 2028): All new DoD solicitations with FCI or CUI will include appropriate CMMC requirements

Companies can receive contract awards with a limited-time Plan of Action and Milestones (POA&M). This allows them to complete certain CMMC requirements within a defined timeline.

What Are the CMMC Requirements for FCI and CUI

The CMMC framework sets different requirements based on the information being handled:

CMMC Level 1 (Foundational)

  • Applies to contractors who handle only FCI – information not meant for public release that’s provided by or generated for the government
  • Requires 15 simple cybersecurity controls from FAR 52.204-21
  • Needs annual self-assessment and compliance confirmation via the Supplier Performance Risk System (SPRS)
  • Does not allow POA&Ms
  • Covers about 62% of defense contractors

CMMC Level 2 (Advanced)

  • Applies to contractors who handle CUI – information needing safeguarding or dissemination controls
  • Needs all 110 security controls specified in NIST SP 800-171 Rev 2
  • Assessment options:
    • Level 2 (Self): Self-assessment needed every three years with results in SPRS
    • Level 2 (C3PAO): Assessment by a Certified Third-Party Assessment Organization needed every three years with results in CMMC Enterprise Mission Assurance Support Service (eMASS)
  • Requires annual confirmation in both cases
  • Allows conditional status with POA&Ms that must be completed within 180 days
  • Covers about 37% of defense contractors (2% self-assessment, 35% C3PAO)

CMMC Level 3 (Expert)

  • Applies to contractors handling CUI that needs higher-level protection against advanced persistent threats
  • Prerequisites: Must achieve CMMC Level 2 (C3PAO) status first
  • Needs all Level 2 requirements plus 24 select requirements from NIST SP 800-172
  • Requires assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years
  • Allows conditional status with POA&Ms that must be completed within 180 days
  • Covers about 1% of defense contractors

Prime contractors must verify their subcontractors’ current CMMC certification or self-assessment at the right level before awarding subcontracts. Subcontractors handling only FCI need Level 1 at minimum, whatever the prime contractor’s required level. Subcontractors handling CUI must reach at least Level 2, matching the assessment type required in the prime contract.

The DoD CMMC requirements determine contract award, option exercise, and extension of performance periods.

Legal Basis for CMMC Flowdown: DFARS and 48 CFR Clauses

The legal framework for CMMC compliance and flowdown requirements depends on three significant Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These clauses set cybersecurity rules throughout the defense supply chain. They create contractual requirements to protect Controlled Unclassified Information (CUI) and establish a verification system for DoD contractors at every level.

DFARS 252.204-7012: Security for Covered Defense Information

DFARS 252.204-7012 is the cornerstone of cybersecurity requirements for defense contractors who handle CUI. This clause, which 48 CFR 204.7304(c) prescribes, has been active since 2017. It requires contractors to:

  • Apply all 110 security requirements from NIST SP 800-171 to implement adequate security on covered contractor information systems
  • Report cyber incidents affecting covered defense information within 72 hours
  • Keep and protect relevant logs and monitoring data for at least 90 days after incident reporting
  • Send malicious software to the DoD Cyber Crime Center (DC3) once found
  • Let DoD access additional information or equipment needed for forensic analysis upon request

The most vital part of DFARS 7012 lies in paragraph (m). It requires contractors to include the clause word-for-word in subcontracts that involve operationally critical support or covered defense information. This creates a legal chain of cybersecurity responsibility across the supply chain.

DFARS 252.204-7020: SPRS Score Verification

DFARS 252.204-7020, which came into effect in November 2023, adds teeth to DFARS 7012 through a verification system. The clause sets up:

  • A three-tier assessment approach for NIST SP 800-171 compliance: Basic (contractor self-assessment), Medium (government document review), and High (government assessment)
  • Rules for contractors to submit assessment scores to the Supplier Performance Risk System (SPRS)
  • Required verification of subcontractor SPRS scores before awarding subcontracts
  • DoD’s right to access contractor facilities, systems, and personnel for Medium or High assessments

Prime contractors must check their subcontractors’ valid assessment scores in SPRS before giving them contracts involving CUI, according to paragraph (g). The clause also requires updates to assessments every three years to stay eligible for new contracts.

DFARS 252.204-7021: Certification as Contract Condition

DFARS 252.204-7021 makes CMMC certification a legal requirement for contracts. Starting November 2025, this clause will appear in solicitations and requires contractors to:

  • Get the specified CMMC level before contract award
  • Keep certification valid throughout the contract
  • Make sure subcontractors meet appropriate CMMC levels based on their information handling
  • Check subcontractor CMMC status before awarding work

Contractors must include DFARS 252.204-7021’s substance in all subcontracts except those for commercially available off-the-shelf items, as paragraph (c) states. Prime contractors become enforcers of cybersecurity standards in their supply chains by verifying subcontractor compliance before award.

The DoD will allow conditional CMMC status for Levels 2 and 3 up to 180 days under the final rule. During this time, contractors must complete any remaining items in their Plans of Action & Milestones (POA&Ms) while staying eligible for contract award.

These DFARS clauses create legal obligations for both prime contractors and subcontractors. They must implement proper cybersecurity controls, get necessary certifications, and verify compliance throughout the supply chain.

Risks of Non-Compliance for Primes and Subcontractors

“Many contractors may think of CMMC compliance as a future item. But given the short, phased timeline and DoD discretion to require higher levels earlier, delaying preparation may increase cost, resource strain, and competitive disadvantage.” — Compass IT Compliance, Cybersecurity compliance consulting firm

CMMC non-compliance poses major risks for prime contractors and their subcontractors. The stakes are at an all-time high as enforcement gets tougher and the Department of Justice actively pursues violators throughout the defense supply chain.

False Claims Act Liability and Legal Exposure

The Department of Justice’s Civil Cyber-Fraud Initiative, launched in 2021, shows a steadfast dedication to prosecuting contractors who misrepresent their cybersecurity compliance status. Companies face triple damages, hefty fines, and public exposure under the False Claims Act (FCA) if they falsely claim NIST SP 800-171 compliance or inflate their SPRS scores.

Recent settlements paint a clear picture of these risks:

  • MORSE Corp paid $4.60 million in 2025 because they submitted false SPRS scores and failed to meet NIST SP 800-171 requirements
  • Raytheon and RTX Corporation settled for $8.30 million in 2025 after allegations of mishandling sensitive information
  • Pennsylvania State University paid $1.25 million in 2024 to resolve issues in all but one of their 15 DoD and NASA contracts

Whistleblowers received generous rewards for exposing these violations – exceeding $1 million in the MORSE case alone. Companies trigger FCA violations by submitting inaccurate SPRS scores, signing executive attestations without verification, misrepresenting compliance in contract proposals, or continuing to certify readiness while ignoring needed fixes.

Loss of Contract Eligibility and SPRS Score Impact

CMMC requirements will become a key factor in defense contract decisions starting November 10, 2025. Organizations will lose their eligibility for contract awards without valid certification at the required level, whatever their other qualifications.

This disqualification affects both new opportunities and existing relationships. Companies that wait too long risk:

  • Losing future bidding opportunities
  • Getting disqualified from existing or renewal contracts
  • Becoming less attractive as potential subcontractors

A contractor’s poor CMMC compliance history in the Supplier Performance Risk System (SPRS) can damage their reputation with procurement officers and prime contractors even after fixing technical issues. This damage can quietly cost companies millions in lost business opportunities.

Operational Delays and Supply Chain Disruption

Prime contractors must look beyond their own operations. The entire contract becomes vulnerable if their subcontractors handling CUI fail to meet CMMC requirements. These effects ripple through the entire supply chain.

Manufacturing delays caused by non-compliant partners can throw off delivery schedules and program milestones. Finding and qualifying replacement suppliers takes time and substantially extends these disruptions, which affects military operations and readiness.

Prime contractors face several risks from subcontractor non-compliance:

  • Potential FCA liability for failing to ensure subcontractor compliance
  • Project timeline and deliverable delays
  • Reduced workforce or production capacity

These disruptions affect operational readiness and put military operations at risk, which highlights the importance of proper supply chain risk management.

The risks are too high for both prime contractors and subcontractors to delay. They should make CMMC readiness their top priority now. Book a Readiness Call to get a full picture of your compliance status and create a strategic plan to meet CMMC requirements before the November 2025 deadline.

Building a CMMC Risk Management Strategy for Primes

Prime contractors have a vital responsibility under the new DoD CMMC requirements. They must verify their subcontractors comply throughout the supply chain. The implementation starts November 10, 2025, and contractors need a structured risk management approach to stay eligible and avoid legal issues.

Tiering Subcontractors by Data Sensitivity

The best way to manage CMMC risk is categorizing subcontractors based on their data handling. The minimum flowdown requirements create a tiered system:

  • FCI-Only Subcontractors: Need CMMC Level 1 self-assessment, whatever the prime’s certification level
  • CUI-Handling Subcontractors: Must achieve CMMC Level 2, with assessment type matching the prime contract
  • Critical CUI Subcontractors: Some rare cases need Level 3 certification when handling sensitive information that needs extra protection

This approach lets primes set proper security requirements without overloading their supply chain. For example, subcontractors that only handle Federal Contract Information can keep Level 1 compliance even while supporting contracts where primes need Level 2 or 3 certification.

Setting Timelines and Monitoring Progress

CMMC implementation has begun, and prime contractors must set clear deadlines for their subcontractors. The first phase kicks off November 10, 2025, when new contracts will include CMMC requirements. Primes should:

  • Make an immediate list of subcontractors handling FCI or CUI
  • Check that subcontractors post current SPRS scores before November 2025
  • Make sure self-assessments happen yearly and third-party certifications every three years
  • Set up continuous monitoring between formal assessments

Monitoring helps catch security issues early and keeps security controls consistent. This ongoing alertness means tracking system use, checking audit trails, and spotting potential vulnerabilities before anyone can exploit them.

Formalizing CMMC Requirements in Contracts

Updating subcontractor agreements is a key step toward CMMC compliance. Prime contractors must:

  • Add the DFARS 252.204-7021 clause word-for-word in all FCI or CUI subcontracts
  • List the required CMMC level based on data sensitivity
  • Create verification steps since primes can’t directly check subcontractor SPRS status
  • Ask subcontractors for proof of compliance through SPRS screenshots or certificates

Prime contractors should review their current subcontractor agreements to check for FCI or CUI involvement and update the contract language accordingly. The new DFARS clause requires primes to verify subcontractor compliance before awarding any work.

Prime contractors should create standard contract additions that spell out:

  • Information classification and handling requirements
  • CMMC level needed and assessment type
  • When to get certified and provide ongoing proof
  • What documentation they need
  • What happens if they don’t comply

CMMC compliance isn’t just about getting certified once. It needs strong contracts, clear communication, and regular checks throughout the supply chain.

Steps for Subcontractors to Achieve CMMC Level 2 Compliance

Image Source: Peak InfoSec

Subcontractors who handle CUI need CMMC Level 2 certification to stay eligible for defense contracts. The certification process needs proper security controls, good documentation, and passing a third-party assessment.

Implementing 110 NIST SP 800-171 Controls

CMMC Level 2 compliance requires subcontractors to put in place all 110 security controls from NIST SP 800-171. The requirements go beyond basic compliance: each control has multiple assessment objectives, adding up to 320 assessment objectives (AOs) in total. These controls span multiple security domains, including:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication

Subcontractors should get a full picture to check if each control meets all assessment objectives with proper evidence. They can use any solution that meets these requirements through direct implementation or managed services.

Preparing Documentation: SSP, POA&M, Policies

Documentation serves as the foundation of CMMC compliance. Your organization’s System Security Plan (SSP) must show how you protect information systems that process CUI. While there’s no standard format, your SSP needs:

  • A system overview that describes information systems, hardware, software, and network components
  • Clear explanations of security control implementations
  • Security program management roles and responsibilities
  • Details about system connections and data flows

You also need a Plan of Action & Milestones (POA&M) that shows how you’ll fix security weaknesses found during assessments. Each POA&M must list problems found, fixes needed, important dates, people in charge, and resources needed.

Scheduling a C3PAO Assessment and Submitting to eMASS

After preparation, you can schedule an assessment with an authorized Certified Third-Party Assessment Organization (C3PAO). The assessment follows four phases:

Phase 1: Pre-assessment planning covers scope information gathering, artifact intake, team identification, and assessment plan development.

Phase 2: The C3PAO collects and analyzes evidence related to CMMC practices during the assessment.

Phase 3: Post-assessment reporting includes quality assurance reviews.

Phase 4: A 90-day window opens for fixing any shortfalls if needed.

The C3PAO sends results to the CMMC Enterprise Mission Assurance Support Service (eMASS) after the assessment. eMASS then automatically sends them to SPRS. Based on these results, you’ll get either:

  • Final Level 2 certification that lasts three years
  • Conditional Level 2 certification requiring POA&M completion within 180 days

Getting certified means careful preparation across all 320 assessment objectives. Book a Readiness Call to check your compliance status and create a roadmap for CMMC Level 2 requirements.

Tools and Support to Streamline CMMC Readiness

Defense contractors need quick and effective ways to manage their documentation and evidence for CMMC compliance. Several specialized tools can guide them through these complex requirements.

Automated Evidence Collection and Control Mapping

Modern platforms make CMMC readiness easier with continuous evidence gathering from connected systems. Tools like Secureframe automatically pull evidence from cloud environments like AWS GovCloud and Azure Government to verify all 320 assessment objectives. Onspring’s platform links requirements directly to evidence and generates up-to-the-minute SPRS scores based on current implementation status.

SPRS Scoring Tools and Policy Templates

Contractors have access to multiple resources to track and maintain their SPRS scores. The “FAR and Above” scoring tool, downloaded over 11,000 times since 2021, offers automated SPRS calculations. ComplianceForge provides detailed policy templates that cover CMMC documentation needs—including System Security Plans, POA&Ms, and Incident Response Plans.

Auditor Collaboration Modules for C3PAOs

Purpose-built platforms create smoother assessment processes. The Cyber AB CMMC Readiness Tool lets organizations share information securely with auditors and C3PAOs through permission-based access models. Secureframe’s Auditor Module gives C3PAOs a secure platform to review evidence, which reduces back-and-forth during assessments.

Book a Readiness Call to find the right tools that match your organization’s CMMC requirements and compliance needs.

Conclusion

CMMC compliance marks a turning point for the Defense Industrial Base. This piece shows how these requirements will reshape cybersecurity standards for about 220,000 companies that handle sensitive government information. The November 2025 implementation deadline is approaching fast, and contractors have limited time to prepare for a process that takes 6-18 months and costs between $34,000-$112,000.

Prime contractors have a huge responsibility under the new framework. They must achieve their own certification and verify their subcontractors’ compliance throughout their supply chain. This dual role needs careful planning, clear communication, and resilient verification mechanisms to avoid False Claims Act violations and supply chain disruptions.

Subcontractors face tough requirements too. Those handling CUI must implement all 110 NIST SP 800-171 controls that cover 320 assessment objectives across multiple security domains. On top of that, they need detailed documentation including System Security Plans and Plans of Action & Milestones before a C3PAO assessment.

The risks of non-compliance go way beyond administrative penalties. Companies that fail to meet CMMC requirements can’t win contract awards, face potential legal exposure under the False Claims Act, and damage their reputation in the defense procurement ecosystem permanently. Recent settlements in millions of dollars show how the Department of Justice takes cybersecurity violations seriously.

The good news is that tools and resources exist to make the compliance process smoother. Automated evidence collection platforms, SPRS scoring tools, policy templates, and auditor collaboration modules substantially reduce the preparation and assessment burden.

You should start your CMMC readiness preparation right away. The phased implementation starting November 2025 will affect defense contractors of all sizes that handle FCI or CUI. A full assessment of gaps, development of remediation plans, and early scheduling of assessments will prove vital to maintain contract eligibility.

The defense supply chain needs every link to meet proper security standards. Despite its challenges, CMMC compliance strengthens our collective cybersecurity posture and protects vital national security information from sophisticated threats. Your preparation today ensures your place in the defense industrial base tomorrow.

Key Takeaways

Defense contractors and subcontractors must act quickly to meet CMMC requirements that become mandatory November 10, 2025, affecting 220,000 companies in the Defense Industrial Base.

Prime contractors are legally responsible for verifying subcontractor CMMC compliance throughout their entire supply chain under DFARS clauses 252.204-7012, 7020, and 7021.

CMMC Level 2 requires implementing all 110 NIST SP 800-171 controls covering 320 assessment objectives, with third-party certification valid for three years.

Non-compliance carries severe penalties including contract disqualification, False Claims Act liability with triple damages, and recent settlements reaching millions of dollars.

Subcontractors handling CUI must achieve Level 2 certification while FCI-only contractors need Level 1 self-assessment, regardless of prime contractor requirements.

Preparation typically takes 6-18 months and costs $34,000-$112,000, making immediate action essential for maintaining defense contract eligibility.

The stakes are high: companies without proper CMMC certification will be automatically disqualified from defense contracts, potentially losing millions in business opportunities. Success requires methodical preparation across documentation, security controls implementation, and third-party assessment coordination.

FAQs

Q1. What is CMMC and why is it important for defense contractors? CMMC (Cybersecurity Maturity Model Certification) is a DoD program that verifies cybersecurity compliance across the defense supply chain. It’s crucial for defense contractors because it will be a requirement for contract eligibility starting November 2025, affecting approximately 220,000 companies in the Defense Industrial Base.

Q2. How long does it typically take to prepare for CMMC certification? Preparation for CMMC certification typically requires 6-18 months, depending on an organization’s current security posture and the level of certification needed. The process can cost between $34,000 and $112,000, making early preparation essential.

Q3. What are the different CMMC levels and who needs them? There are three CMMC levels: Level 1 (Foundational) for contractors handling only Federal Contract Information, Level 2 (Advanced) for those handling Controlled Unclassified Information, and Level 3 (Expert) for contractors requiring higher-level protection. The required level depends on the type of information handled.

Q4. What are the risks of non-compliance with CMMC requirements? Non-compliance risks include disqualification from contract awards, potential False Claims Act violations leading to significant fines, and reputational damage within the defense procurement ecosystem. Recent settlements for cybersecurity violations have reached millions of dollars.

Q5. How can prime contractors ensure their subcontractors are CMMC compliant? Prime contractors should tier subcontractors by data sensitivity, set clear compliance timelines, implement continuous monitoring, and formalize CMMC requirements in contracts. They must verify subcontractor compliance before awarding contracts, as they are legally responsible for their supply chain’s cybersecurity under DFARS clauses.