
CMMC Requirements for Subcontractors: Understanding How CMMC Flows Down the Defense Supply Chain

September 04, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

CMMC is not really a new cybersecurity initiative—it’s a core component of the DoD’s expansive cybersecurity improvement effort across the Defense Industrial Base (DIB). The latest version, CMMC 2.0, is designed to ensure that contractors and subcontractors are meeting existing information protection requirements for covered defense information and are protecting that information at a level commensurate with the risk from cybersecurity threats.

This is especially urgent for subcontractors at lower tiers of the defense supply chain. Malicious cyber actors don’t just target large prime contractors. They actively go after small and mid-sized businesses in the DIB that provide critical support and innovation because they are vulnerable. 

That’s why CMMC was designed with flowdown requirements from prime contractors to subcontractors. These requirements help ensure that every tier of the defense supply chain implements appropriate safeguards for sensitive unclassified information.

If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.

Why does CMMC 2.0 flow down to subcontractors?

According to FY18-FY21 data from the Federal Procurement Data System cited in the 32 CFR CMMC Program rule, the DIB included approximately 220,000 companies, with at least 8,300 known subcontractors at the time. While these numbers have likely changed significantly in the past years, this FPDS data gives us a sense of what percentage of the DIB is likely subcontractors (4%).

While this percentage may not seem significant, the loss of sensitive unclassified information at any tier of the defense supply chain can undercut U.S. technical advantage, limit and disrupt business opportunities, and compromise national security. 

For that reason, the DoD must enforce security requirements uniformly for all defense contractors and subcontractors who process, store, or transmit sensitive unclassified information on the DoD’s behalf—regardless of company size or service. The value of this information and impact of its loss does not diminish when the information moves to lower tiers of the supply chain.

That’s why CMMC 2.0 requires primes to ensure subcontractors meet CMMC requirements before awarding them subcontracts. 

In short, these flowdown requirements are not just regulatory checkboxes. They are critical for improving the security and resilience of the entire defense ecosystem. 

Now that we have a better understanding of the importance of CMMC flowdown requirements, let’s take a closer look at what they are.

Recommended reading

Why is CMMC Important? Benefits of CMMC Certification

CMMC flowdown requirements explained

As described in 32 CFR §170.23 and to be enforced by the final 48 CFR rule starting this year, primes have a responsibility to flow CMMC 2.0 requirements down to their subcontractors. This entails:

  • Verification before award. Primes must ensure subcontractors have a current CMMC certificate or self-assessment at the required level before awarding them a subcontract.
  • Appropriate levels. The CMMC level must match the type of information being flowed down from the prime contractor. Generally, Level 1 is for Federal Contract Information (FCI), Level 2 is for Controlled Unclassified Information (CUI) and Security Protection Data (SPD), and Level 3 is for rare cases involving the most sensitive CUI and Controlled Defense Information (CDI).
  • Annual affirmation. Primes must ensure that subcontractors affirm continuous compliance with the required level, at least annually.
  • No CMMC? No info flowdown. Primes must refrain from disseminating sensitive unclassified information (whether FCI, CUI, SPD, and/or CDI) to subcontractors that have not indicated meeting the CMMC level required.

The bottom line is if you handle sensitive unclassified information on behalf of the DoD, you will be subject to CMMC—even if you’re not the prime contractor.

Let’s take a closer look at when subcontractors can expect CMMC requirements in their subcontracts.

Recommended reading

How to Determine your CMMC Certification Level

When do subcontractors need to comply with CMMC 2.0?

The short answer: now. 

The 48 CFR acquisition rule cleared regulatory review on August 29, and is expected to be published in the Federal Register within weeks and go into effect before the end of 2025. That means most contracts will require at least a Level 1 or Level 2 self-assessment at the time of award.

This deadline isn’t final yet, but many primes like Lockheed Martin and General Dynamics are already starting to put pressure on their supply chains.

Michael Gruden, a partner at Crowell & Moring and former acquisition official with both the DoD and DHS, explained during the July CyberAB Town Hall that prime contractors and higher-tier subcontractors are already demanding proof of CMMC compliance, or at least a firm timeline for when lower-tier subcontractors will achieve certification. 

For example, on June 30, 2025, Lockheed Martin sent an update to suppliers reminding them that any CUI-handling companies should already have NIST 800-171 Rev. 2 requirements implemented in full. They also warned that the Supply Chain Cybersecurity team is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls). This makes it clear that Lockheed isn’t waiting for the 48 CFR rule to be published and CMMC deadline to be finalized—instead, it’s starting to enforce compliance across its own supply chain now. 

This is true of other primes like General Dynamics and federal agencies like Defense Logistics Agency (DLA) and Department of Energy as well. 

This is happening for a few reasons:

  • Primes want to get ahead of rollout and avoid delays in their own certification. If a prime needs to show readiness at a certain CMMC level, they need their subcontractors to do the same—or risk delaying their own certification. That means many primes are pressuring their subs to demonstrate compliance today to ensure they’ve met the minimum flowdown requirements before enforcement begins. 
  • Primes don’t want any surprises during the first phase: Even though most organizations will require self-assessments during the first phase of rollout, the DoD can identify specific Level 2 contracts that require third-party certification during this phase. Core programs and primes don’t want to risk being caught off guard due to subs that handle CUI and don’t have NIST 800-171 implemented—especially given that this has been required since DFARS 7012 went into effect in 2017.
  • Primes are favoring subcontractors that are already certified. Primes are increasingly favoring subcontractors who can show they’re already compliant, since being proactive signals reliability and reduces risk for the prime. A lead CCA from Aspire Cyber, for example, has already heard from multiple clients that they’ve lost contracts with General Dynamics because they’re not already CMMC certified.
  • CMMC compliance is not an easy achievement or endeavor. Many companies underestimate what it takes to become CMMC compliant because they compare it to frameworks they’ve already achieved, like SOC 2 or ISO 27001—but CMMC is significantly more demanding. From scoping your environment to implementing the controls and assessment objectives to maintaining extensive documentation like a System Security Plan (SSP) that can stretch to 200 pages, this complexity requires subcontractors to allocate budget, personnel, and time well in advance of the deadline. 
  • Primes want to avoid hefty False Claims Act settlements: Lockheed and other primes are reminding subcontractors that they should already be in full compliance with existing requirements like DFARS 7012—not just preparing for CMMC 2.0 down the road. Failing to meet these existing obligations after a contract award can carry consequences today, including hefty False Claims Act settlements like the DOJ’s $1.75 million settlement with Aero Turbine Inc. and its private equity partner Gallant Capital. Cases like this underscore why primes are tightening oversight of their supply chains: noncompliance doesn’t just risk future disqualification for contracts in the CMMC 2.0 rollout—it can immediately lead to costly settlements, legal exposure, and reputational damage for both primes and subs.

For subcontractors, this means waiting to act until the 48 CFR rule is published in the Federal Register could be too late. Demonstrating compliance early doesn’t just protect your existing contracts and shield you from False Claims Act liability—it can also make you stand out to primes actively reshaping their supply chains. 

Now that we understand the urgency of compliance for this subset of the DIB, let’s take a closer look at how CMMC 2.0 delineates minimum requirements for subcontractors. 

Recommended reading

A Side-by-Side Comparison Of CMMC 2.0, SOC 2, and ISO 27001

Minimum CMMC requirements for subcontractors

We know that prime contractors must ensure that their subcontractors have a current CMMC certificate or self-assessment at the required CMMC level appropriate to the information that is flowed down to them.

Does this mean that prime contractors and subcontractors will be required to maintain the same CMMC level? Not necessarily. 

The 32 CFR part 170 CMMC Program rule specifies minimum requirements for subcontractors that will process, store, or transmit FCI, CUI, or SPD in performance of a subcontract with a prime. These minimum requirements depend on the information flowed down to them and the prime’s required CMMC level.

The applicable CMMC level and assessment type for each subcontract is as follows, according to 32 CFR §170.23:

Level 1

Level 1 is the minimum flowdown requirement for any subcontractor that handles FCI only, regardless of the required level of the prime contractor. In other words, whether a prime contractor is required to conduct a Level 1 self-assessment or Level 3 government-led assessment, their subcontractors that handle FCI only have to meet Level 1 requirements.

Level 2

Level 2 is the minimum flowdown requirement for any subcontractor that handles CUI or SPD, regardless of whether the prime is required to achieve CMMC Level 2 or 3.

The assessment requirement at this level will vary depending on the assessment required in the associated prime contract. So if the prime contractor only needs a Level 2 self-assessment, then that’s the minimum requirement for subcontractors. This is unlikely, given that the DoD estimates that only 5% of Level 2 entities in the DIB will require a self-assessment.

If the prime needs to conduct a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for Level 2 or the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for Level 3, then the minimum requirement for subcontractors is a Level 2 C3PAO assessment. 

Level 3

You may have noticed that the minimum flowdown requirement for subcontractors is Level 2 (C3PAO), even if the associated prime contract has a Level 3 requirement. That’s because the DoD has made a risk-based decision not to mandate the flow down of Level 3 requirements to subcontractors unless explicit guidance is provided to do so. 

Primes can flow down Level 3 requirements to subcontractors that will process, store, or transmit CUI and/or CDI that require enhanced protection against advanced persistent threats (APTs) on their behalf. However, the DoD encourages prime contractors to carefully consider the necessity of sharing this type of highly sensitive information and work with subcontractors to limit this flow down when possible to reduce the burden on subcontractors. 


CMMC 2.0 Compliance Checklists

Whether you need Level 1, Level 2, or even Level 3 guidance, our CMMC checklists give you a clear, structured approach to preparing for certification. Download the one you need—or all three to compare the breadth of security requirements of different levels.

Where do these flow down requirements come from?

CMMC 2.0 flow down requirements are built on top of the long-standing DFARS 7012 clause. To strengthen this clause, the 48 CFR Rule introduces new DFARS clauses that are designed to provide DoD with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with risk, accounting for information shared with its subcontractors in a multi-tier supply chain.

Let’s briefly cover these DFARS clauses which mandate CMMC flow down requirements for subcontractors:

DFARS Flow down requirements
  • DFARS 252.204-7012: Requires contractors to provide adequate security for covered defense information and to include this clause in subcontracts for which performance will involve covered defense information or operationally critical support. While DFARS 7012 has been in effect since December 2017, it lacked a verification requirement for the handling of this information, so many contractors and subcontractors fell short in putting the required safeguards in place.
  • DFARS 252.204-7020: DFARS 7020 formalizes the contractor’s responsibility to flow down requirements to subcontractors and confirm they have valid SPRS scores before awarding them contracts.
  • DFARS 252.204-7021: DFARS 7021 requires CMMC certification as a condition of contract award, including for subcontractors. This will be enforced once the 48 CFR rule takes effect.

Together, these clauses shift CMMC compliance from “trust but verify later” to “prove it before and during award” for both contractors and subcontractors.

Recommended reading

Supplier Performance Risk System (SPRS): How to Affirm CMMC Self-Assessments

What subcontractors should do now to get CMMC compliant before it’s too late

If you’re a subcontractor working with (or hoping to work with) primes like Lockheed Martin, General Dynamics, or the Defense Logistics Agency, here are the critical steps to take now to get CMMC ready and avoid losing business:

  • Determine your required level: To kick off your CMMC readiness journey, review the prime contracts you’re bidding on or currently involved with. Any solicitation, requests for information (RFIs), or contracts should specify the required CMMC level. If you’re unsure or proactively getting CMMC ready, a CMMC consultant, MSP, or Secureframe expert can help confirm whether you need Level 1 (self), Level 2 (self), or Level 2 (C3PAO).
  • Talk to your prime: If the CMMC level is not explicitly stated in your subcontract yet, consider reaching out to your prime contractor(s) to understand any applicable CMMC requirements flowing down from the main contract. Prime contractors should be able to provide guidance on the minimum CMMC requirements for your subcontract.
  • Consider your long-term goals: When planning your CMMC compliance efforts, try to think beyond your immediate needs and how you might future-proof your business. For example, while your current contracts may only require CMMC Level 1, pursuing Level 2 certification could position your organization to handle more complex and lucrative contracts that involve CUI from primes in the future. 
  • Identify and fill any gaps for your required level: Next, perform a gap analysis to identify and remediate any unmet requirements for your CMMC level. For Level 1, that means putting in place all controls to fully meet the 15 safeguarding requirements tied to FAR 52.204-21. For Level 2, you’ll need to implement controls to meet all 110 NIST SP 800-171 R2 requirements and 320 assessment objectives. While POA&Ms are allowed at this level, gaps at this stage may be red flags for primes.
  • Start your documentation as soon as possible: Subcontractors pursuing Level 1 certification must collect and maintain documentation and evidence showing all 15 practices are in place and operating effectively. Subcontractors pursuing Level 2 must develop a comprehensive System Security Plan (SSP) that includes system diagrams, asset listings, data flows, and implementation statements for each control. It can be hundreds of pages long so the sooner you get started, the better.
  • Submit scores and affirmation in SPRS: Contractors are responsible for confirming their subcontractors have Supplier Performance Risk System (SPRS) scores on file prior to awarding them contracts and complete and maintain an affirmation of continuous compliance on an annual basis. So if you’ve completed your CMMC assessment, submit your assessment results and affirmation into the SPRS. Note that if you need a Level 2 third-party assessment, then the C3PAO will enter your results into the Enterprise Mission Assurance Support Service (eMASS), which will electronically transmit to SPRS, for you.
  • Keep your primes up-to-date on your current CMMC status. Don’t wait for a supply chain team to chase you down about unmet requirements—instead, ensure that you update your supplier portal with the latest assessment results and scores. For subcontractors of Lockheed, that means updating your Cybersecurity Compliance and Risk Assessment (CCRA) assertions in Exostar’s new Supplier Management module.

Recommended reading

The CMMC 2.0 Rulemaking Process: When Did CMMC 2.0 Go into Effect & When Will It Be Enforced?

How Secureframe can help subcontractors get ahead of CMMC deadline

CMMC is designed to ensure consistent protection of sensitive information across the entire defense supply chain. For subcontractors, that means you’re not exempt—you’re essential.

With enforcement expected to start by end of year and primes already raising the bar, subcontractors who start preparing today will be best positioned to win and retain contracts in the DoD ecosystem.

Here’s how Secureframe can help you demonstrate compliance quickly and confidently:

  • Automated Evidence Collection: One of the biggest challenges with CMMC is the amount of documentation required to prove compliance. Secureframe automates evidence collection across your tech stack—including AWS GovCloud, Azure Government, and Microsoft GCC High—so you can continuously pull artifacts from systems and reduce manual effort. This ensures your documentation stays current and audit-ready.
  • System Security Plan (SSP) Builder: We make it simple to generate and maintain a detailed SSP, which outlines how each of the 110 controls and 320+ assessment objectives are implemented in your environment. Our own SSP was over 150 pages, and that was for a small boundary—so this feature alone can save you hundreds of hours.
  • POA&M Management: If any controls aren’t fully met during your prep or assessment, our platform helps you generate and manage a Plan of Action & Milestones (POA&M). You can assign remediation owners, track deadlines, and ensure all open items are addressed before the assessment clock runs out.
  • SPRS Scoring Tool: We also help you calculate and manage your SPRS score—your formal self-assessed score against the NIST 800-171 controls. Maintaining an accurate and defensible SPRS score is key to readiness, especially ahead of contract award timelines.
  • Asset, Vendor, and Risk Management: Secureframe integrates with your infrastructure to automatically discover in-scope assets and link them to required CMMC practices. You can also inventory and track vendors—especially those storing or transmitting CUI or providing security functions—to ensure they meet flowdown requirements. And you can assess, manage, and remediate risk to those assets and vendors using our automation and AI workflows. 
  • Policy Templates & Control Mapping: We provide pre-built policy templates aligned to the CMMC domains, which you can tailor to your environment. Each policy is mapped directly to the relevant control and test objective, helping you meet documentation requirements faster and with less guesswork.
  • Cross-Framework Mapping: Many DIB contractors need to comply with multiple frameworks—like NIST 800-53, FedRAMP, or SOC 2. Secureframe maps overlapping controls across frameworks so your efforts scale. This saves time, reduces duplication, and streamlines evidence collection across all your compliance initiatives.
  • Auditor Module for C3PAOs: Finally, our platform includes a dedicated Auditor Module, which allows C3PAOs to securely review your evidence and documentation in-platform—reducing the back-and-forth and improving audit efficiency. This is especially valuable for CMMC, where audit timelines can be tight and collaboration is critical.
  • First-hand CMMC and FedRAMP 20x assessment experience: One of our biggest differentiators is that we’re not just building and offering tooling—we’re going through CMMC and FedRAMP 20x ourselves. That means we understand the complexity, pressure, and nuance of preparing for these frameworks and can use this first-hand experience to help you navigate the process yourself. We’ve also built out the required documentation—including a complete Customer Responsibility Matrix (CRM)—so we have it ready for any customer going through their own CMMC audit.

Request a demo to see exactly how we can reduce the cost and complexity of your CMMC certification. 


FAQs

Does CMMC 2.0 flow down to subcontractors?

Yes. Generally speaking, subcontracts will be subject to a CMMC 2.0 level that matches the sensitivity of the information they will handle in the performance of the subcontract with a prime with a required level of CMMC 2.0 certification.

Where are CMMC 2.0 flowdown requirements specified in the 32 CFR rule?

32 CFR Rule § 170.23 specifies minimum flowdown requirements for subcontractors that will process, store, or transmit sensitive unclassified information on behalf of a prime.

Which subcontractors will need CMMC Level 1?

Level 1 (self-assessment) is the minimum flowdown requirement for subcontractors that handle FCI, regardless of whether the prime contractor requirement is Level 1 (self), Level 2 (self), Level 2 (C3PAO), or Level 3 (DIBCAC).

Which subcontractors will need CMMC Level 2?

Regardless of whether you’re a prime contractor or subcontractor, if you receive, process, store, or transmit CUI on behalf of the government or other contractors, you’ll need to achieve at least CMMC Level 2 certification.

Will any subcontractors need CMMC Level 3?

This is unlikely, but possible. The DoD has made a risk-based decision not to mandate the flow down of Level 3 requirements to subcontractors unless explicit guidance is provided to do so. Instead, it has mandated that the minimum flowdown requirement be Level 2 certification. That means the prime contractor can still decide to require Level 3 in their subcontracts, but they don’t have to. In fact, the DoD encourages prime contractors to work with their subcontractors to only flow down CUI with the required security and the least burden.
