
CMMC Subcontractor Oversight: What Primes Are Requiring and How to Stay Contract-Eligible

  • May 05, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

In December 2025, Northrop Grumman told its suppliers directly: CMMC requirements can't be waived, regardless of relationship history. It was a moment the defense supply chain had been building to for years. 

Primes aren't just passing CMMC requirements down the chain. They're being held accountable for verifying compliance at every tier, and the pressure that creates lands squarely on subcontractors.

For smaller organizations in the DIB, this shift has a specific implication: your prime's compliance posture is now directly tied to yours. That has changed the nature of subcontractor oversight from a paperwork exercise into an active supply chain management problem, and understanding what's actually being asked of you and why is the key to staying contract-eligible.

How subcontractor oversight became a Prime responsibility

Under the 48 CFR CMMC acquisition rule that took effect in November 2025, prime contractors carry legal responsibility for confirming that every subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) meets the appropriate CMMC level before work begins. That responsibility has three components: verifying CMMC status before awarding a subcontract, ensuring subcontractors affirm continued compliance at least annually, and refraining from sharing FCI or CUI with any sub that hasn't demonstrated the required status.

This arrangement essentially deputizes primes as the front-line enforcers of cybersecurity compliance across the supply chain. The DoD can't directly audit 80,000 organizations, so it built a structure where primes do that verification work and bear the consequences if they get it wrong. If a prime fails to validate subcontractor compliance and something goes wrong, they face potential False Claims Act penalties, contract termination, and impacts to future award eligibility.

That liability is why major primes began moving ahead of government deadlines. Raytheon updated supplier certification requirements in early 2025. Lockheed Martin followed with targeted outreach to suppliers showing low SPRS scores, asking them to validate readiness for Level 2 C3PAO assessments. Boeing and Elbit Systems of America issued formal supplier notices over the summer and fall. By the time Northrop Grumman's letter went out, the pattern was clear: waiting for Phase 2 in November 2026 was no longer a viable strategy for subs whose primes had already set their own enforcement deadlines.


The oversight gap that creates risk across the defense supply chain

For primes, validating subcontractor compliance at scale is genuinely difficult. SPRS scores aren't visible to primes directly. Subcontractors have to supply proof themselves, whether a printout of their SPRS self-assessment score, a C3PAO certification letter, or documentation of their compliance posture. Across a supply chain of hundreds or thousands of vendors, managing that verification process through emails and spreadsheets is error-prone and hard to audit.

This creates a compounding problem. Primes that can't see past their Tier 1 suppliers have real blind spots about where CUI is flowing and who has actually implemented the required controls. Subcontractors that haven't documented their compliance posture become a liability to their prime, even if their actual security practices are solid.

For subcontractors, the practical risk is getting removed from consideration for future work before any formal government deadline ever arrives. Several primes have already indicated that organizations without current CMMC status won't receive CUI under new awards, regardless of prior relationship. Sole-source arrangements don't create exceptions. Primes don't have the legal authority to issue contracts to non-compliant subs.

Which CMMC level applies to subcontractors?

Which CMMC level applies to a given subcontractor is one of the most consistently misunderstood parts of the flowdown framework. Primes can't simply push their own certification level down to everyone in their supply chain. The required level has to match the type of information being shared.

If the only information flowing to you is FCI (general federal contract information that isn't publicly releasable), you need Level 1, which involves an annual self-assessment and affirmation. If your work involves CUI, which includes controlled technical data, export-controlled information, and other categories of sensitive program information, you need Level 2. Most organizations at Level 2 will require a third-party assessment by an accredited C3PAO, though some may qualify for a Level 2 self-assessment depending on what the specific contract specifies.

If you're not certain which category you fall into, the right first step is reviewing your contract for DFARS clauses, particularly 252.204-7012 (safeguarding covered defense information) and 252.204-7021 (the CMMC clause, which states the required level), and having a direct conversation with your prime. Ask them explicitly whether CUI is being flowed down to your organization under this contract, and get that answer in writing if you can.

There's also a more proactive question worth raising: can the contract or data handling arrangement be structured so that CUI doesn't enter your environment at all? This isn't always possible, but it's more feasible than most subs assume. If a prime can deliver work products, access credentials, or technical data in a way that keeps raw CUI on their systems rather than yours, you stay at Level 1. The arrangement has to hold up under CMMC scoping, though: if your staff view CUI through a prime-provided virtual desktop, the endpoints they use only stay out of scope when they are configured so that no CUI can be stored, processed, or transmitted locally beyond the keyboard, video, and mouse stream, and that configuration needs to be documented. The certification cost difference between Level 1 and Level 2 is significant. Level 1 is a self-assessment with no third-party audit requirement, while Level 2 typically involves months of preparation and an assessment by an accredited C3PAO that can run well into six figures.

If you raise this with your prime and they're open to it, the conversation to have is about CMMC scoping: specifically, what information you actually need access to in order to perform your work, and whether there are ways to give you functional access without transferring CUI into your environment. Some primes have restructured data handling arrangements for lower-tier subs exactly this way. Others can't do it because of program requirements or the nature of the work. Either way, ask before you assume Level 2 is inevitable.


What subcontractors need to have ready

When a prime asks for proof of CMMC compliance, there are a few things they're typically looking for. A current SPRS score on file, based on a completed NIST SP 800-171 Basic self-assessment, is the baseline. Implementing NIST SP 800-171 has been a contractual obligation since DFARS 252.204-7012 became fully effective at the end of 2017, and posting an assessment score in SPRS has been required under DFARS 252.204-7019 and 252.204-7020 since November 2020, so if you haven't submitted a score, you're already behind on an existing obligation.

Understanding what that score actually represents is important. NIST SP 800-171 has 110 security requirements, and the DoD Assessment Methodology assigns each one a weight of 1, 3, or 5 points. A Basic assessment starts at 110 and subtracts the weight of every requirement that isn't implemented; two requirements (3.5.3, multifactor authentication, and 3.13.11, FIPS-validated cryptography) carry a reduced deduction when they are partially implemented. Because the weights add up to well over 110, an organization missing many high-value requirements can end up with a negative score. Primes can't pull your SPRS score directly; you have to provide it to them, typically as a printout or screenshot from the SPRS portal. A score below 70 or 80 tends to trigger scrutiny from primes, although there's no officially codified threshold. A negative score is a significant red flag and will likely prompt a prime to ask hard questions about your remediation timeline before they'll flow CUI to you.

A raw SPRS number without supporting documentation is also harder for a prime to evaluate. Your System Security Plan (SSP) documents what controls you have in place and how your environment is scoped. The Plan of Action & Milestones (POA&M) captures the gaps and your plan to close them, with timelines. A low SPRS score paired with a credible, actively maintained POA&M is a much better position to be in than a low score with no documentation at all. 

Most organizations heading toward Level 2 C3PAO certification will need 6 to 9 months to get from their current state to assessment-ready, and assessor availability may be constrained. C3PAO waitlists and costs may grow as demand outpaces the supply of authorized assessors. Phase 2 of the CMMC rollout begins in November 2026, but with primes setting their own earlier requirements, the compliance window for many subcontractors is already closing.

Getting certified is also not the end of your compliance obligations. CMMC requires annual affirmations (formal statements that your organization continues to meet the required level) and your prime is responsible for ensuring you make those affirmations on schedule. Compliance has to be maintained continuously, not just demonstrated at the point of assessment. 

If your environment changes significantly after certification, whether that means adding new systems, onboarding new personnel with CUI access, or changing your cloud infrastructure, that can trigger a reassessment requirement. The Cyber AB has been working through guidance on what counts as a "significant change," but the principle is that your SSP needs to reflect your actual environment at all times, not just at the moment your C3PAO reviewed it. Organizations that treat certification as a finish line tend to find themselves scrambling before renewals.


The False Claims Act problem subcontractors often underestimate

One area that tends to get more attention at the prime level but applies equally to subcontractors is False Claims Act exposure. When you submit a NIST 800-171 score to SPRS, make a self-attestation at Level 1, or provide compliance assurances to your prime, those statements are formal representations tied to contract eligibility and payment. If a subcontractor knowingly overstates its compliance posture and that misrepresentation flows up into the prime's commitments to the government, liability can attach directly to the sub.

Fiscal year 2025 saw a record number of qui tam filings under the False Claims Act, and potential whistleblowers in the defense supply chain include current employees, former employees, competitors, and other subcontractors. Being downstream from a prime isn't a shield. Documenting your compliance work, your gap remediation, and your assessment history is the kind of record that matters if assertions are ever scrutinized.

What good oversight looks like from Primes

Primes navigating this well aren't treating subcontractor oversight as a one-time certification check. They're building processes to map which subcontractors receive CUI versus FCI, maintain current verification of SPRS scores and certification status, track annual affirmation requirements across their supplier base, and document the oversight steps taken in a format that can survive an audit or investigation.

That last point is increasingly important. Flowing a CMMC clause down into a subcontract is a legal requirement, but it doesn't constitute oversight. In an enforcement environment where the False Claims Act applies and whistleblower filings are at record levels, documented follow-up and verification carry real legal weight.

Subcontractors who make that oversight easy by maintaining current documentation, responding promptly to compliance inquiries, and proactively sharing their SPRS status are simply better supply chain partners. That matters more as primes face pressure to demonstrate they've done their due diligence before contract award.

How to find out what your Prime requires

The DoD's phased rollout schedule is just one set of deadlines. Your prime's internal requirements are often a different, earlier set. The April 2026 Cyber AB Town Hall addressed this confusion directly, noting that many subcontractors are hearing urgency from customers and assuming it reflects a new government deadline when it often reflects a business decision the prime has made independently.

The most direct way to find out where you stand is to ask. Request a meeting with your prime's supplier management or cybersecurity compliance team and ask three specific questions: 

  • What CMMC level are you requiring for our scope of work?
  • What is your internal deadline for subcontractors to demonstrate that status?
  • What documentation do you need from us to verify compliance?

Primes that are running a mature oversight process will have clear answers to all three. If the answers are vague, that's useful information too. It tells you that the prime hasn't fully built out their verification process yet, which means you likely have a short window to get ahead of it.

Getting started if you’re behind on CMMC compliance deadlines

If your organization hasn't completed a NIST 800-171 self-assessment and gotten a score into SPRS, that's the first concrete step. From there, a gap analysis against the 110 NIST 800-171 controls will tell you how far you are from Level 2 readiness and what needs to be remediated before you can schedule a C3PAO assessment. You can also use our free CMMC self-assessment tool to gauge your readiness and get specific advice on where to prioritize your efforts. 

There are two conversations worth having now. The first is with your prime, to confirm which CMMC level applies and whether CUI can be kept out of your environment. The second is with your internal team, to understand your current security posture and build a realistic timeline. Waiting until a contract renewal or a formal notice from a contracting officer means you'll be managing a certification process under real time pressure, at a point when assessor availability may be tighter than it is today.

Secureframe Defense is an end-to-end CMMC compliance platform built specifically for defense contractors and subcontractors. The platform deploys a CMMC-compliant CUI enclave in under 30 minutes, automates gap analysis against NIST 800-171, generates your SSP and POA&M from your actual environment, maintains a live SPRS score, and connects you with vetted C3PAOs for your assessment. Organizations that would otherwise spend 12 to 18 months and $100K or more preparing for a Level 2 assessment have gotten there in as little as 4 to 8 weeks. Talk to a CMMC expert to see how it works. 



Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.