If you are reading this, you are probably a subcontractor in the Defense Industrial Base (DIB), and there is a good chance your prime contractor has dropped a bombshell: you need to be compliant with CMMC. Maybe they asked for your System Security Plan (SSP). Maybe they requested your Supplier Performance Risk System (SPRS) score. Maybe they simply said, “No CMMC, no contract.”
Yep, they aren’t bluffing. Primes are legally obligated to enforce cybersecurity requirements down their supply chain. If you want to keep your contracts, you need to understand why they are suddenly all over you about it, what has changed with the law, and what you must do next.
This is your survival guide. This is for the companies that actually build, ship, and service the defense sector every day.

The Wake-Up Call — Why Your Prime Contractor Suddenly Cares So Much
CMMC Is Now the Law
For years, contractors heard about CMMC as if it were some far-off future program. Between draft rules and pilot assessments, for a while it did feel like a moving target. That changed on September 10, 2025, when the Department of Defense published the Final Rule in Title 48 of the Code of Federal Regulations (CFR). This was the missing link that tied the policy rule (32 CFR Part 170) directly to contracts.
The new rules make CMMC a condition of award. Starting November 10, 2025, contracting officers will begin inserting CMMC requirements into solicitations. By November 2028, every applicable DoD contract will require it.
Two DFARS clauses are now the backbone of enforcement:
DFARS 252.204-7025 — The Pre-Award Provision
Think of this as the checkpoint. Contracting officers use it to screen out non-compliant bidders before awards are made.
- Specifies Required Level: The clause spells out exactly which CMMC level is required for that solicitation (Level 1 Self, Level 2 Self, Level 2 Certification, or Level 3 DIBCAC).
- Condition of Award: If you do not have a current CMMC status in SPRS and an annual affirmation on file, you are ineligible. No exceptions.
- UID Requirement: You must provide your CMMC Unique Identifier (UID) for each in-scope system. Contracting officers verify these UIDs against SPRS before award.
- Conditional Status: For Levels 2 and 3, a “Conditional” status with a valid POA&M may still get you an award, but you must close every item within 180 days. Fail to close them and you lose your status.
DFARS 252.204-7021 — The Post-Award Contract Clause
Once awarded, the obligations never stop.

- Maintain Status: You must keep your certification current for the entire contract term, including option years and extensions.
- Annual Affirmations: An affirming official must submit compliance affirmations in SPRS annually for each UID.
- UID Updates: If new systems are brought into scope, you must generate new UIDs in SPRS and provide them to the contracting officer.
- Mandatory Flow-Down: Primes must insert this clause into all subcontracts involving FCI or CUI. Subcontractors cannot escape it.
The rollout is phased: selective inclusion in solicitations between 2025 and 2028, then universal enforcement after November 10, 2028. The only permanent exemption is for COTS-only contracts.
Mandatory Flow-Down

The government does not contract directly with you. That “lack of privity” means the DoD cannot enforce CMMC against you directly. Instead, it enforces against your prime, and your prime enforces against you.
Primes are on the hook if they send Controlled Unclassified Information (CUI) to a non-compliant sub. If you fail, they fail. The risk is real. They face contract termination, bad SPRS scores, and False Claims Act exposure.
So when your prime demands proof of your compliance, they are protecting their own business and making sure they do not get dragged into liability because of you.
The False Claims Act – Why You Can’t Fake It
The False Claims Act (FCA) is the government’s favorite tool for punishing misrepresentation. If you inflate your SPRS score or claim compliance without evidence, you are exposed, even as a subcontractor.
Penalties are nothing to laugh at. Companies found in violation can owe triple damages and civil fines. On top of that, whistleblowers, whether they are employees, primes, or competitors, can file suits and earn a percentage of the recovery. Suspension, debarment, and reputational damage can follow, leaving you cut off from federal work entirely.
This is not theory. An aerospace supplier paid $9 million after falsely claiming compliance while storing CUI in unsecured systems. A healthcare contractor was fined more than $1 million for failing to secure sensitive data they had sworn was protected. A university conducting research faced millions in penalties for saying one thing on paper while leaving critical data exposed.
Do not attempt to pull one over on the government. A low but accurate SPRS score is safer than a high one you cannot back up.
Potential Penalties

- Treble (Triple) Damages
You could owe three times the government’s damages.
- Civil Fines Per Violation
Each false claim/statement can carry a penalty of $14,000–$28,000+ per instance.
- Whistleblower Risk
Employees, primes, or competitors can file qui tam suits. Whistleblowers may earn 15–30% of the government’s recovery.
- Debarment / Loss of Contracts
Subs found to have lied about cybersecurity can be suspended or barred from federal work, and primes may cut ties.
- Reputational Damage
False reporting erodes trust with primes and the DoD, making it harder to win future work.
The Subcontractor’s Survival Plan
So what do you actually do? First, get help from someone who knows what they are doing, preferably a consultant who has been through assessments (LCCA, CCA), a C3PAO, or an MSP that is certified. Then confirm your level and scope.
If you handle only Federal Contract Information (FCI), you fall under CMMC Level 1. That means 17 practices and a self-assessment. If you handle CUI, you need Level 2, which requires implementing all 110 practices in NIST SP 800-171 and usually means a third-party certification from a C3PAO. Level 3 is reserved for the small percentage of contractors that handle the most sensitive programs such as hypersonics or advanced weapons.
Once you know your level, scope tightly. Limit where CUI lives in your environment. Using a FedRAMP Moderate cloud like Microsoft GCC High or AWS GovCloud can save you months of work.
Next, run a gap analysis. Compare your current environment against NIST SP 800-171 and document what you have, what you lack, and what needs fixing. This becomes the foundation for your System Security Plan and your Plan of Action and Milestones. Without it, you are flying blind.
With your gaps identified, build your documentation. The SSP is the story of how you meet each control, often stretching beyond 100 pages. The POA&M is the action plan for what you do not yet meet. Together, they form the evidence that supports your SPRS score.
Submitting your SPRS score is required. If you are not in the system, you will not even be considered. That score must be accurate, current, and defensible. Many primes now require a screenshot of your SPRS status before they award you any work.
From there, begin closing gaps and preparing for assessment. Implement the basics like MFA, encryption, logging, and security training. Write policies that reflect how you actually operate. Conduct a pre-assessment to catch weaknesses before your C3PAO does. Finally, book your C3PAO early. Waiting too long could mean losing your place in line and losing contracts along with it.
Do Not Get Burned by Your Vendors
One of the most common mistakes subs make is assuming their MSP, CSP, or ESP has compliance handled. If they touch CUI, they are part of your scope. Even if they “do everything,” you cannot outsource accountability. If they fail, you fail.
Cloud Service Providers must meet FedRAMP Moderate or equivalent. Using commercial Microsoft 365 or AWS tenants is not enough. MSPs and MSSPs do not need their own CMMC certification, but if they access or store your CUI, their environment becomes your responsibility. External Service Providers must provide a Customer Responsibility Matrix to outline which tasks are on them and which are on you.
This is where many subs get burned. You must require proof from your providers. Ask for their SSP, POA&M, and FedRAMP documentation. Put security terms into their contracts. Tie payments to evidence, not promises. A provider that refuses to sign on to your security requirements is a red flag you cannot ignore.
If your provider fails, you fail. Believe me, I have seen it with my own eyeballs, firsthand.

CSPs
- Must meet FedRAMP Moderate or equivalent.
- Commercial Microsoft 365 or AWS is not enough; GCC High or GovCloud may be required.
- Always confirm in the FedRAMP Marketplace.
MSPs/MSSPs
- Do not need their own CMMC certification by default.
- If they access or store your CUI, their environment becomes your responsibility.
- Strongly consider using a certified MSP to reduce risk.
ESPs
- Must provide a Customer Responsibility Matrix (CRM) outlining shared security tasks.
- Any ESP with admin rights, log access, or visibility into your systems is in-scope and must be documented in your SSP and CRM.
Scoping Guidance
- Security Protection Assets (SPAs) and Contractor Risk Managed Assets (CRMAs) are always in scope if they can provide access to CUI.
- Per DFARS 252.204-7012, providers with admin rights or logs containing sensitive data are considered in-scope external systems and must be secured at the same level as CUI.
- Even if a provider isn’t intentionally handling CUI, logs with usernames, passwords, or tokens are “CUI-adjacent” and must be encrypted, access-controlled, and properly managed.
Verification Steps
- Add flow-down clauses to provider contracts.
- Request their SSP, POA&M, and FedRAMP status.
- Require evidence, not promises (certifications, access records, encryption documentation).
- Tie payments to compliance deliverables.
If a provider is not certified, you must demonstrate risk reduction through measures like log scrubbing, credential hashing, or limiting provider access via jump boxes or privileged access management.
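One way to make the log-scrubbing and credential-hashing measures above concrete, as an added example that is not from the original post: a small Python scrubber that redacts password and token values and replaces usernames with a keyed pseudonym before logs are handed to an uncertified provider, then fails closed if any secret survived. The regex patterns, the sample log lines and the key are constructed assumptions, not anything from a real system.

```python
import hashlib
import hmac
import re

# Constructed sample lines of the kind a provider might collect from your systems.
SAMPLE_LOGS = [
    "2025-11-10T08:01:22Z sshd[412]: Accepted password for jdoe from 10.0.0.5 port 51522",
    "2025-11-10T08:01:40Z app: login user=jdoe password=Hunter2! result=ok",
    "2025-11-10T08:02:03Z api: GET /files Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2025-11-10T08:02:30Z app: token=ghp_1234567890abcdef refreshed for user=asmith",
]
# Assumption: this key lives in your secrets store and is never logged or shared with the provider.
PSEUDONYM_KEY = b"replace-with-a-random-key-from-your-secrets-store"

# Secret values are removed outright; the named group "value" is what must never reach the provider.
SECRET_RULES = [
    (re.compile(r"(?i)\b(?P<key>password|passwd|pwd|token|secret|api_key)=(?P<value>\S+)"),
     r"\g<key>=[REDACTED]"),
    (re.compile(r"(?i)\bBearer\s+(?P<value>\S+)"), "Bearer [REDACTED]"),
]
# Usernames become a keyed hash so the provider can still correlate one account's activity
# across lines without learning who the account belongs to.
USER_RULE = re.compile(r"(?i)\b(?P<prefix>user=|password for )(?P<name>\S+)")


def pseudonym(username: str) -> str:
    """Stable keyed pseudonym; HMAC (not a bare hash) so names cannot be brute-forced offline."""
    digest = hmac.new(PSEUDONYM_KEY, username.lower().encode(), hashlib.sha256).hexdigest()
    return f"user-{digest[:12]}"


def find_secrets(line: str) -> list:
    """Plaintext secret values in a line, used to verify that scrubbing actually worked."""
    return [m.group("value") for pat, _ in SECRET_RULES for m in pat.finditer(line)]


def scrub_line(line: str) -> str:
    for pat, repl in SECRET_RULES:
        line = pat.sub(repl, line)
    return USER_RULE.sub(lambda m: m.group("prefix") + pseudonym(m.group("name")), line)


def scrub_logs(lines: list) -> list:
    """Scrub every line and fail closed if any original secret value survived."""
    scrubbed = []
    for original in lines:
        clean = scrub_line(original)
        for value in find_secrets(original):
            if value in clean:
                raise RuntimeError("secret leaked through scrubbing; do not ship this log")
        scrubbed.append(clean)
    return scrubbed
```

Keep the scrubbed output, the pattern list and the scrubbing run record as evidence for your SSP and CRM; the provider gets only the scrubbed lines.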
Timeline and Costs: The Harsh Reality

CMMC readiness is not something you can pull off in a month. Most subs need nine to twelve months to scope, remediate, document, and prepare for an assessment. If you are already strong on NIST 800-171, you may move faster. If you are starting from nothing, expect it to take longer.
The costs vary, but you should expect to spend a good bit on gap analysis, policy and SSP support, remediation tools, assessment fees, and ongoing annual costs. A small company that scopes tightly and moves CUI to a secure cloud can keep costs on the lower end. A large or complex environment will land higher.
The point is that if you wait until a solicitation drops, you are already too late.
The Department of Defense is tightening supply chain security, primes are legally required to enforce it, and subcontractors who ignore it will be cut out.
You can survive this, but only if you act now. Confirm your level. Scope smart. Document everything. Score honestly. Verify your vendors. Perform a Mock Assessment. Book your C3PAO.
The subcontractors who are certified will not just survive. They will be the ones their primes want to call first.
Shameless Plug – Get in touch with us! We can help!