EXECUTIVE BRIEF
With the CMMC contractual requirement rule (48 CFR) aiming to be finalized later this year, it is imperative for defense contractors to understand what will be required of them. Here is what you need to know:
Dig deeper and continue learning below!
Unlike prime contractors, subcontractors do not work directly with the U.S. Department of Defense (DoD) but instead work for other contractors. However, this does not exempt them from Cybersecurity Maturity Model Certification (CMMC) requirements, particularly if they handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Subcontractors may face even more scrutiny and pressure to achieve compliance and retain their contract award position.
This guide is designed specifically for subcontractors, breaking down the essential aspects of the CMMC program—its levels, the specific requirements subcontractors must meet, the implementation timeline, and practical steps to ensure you’re well-prepared to meet cybersecurity standards.
CMMC 2.0 simplifies the framework to three levels, aligning cybersecurity requirements with the sensitivity of the information involved. Here's how each level of CMMC applies to subcontractors.
CMMC Level 1 is foundational and applies to subcontractors handling FCI. It focuses on basic cyber hygiene through 17 practices drawn from Federal Acquisition Regulation (FAR) 52.204-21.
Who Needs It: Level 1 is for subcontractors without direct access to CUI.
Key Practices:
Assessment Requirements: Level 1 requires annual self-assessment. This required CMMC level is relatively straightforward and cost-effective, suiting small subcontractors.
CMMC Level 2 covers contractors and subcontractors handling CUI—sensitive information that is unclassified and requires basic safeguarding due to contractual obligations.
Who Needs It: Level 2 is for subcontractors who are managing or contractually required to manage CUI, even if they aren’t actively handling it. Most subcontractors in the DIB fall here, even without realizing it. You’re required to attain Level 2 even if your contract only stipulates that you should be able to handle CUI, regardless of whether you’re doing so.
Key Requirements:
Assessment Options:
CMMC Level 3 applies to national-security-critical contracts that require protection against Advanced Persistent Threats (APTs). This level is relevant primarily to prime DoD contractors.
Key Requirements:
Assessment: A DoD-led assessment is required through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
CMMC security requirements apply to prime contractors and their entire supply chain. Prime contractors are responsible for ensuring their subcontractors comply through DFARS clauses (most commonly DFARS 252.204-7012). Compliance cannot be bypassed if CUI is involved anywhere in the chain. Primes will expect subcontractors to meet applicable CMMC levels as part of the contract.
If you’re a subcontractor, you might already be subject to CMMC requirements without realizing it. Defense contracts often include boilerplate language that flows down compliance terms. Here's why this matters.
DFARS Mandates:
Verification by Primes:
We keep a running record of what Lockheed, Boeing, and other major primes are publicly telling their supply chains, refreshed whenever new guidance appears.
Track your prime's published CMMC guidance
The DoD structured CMMC enforcement in three phases to help manage readiness and capacity:
Phase I — November 2025: CMMC Level 1 and Level 2 (Self) requirements begin appearing in select solicitations. Contractors must self-assess, document, and report compliance in SPRS before award.
Phase II — As of July 13, 2026, the Department of War (DoW) has suspended all pending and future implementation milestones in the CMMC 2.0 phased implementation plan. In short, CMMC Level 1 (Self) and Level 2 (Self) certifications are the only maturity levels contracting officers can use during this interim period. Additionally, the DoW is conducting a review of the program and will be gathering feedback on how to improve CMMC for small- and mid-sized businesses going forward. Little is known today on the future state of third-party assessments, but your current DFARS 7012 and NIST 800-171 Rev 2 obligations remain in effect.
August 14, 2026: Industry responses to the Request for Information (RFI) are due. This is the only fixed deadline during the interim period
Mid-September 2026 (estimated): The CMMC Reform Task Force reports its findings to War Department CIO Davies
November 10, 2026: No longer the milestone date for Phase II of the CMMC rollout.
Our CMMC Prime Tracker page has the most up-to-date guidance on what RTX, Boeing, and other major primes are telling their supply chains about enforcement expectations.
Track your prime's published CMMC guidance
Small and mid-sized subcontractors face specific hurdles when trying to achieve CMMC compliance.
Fortunately, solutions like partnering with experts such as ISI are available to help lighten the load.
Preparation is critical to passing a CMMC assessment. Follow these steps to set your subcontracting business up for success.
For subcontractors navigating the complexities of CMMC compliance, working with an experienced partner like ISI can make all the difference. Why choose ISI?
Take the weight of compliance off your shoulders. Schedule a discovery call today with one of ISI’s trusted advisors.
Any subcontractor or contractor working in the DIB and handling FCI or CUI must achieve CMMC compliance at the required level outlined in their contracts.
CMMC Level 3 primarily applies to prime contractors and a select few subcontractors dealing with sensitive national security information. However, a prerequisite to Level 3 compliance is achieving a Level 2 certification.
For Level 1, subcontractors must submit self-assessment scores to SPRS or provide proof of CMMC certification. For Level 2, prime contractors will require a Level 2 (C3PAO) Certificate of Status as a prerequisite for subcontractors to work on their contracts.