
What Primes Need to Know to Mitigate Supply Chain Risk


Executive Brief

Supply chain risk is one of the least understood and most urgent challenges in Cybersecurity Maturity Model Certification (CMMC) compliance today.

  • The Department of Defense (DoD), also styled the Department of War, estimates that approximately 118,000 contractors will require CMMC Level 2
  • Roughly 1,000 firms have achieved it, and some Certified Third-Party Assessment Organizations (C3PAOs) are already booked out nine to twelve months
  • Nearly half of subcontractors have already received CMMC flow-down requests from primes, according to Redspin's 2025 DIB readiness report
  • Contract language requiring Level 2 is already appearing in solicitations and flowing down to subcontractors
  • Replacing a non-compliant supplier can take 18 months or more

Dig deeper below to learn more.


The Awareness Gap Is Bigger Than Most Primes Realize

Supply chain is the part of CMMC that is not getting the attention it deserves.

Firms closer to the Washington D.C. beltway are generally moving. Those farther out, and those outside the cleared facility space, often have little idea what is expected of them.

The data backs this up. According to Redspin's 2025 DIB readiness report, nearly half of subcontractors surveyed had already received a CMMC flow-down request from a prime, meaning enforcement pressure is arriving well ahead of the formal rollout schedule.

ISI Chief Executive Officer David Lawrence has seen the same pattern firsthand, noting that "even the ones that are saying they're moving towards Level 2 probably aren't. One company didn't even know what DFARS was. Others said they had an SPRS score but didn't know how to submit it."

The problem compounds as you move deeper into a supply chain. By tier three, four, and five, awareness drops sharply. For many of these firms, DoD work is a small fraction of revenue, making CMMC feel low priority until a contract is suddenly at risk.

Contract Language Is Already Here

Two trends are emerging in recent solicitations:

  • Delivery risk: Supply chain readiness is becoming a delivery risk. Primes face delays in subcontract awards and project execution when subcontractors are not prepared for Level 2 requirements
  • Flow-down requirements: Solicitations are explicitly requiring primes to ensure that subcontractors handling Controlled Unclassified Information (CUI) are Level 2 certified by the time of the subcontract award

As cyber-attacks become more sophisticated and historic levels of defense spending approach, government agencies are requiring primes to implement more holistic and rigorous supply chain risk management strategies.

Lawrence is clear that "contracts that are up for recompete are going to require CMMC," and that primes need to ensure their supply chain is getting to Level 2.

What Primes Need to Do Now

The firms that move early will have a real edge. Lawrence puts it plainly, saying "the firms that get their supply chain ahead of this are going to have a massive competitive advantage when bidding on new contracts."

  • Audit CUI flow-down: Determine which suppliers genuinely need to handle CUI. One prime reduced its CUI-handling supplier list from 1,000 to 300 through careful review
  • Review recompete timelines: Identify contracts with CMMC language and map when subcontractor certification is required
  • Start supplier conversations now: Notifications alone are not enough. Critical and sole-source suppliers need active outreach and support
  • Expand vendor pools: Build backup options for irreplaceable suppliers before a compliance gap forces a crisis decision
  • Update subcontract agreements: Add representations around CMMC status, notification requirements for key personnel changes, and indemnification tied to non-compliance

What Subcontractors Need to Do

Subcontractors face the same urgency with fewer resources. Start by:

  • Understand your actual CUI exposure before assuming Level 2 applies in full
  • Assess how central DoD work is to your business and what your real timeline looks like
  • Decide whether compliance is best handled in-house, through a specialist Managed Service Provider (MSP), or under the prime's technology infrastructure
  • Set a target assessment date and work backwards

On choosing an MSP, Lawrence advises asking whether they have taken anyone through a Level 2 assessment and whether they are Level 2 themselves, adding that "if the answer to either of those is no, they're probably not the right fit."

For smaller firms, a CUI enclave approach, where a limited group of personnel operate in a compliant environment using FedRAMP-authorized tools, can reduce scope and cost significantly. Some firms start with three to five people in an enclave, win work, and expand from there.


FAQs

Does CMMC apply to my subcontractors?

If CUI flows down to them, Level 2 requirements flow down as well. Primes are responsible for ensuring the suppliers in their supply chain are CMMC compliant before awarding them subcontracts.

How do I know if my supply chain is at risk?

Map which suppliers receive or handle CUI. Then assess whether they have a current SPRS score, any CMMC certification, and a credible path toward Level 2. Most contractors have never done this systematically.
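The mapping and assessment described in this answer, and the CUI flow-down audit and recompete-timeline review listed under "What Primes Need to Do Now," can be run as a repeatable triage rather than a one-off spreadsheet exercise. The following is an added example written for this page, not code from ISI or from the original article. It uses constructed supplier records, assumes the subcontract award date is the deadline by which Level 2 must be in hand, takes the upper bound of the page's nine-to-twelve-month C3PAO backlog as the planning lead time, and uses severity tiers (critical, high, medium, low, out of scope) that are this example's own convention.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Planning assumptions taken from the page: some C3PAOs are booked out
# nine to twelve months (upper bound used here), and replacing a
# non-compliant supplier can take 18 months or more.
C3PAO_LEAD_TIME_MONTHS = 12
REPLACEMENT_LEAD_MONTHS = 18

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "out_of_scope": 4}


@dataclass
class Supplier:
    name: str
    handles_cui: bool                    # result of the CUI flow-down audit
    sprs_score: Optional[int]            # None means no score was ever submitted
    cmmc_level2_certified: bool
    sole_source: bool                    # no backup vendor identified
    subcontract_award: date              # date Level 2 must be in hand (assumption)
    assessment_scheduled: Optional[date] = None  # booked C3PAO date, if any


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (negative if end is earlier)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def triage(s: Supplier, today: date) -> Tuple[str, str]:
    """Classify one supplier and explain the classification."""
    if not s.handles_cui:
        return "out_of_scope", "does not receive or handle CUI; Level 2 does not flow down"
    if s.cmmc_level2_certified:
        return "low", "Level 2 certified"

    # Not certified: an SPRS score shows some engagement with NIST SP 800-171;
    # no score at all suggests the supplier has not started.
    if s.sprs_score is None:
        risk, base = "high", "no SPRS score on record"
    else:
        risk, base = "medium", f"SPRS score {s.sprs_score}, not yet certified"

    runway = months_between(today, s.subcontract_award)
    if s.assessment_scheduled is not None and s.assessment_scheduled <= s.subcontract_award:
        reason = f"{base}; assessment booked {s.assessment_scheduled} before award"
    elif runway < C3PAO_LEAD_TIME_MONTHS:
        risk = "high"
        reason = f"{base}; {runway} months to award is less than the {C3PAO_LEAD_TIME_MONTHS}-month C3PAO lead time"
    else:
        reason = f"{base}; {runway} months of runway, no assessment booked"

    # A sole-source supplier that is unlikely to certify in time cannot be
    # swapped out quickly, so it goes to the top of the outreach list.
    if s.sole_source and risk == "high":
        risk = "critical"
        reason += f"; sole source, replacement takes ~{REPLACEMENT_LEAD_MONTHS} months"
    return risk, reason


def rank_suppliers(suppliers: List[Supplier], today: date) -> List[Tuple[str, str, str]]:
    """Return (name, risk, reason) sorted most urgent first."""
    rows = [(s.name, *triage(s, today)) for s in suppliers]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[1]], r[0]))


# Constructed sample data; these are not real suppliers.
TODAY = date(2025, 10, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Acme Machining", True, 88, False, True, date(2026, 4, 1)),
    Supplier("Beta Coatings", False, None, False, False, date(2026, 4, 1)),
    Supplier("Gamma Electronics", True, None, False, False, date(2027, 6, 1)),
    Supplier("Delta Software", True, 110, True, False, date(2026, 2, 1)),
    Supplier("Epsilon Harness", True, 95, False, True, date(2026, 3, 1), date(2026, 1, 15)),
]

if __name__ == "__main__":
    for name, risk, reason in rank_suppliers(SAMPLE_SUPPLIERS, TODAY):
        print(f"{risk:13} {name:20} {reason}")
```

Run against a real supplier inventory, the output is the outreach list: "critical" rows are the sole-source suppliers that need direct support and a backup-vendor search started now, "high" rows need a booked assessment date or a scoping decision (such as moving them into a prime-provided enclave), and "out_of_scope" rows are the candidates for removal from the CUI-handling list, the same pruning the article describes one prime doing from 1,000 suppliers down to 300.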

What if a critical supplier won't pursue CMMC?

Start identifying backup suppliers now. For irreplaceable vendors, direct support and introductions to compliance resources may be the only path to keeping that relationship.

Can a subcontractor operate under a prime's CMMC certification?

In some cases, yes. If a small subcontractor uses a prime-provided device or enclave to handle CUI, they may not need independent certification. This requires careful scoping and agreement with the prime.

