DoD Subcontractors: What You Need to Know About CMMC Standards

On January 31st last year, the CMMC V1.0 was published. From that point, there’s

been more information released, informing the relevant parties about the CMMC Accreditation Body (AB).

As time passes, the direction of the CMMC becomes more transparent and concise. And the AB will continue to add details and provide stability to the ecosystem. Currently, applications for four levels of assessors and assessment organizations are being accepted.

A Sticking Point for Subcontractors

Compared to previous cybersecurity compliance programs, the CMMC framework is far more demanding for DoD suppliers.

For one, come the date of award, CMMC compliance will be required of contracts. And while NIST 800-171 and similar previous programs made self-certification “declarations” of compliance an option, that’s not the case with CMMC. Instead, prime contractors will face the rigorous demands of an array of assessors meant to enforce rigid compliance.

Here’s the issue: most prime contractors have the abundant resources for thorough due diligence on this front. While these organizations can trust themselves internally to follow the correct policies and procedures, there’s the matter of their subcontractors.

More importantly, subcontractors themselves play a pivotal role in the industry—yet they’ve been somewhat neglected in the wake of CMMC.

With that said, how can subcontractors ensure that they’re up to the challenge as CMMC standards kick into high gear?

Below, we’ll take a look at how smaller businesses and subcontractors should prepare for this monumental shift. But it also applies to prime contractors wanting to ensure their external partners are up to standards.

Questions Subcontractors Must Ask Themselves:

Some experts suggest that prime contractors should give their subcontractors a questionnaire. However, we recommend that subcontractors ask themselves the questions below to suss out where they stand with the CMMC:

1. Have you performed a stringent assessment on where your company stands with CMMC compliance?

2. Provided you’ve answered ‘yes’ to the above question, what level of CMMC are you compliant with?

3. Has your company undergone a third-party CMMC assessment or readiness?

4. Provided you’ve answered ‘yes’ to the above question, at what level did the third-party assessor rate your compliance?

5. What is your goal for CMMC compliance? At which level do you wish to be certified?

6. Do you have a target date for obtaining your CMMC certification at your desired level? If so, what is that date?

7. Which CMMC requirements aren’t feasible for your company? (Check out: CMMC Guide: Breaking Out Required CMMC Controls by Level)

8. Do you have any lingering compliance issues to solve regarding NIST SP 800-171 requirements?

9. Do you fully grasp what’s seen as Controlled Unclassified Information (CUI)?

10. Are you entirely aware of where your CUI is stored, processed, or transmitted right now, if relevant?

11. How informed and updated are you about CMMC regulations?

Any subcontractors reading this blog should benefit from asking themselves these questions.

Moreover, prime contractors will want to ask these questions to themselves – and their partners – to ensure everyone is on point.

Subcontractors Now Find Themselves Facing Scrutiny

The world for defense subcontractors used to look a lot different. Namely, previous RFPs allowed these individuals or small businesses to fly under the radar. It’s because subcontractors had no direct government contracts. Nor did they respond directly to RFPs

Prime contractors didn’t even necessarily need to request the System Security Plans from all their suppliers. Beyond that, they often overlooked NIST SP 800-171. While the contract flow-down clause should have discouraged such oversights, it’s taken the CMMC standards to kick things into high gear.

Combining both the CMMC framework and contract flow-down clause means that subcontractors should expect much more scrutiny.

Subcontractors Must Know Their Role

Subcontractors need to know how the CMMC framework applies to them compared to their prime contracting counterparts.

For one, subcontractors who are not planning to be compliant then an alternative would be to have access to the Prime contractor’s CMMC compliant environment. It’s worth noting that subcontractors can’t rely on prime contractors for their support or to cater to non-compliance, which is a massive business risk for all parties.

The above notion might be what ends up costing less prepared subcontractors down the line. Prime contractors will begin doling out surveys – and assessments – to figure out which of their partners are most compliant. Shoring up subcontractors will reduce supply chain risk.

Subcontractors also need to know that the CMMC can’t be retroactively applied to an RFP. Thus, individual defense suppliers will be affected at different times by the CMMC requirements. It all depends on when contracts expire, renew, or are re-negotiated.

Preparing for Grey Areas

This section – like much of this post – discusses an issue that impacts prime contractors and subcontractors.

Ambiguities and grey areas have always existed in compliance programs—the CMMC will be the same. It’s integral to define and hone strategies that manage the interpretational clashes by suppliers and assessors over compliance requirements (one of the main reasons CMMC RPO’s are important).

Subcontractors can work themselves in favor of their prime contractors by addressing this issue. And prime contractors can perform their own due diligence on this front and assess whether their subcontractors are up to standards. (Click here for a self-assessment)

Keeping Your Ears to the Ground

While information about the CMMC is becoming more abundant as the whole framework takes form, it’s still in its infancy. (Sign up for our newsletter to get the latest updates on CMMC)

Proactivity will be a must as the standards evolve and tweaks are made. You currently can download a CMMC Assessment Guide that will teach you the ins and outs of CMMC processes, detailing what assessors will prioritize with documentation or artifacts. Staying on top of this information could be pivotal with regards to assessor training.

  • CMMC Level 2 Assessment Guideline


  • CMMC Level 3 Assessment Guideline


The Dawn of the CMMC Marketplace

Currently, there’s an online platform/website where registered assessors, assessment companies, registered practitioners, and providers are made available to those who need help

Here’s the link to visit the CMMC-AB Marketplace:

Subcontractors Need to Prepare for the CMMC

Right now, the CMMC might not seem like the imminent reality that it already is. However, those who are on the cutting room floor will be fully prepared for the near future. The more involved and informed subcontractors are with CMMC standards and frameworks, the more appealing they’ll be to prime contractors.

On a parting note for any prime contractors reading this blog, start communicating with your subcontractors about the CMMC ASAP to help ensure everyone is ready.

Need CMMC Advice to get you started? As Registered Practicing Organization with the CMMC-AB, we are currently helping DoD focused firms prepare for their certification. Reach out to learn more about our cybersecurity services.

author avatar
Ali Allage CEO
A visionary leader in cybersecurity, with expertise that encompasses a deep understanding of the latest cybersecurity trends, technologies, and best practices, making a significant impact on enhancing organizational security postures in the digital age.