Are Your Subcontractors CMMC Compliant?
If your organization is a DoD prime contractor, ensuring your subcontractors meet CMMC compliance requirements will soon be mandatory. With the Cybersecurity Maturity Model Certification (CMMC) becoming a requirement in mid-2025, primes must be compliant upon contract award. And so must every sub handling Controlled Unclassified Information (CUI) in their supply chain.
Here’s the challenge: contracts between primes and subs are private, with no direct government oversight. That means it’s up to you to define what constitutes acceptable proof that your subcontractors are preparing for compliance.
How can you ensure your subcontractors are ready? The easiest option is to require them to undergo and pass a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). These assessments will be available next month (December 2024). But chances are they are not ready. So…
Practical Steps for Evaluating and Ensuring Sub Compliance:
Include Flow-Down Clauses in Contracts: Incorporate compliance requirements directly into contracts with subs to enforce alignment with your expectations. DFARS 7012 should already be in contracts with subcontractors handling CUI. Now is the time to add CMMC assessment requirements as well.
Request SPRS Score: Send a letter to subcontractors requesting that they calculate and report their Supplier Performance Risk System (SPRS) score. Give them a deadline for reporting—four to six weeks is reasonable.
Review Their SSP: To reduce the burden on subs, consider requesting a copy of their System Security Plan (SSP) instead of their SPRS score. A compliance consultant can review an SSP and quickly provide a rough estimate of how far along the organization is in the compliance process. If the sub cannot produce an SSP, it is safe to assume they have not started, and it can take a year or more for them to be ready for a formal CMMC assessment.
Set Compliance Timelines: Establish clear timelines for subs to achieve full compliance (e.g., within 90 days of signing the contract). Ask subs to provide a Plan of Action and Milestones (POA&M) detailing the steps and schedule they intend to follow to achieve compliance.
Don’t Forget Your Vendors
Don’t forget that vendors for services and products like cloud storage, software, and even document disposal companies are also subcontractors. If your organization passes Controlled Unclassified Information (CUI) to them, they will be required to be CMMC compliant. It’s your job to ensure they meet these requirements—and that their vendors do, too.
Why This Matters
Your subcontractors’ readiness directly affects your ability to win and retain contracts with the DoD. By proactively managing compliance across your supply chain, you strengthen not only your business but also the broader defense ecosystem. Ultimately, primes have to evaluate whether each subcontractor is likely to continue being a viable business partner.