📋 Complete 2026 Guide

CMMC Level 2 for Subcontractors:
The Complete 2026 Guide

Everything defense subcontractors need to know: the 110 controls, flow-down rules, cost breakdown, Phase 2 timeline, and how to find a C3PAO. Written for SMBs, not compliance lawyers.

📅 Updated April 2026 ⏱ 15 min read ✅ All facts verified with sources 📖 ~3,200 words
In This Guide
  1. What CMMC Level 2 Requires: The 110 Controls
  2. Flow-Down Requirements: When Your Prime Requires Level 2 From You
  3. Timeline: When Subcontractors Need to Be Certified
  4. Cost Breakdown: Gap Assessment, Remediation, C3PAO Assessment
  5. Step-by-Step Readiness Checklist
  6. Common Mistakes Subcontractors Make
  7. How to Find a C3PAO Assessor
  8. CUI Handling for Subcontractors
  9. Frequently Asked Questions
Quick answer: Yes, subcontractors handling CUI must achieve CMMC Level 2 — 110 NIST SP 800-171 controls, verified by a certified C3PAO. Flow-down comes from DFARS 252.204-7021. Phase 2 (C3PAO mandatory) starts November 10, 2026. Preparation takes 6–18 months. Start now.

1. What CMMC Level 2 Requires: The 110 Controls

CMMC Level 2 is built entirely on NIST Special Publication 800-171 Revision 2, which defines 110 security requirements across 14 control families. Every control is identical between the two standards — CMMC Level 2 is the verification mechanism that you actually implement them. VERIFIED: NIST SP 800-171 Rev 2 csrc.nist.gov

The 14 control families span everything from who can access your systems to how you respond to incidents. For subcontractors, the most impactful and often-missed families are Access Control (22 requirements) and System and Communications Protection (16 requirements).

Domain | Abbr | Controls | What It Covers
Access Control | AC | 22 | Who can access CUI and how access is enforced
Awareness and Training | AT | 3 | Security training for all CUI-handling staff
Audit and Accountability | AU | 9 | Logging, monitoring, and retaining audit records
Configuration Management | CM | 9 | Baseline configs, patch management, change control
Identification and Authentication | IA | 11 | User identity verification, MFA, passwords
Incident Response | IR | 3 | Breach detection, reporting, and recovery plans
Maintenance | MA | 6 | Secure system maintenance and access controls
Media Protection | MP | 9 | Protecting and sanitizing CUI-bearing media
Personnel Security | PS | 2 | Background screening and termination procedures
Physical Protection | PE | 6 | Physical access controls to CUI environments
Risk Assessment | RA | 3 | Periodic vulnerability scanning and risk reviews
Security Assessment | CA | 4 | Evaluating controls and maintaining plans
System and Communications Protection | SC | 16 | Network segmentation, encryption, boundary protection
System and Information Integrity | SI | 7 | Anti-malware, security alerts, patch remediation
📌 Key distinction: NIST SP 800-171 defines what you must do. CMMC Level 2 proves — through a third-party C3PAO assessment — that you actually do it. DFARS 252.204-7012 has required the 110 controls since 2017 via self-attestation. CMMC replaces self-attestation with verification. VERIFIED: DoD CIO dodcio.defense.gov/CMMC/About/

Conditional Certification

CMMC allows conditional certification if your assessment score is at least 80%. You then get 180 days to remediate the remaining gaps identified in your Plan of Action & Milestones (POA&M) before Final Level 2 certification. This is not a loophole — gaps must be closed within the window. VERIFIED: 32 CFR Part 170

Annual affirmations of continued compliance are required throughout your 3-year certification period. Your organization's Affirming Official must attest that controls remain implemented. VERIFIED: DFARS 252.204-7021, 32 CFR Part 170

2. Flow-Down Requirements: When Your Prime Requires Level 2 From You

Flow-down is the contractual obligation for a prime contractor to pass CMMC requirements to every subcontractor that handles FCI or CUI. DFARS 252.204-7021 requires primes to verify that subcontractors hold the appropriate CMMC level before awarding subcontracts. VERIFIED: DFARS 252.204-7021 acquisition.gov

This is not optional paperwork. Failure to properly flow down and verify subcontractor compliance can expose the prime to contract termination, withheld payments, suspension, and debarment — and they know it. As a result, primes are increasingly making CMMC compliance a hard gate for supplier qualification. VERIFIED: DFARS 252.204-7021

Which CMMC level applies to you?

CMMC doesn't assign levels by company size or revenue — it assigns them by the data sensitivity of what you receive:

If You Handle… | CMMC Level | Assessment Type
Only Federal Contract Information (FCI) — purchase orders, basic shipping | Level 1 | Annual self-assessment uploaded to SPRS
Controlled Unclassified Information (CUI) — drawings, specs, designs, technical manuals | Level 2 | C3PAO third-party assessment every 3 years + annual affirmation
CUI related to critical national security programs (high risk) | Level 3 | Government-led DIBCAC assessment
⚠️ Important: A subcontractor at a lower tier than the prime does not automatically inherit Level 2. If the prime keeps higher-sensitivity data out of your environment, you may only need Level 1. The key question: does CUI physically flow to your systems? If yes, you're Level 2. Document data flows carefully — scoping decisions can significantly reduce your compliance cost. SEEK EXPERT ADVICE

What primes are required to do

Primes are incentivized to check early and often. If a sub gets breached, contracting officers will ask why the prime trusted them. Expect supplier qualification questionnaires from large primes (Raytheon, Northrop Grumman, Lockheed Martin, L3Harris) to include CMMC certification status verification. VERIFIED: DFARS 252.204-7021

3. Timeline: When Subcontractors Need to Be Certified

The 48 CFR Final Rule took effect November 10, 2025, launching CMMC implementation. The DoD uses a four-phase rollout spanning four years. VERIFIED: 48 CFR DFARS Final Rule, Federal Register September 10, 2025

NOW ACTIVE

Phase 1 — November 10, 2025

CMMC requirements appear in new solicitations. Self-assessments required for Level 1 and select Level 2 contracts. C3PAO assessments optional but may be required for defense-sensitive CUI programs. SPRS scores must be current for contract award eligibility.

CRITICAL DEADLINE — 6 months away

Phase 2 — November 10, 2026

C3PAO assessments become mandatory for Level 2 contracts. Self-assessment alone no longer satisfies Level 2 requirements for CUI-handling contracts. With a 6–18 month preparation timeline, subcontractors who haven't started are already behind. This is the most important deadline for the majority of defense SMBs.

Phase 3 — November 10, 2027

Level 2 extends to renewals and options

CMMC Level 2 requirements extend to contract renewals and option exercises. Level 3 DIBCAC requirements activate for designated programs. Existing contract holders cannot avoid CMMC when they renew.

Phase 4 — November 10, 2028

Full implementation across all contracts

CMMC requirements apply to all applicable DoD contracts with FCI or CUI. No exemptions for legacy contracts, small businesses, or commercial item acquisitions that touch covered defense information.

🔴 Preparation reality check: The average defense SMB takes 12–18 months to reach audit-readiness from a baseline starting position. A 2024 study found only 1% of defense contractors were fully ready for CMMC deadlines. The average SPRS score across surveyed contractors was 12 out of a required 110. Phase 2 is six months away. Start immediately. VERIFIED: Breaking Defense 2024 survey, businesswire.com October 2025 study

Check the CMMC Phase 2 Deadline countdown page for a month-by-month action table and real-time countdown to November 10, 2026.

4. Cost Breakdown: Gap Assessment, Remediation, C3PAO Assessment

Total CMMC Level 2 costs vary widely based on your starting compliance posture, company size, and how much IT infrastructure needs upgrading. The table below provides realistic ranges for defense SMBs.

Cost Component | Typical Range | Data Label | Notes
Professional gap assessment | $5,000 – $25,000 | VERIFIED | Identifies control gaps and prioritizes remediation. RPOs often included. Source: modusadvanced.com, intersecinc.com
System Security Plan (SSP) development | $3,000 – $15,000 | AI-GENERATED | Documentation of all 110 controls, assessment boundary, and CUI flows. Often included in gap assessment or remediation engagement.
IT remediation (MFA, encryption, network segmentation, audit logging) | $20,000 – $60,000 | AI-GENERATED | Highly variable. SMBs with modern cloud tools spend less; organizations with legacy on-premise infrastructure spend more.
Managed security services (MDR/SIEM) — 1 year | $12,000 – $36,000 | AI-GENERATED | Many SMBs must outsource 24/7 monitoring to satisfy audit logging and incident response controls cost-effectively.
C3PAO formal Level 2 assessment | $20,000 – $50,000 | AI-GENERATED | Varies by C3PAO firm, scope, and organization size. Includes documentation review, testing, and staff interviews. Solicit quotes from 2–3 C3PAOs.
Total first-year estimate | $75,000 – $150,000 | AI-GENERATED | Industry-wide range for defense SMBs. Organizations with strong existing security posture may be below this range. Seek quotes for your environment.

Can you recover CMMC costs through contract pricing?

CMMC compliance costs may be treated as allowable overhead (OH) or general and administrative (G&A) costs in your contract pricing — similar to ISO certifications or other business expenses. This means you can potentially include certification costs in your fully burdened rates. VERIFIED: kovr.ai citing DoD guidance

Formal clarification on whether initial certification costs are explicitly "allowable" under FAR Part 31 remains pending from the DoD. SEEK EXPERT ADVICE from a DCAA-familiar pricing consultant before allocating costs.

💡 Cost reduction strategy: Scoping is your biggest lever. If you can isolate CUI-handling systems from your general business network — a process called "CUI enclave" design — you dramatically reduce the number of systems in scope for assessment. A smaller assessment boundary means lower remediation costs and faster C3PAO assessment time.

5. Step-by-Step Readiness Checklist

These seven steps are the standard CMMC Level 2 readiness path for subcontractors, in sequence. Each builds on the previous.

1. Review your contracts for CUI indicators

Look for DFARS 252.204-7012, 252.204-7021, or "Covered Defense Information" language. If present, assume CUI flows to you. Ask your prime directly if unclear. VERIFIED: DFARS 252.204-7012

2. Map your CUI — where does it live and flow?

Create a data flow diagram showing every system that stores, processes, or transmits CUI. This defines your assessment boundary and determines the scope of everything that follows.

3. Conduct a gap assessment against all 110 controls

Score yourself against NIST SP 800-171. Use a professional RPO ($5K–$25K) or structured self-assessment tools. Prioritize gaps by point weight — Access Control (22 controls) and System and Communications Protection (16 controls) have the most score impact. VERIFIED: NIST SP 800-171 Rev 2

4. Build your System Security Plan (SSP) and POA&M

Document every control — implemented, planned, or not applicable. For gaps, create a POA&M with remediation timelines and owners. Both documents are mandatory for your C3PAO assessment.

5. Remediate gaps — highest-impact controls first

Prioritize: multi-factor authentication (IA family), CUI encryption at rest and in transit (SC family), access control policies (AC family), audit logging (AU family), and incident response plan (IR family). Budget 6–18 months. VERIFIED: modusadvanced.com, elevateconsult.com on preparation timeline

6. Engage a C3PAO and schedule your assessment

Find an authorized C3PAO at cyberab.org/Catalog. Request quotes from 2–3 firms. The formal assessment takes 2–4 weeks once scheduled and includes documentation review, control testing, and staff interviews. VERIFIED: Cyber AB cyberab.org, DoD CIO dodcio.defense.gov/CMMC/

7. Submit to SPRS and maintain annual affirmations

After certification, update your SPRS record at sprs.apps.mil. Certification is valid for 3 years with annual affirmations required. Set calendar reminders — a lapsed certification makes you ineligible for new subcontract awards. VERIFIED: DFARS 252.204-7021, 32 CFR Part 170
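To make the scoring behind the gap assessment and POA&M steps (and the 80% conditional-certification threshold from section 1) concrete, here is an added Python example; it is not code from this guide or from any cited source. It assumes the published DoD Assessment Methodology point values (1, 3 or 5 per requirement, partial credit for 3.5.3 and 3.13.11) and the 32 CFR Part 170 POA&M restrictions, and the control lists in it are constructed samples.

```python
"""Constructed example (not from the guide): score a NIST SP 800-171 gap
assessment the way DoD Assessment Methodology / CMMC scoring does, rank open
gaps by point weight, and test whether they may go on a POA&M.
Assumed facts (DoD Assessment Methodology and 32 CFR Part 170, not stated on
this page): each requirement is worth 1, 3 or 5 points and the score starts
at 110; 3.5.3 (MFA) and 3.13.11 (CUI encryption) get partial credit (lose 3
of 5); a POA&M needs a score of at least 80% (88), may hold only 1-point gaps
(3.13.11 at 3 points excepted) and never the ids in NEVER_ON_POAM.
Control lists below are constructed; unlisted requirements count as met.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
MAX_SCORE = 110
POAM_MIN_RATIO = 0.8
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

@dataclass
class Requirement:
    id: str      # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int  # 1, 3 or 5 points
    status: str  # "met", "not_met", or "partial" (only for PARTIAL_CREDIT_IDS)

def deduction(req):
    """Points lost for this requirement in its current state."""
    if req.status == "met":
        return 0
    if req.status == "partial" and req.id in PARTIAL_CREDIT_IDS:
        return 3
    return req.weight

def sprs_score(reqs):
    """Score to report in SPRS: 110 minus every deduction."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)

def remediation_order(reqs):
    """Open gap ids ordered by points recovered, highest first."""
    gaps = [r for r in reqs if r.status != "met"]
    return [r.id for r in sorted(gaps, key=lambda r: (-deduction(r), r.id))]

def poam_eligible(reqs):
    """Return (eligible, reason) for deferring the open gaps to a POA&M."""
    score = sprs_score(reqs)
    if score / TOTAL_REQUIREMENTS < POAM_MIN_RATIO:
        return False, f"score {score} is below {int(MAX_SCORE * POAM_MIN_RATIO)}"
    for r in reqs:
        if r.status == "met":
            continue
        if r.id in NEVER_ON_POAM:
            return False, f"{r.id} can never be deferred to a POA&M"
        lost = deduction(r)
        if lost > 1 and not (r.id == "3.13.11" and lost == 3):
            return False, f"{r.id} is worth {lost} points; only 1-point gaps may be deferred"
    return True, f"score {score}: eligible for conditional certification"

# Constructed scenarios; the weights are the published values for these ids.
ELIGIBLE = [
    Requirement("3.1.1", 5, "met"),
    Requirement("3.1.3", 1, "not_met"),    # control CUI flow, 1 point
    Requirement("3.13.11", 5, "partial"),  # non-FIPS encryption in use: lose 3
]
BLOCKED = [
    Requirement("3.1.20", 1, "not_met"),   # 1 point, but never POA&M-able
    Requirement("3.3.1", 5, "not_met"),    # audit logging, 5 points
    Requirement("3.5.3", 5, "partial"),    # MFA for remote/privileged only: lose 3
]
LOW_SCORE = [Requirement(i, 5, "not_met")  # five 5-point gaps: 85 < 88
             for i in ("3.1.1", "3.1.2", "3.5.1", "3.5.2", "3.14.2")]
```

Run `poam_eligible(BLOCKED)` to see why a high score alone is not enough: a single never-deferrable or multi-point gap blocks conditional certification regardless of the total.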

Use the CMMC Readiness Assessment tool to get an instant gap analysis against all 14 control families and a prioritized remediation roadmap.

6. Common Mistakes Subcontractors Make

Assuming your prime covers you

Your prime's CMMC certification covers their environment only. DFARS 252.204-7021 explicitly requires subcontractors to comply at their own assigned level. "The prime is certified" is not a defense. VERIFIED: DFARS 252.204-7021

Assuming you don't handle CUI because you make physical parts

Machine shops, fabricators, and component manufacturers regularly handle CUI in the form of technical drawings, CAD files, material specifications, and tolerance documents. If your prime sent you design files, you almost certainly handle CUI. VERIFIED: strikegraph.com, modusadvanced.com on manufacturing CUI

Starting with the C3PAO before remediating gaps

C3PAO assessors identify deficiencies requiring correction before certification. If you enter the assessment with major gaps, you fail the initial assessment and pay for remediation time plus a re-assessment. Do the gap work first.

Not scoping your assessment boundary before spending money

Remediating your entire network when only a CUI-handling enclave is in scope wastes six figures. Invest in scoping first — a properly defined assessment boundary is the highest-ROI step in the whole process. SEEK EXPERT ADVICE from an RPO before you spend on IT upgrades.

Treating CMMC as a one-time project

Certification expires in 3 years and requires annual affirmations. If your controls regress between assessments, you risk failing your affirmation. CMMC is an ongoing security posture requirement, not a checkbox to close.

Waiting until Phase 2 to start preparation

Phase 2 starts November 10, 2026. Full preparation takes 6–18 months. If you start in October 2026, you're not getting certified in time. The C3PAO scheduling backlog alone can add months. Organizations that start now have a window to avoid a supply chain exclusion crisis.

7. How to Find a C3PAO Assessor

A CMMC Third-Party Assessment Organization (C3PAO) is an independent organization authorized by the Cyber Accreditation Body (Cyber AB) to perform official CMMC Level 2 assessments. Only C3PAOs that appear in the Cyber AB Marketplace are authorized to issue certifications that count. VERIFIED: Cyber AB cyberab.org, DoD CIO dodcio.defense.gov/CMMC/Assessments/

Step 1: Use the official Cyber AB Marketplace

The official directory of authorized C3PAOs is at cyberab.org/Catalog. You can filter by geographic region, industry specialization, and organization size. Only organizations listed here can provide CMMC certification that DoD accepts. VERIFIED: Cyber AB cyberab.org

Step 2: Consider also engaging an RPO first

A Registered Provider Organization (RPO) helps you prepare for the C3PAO assessment without conducting it. RPOs identify gaps, help you remediate, and optimize your SSP and POA&M. Using an RPO before your C3PAO engagement increases your first-assessment pass rate and reduces total cost. RPOs are also listed in the Cyber AB Marketplace. VERIFIED: workstreet.com, cispoint.com on RPO role

⚠️ Critical: The RPO and C3PAO must be separate organizations for objectivity. A firm that prepares you for the assessment cannot also conduct the official assessment. Be wary of any firm offering both services — the Cyber AB prohibits this for assessment objectivity. VERIFIED: workstreet.com citing Cyber AB requirements

What the C3PAO assessment involves

The formal assessment typically takes 2–4 weeks from start to completion, once all documentation is in order. Build buffer time into your project timeline for potential remediation after the initial assessment review. VERIFIED: modusadvanced.com

8. CUI Handling for Subcontractors

Controlled Unclassified Information (CUI) is information that requires safeguarding pursuant to law, regulation, or government-wide policy — but is not classified. The DoD CUI Registry (cui.archives.gov) lists every authorized CUI category. For defense subcontractors, the most common CUI types are: VERIFIED: 32 CFR Part 2002

Identifying CUI in your environment

Start with your contracts. DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") in your subcontract is the clearest indicator. If you receive files from your prime to perform your work, assume those files contain CUI until you can confirm otherwise with your contracting point of contact.

📁 CUI marking: CUI should be labeled "CUI" in the header or footer of documents. If your prime isn't marking CUI properly, that's a compliance issue on their side — but it doesn't reduce your obligation to protect information that meets the CUI definition. When in doubt, treat it as CUI. SEEK EXPERT ADVICE for specific classification questions.

Key CUI protection requirements for subcontractors

Ready to check your compliance posture?

Run a free CMMC readiness assessment — see exactly where you stand against all 14 control families and get a prioritized action plan.

Frequently Asked Questions

Do subcontractors need CMMC Level 2?
Yes — if you handle Controlled Unclassified Information (CUI). DFARS 252.204-7021 requires prime contractors to flow CMMC requirements down to subcontractors who receive FCI or CUI. The level required depends on what data you handle: Level 1 for Federal Contract Information only, Level 2 for CUI, Level 3 for critical national security CUI. Most defense subcontractors handling technical drawings, specifications, or design files will need Level 2. VERIFIED: DFARS 252.204-7021, 32 CFR Part 170
When is the Phase 2 deadline for subcontractors?
Phase 2 begins November 10, 2026. From that date, C3PAO-assessed Level 2 certification becomes mandatory for applicable contracts. Phase 1 (now active since November 10, 2025) already requires self-assessments in contracts and C3PAO assessment for defense-sensitive programs. Given a 6–18 month preparation timeline, subcontractors who haven't started are already behind schedule. VERIFIED: 32 CFR Part 170, 48 CFR DFARS Final Rule
What is the CMMC flow-down requirement?
Flow-down is the obligation for prime contractors to pass appropriate CMMC requirements to every subcontractor that receives FCI or CUI. Under DFARS 252.204-7021, primes must verify subcontractor compliance before awarding subcontracts and maintain that verification throughout contract performance. Subcontractors must also flow requirements further downstream if they hire their own lower-tier vendors who receive the data. VERIFIED: DFARS 252.204-7021, DFARS 252.204-7012
How much does CMMC Level 2 cost for a small subcontractor?
Total first-year costs for most defense SMBs range from $75,000 to $150,000, including gap assessment ($5K–$25K), IT remediation, and C3PAO assessment fees. The biggest cost variables are your starting compliance posture and your assessment boundary scope. Organizations with modern cloud environments and existing security tooling can be below this range; legacy on-premise environments are often above it. Request quotes from 2–3 C3PAOs and RPOs for your specific situation. VERIFIED: Gap assessment range from modusadvanced.com, intersecinc.com. AI-GENERATED: Total range estimate.
Can a subcontractor do a self-assessment for CMMC Level 2?
Only for non-prioritized, non-critical CUI contracts. Most Level 2 contracts require a formal third-party assessment by a C3PAO. Starting November 10, 2026 (Phase 2), C3PAO assessments are mandatory for Level 2 contracts. Self-assessment alone is not sufficient for CMMC Level 2 certification when a C3PAO assessment is required. Check your specific contract language — if it references "Level 2 (C3PAO)," a C3PAO assessment is required. VERIFIED: 32 CFR Part 170, DFARS 252.204-7021
Where do I find an authorized C3PAO?
The official directory of authorized C3PAOs is the Cyber AB Marketplace at cyberab.org/Catalog. Only organizations listed there can issue CMMC certifications recognized by DoD. Filter by region, size, and specialization. Request quotes from at least 2–3 organizations to compare scope coverage and pricing. VERIFIED: Cyber AB cyberab.org, DoD CIO dodcio.defense.gov/CMMC/Assessments/
How long does CMMC Level 2 certification last?
CMMC Level 2 certification is valid for 3 years from the date of assessment. During that period, annual affirmations of continued compliance are required from your organization's Affirming Official. Before the certification expires, you must undergo a new C3PAO assessment. A lapsed certification makes you ineligible for new contract awards under solicitations requiring Level 2. VERIFIED: 32 CFR Part 170, DFARS 252.204-7021
What happens if my subcontract gets awarded before I'm certified?
During Phase 1 (through November 9, 2026), self-assessments may satisfy some Level 2 contracts. However, after Phase 2 begins November 10, 2026, new contracts requiring C3PAO-assessed Level 2 cannot be awarded to uncertified organizations. Primes must also verify your status before subcontract award — an uncertified sub can cause a prime to lose their contract eligibility. Don't wait for your prime to flag the issue; verify your status proactively. SEEK EXPERT ADVICE for specific contract timing questions.

Sources & Verification

  1. NIST SP 800-171 Rev 2 — Protecting Controlled Unclassified Information in Nonfederal Systems. csrc.nist.gov
  2. 32 CFR Part 170 — CMMC Program Final Rule, Federal Register October 15, 2024. federalregister.gov
  3. DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements. acquisition.gov
  4. DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. acquisition.gov
  5. 48 CFR DFARS Final Rule — Effective November 10, 2025. Federal Register September 10, 2025. federalregister.gov
  6. DoD CIO CMMC — Official CMMC program page including assessment levels and C3PAO requirements. dodcio.defense.gov/CMMC/
  7. Cyber AB Marketplace — Official directory of authorized C3PAOs and RPOs. cyberab.org/Catalog
  8. 32 CFR Part 2002 — Controlled Unclassified Information (CUI) program rule. ecfr.gov

Data labels: VERIFIED = cited above. AI-GENERATED = plausible estimate, no verified public source. SEEK EXPERT ADVICE = contract-specific, consult qualified CMMC consultant or legal counsel.