Defense Subcontractor Requirements: Flowdown, CMMC & CUI Compliance

Defense subcontractors carry the same legal obligations as primes — DFARS flowdown clauses, CMMC certification, CUI handling requirements — but most find out after they've already accepted work. Here's what every sub needs to know.

📅 Updated May 2026 ⏱ 14 min read ⚖️ DFARS + CMMC coverage

Why Defense Subcontractors Are Exposed

The defense industrial base has a compliance blind spot: most of the cybersecurity and regulatory burden flows from DoD to prime contractors — but the actual work, including handling the most sensitive technical data, often happens at the sub level. [AI-GENERATED] context

The gap is widening. As CMMC requirements phase into prime contracts through 2026, primes are under legal obligation to ensure their subcontractors comply. Many are just now auditing their supply chains. Subcontractors who aren't ready are being replaced.

⚠️ "I'm just a sub" is not a defense. DFARS 252.204-7012 explicitly requires primes to flow these requirements to all subcontractors handling Covered Defense Information at every tier. Your legal obligation exists the moment CUI touches your systems — regardless of which tier you're at. [VERIFIED] DFARS 252.204-7012(m)
DFARS Flowdown Requirements

DFARS (Defense Federal Acquisition Regulation Supplement) clauses are requirements written into prime contracts that must be passed down — "flowed down" — to subcontractors. Some clauses are mandatory flow-downs; others are at prime discretion. For cybersecurity, the mandatory ones create direct subcontractor obligations. [VERIFIED] DFARS Part 244, DFARS 252.204-7012(m)

DoD → Prime
    Source of obligation: DFARS clauses are written into the prime contract at award. The prime's contracting officer ensures inclusion per the solicitation requirements.
Prime → First-Tier Sub
    Required flowdown via subcontract: The prime must include the cybersecurity DFARS clauses in every subcontract where the sub will handle CUI or perform work on covered systems.
Sub → Lower Tiers
    Continues through all tiers: The obligation flows down to every tier where CUI is handled. A third-tier sub handling export-controlled drawings has the same DFARS obligations as the prime.

Key DFARS Clauses That Flow to Subcontractors

252.204-7012
  • Requires: Safeguard CUI; report cyber incidents to DoD within 72 hours; provide malware to the government on request; maintain a System Security Plan (SSP)
  • Applies when: You handle Covered Defense Information (CDI) or operate systems touching DoD networks
252.204-7019
  • Requires: Maintain a current SPRS score in PIEE; conduct an annual NIST SP 800-171 self-assessment
  • Applies when: Any subcontract involving CUI where 7012 flows
252.204-7020
  • Requires: Allow DoD to conduct assessments of your covered systems; provide access and documentation on request
  • Applies when: Same scope as 7019; establishes government audit rights
252.204-7021
  • Requires: Obtain CMMC certification at the level specified; maintain certification throughout contract performance
  • Applies when: Contracts with CMMC requirements phasing in 2025–2026; flows to subs handling CUI
252.204-7008
  • Requires: Cloud computing services used for CUI must be FedRAMP authorized or equivalent
  • Applies when: You use cloud services as part of your CUI environment
252.225-7048
  • Requires: Export-controlled items must comply with ITAR/EAR; restrictions on foreign nationals handling technical data
  • Applies when: Any work involving export-controlled defense articles or technical data

[VERIFIED] DFARS clause texts at acquisition.gov; 32 CFR Part 170 (CMMC Final Rule)

CMMC Assessment Scope for Subcontractors

CMMC scope for a subcontractor is defined by the same boundary that defines your CUI environment: every system, person, and process that touches Controlled Unclassified Information is in scope. The size of that boundary determines how expensive and time-consuming certification will be. [AI-GENERATED] scoping guidance

What Defines Your CUI Boundary as a Sub

ℹ️ Scope reduction is your best tool. Before spending $50K+ on CMMC readiness, ask: can you reduce scope? If CUI is currently scattered across your entire IT environment, a focused CUI enclave — a segmented environment specifically for CUI handling — dramatically reduces both the scope and the cost of certification. This is a legitimate and DoD-approved strategy. [AI-GENERATED] strategy guidance

CMMC Level Required for Subs

Sub handles FCI only (Federal Contract Information, no CUI)
  • CMMC level: Level 1
  • Assessment type: Annual self-assessment
Sub handles CUI per DFARS 252.204-7012
  • CMMC level: Level 2
  • Assessment type: Third-party C3PAO assessment (most subs)
Sub supports critical programs with advanced CUI types
  • CMMC level: Level 3
  • Assessment type: Government (DCSA) assessment
Sub handles no government information
  • CMMC level: Not required
  • Assessment type: N/A

[VERIFIED] CMMC Final Rule 32 CFR Part 170 §170.19; DFARS 252.204-7021(c)(4)

CUI Handling Obligations

Once CUI enters your systems, you are legally responsible for its protection. The requirements aren't negotiable — they're federal law by way of Executive Order 13556 and 32 CFR Part 2002. [VERIFIED] 32 CFR Part 2002, DFARS 252.204-7012

What Counts as CUI in Defense Subcontracts

CUI in defense work commonly includes:

  • Technical specifications and drawings
  • Export-controlled technical data (ITAR/EAR)
  • Contract performance data

Required CUI Protections

Marking
  • Requirement: Documents containing CUI must be marked "CUI" per the National Archives CUI Registry categories
  • Source: 32 CFR Part 2002 [VERIFIED]
Encryption at rest
  • Requirement: CUI stored on systems must be encrypted using FIPS 140-2 validated cryptography
  • Source: NIST SP 800-171 §3.13.16 [VERIFIED]
Encryption in transit
  • Requirement: CUI transmitted over networks must use FIPS-validated encryption (TLS 1.2+)
  • Source: NIST SP 800-171 §3.13.8 [VERIFIED]
Access control
  • Requirement: Limit CUI access to personnel with a need-to-know; multi-factor authentication required
  • Source: NIST SP 800-171 §3.1, §3.5 [VERIFIED]
Incident reporting
  • Requirement: Report cyber incidents affecting CUI to DoD within 72 hours via dibnet.dod.mil
  • Source: DFARS 252.204-7012(c) [VERIFIED]
Destruction
  • Requirement: Destroy CUI when no longer needed using NIST SP 800-88 media sanitization guidelines
  • Source: 32 CFR Part 2002.16, NIST SP 800-88 [VERIFIED]
Cloud storage
  • Requirement: Cloud services holding CUI must be FedRAMP authorized at Moderate or equivalent
  • Source: DFARS 252.204-7008 [VERIFIED]

What Primes Look For When Qualifying Subs

The era of "we'll deal with compliance later" is ending. Primes are actively auditing subcontractor compliance posture — partly because they're legally required to, and partly because a sub's cybersecurity failure can compromise the prime's contract, reputation, and program. [AI-GENERATED] qualification framework context

The Sub Qualification Checklist

Before awarding a subcontract involving CUI, mature prime contractors typically verify:

Insurance & Bonding Requirements

Insurance minimums vary by prime and program. These are common ranges for defense subcontracts: [AI-GENERATED] ranges — verify with prime's terms and conditions

Commercial General Liability
  • Typical minimum: $1M–$5M per occurrence
  • Notes: Naming the prime and the government as additional insureds is often required
Professional Liability / E&O
  • Typical minimum: $1M–$5M
  • Notes: Required for engineering, IT, and services subs
Cyber Liability
  • Typical minimum: $1M–$5M
  • Notes: Increasingly required; covers breach notification, forensics, and ransomware
Workers' Compensation
  • Typical minimum: Statutory limits
  • Notes: Required in all states where employees work
Automobile Liability
  • Typical minimum: $1M combined single limit
  • Notes: Required if vehicles are used for contract performance
Performance Bond
  • Typical minimum: 50–100% of subcontract value
  • Notes: Common for construction; less common for services; required by some primes for high-value hardware

Getting on Prime Vendor Lists

The six defense primes and major non-traditional companies all have different qualification processes. Here's what each looks for and how to get in. [AI-GENERATED] qualification guidance based on publicly available supplier program information

Lockheed Martin
Largest Prime
  • Register at lockheedmartin.com/suppliers — Exostar portal for pre-qual
  • CMMC Level 2 increasingly required for CUI-handling subs
  • AS9100D or ISO 9001 strongly preferred for hardware
  • ITAR registration required for most programs
  • Cyber liability insurance minimum $5M common on major programs
  • Longest qualification cycle: 6–18 months typical
RTX (Raytheon / Collins)
Aerospace + Defense
  • Supplier portal: suppliers.rtx.com — registration starts qualification
  • CMMC requirements being incorporated into new subcontracts
  • AS9100D required for aerospace components and assemblies
  • Active SPRS score and SSP summary often requested
  • Nadcap accreditation needed for special processes (heat treat, welding)
  • Timeline: 4–12 months for approval on specific programs
Northrop Grumman
Space + Cyber
  • Supplier registration through SAP Ariba portal
  • Strong cybersecurity focus — CMMC posture evaluated early
  • Space programs require ITAR registration and additional vetting
  • Classified programs require facility clearance (FCL) — plan 6–12 months
  • Small business and diversity certifications (8(a), SDVOSB) open doors
  • Technical interview with program manager sometimes required
L3Harris
C5ISR + EW
  • Supplier portal: l3harris.com/company/suppliers
  • Communications and electronic warfare programs are primary focus
  • ITAR-heavy programs require DDTC registration
  • CMMC requirements being phased in per contract
  • Smaller org relative to LM/RTX — faster qualification possible
  • Timeline: 3–9 months typical for technology subs
General Dynamics
Land + Mission Systems
  • Supplier registration: generaldynamics.com/suppliers
  • GDIT (IT arm) has strong cybersecurity sub requirements
  • Land systems programs require manufacturing quality certifications
  • Active security programs may require personnel security clearances
  • Strong preference for small businesses to meet subcontracting plan goals
  • Timeline: 4–10 months for first award
Anduril
Non-Traditional
  • Emerging prime — no legacy supplier portal yet; sourcing often direct
  • Fastest-growing program areas: autonomous systems, counter-UAS, JADC2
  • Technical bar is high — deep domain expertise required
  • Cybersecurity posture evaluated rigorously for any sub with system access
  • Faster qualification decisions than traditional primes
  • Track programs via USASpending.gov and Pulse contract tracking
✅ Track prime contract awards with Pulse. The fastest way to identify sub opportunities is to monitor when primes win new contracts in your capability area. A prime that just won a $500M ground systems contract will be procuring sub-components within 60–180 days. Pulse tracks DoD contract awards by keyword and prime so you can reach out before the formal solicitation.

Getting Sub-Ready: Your Action Plan

Compliance isn't built overnight. The subs who win in the next 18 months are the ones who started today. [AI-GENERATED] prioritization guidance

  1. Get on SAM.gov and Keep It Current

    Active SAM.gov registration is the minimum entry requirement for any DoD subcontract. Registration expires annually — a lapsed registration locks you out. Verify your CAGE code, NAICS codes, and business size certifications are accurate. This is free and takes 30 minutes.

  2. Calculate and Submit Your SPRS Score

    Run a NIST SP 800-171 self-assessment (use the SPRS Score Calculator), document your results in an SSP, and submit your score via PIEE. A positive score in SPRS is now effectively a prerequisite for subcontract awards. Negative scores are visible to primes and flag you as high risk.

  3. Define and Reduce Your CUI Boundary

    Before spending money on CMMC readiness, map exactly where CUI enters, moves, and is stored in your environment. If CUI is scattered broadly, consider implementing a CUI enclave — a dedicated, hardened environment for CUI handling — to reduce certification scope and cost.

  4. Close NIST SP 800-171 Gaps

    Run the CMMC Readiness Assessment to identify your current gaps. Build a POA&M with realistic dates. Focus on high-weight controls first (MFA, incident response, malware protection, encryption). Document everything — evidence is what assessors actually evaluate.

  5. Get Your ITAR/EAR House in Order

    If you're handling technical data for defense articles, verify whether ITAR registration with the State Department (DDTC) is required. For commercial technologies with defense applications, confirm your EAR classification. Export control violations carry criminal penalties — this isn't optional paperwork.

  6. Engage a C3PAO for CMMC Level 2

    If CMMC Level 2 is in your near-term contracts, engage an authorized C3PAO now — schedules are filling up. A pre-assessment gap analysis (from an RPO or C3PAO) typically costs $5K–$15K and tells you exactly what needs to be fixed before you spend on a full assessment. See the C3PAO Assessment Guide for selection criteria.

ITAR and EAR Export Control Obligations

Export controls are a distinct — and frequently misunderstood — obligation for defense subcontractors. They run parallel to CMMC and DFARS, and non-compliance carries criminal penalties. [VERIFIED] 22 CFR Parts 120–130 (ITAR), 15 CFR Parts 730–774 (EAR)

Governing agency
  • ITAR: State Department (DDTC)
  • EAR: Commerce Department (BIS)
Controls what
  • ITAR: Defense articles and services on the U.S. Munitions List (USML)
  • EAR: Dual-use items on the Commerce Control List (CCL)
Subcontractor registration
  • ITAR: Required if you manufacture, export, or provide brokering for USML items
  • EAR: No registration required; a license is required for specific exports
Foreign national access
  • ITAR: Deemed export rule applies; foreign nationals may require authorization even on US soil
  • EAR: Deemed export applies to specified items; EAR99 items are generally unrestricted
Violation penalties
  • ITAR: Up to $1M per violation; criminal prosecution possible
  • EAR: Up to $1M+ per violation; denial of export privileges

[VERIFIED] 22 CFR Part 120 (ITAR definitions); 15 CFR Part 730 (EAR scope); DDTC.state.gov

Frequently Asked Questions

Do defense subcontractors need CMMC certification?
Yes, if the subcontract involves CUI. CMMC requirements flow down from prime contracts under DFARS 252.204-7021. Subcontractors that handle CUI on CMMC-covered contracts need to meet the applicable CMMC level — usually Level 2, which requires a C3PAO assessment. Subs that only handle FCI (Federal Contract Information) need Level 1, which is a self-assessment. Subs with no government information in scope don't need CMMC. [VERIFIED] CMMC Final Rule 32 CFR Part 170 §170.19; DFARS 252.204-7021
What DFARS clauses flow down to subcontractors?
The key cybersecurity clauses that must flow down when CUI is involved: DFARS 252.204-7012 (safeguarding and incident reporting), 252.204-7019 (SPRS score), 252.204-7020 (government audit rights), and 252.204-7021 (CMMC, phasing in). Export control: 252.225-7048. Cloud: 252.204-7008. Primes are contractually required to include these in applicable subcontracts. If your prime hasn't included them — and you're handling CUI — you should ask why. [VERIFIED] DFARS Part 252
What is CUI and how does it affect subcontractors?
CUI (Controlled Unclassified Information) is government-created or government-handled information that requires protection under law or regulation but isn't classified. For defense subs, it commonly includes technical specs, drawings, export-controlled data, and contract performance data. Once CUI touches your systems, DFARS 252.204-7012 and NIST SP 800-171 apply. Primes cannot lawfully transfer CUI to a subcontractor that doesn't have adequate protections in place. [VERIFIED] 32 CFR Part 2002 (CUI Rule); DFARS 252.204-7012
What insurance does a defense subcontractor need?
Requirements vary by prime and program. Common requirements: Commercial General Liability ($1M–$5M), Professional Liability / E&O ($1M–$5M), Cyber Liability ($1M–$5M, growing in requirement), Workers' Comp (statutory), and Auto Liability if vehicles are used. Always request and review the prime's Standard Terms & Conditions before submitting your proposal — specific insurance requirements are spelled out there. [AI-GENERATED] typical ranges; verify with your prime
How long does it take to get on a prime's approved vendor list?
3–18 months at major primes, depending on program complexity and how closely your capabilities match active needs. The fastest path: identify a program manager who has an active need for your capability (use Pulse to find recent awards), build a direct relationship, and enter qualification already having SPRS, SAM.gov, and any required certifications current. Cold submissions to supplier portals move slowly. Program manager relationships move faster. [AI-GENERATED]
What is the difference between a first-tier and lower-tier sub for CMMC?
No difference. CMMC obligations flow regardless of tier. A third-tier sub handling export-controlled drawings has identical DFARS obligations to the prime. In practice, lower-tier subs often don't receive proper guidance from the tier above them — this is a compliance gap that creates legal exposure all the way up the chain. If you're a lower-tier sub and your direct customer hasn't given you CUI-handling requirements, that's a conversation you need to initiate. [VERIFIED] CMMC Final Rule 32 CFR Part 170 §170.19(c); DFARS 252.204-7021(c)(4)

Sources & Verification

  1. DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. Mandatory flowdown clause. acquisition.gov [VERIFIED]
  2. DFARS 252.204-7019, -7020, -7021 — NIST 800-171 assessment requirements and CMMC requirements. acquisition.gov/dfars [VERIFIED]
  3. CMMC Final Rule (32 CFR Part 170) — CMMC program including flowdown requirements at §170.19. ecfr.gov [VERIFIED]
  4. 32 CFR Part 2002 — CUI Program implementing regulations. Defines CUI categories, marking, and handling. ecfr.gov [VERIFIED]
  5. ITAR (22 CFR Parts 120–130) — International Traffic in Arms Regulations. DDTC.state.gov for registration and compliance. [VERIFIED]
  6. EAR (15 CFR Parts 730–774) — Export Administration Regulations. BIS.doc.gov. [VERIFIED]
  7. Prime supplier qualification program details — Based on publicly available supplier portal information and defense supply chain community reporting. [AI-GENERATED] — verify directly with each prime's supplier team.