A lot of small and mid-size defense vendors are operating under a dangerous assumption: that CMMC is the prime contractor's problem. It isn't. And if you're still waiting to find out what your prime requires before you take action, you may already be behind.
Here's what's actually happening — and what you need to do about it.
The CMMC program provides DoD with increased assurance that contractors and subcontractors have implemented contractually required cybersecurity standards for nonfederal information systems that process, store, or transmit FCI or CUI during contract performance. That language — subcontractors — is doing a lot of work.
Under 32 CFR § 170.23, prime contractors are required to comply and to require their subcontractors to comply with and flow down CMMC requirements throughout the supply chain at all tiers. This isn't discretionary guidance. The regulation uses the word "shall." If you're a tier-2 or tier-3 supplier receiving federal contract information from a prime, you are legally within scope.
The level you need depends on what data you handle:
If a prime knowingly awards work to a non-compliant subcontractor and misrepresents supply chain compliance, it faces liability under the False Claims Act. Beyond legal exposure, a non-compliant subcontractor can kill an entire contract bid. If a prime needs a certified supply chain to win a DoD contract and one supplier is not certified, the whole bid is at risk.
Primes know this. That's why many are already demanding compliance evidence before they'll award subcontracts — and they're not waiting for Phase 3 to ask.
The first phase of CMMC implementation began on November 10, 2025. CMMC assessment requirements are being implemented using a four-phase plan over three years, starting with self-assessments in Phase 1 and ending with full implementation in Phase 4.
Phase 2, which adds third-party Level 2 certification requirements to new contracts, begins November 10, 2026. That's not far away. And achieving Level 2 certification is not a quick process. It requires documenting and technically implementing 110 security controls, completing a System Security Plan (SSP), and in many cases, passing a third-party assessment by an authorized C3PAO.
If you haven't started, you're already under pressure.
The compliance challenge for smaller vendors isn't a matter of willingness. It's complexity meeting constrained resources.
You may not know you have CUI. Many subcontractors receive Controlled Unclassified Information in the course of normal work (in emails, shared documents, technical specifications) without recognizing it as such. But receiving even a small amount of CUI triggers Level 2 requirements across your entire relevant information environment. Ignorance of what data you're handling is not a defense.
A written policy isn't enough. CMMC Level 2 requires evidence of technical implementation, not just documented intent. That means things like multi-factor authentication, FIPS-validated encryption, and access controls configured and demonstrably in operation. Many small businesses have policies on paper that their systems don't actually enforce. That gap will be found in an assessment.
Your vendors may be your problem. The flowdown obligation doesn't stop with you. If you use a cloud service provider, managed service provider (MSP), or any external service provider that touches the systems where CUI lives, their compliance posture affects yours. Misclassifying an MSP as out of scope is a common and costly mistake.
Your SPRS record has to stay current. Subcontractors must not only meet the standards but continuously maintain and update their compliance evidence — including SSPs, Plans of Action and Milestones (POA&Ms), and annual affirmations entered into the Supplier Performance Risk System. This is an ongoing operational requirement, not a one-time filing.
The good news is that the path forward is well-defined. The hard part is executing it with limited internal resources. Here's where to focus:
Step 1: Map your CUI. Understand exactly what sensitive data you receive, where it lives, and which systems touch it. This determines your required compliance level and scopes everything that follows.
Step 2: Know your level. FCI only means Level 1. Any CUI means Level 2 at minimum. Don't assume — verify against the actual data your subcontracts involve.
Step 3: Get a gap assessment. Before you can close gaps, you have to know what they are. A structured gap assessment against NIST SP 800-171 will tell you exactly where you stand and what has to be remediated before an assessment.
Step 4: Build your documentation. Your SSP, POA&M, and policies need to reflect what your systems actually do. Alignment between your documentation and your technical controls is what auditors are evaluating.
Step 5: Get a program manager in your corner. CMMC compliance isn't a project you finish — it's a program you maintain. Having an experienced CMMC professional guiding the process keeps you audit-ready as your systems and contracts evolve.
At Dragnet, we work specifically with defense subcontractors who need to get compliant without a large internal IT team or compliance staff. Our CMMC Program Management service is built for organizations at exactly this stage — ready to do the work, but needing an expert to lead the way.