CMMC 101: What Defense Subcontractors Need to Know Before It's Too Late

CMMC 101: What Defense Subcontractors Need to Know about the Cybersecurity Maturity Model Certification

June 08, 2026

Why it matters

Most defense contractors and subcontractors have heard of Cybersecurity Maturity Model Certification (CMMC). If you’re doing work with the Department of Defense as a contractor or subcontractor, the clock is ticking for you to become compliant:

  • You must be CMMC compliant to the stated level before you can bid on projects. It could take 12 to 18 months to get ready for a certification.
  • This isn’t just an IT concern. CMMC can require cloud migrations, physical security upgrades, facility segregation and changes to how staff handles information.
  • Companies that self-attest without actually meeting the requirements could be subject to federal liability and harsh penalties under the False Claims Act.

What Is Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) dates back to an executive order issued by President Obama in November 2010, when it was developed to improve the cybersecurity posture of vendors and contractors that offer products and services to the Department of War (DoW). CMMC is not an IT-only framework; it also covers physical security, personnel practices, data handling and operational controls.

All contracts other than commercial off-the-shelf (COTS) procurements will require CMMC compliance by 2028.

CMMC differs from other compliance frameworks, where companies can self-attest without scrutiny. The current version, CMMC 2.0, is essentially the government’s codified application of the NIST 800-171 cybersecurity framework and is designed to be rigidly enforced.

However, many contractors and subcontractors don’t understand what compliance truly demands. The widespread assumption that CMMC is a light lift and that you have plenty of time couldn’t be further from the truth. Prime contractors are already moving, and some are sending letters to subcontractors demanding status updates within 30 to 45 days.

CMMC is not an issue you can put off until the future; it’s an active and growing business requirement. Delaying adoption means you could lose eligibility for future work, be removed from supply chains and potentially face compliance exposure and violations you never anticipated.

CMMC 2.0 has three certification levels:

  • Level 1: This level has 17 basic cybersecurity requirements, and while self-attestation is permitted, companies must document the controls they have implemented.
  • Level 2: The second level has 110 requirements that are directly aligned with NIST 800-171. It is the level most defense subcontractors will be working toward, and it requires certification by a Certified Third-Party Assessment Organization (C3PAO).
  • Level 3: This builds on Level 2, is reserved for the most sensitive work, and requires a formal government audit conducted by a DoW representative.

Does CMMC Apply to You?

CMMC applies to anyone who touches federal contract information (FCI) or controlled unclassified information (CUI), including prime contractors, subcontractors, sub-subcontractors and suppliers at every tier.

Each contract specifies the certification level required for each tier. For example, a prime contractor may need Level 2, while a subcontractor handling less sensitive work may only need Level 1.

Your company must meet the required CMMC level before it can even bid on such contracts. Many smaller companies assume that because they are several tiers removed from the DoW, CMMC does not apply to them.

For example, a metal parts manufacturer that makes rocket tips assumed CMMC didn’t fully apply to its business. However, an investigation found that its top three customers all sold to prime contractors. The company was in scope and didn’t even know it.

In another case, a small ammunition manufacturer in Michigan believed CMMC didn’t apply because it had only one computer and lacked an IT department. However, it still had to implement a secure mail server and make physical security upgrades, including badge readers, cameras and environmental controls.

CMMC is About More than IT and Defense Work

The scope question isn’t just about IT. It includes physical premises, personnel, transport, storage and even the building where covered work is done. Professional services firms, engineering companies and even facilities maintenance contractors could be subject to CMMC if their contracts involve CUI or defense-related work.

CMMC is also likely to expand beyond the DoW. For example, the General Services Administration has already developed its own version with slightly higher requirements, and other agencies, such as the Department of Energy and the EPA, are likely to follow. As a result, you should think of CMMC readiness not as a one-time compliance event but as a long-term investment.

Frequently Asked Questions

Here are some frequently asked questions about CMMC.

Beware Software Vendors With an Easy Fix

Some software vendors are marketing platforms as turnkey CMMC solutions. However, this is a dangerous oversimplification, and while software can be part of the solution, it is not the entire picture. CMMC requires companies to take ownership of their whole governance layer, including policies, procedures, and structures around how people handle sensitive information.

Even if a software platform is technically compliant, companies will be responsible for how their employees actually use it. CMMC cannot be addressed by simply writing a check, and any company that purchases a software solution and self-attests to compliance without meeting all requirements remains at risk of liability.

Do You Know Where You Stand on CMMC Readiness?

Scope surprises are among the most common and most expensive discoveries during CMMC evaluations. A readiness assessment is the fastest way to understand your exposure, reduce your scope, and build a realistic path forward. Learn how our cybersecurity risk consultants can help you evaluate your environment and prepare for certification before prime contractors or a contract deadline forces the issue.
