Who Needs CMMC Certification? A Guide for the Defense Supply Chain

Any company in the Defense Industrial Base handling FCI or CUI on DoD contracts will need CMMC certification. Learn who is affected, how requirements flow to subcontractors, and which exemptions apply.

Agency Team

The question we hear most often from companies new to the defense supply chain is straightforward: does CMMC apply to us? The short answer is almost certainly yes if you hold a DoD contract. The longer answer involves understanding what information you handle, where you sit in the supply chain, and which exemptions — if any — apply to your situation.

The Cybersecurity Maturity Model Certification (CMMC) is designed to protect sensitive information across the entire Defense Industrial Base (DIB). This does not mean only the large prime contractors building weapons systems. It means every organization in the supply chain that touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — from the machine shop fabricating parts to the IT services company managing network infrastructure to the consulting firm analyzing acquisition data.

This guide clarifies who needs CMMC certification, at what level, how requirements flow through the supply chain, and which organizations may be exempt.

The Fundamental Rule

The rule is simple: if your organization processes, stores, or transmits FCI or CUI under a DoD contract, you will need CMMC certification at the appropriate level as CMMC requirements are phased into contracts.

Information Type | CMMC Level Required | Assessment Type
Federal Contract Information (FCI) | Level 1 (Foundational) | Annual self-assessment
Controlled Unclassified Information (CUI) — routine | Level 2 (Advanced) | Self-assessment
Controlled Unclassified Information (CUI) — critical | Level 2 (Advanced) | C3PAO third-party assessment
Critical CUI on high-priority programs | Level 3 (Expert) | Government-led assessment

The determining factor is not your company's size, revenue, or role — it is the type of information that flows through your systems. A 10-person machine shop that handles CUI in the form of technical drawings needs the same Level 2 certification as a Fortune 500 defense prime.

Prime Contractors

Prime contractors are the most obvious candidates for CMMC certification. These are the organizations that hold direct contracts with the Department of Defense and are the primary point of contact for contract performance.

Why Primes Need CMMC

  • They receive CUI and FCI directly from the government
  • They generate CUI through their contract performance (engineering data, test results, specifications)
  • Their contracts will explicitly specify the required CMMC level through DFARS clause 252.204-7021
  • They are responsible for flowing down CMMC requirements to their subcontractors

Prime Contractor Obligations

Beyond achieving their own certification, prime contractors have supply chain management responsibilities:

  1. Flow-down identification — Primes must identify which subcontractors will handle FCI or CUI and ensure those subcontractors achieve the appropriate CMMC level
  2. Contract clause inclusion — The DFARS CMMC clause must be included in subcontracts where FCI or CUI is involved
  3. Verification — Primes are expected to verify that subcontractors hold the required CMMC certification before passing them sensitive information

What we tell clients who are prime contractors: your supply chain is your vulnerability. If a subcontractor fails to achieve certification, your contract performance is at risk. Start engaging your critical subcontractors on CMMC readiness now.

Subcontractors at Every Tier

This is where many organizations are caught off guard. CMMC does not stop at the prime contractor. Requirements flow down through the entire supply chain to every subcontractor that handles FCI or CUI.

How Flow-Down Works

Consider a simplified supply chain:

Department of Defense
    └── Prime Contractor (Level 2 C3PAO required)
        ├── Tier 1 Subcontractor A (handles CUI → Level 2 required)
        │   └── Tier 2 Subcontractor C (handles CUI → Level 2 required)
        └── Tier 1 Subcontractor B (handles only FCI → Level 1 required)
            └── Tier 2 Subcontractor D (no FCI/CUI → no CMMC required)

Each node in the supply chain is evaluated independently based on the information it handles:

  • Subcontractor A receives technical drawings marked as CUI from the prime → Level 2 required
  • Subcontractor C receives a subset of that CUI from Subcontractor A → Level 2 required
  • Subcontractor B receives contract schedules and performance data (FCI, not CUI) → Level 1 required
  • Subcontractor D provides a service that does not involve FCI or CUI → No CMMC requirement

The Subcontractor Reality

In our experience, the subcontractor tier is where CMMC compliance faces its greatest practical challenges:

  • Awareness gap — Many small subcontractors deep in the supply chain are not yet aware of CMMC requirements
  • Resource constraints — Small businesses may lack the budget and personnel to implement 110 NIST 800-171 controls
  • Multiple prime relationships — A subcontractor may support multiple primes with different CMMC level requirements
  • Unclear data classification — Subcontractors sometimes receive information without clear CUI markings, making it difficult to determine the required CMMC level

If you are a subcontractor, the most important action you can take is to clarify with your prime contractor exactly what type of information you handle and what CMMC level your subcontract will require.

Types of Organizations That Need CMMC

CMMC applies across a wide range of organizations in the DIB. Here are common categories and their typical CMMC level requirements:

Manufacturing and Production

Organization Type | Typical Information Handled | Likely CMMC Level
Weapons system component manufacturer | Technical drawings, specifications (CUI) | Level 2
Electronics manufacturer (defense) | Circuit designs, test data (CUI/ITAR) | Level 2
Machine shop producing to DoD specs | Engineering drawings (CUI) | Level 2
Raw material supplier with no specs | Purchase orders, delivery schedules (FCI) | Level 1
Packaging and shipping contractor | Shipping manifests, schedules (FCI) | Level 1

Professional Services

Organization Type | Typical Information Handled | Likely CMMC Level
Engineering consulting firm | Technical analysis, design data (CUI) | Level 2
Management consulting on defense programs | Program data, acquisition info (CUI) | Level 2
Accounting firm providing contract audit services | Financial data, contract details (FCI or CUI) | Level 1 or Level 2
Staffing agency providing cleared personnel | Personnel records, contract admin (FCI) | Level 1
Legal services for contract disputes | Contract terms, performance data (FCI) | Level 1

IT and Technology

Organization Type | Typical Information Handled | Likely CMMC Level
Software developer for DoD systems | Source code, system docs (CUI) | Level 2
Cloud service provider hosting CUI | CUI data at rest and in transit | Level 2 (plus FedRAMP)
Managed IT services for a defense contractor | Access to CUI environment | Level 2
Help desk provider (no CUI access) | Ticket data, user info (FCI) | Level 1
Cybersecurity monitoring provider | Security logs, vulnerability data (potentially CUI) | Level 2

Facilities and Support

Organization Type | Typical Information Handled | Likely CMMC Level
Facilities maintenance on a DoD installation | Building plans, security info (potentially CUI) | Level 1 or Level 2
Janitorial services on a DoD base | Contract schedules (FCI) | Level 1
Food services contractor | Delivery schedules, pricing (FCI) | Level 1
Construction contractor on classified facility | Building specs, security plans (CUI) | Level 2

Who Is Exempt from CMMC

Not every organization that does business with the DoD needs CMMC certification. The following exemptions apply:

COTS Providers

The most significant exemption is for providers of Commercial Off-the-Shelf (COTS) products. Under the CMMC framework and FAR 52.204-21, organizations that provide only COTS items to the government are generally exempt from CMMC requirements.

What qualifies as COTS: Products that are sold to the general public in the commercial marketplace, without modification for government use. Examples include standard commercial hardware, software licenses, office supplies, and commercial vehicles purchased without modification.

What does NOT qualify as COTS:

  • Products modified to meet DoD-specific requirements
  • Products configured with government-specific settings that involve CUI
  • Products sold exclusively or primarily to government customers
  • Services bundled with COTS products that involve FCI or CUI

The COTS exemption is narrower than many organizations believe. If you modify, customize, or configure a commercial product for a DoD customer, and that process involves CUI (such as DoD-specific technical requirements), the COTS exemption likely does not apply.

What we tell clients: if you are relying on the COTS exemption, document your analysis thoroughly. If your products cross the line from pure COTS to modified or customized, you may need CMMC certification, and discovering this mid-contract is far worse than preparing proactively.

Organizations Handling No FCI or CUI

If your contract with the DoD involves no FCI or CUI whatsoever, CMMC does not apply. However, this is an extremely narrow scenario. Almost any contract involves some non-public information generated under the contract, which qualifies as FCI. The practical reality is that nearly every DoD contractor handles at least FCI.

Grants and Cooperative Agreements

CMMC applies specifically to contracts. Organizations that receive DoD funding through grants or cooperative agreements (rather than contracts) are not subject to CMMC, although they may still be subject to NIST 800-171 requirements through other regulatory mechanisms.

Foreign Entities

The CMMC framework was designed for the U.S. defense industrial base. Foreign entities performing on DoD contracts may be subject to different cybersecurity requirements depending on the applicable international agreements, although CUI protection requirements generally extend to foreign subcontractors handling CUI under U.S. contracts.

Common Misconceptions

After advising numerous organizations on CMMC applicability, these are the misconceptions we encounter most frequently:

"We're too small to need CMMC"

CMMC has no size threshold. A sole proprietorship with one DoD contract that involves CUI needs Level 2, just like a large corporation. The 110 controls apply regardless of your organization's size. The DoD has acknowledged the burden on small businesses but has not exempted them.

"We don't handle CUI, so we don't need CMMC"

If you handle FCI — which virtually every DoD contractor does — you need at least Level 1. Level 1 is a self-assessment with 17 practices, but it is still a formal requirement that will appear in contracts.

"Our prime handles the cybersecurity, so we're covered"

Each organization in the supply chain is independently responsible for its own CMMC certification. Your prime contractor's Level 2 certification does not cover your organization. If you handle CUI as a subcontractor, you need your own Level 2 certification.

"CMMC is only for IT companies"

CMMC applies based on information handling, not industry sector. A welding shop, a logistics company, or a consulting firm needs CMMC certification if they handle FCI or CUI on a DoD contract. The cybersecurity controls must be implemented on whatever systems process that information — whether that is a sophisticated IT network or a single laptop and email account.

"We can just stop handling CUI to avoid Level 2"

This is technically possible but often impractical. If your contract requires you to handle CUI to perform the work, you cannot simply refuse the CUI and still fulfill the contract. Some organizations have successfully restructured their operations to avoid CUI handling — for example, by having all CUI work performed in a government-furnished facility — but this requires careful planning and government agreement.

"Cloud services handle our compliance for us"

Using a FedRAMP-authorized cloud service helps but does not eliminate your CMMC obligations. Cloud services operate under a shared responsibility model. The cloud provider is responsible for the security of the cloud infrastructure, but you are responsible for the security of your data in the cloud, your configurations, your access controls, and your user behavior. Many NIST 800-171 controls relate to organizational practices (training, incident response, risk assessment) that no cloud provider can satisfy on your behalf.

How to Determine Your CMMC Requirements

Follow this step-by-step process to determine whether you need CMMC certification and at what level:

Step 1: Inventory Your DoD Contracts

List every active and anticipated DoD contract and subcontract. Include both prime contracts and subcontracts at any tier.

Step 2: Identify Information Types

For each contract, determine whether you handle:

  • No FCI or CUI — Contract may not require CMMC (rare)
  • FCI only — Level 1 required
  • CUI — Level 2 required (self-assessment or C3PAO, determined by contract)

Review the following contract documents:

  • DFARS clauses (252.204-7012 for CUI, 252.204-7021 for CMMC)
  • Statement of Work / Performance Work Statement
  • DD Form 254 (for classified contracts, which may also involve CUI)
  • Government-furnished information markings
  • Flow-down requirements from prime contractors

Step 3: Determine Assessment Type

For Level 2, the contract specifies whether self-assessment or C3PAO assessment is required. If the contract has not yet been issued, consult the solicitation or engage with the contracting officer.

Step 4: Assess Your Highest Requirement

If you hold multiple contracts with different CMMC levels, your certification should cover the highest level required. An organization certified at Level 2 inherently satisfies Level 1. Certify to the highest level you need, and all lower-level requirements are met.

Step 5: Scope Your Environment

Identify every system, network, and facility where FCI or CUI is processed, stored, or transmitted. This defines the boundary of your CMMC assessment. For detailed guidance on CUI scoping, see our CUI guide.

Preparing Your Supply Chain

If you are a prime contractor or higher-tier subcontractor, you have a responsibility to prepare your supply chain:

  1. Identify affected subcontractors — Determine which of your subcontractors will handle FCI or CUI
  2. Communicate requirements — Notify subcontractors of their CMMC obligations and the timeline
  3. Include CMMC in subcontracts — Ensure the DFARS CMMC clause flows down to all applicable subcontracts
  4. Verify certification — Confirm that subcontractors hold the required CMMC certification before sharing FCI or CUI
  5. Develop alternatives — Identify backup suppliers in case current subcontractors cannot achieve certification in time

Supply chain readiness is a competitive advantage. Primes that have a certified supply chain will be better positioned to win DoD contracts than those scrambling to replace non-compliant subcontractors at proposal time.

Timeline Considerations

The CMMC phased rollout means requirements will appear in contracts gradually, but organizations should not wait:

  • If you handle CUI and anticipate C3PAO assessment — Begin preparation now. Level 2 remediation and assessment typically takes 6-18 months.
  • If you handle CUI and anticipate self-assessment — Begin preparation within the next 6 months. Self-assessment still requires implementing all 110 controls.
  • If you handle only FCI — Begin Level 1 preparation within the next 3-6 months. The 17 practices are straightforward but must be documented and affirmed.
  • If you are uncertain — Clarify your data classification and contract requirements as soon as possible. The worst position is discovering at proposal time that you need a certification you do not have.

The defense industrial base is large, diverse, and interconnected. CMMC certification touches every part of it — not just the household-name primes, but the thousands of small and mid-size businesses that form the backbone of the defense supply chain. Understanding where you fit and what you need is the first step toward maintaining your ability to compete for DoD work.