
CMMC Supplier Risk and Pre-Award Verification

Independent onsite verification of subcontractor CMMC posture for prime contractors and government contracts counsel. Pre-award due diligence, SPRS validation, documentation review, and acquisition support.

David W. Koran, RPA  ·  April 2026  ·  David Koran & Associates

Defense primes and the legal counsel who advise them face a structural problem that DFARS and CMMC create but neither resolves cleanly. A prime contractor that flows down DFARS 252.204-7012 and DFARS 252.204-7021 to a subcontractor remains responsible for the data it shares, yet the prime has limited practical visibility into whether the subcontractor has actually implemented the controls that those clauses require. Self-attestation is the default verification mechanism across the supply chain. In practice, what a contractor attests to and what is actually present on subcontractor systems and production floors do not always agree.

The problem is not theoretical. The MORSECORP settlement of 2025 established that material misrepresentation of NIST SP 800-171 implementation status creates False Claims Act exposure for the contractor that submitted the SPRS score. The settlement did not reach the primes that flowed CUI down to the contractor in question, but the precedent it establishes is directly relevant to primes weighing supplier risk. A prime that received CUI handling assurances from a subcontractor which subsequently fails an assessment, or which is later found to have misrepresented its security posture, is now operating in a regulatory environment where the cost of trusting self-attestation has changed.

The work this practice does for primes and counsel sits in the gap between contractual flowdown and verified supplier capability. The methods are technical and onsite. The deliverable is independent evidence about whether a supplier can actually meet the obligations its agreements describe.

The Flowdown Reality

DFARS 252.204-7012 requires the contractor to flow the clause down to subcontractors that will receive Covered Defense Information. DFARS 252.204-7021, effective November 10, 2025, requires that subcontractors hold a current CMMC certification at the level required by the prime's contract. The CMMC Final Rule at 32 CFR Part 170 codifies these requirements within the broader assessment framework that begins Phase 2 implementation on November 10, 2026.

The flowdown obligation does not by itself give the prime the right to enter the subcontractor's facility, examine its System Security Plan, or test its controls. Those rights, if they exist, must be created in the subcontract. Many subcontracts do not contain audit or inspection language that survives award. The subcontractor's CMMC posture therefore becomes a contractual condition that the prime cannot independently verify after award and has limited tools to evaluate before award.

Counsel advising a prime on subcontractor selection or post-award compliance management often arrives at two questions that the regulations do not answer. Does the subcontractor's claimed CMMC status correspond to what is actually implemented at the subcontractor's facility, and what is the prime's exposure if it does not? The first question requires technical examination. The second is a question of attorney judgment informed by the answer to the first.

The Verification Gap

In practice, prime contractors verify subcontractor compliance through three mechanisms, none of which produces independent technical evidence. The first is a representation in the subcontract that the supplier complies with the applicable DFARS and CMMC requirements. The second is a copy of the supplier's CMMC certificate or self-assessment summary, where applicable. The third is the supplier's SPRS score, viewed through the prime's own SPRS access or reported by the subcontractor on request.

Each of these mechanisms produces a paper artifact, but none produces direct evidence of implementation. A subcontractor can hold a Conditional Final Level 2 certification, report a high SPRS score, and still have material gaps in implementation that the certification process did not surface. The structural reasons for this involve the difference between an assessment scoping decision and an operating environment, and the difference between control documentation and control performance. A prime that relies on the paper artifact alone is making an assumption about the operating environment that the artifact does not support.

The verification gap is widest for subcontractors operating at Tier 2 and Tier 3 of the supply chain, where prime visibility is lowest, and for subcontractors that operate in production environments where compliance scope extends beyond traditional IT systems. A Tier 3 machine shop running CNC programs derived from CUI-marked technical data sits inside a compliance perimeter that most paper-based verification mechanisms cannot meaningfully evaluate.

Pre-Award Technical Verification

The onsite pre-award technical verification engagement places this practice at the subcontractor's facility, with subcontractor cooperation and prime contractor or counsel sponsorship, to produce an independent evidence base for the prime's award decision.

The verification examines the subcontractor's System Security Plan against the actual configuration of in-scope systems, the artifact set against documented control performance, the SPRS score calculation against the underlying assessment object inventory, and the subcontractor's CUI handling procedures against the operating environment. Where the subcontractor operates in a manufacturing setting, the verification includes the production floor and the asset categorization decisions that govern CNC controllers, coordinate measuring machines, and other operational technology.

The deliverable is a structured report that identifies, for each of the 110 NIST SP 800-171 Rev 2 requirements, what evidence was examined, what condition was observed, and what gap exists between claimed and actual implementation. The report is written for the prime and counsel, with the technical detail necessary to support an award decision, a contract negotiation, or, in some cases, a determination that a particular supplier does not meet the prime's risk tolerance for the contract in question.

The work is consulting. It is not a CMMC assessment. The C3PAO assessment process is a separate function performed by certified assessor organizations and remains the official verification mechanism within the CMMC ecosystem. Pre-award technical verification supports the prime's commercial and contractual decision-making and does not replace, substitute for, or anticipate the C3PAO determination.

SPRS Score Validation

The SPRS score is the most accessible verification artifact available to a prime, and the most easily misread. A score is calculated by the contractor against an assessment object inventory the contractor itself defines. Two contractors with materially different security postures can report comparable scores when their assessment object inventories differ. A contractor that has narrowly scoped its assessment will report a score that reflects that scope rather than the broader operational reality.

The SPRS validation work this practice performs for primes and counsel takes the reported score and reconstructs the assessment object inventory from the underlying environment. The validation answers a specific question: given what is actually present in the subcontractor's network and facility, what score should the contractor have reported, and how does that compare to the score on file? The output is not a recalculated SPRS submission. The output is an independent check on whether the contractor's reported score accurately represents the contractor's environment.

The MORSECORP settlement made this analysis material to a prime contractor's risk evaluation. A prime that selected a subcontractor based on a SPRS score which is later found to misrepresent the contractor's environment is operating in the same regulatory landscape as the contractor itself. SPRS validation reduces, although it does not eliminate, the prime's exposure to that landscape.

Supplier Risk in Mergers and Acquisitions

Defense contractor acquisitions increasingly include CMMC posture as part of technical due diligence. The acquirer inherits the target's CMMC certifications, SPRS scores, contracts, and the implementation reality behind those artifacts. A target with a Conditional Final Level 2 certification and material implementation gaps becomes a post-close compliance liability the acquirer assumed at the closing.

The CAGE Code transition associated with an acquisition adds a procedural dimension to the diligence question. CMMC certifications attach to specific CAGE codes. Reorganization, asset sales, and ownership transitions can disrupt the certification record in ways that affect contract eligibility under the Phase 2 rule that begins November 10, 2026. Counsel advising on a defense contractor transaction has reason to understand both the technical condition of the target and the procedural status of its CMMC artifacts.

The diligence engagement applies the same onsite verification methods as the pre-award engagement, with documentation and reporting tailored to the transaction. Reports for transaction work typically include a remediation cost estimate that supports purchase price negotiation and post-close planning.

Documentation Review Without Onsite Visit

Some engagements do not require an onsite visit. A prime evaluating a subcontractor that has provided a complete artifact package, including the System Security Plan, POA&M, supporting policies, evidence files, and SPRS calculation worksheets, can obtain useful risk information from a documentation review alone. The review identifies internal inconsistencies in the package, gaps between policy and the artifact set, and indicators of material misrepresentation that warrant either a follow-up onsite engagement or a different supplier selection.

Documentation review is faster and lower in cost than onsite verification. It produces a less complete evidence base. The choice between documentation review and onsite verification typically depends on the dollar value of the contract, the sensitivity of the CUI involved, and the prime's prior history with the supplier.

The Engagement Path

Engagements with primes and counsel begin with a scoping discussion that defines the question to be answered, the supplier or supplier set involved, and the deliverable required. Scoping is performed without obligation and without charge. The result of scoping is a written engagement description that specifies the work, the timeline, the deliverable format, and the cost.

Onsite engagements are billed at $400 per hour with travel costs at actual. Offsite documentation review is billed at $325 per hour. Engagements are normally structured as time and materials, although fixed-fee arrangements are available for well-defined scopes such as a single-supplier pre-award verification.

To begin a scoping discussion, contact David W. Koran directly at dkoran@davidkoran.com or 802-335-2662.

About the Author

David W. Koran

David Koran is a CyberAB Registered Practitioner Advanced and the founder of a CMMC advisory practice serving Defense Industrial Base contractors and the legal counsel who support them. The practice focuses on readiness, enablement, and implementation. He is the author of The CMMC Decision, now in its second edition, and an Associate Member of the American Bar Association Section of Public Contract Law.

dkoran@davidkoran.com  |  802-335-2662

CyberAB Registered Practitioner Advanced
ABA Section of Public Contract Law
Author, The CMMC Decision