The Subcontractor Receives the Notice
A defense prime contractor sends a notice to its supply base. The notice explains that CMMC requirements will appear in upcoming subcontracts, that suppliers should prepare to demonstrate compliance, and that suppliers who cannot demonstrate compliance may be ineligible for future work. The notice usually cites 32 CFR 170.23 but does not quote it. The subcontractor receives the notice and faces three possible interpretations. The first is that the company is fine, because it is only a small supplier and the requirement is for the prime. The second is that the company must obtain CMMC Level 2 certification from an external assessor, because that is what the public discussion suggests. The third is that the company must figure out what it actually does in performance of the subcontract, then map that to the language of the regulation.
The first interpretation is wrong as a matter of regulation. The second is sometimes correct but often overshoots the actual requirement. The third is the one the regulation expects. The cost difference between the interpretations is material. A subcontractor that handles only Federal Contract Information (FCI) requires a Level 1 self-assessment, which is something the company itself performs and affirms. A subcontractor that handles Controlled Unclassified Information (CUI) requires a Level 2 Status, which is at minimum a self-assessment but may, depending on the prime contract, require a Certified Third Party Assessor Organization (C3PAO) to conduct the assessment. The gap between a Level 1 self-assessment and a Level 2 C3PAO assessment, in terms of cost, time, and operational disruption, is substantial.
The Trigger Is Operational, Not Contractual
The most important sentence in section 170.23 is the operational trigger in paragraph (a). The trigger is whether the subcontractor will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. The relevant question is not what the subcontract says about cybersecurity. The relevant question is what the subcontractor will actually do with FCI or CUI in performing the work.
If the subcontract does not require the supplier to receive, generate, store, or transmit FCI or CUI in any form, the supplier is outside the scope of section 170.23 for that subcontract. This is a meaningful exemption and it is the one that most often gets missed. A subcontractor that performs work entirely on the basis of unclassified, publicly releasable specifications, that does not store any defense customer data, and that does not transmit any defense customer data, has nothing to demonstrate under section 170.23 for that subcontract. The cascade applies to all tiers without exemption for small suppliers, but the cascade applies only when the operational trigger is met.
FCI Only Is Not the Same as CUI
Federal Contract Information is the broader category. It covers information provided by or generated for the Government under a contract that is not intended for public release. Most purchase orders, most delivery schedules, most non-public administrative correspondence with a Federal customer, and many engineering specifications fall within the scope of FCI. Controlled Unclassified Information is the narrower category. It covers information that is designated by a Federal authority as requiring safeguarding or dissemination control under a specific statute, regulation, or government-wide policy.
A drawing is not CUI merely because it relates to defense work. The controlling question is whether the information falls within a CUI category and has been designated, marked, or otherwise identified by the Government or an authorized holder as requiring CUI safeguarding or dissemination control. If the markings or instructions are absent or inconsistent, the supplier should ask the prime or contracting authority for clarification rather than guessing. The practical implication for the Tier 2 or Tier 3 supplier is that many subcontracts involve FCI but no CUI, and in that case the required CMMC Status is Level 1 (Self), a self-assessment against the 15 requirements of FAR 52.204-21 and an affirmation submitted by the supplier.
The Cascade Has Four Cases
The cascade in 32 CFR 170.23(a) maps four cases. A subcontractor handling FCI only requires Level 1 (Self). A subcontractor handling CUI requires Level 2 (Self) at minimum. A subcontractor handling CUI on a prime contract that requires Level 2 (C3PAO) requires Level 2 (C3PAO) itself. A subcontractor handling CUI on a prime contract that requires Level 3 (DIBCAC, an assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center) requires Level 2 (C3PAO), not Level 3, under the default cascade. Paragraph (b) preserves the DoD's ability to provide specific guidance pertaining to flowdown for a particular procurement, which means the default cascade is the starting point rather than the absolute ceiling.
The trigger is operational. The cascade applies only when the subcontractor will process, store, or transmit FCI or CUI on its own information systems in performance of the subcontract. The first diagnostic is whether the operational trigger is met for the work in question.
The cascade has four cases. No FCI and no CUI: no obligation under section 170.23. FCI only: Level 1 (Self). CUI with a Level 2 (Self) prime: Level 2 (Self). CUI with a Level 2 (C3PAO) prime: Level 2 (C3PAO). CUI with a Level 3 (DIBCAC) prime: Level 2 (C3PAO).
The cap is Level 2 (C3PAO). The maximum requirement under the default cascade is Level 2 (C3PAO), absent specific DoD flowdown guidance under paragraph (b). The DIBCAC assessment is reserved for the prime contractor, not the supply base.
Level 3 Does Not Flow Down
Paragraph (a)(4) is the provision most often misread. It addresses the case where the subcontractor will process, store, or transmit CUI and the prime contract has a requirement for Level 3 (DIBCAC). In that case, the minimum CMMC Status for the subcontractor is Level 2 (C3PAO), not Level 3 (DIBCAC). Section 170.23 does not require Level 3 (DIBCAC) to flow down to subcontractors through the default cascade. Separate contractual, program-specific, or DoD-directed requirements must be analyzed on their own terms. In this scenario, the DIBCAC assessment is reserved for the prime contractor itself rather than being imposed across the supply base by the regulation.
The design choice is practical. Level 3 implements requirements drawn from NIST SP 800-172, the enhanced security requirements for protecting CUI in environments associated with high-value assets or critical defense programs. The implementation cost of those enhanced requirements is high. Imposing Level 3 on every CUI-handling supplier in a Level 3 program supply chain would render the program economically infeasible for most suppliers. The regulation caps the supplier requirement at Level 2 (C3PAO) regardless of how high the prime contract reaches.
Three Questions That Settle It
The analysis reduces to three sequential questions a subcontractor owner can ask. The first is whether performance of the subcontract will require the company to process, store, or transmit any FCI or CUI on company information systems. If the honest answer is no, the subcontract is outside the scope of section 170.23 and the inquiry ends. The second is whether the work involves CUI specifically, or only FCI. If only FCI, the required Status is Level 1 (Self). If CUI, the inquiry proceeds. The third is what assessment type the prime contract requires: Level 2 (Self) cascades to Level 2 (Self), Level 2 (C3PAO) cascades to Level 2 (C3PAO), and Level 3 (DIBCAC) cascades to Level 2 (C3PAO).
Many flowdown notices arrive without specifying which assessment type the prime contract carries or whether the subcontractor will receive CUI. The correct response is to ask the prime directly, in writing, for two specific pieces of information: whether the prime contract requires Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), and whether performance of the subcontract by the supplier will involve CUI or only FCI. A prime that is paying attention to its own flowdown obligation will be able to answer both questions.
The Contractual Mechanism Is the Clause
The regulation establishes the operational test for what is required, but the contractual mechanism for enforcing the requirement is the inclusion of DFARS 252.204-7021 in the subcontract. If that clause appears in a subcontract that the subcontractor's operational analysis places outside the cascade, the resolution is to ask the prime in writing whether the clause was inserted intentionally and, if not, to seek a modification through the contracting authority. The subcontractor cannot unilaterally read itself out of a clause included in a signed subcontract, even if the regulatory cascade does not require it.
A related point belongs alongside this analysis. Some primes proactively flow down requirements stricter than the regulatory cascade requires, including supplier questionnaires, attestation programs, or contractual minimums above the Level 1 (Self) or Level 2 (Self) floors. The regulation does not prohibit a prime from imposing requirements above the cascade as a matter of supplier program policy. Where this occurs, the supplier's obligation is to read the specific contract and supplier program terms rather than to rely on the regulatory cascade alone. The cascade tells the supplier what the regulation requires. The contract and the supplier program specify what the prime requires.
Ask the prime in writing. When the flowdown notice is ambiguous, the supplier is entitled to know whether the prime contract requires Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), and whether the subcontract performance will involve CUI or only FCI.
The clause is the enforcement mechanism. DFARS 252.204-7021 in a signed subcontract creates a contractual obligation that the supplier cannot read itself out of unilaterally, even when the regulatory cascade would not require it. The path to remove the clause is a modification through the contracting authority.
The cascade is the regulatory floor, not the prime's ceiling. Supplier programs that impose questionnaires, attestation requirements, or contractual minimums above the cascade are permitted by the regulation. The supplier's obligation is to read the specific contract and supplier program terms.
The Reading That Closes the Question
Section 170.23 is shorter than most discussions of it. The regulation establishes an operational test, not a contractual one. It cascades through four cases that map cleanly to the supplier's actual circumstances. Under the default cascade, it caps the supplier requirement at Level 2 (C3PAO) regardless of how high the prime contract reaches, unless specific DoD flowdown guidance or contract terms require a different analysis. A supplier that reads the regulation and answers three questions honestly can determine what is required of it without depending on the prime's clarity, the public discussion, or the marketing language used by vendors selling compliance products.
Download the Full White Paper
The full paper includes the verbatim text of 32 CFR 170.23, a paragraph-by-paragraph analysis of the umbrella provision and the four cascade cases, the diagnostic for distinguishing FCI from CUI in subcontracts, the cap on supplier requirements at Level 2 (C3PAO) and why Level 3 (DIBCAC) does not flow down, the contractual mechanism of DFARS 252.204-7021 and what to do when the clause appears in a subcontract the cascade would not require, the three-question decision framework reduced to a table, a five-question checklist for what the subcontractor should ask the prime, and complete source references with full URLs.