Why are your primes asking you about CMMC compliance?

What’s behind those questions? The short answer is in the 32 CFR part 170.23 Application to Subcontractors.


Does your organization create or supply products for the Department of Defense (DOD) or its prime contractors? If so, you may have noticed an uptick in contracting officers from those contractors asking about your organization’s Cybersecurity Maturity Model Certification (CMMC) progress. What’s behind those questions?

The short answer is in the 32 CFR part 170.23 Application to Subcontractors, which requires all Controlled Unclassified Information (CUI) requirements to be flowed down to all subcontractors.

What does flow-down mean?

CMMC specifies that CUI protection requirements apply to all prime contractors and subcontractors, at every tier, that will process, store or transmit CUI or Federal Contract Information (FCI). This requirement must be flowed down in each subsequent subcontractor/supplier contract.

What is the minimum requirement?

The minimum requirement is linked to the original prime contract with the DOD. If the prime accepted a contract to process, store, or transmit CUI, the prime is required to hold at least a CMMC level 2 3rd party certification. If the prime flows the contract and the CUI to a subcontractor, the subcontractor’s “minimum” requirement is a CMMC assessment at the same level as the prime, in this case a level 2 3rd party certification. If the prime removes the CUI and flows only the federal contract information to its subcontractor, then the subcontractor would only need a level 1 self-assessment. The short version: if your customer provides CUI in a contract to your organization, you must have the same level of CMMC assessment as they do.

For reference regarding CUI, you can refer to the November/December 2023 article in this cybersecurity series that defines how you can tell if you handle CUI.

When do I need to be compliant?

Where contracts flow down, compliance flows up. The prime contractor needs its entire supply chain that handles CUI to be compliant and assessed (self or 3rd party) before it can declare itself compliant. The final dates on which 3rd party assessments become mandatory are pending the release of the 48 CFR (DFARS) update. Once the DFARS is updated to align with the 32 CFR CMMC rules, the majority of primes and subcontractors will have less than three years for all to be compliant with CMMC or face losing DOD contracts. You can expect your prime/customer contracting officers to start asking when your organization will be CMMC level 2 certified once the DFARS rule is published (expected Q2 2025). Many primes started this process last year when the CMMC rule was officially released in December 2024. They realize CMMC is here and the compliance deadline is closer than many had thought. If your organization is not actively working on gaining compliance, now is the time to start.

How can we help?

If you’re having trouble navigating these conversations with your customers, or if you have questions about your requirements, please feel free to contact me. I’m always happy to help companies in the defense industrial base.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min


Smithers
https://www.smithers.com

April/May 2025