There’s a conversation happening too late in too many small businesses: “Wait — we need CMMC?”
It usually starts when a prime contractor sends a flowdown clause or a new solicitation lands with DFARS 252.204-7012 attached. The company makes a component, provides IT services, or handles logistics for someone who handles something for the DoD. They’ve never thought of themselves as a defense contractor. But if CUI touches their systems — or even if only FCI does — the DoD considers them part of the Defense Industrial Base.
And CMMC requirements flow down accordingly.
The Supply Chain Reality
CMMC isn’t scoped to the companies that think of themselves as defense contractors. It’s scoped to the companies that are defense contractors by virtue of what they handle and who they work for. Per the CMMC FAQ, when CMMC requirements appear in a solicitation, they apply to all companies performing under the resulting contract — including subcontractors, and regardless of nationality or country of origin.
That means a 15-person machine shop making brackets for a Tier 2 sub is in the same regulatory framework as the prime. The required CMMC level will be specified in the solicitation and applies down the chain.
What This Means Right Now
The DoD began incorporating CMMC assessment requirements into applicable procurements on November 10, 2025. The first 12 months of the implementation rollout (Phase 1 of the DoD’s phased implementation plan, per 32 CFR Part 170) focus primarily on Level 1 and Level 2 self-assessments. That means the enforcement mechanism is already live — and the window for “we didn’t know” is closing.
If your company processes, stores, or transmits CUI on contractor-owned information systems, the DoD’s current implementation intent is that solicitations include a CMMC Level 2 (Self) requirement. If you only handle FCI, Level 1 applies. Either way, you need to know where you stand.
What You Should Do
1. Determine whether you handle CUI or FCI. Review your contracts and subcontracts for DFARS 252.204-7012 (CUI) or FAR 52.204-21 (FCI). If either clause is present, CMMC applies to you.
2. Conduct an honest self-assessment. The CMMC FAQ is direct on this point: the best way to prepare is by carefully conducting a self-assessment of your contractor-owned information systems against the applicable requirements — all 110 practices of NIST SP 800-171 for Level 2, or the 17 practices derived from FAR 52.204-21 for Level 1.
3. Understand your scope before you act on it. Self-assessment isn’t just checking boxes. It requires defining your CUI boundary and categorizing assets according to the CMMC Level 2 Scoping Guide — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Getting the boundary wrong means your SSP describes the wrong environment, and every remediation dollar that follows is misallocated.
4. Address gaps before initiating any formal assessment. If your self-assessment identifies unmet requirements, take corrective action first. A POA&M may allow contract award with some requirements still in progress, but the DoD intends to specify a baseline that must be met before award — and a subset of requirements that cannot appear on a POA&M at all.
The Worst Time to Learn This
The worst time to discover you’re subject to CMMC is when a prime sends you a compliance questionnaire with a deadline, or when a solicitation you need requires a certification you haven’t started. The regulatory framework is already in effect. The phased rollout is designed to ease the transition — not to delay the expectation.
If you’re not sure whether your contracts put you in scope, or you haven’t mapped your CUI boundary yet, that’s the first thing to resolve — before scoping, before remediation, before anything else. A scoping conversation is where that clarity starts.