CMMC for Subcontractors: Flowdown Requirements, Costs, and How to Get Started

Why CMMC for Subcontractors Is Increasing

CMMC for subcontractors is becoming unavoidable as prime contractors begin enforcing flowdown requirements. When a prime flows down CMMC obligations, your requirements depend on the type of data you handle (FCI or CUI) and the assessment type listed in the solicitation. It is not automatically the same level that the prime must meet. eCFR

CMMC Flowdown Matrix for Subcontractors

Use this quick map to identify your minimum requirement:

  • You handle FCI only (no CUI): Level 1 (Self) is required.
  • You handle CUI, and the prime requires Level 2 (Self): Level 2 (Self) minimum.
  • You handle CUI, and the prime requires Level 2 (C3PAO): Level 2 (C3PAO) minimum.
  • You handle CUI, and the prime requires Level 3 (DIBCAC): Level 2 (C3PAO) minimum.

Bottom line: Flowdown requirements depend on both the type of data you handle and the prime’s solicitation. Always confirm the required level and assessment type (Self vs. C3PAO) before planning timelines or budget. eCFR 

What Each Level Expects

  • Level 1 (FCI): Annual self-assessment with annual affirmation in SPRS. No POA&Ms allowed. SPRS records a compliance result, not a numeric score. eCFR
  • Level 2 (CUI): Either a self-assessment or C3PAO certification, as specified in the solicitation, plus annual affirmation. Results are posted in SPRS/eMASS. Federal Register
  • Level 3 (Expert): DIBCAC certification every three years plus annual affirmation. This applies to a smaller portion of the defense industrial base. Federal Register

POA&Ms: When They’re Allowed (the 180-day Clock)

  • Level 1: No POA&Ms are allowed. All practices must be fully implemented to be eligible for the award. eCFR
  • Level 2: Conditional status is possible if your assessment reaches at least 80% of the maximum score and any open items are placed on a POA&M. All POA&M items must be closed within 180 days and verified through a POA&M closeout assessment; otherwise, Conditional status expires. Certain high-risk controls cannot be included on a POA&M. Federal Register

SPRS: What Primes Look For

For Level 2, your NIST SP 800-171 assessment is scored on a scale with a maximum of 110; each unmet requirement subtracts points, so the score can fall below zero. Keep a current score on file in SPRS and affirm annually. For Level 1, SPRS records your compliance result and affirmation (no numeric score). Acquisition Management, eCFR
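The scoring and POA&M rules above (maximum 110, scores that can go negative, the 80% threshold for Conditional status, the 180-day closeout clock) are easy to misjudge when planning a timeline. The following is an added worked example, not code from this page or from RainTech. It assumes the DoD NIST SP 800-171 Assessment Methodology's point weighting (1, 3 or 5 points per unmet requirement, floor of -203), which the page does not state, and it simplifies POA&M eligibility to "1-point items only"; the final rule's exact exclusion list must be applied in practice. All requirement identifiers in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constants from the CMMC final rule (110 maximum, 80% threshold, 180 days) and
# the DoD NIST SP 800-171 Assessment Methodology (-203 floor, 1/3/5 weighting).
# The weighting and floor are assumptions here; they are not stated on the page.
MAX_SCORE = 110
MIN_SCORE = -203
POAM_WINDOW_DAYS = 180


@dataclass(frozen=True)
class Finding:
    """One NIST SP 800-171 requirement assessed as NOT MET."""
    requirement: str   # identifier; sample values below are constructed
    points: int        # 1, 3 or 5 per the DoD Assessment Methodology


def compute_score(findings):
    """SPRS-style score: 110 minus the point value of every unmet requirement,
    floored at -203, so a heavily deficient system scores well below zero."""
    for f in findings:
        if f.points not in (1, 3, 5):
            raise ValueError(f"{f.requirement}: invalid point value {f.points}")
    return max(MAX_SCORE - sum(f.points for f in findings), MIN_SCORE)


def meets_conditional_threshold(score):
    """Rule wording: score divided by the 110 total must be at least 0.8 (i.e. 88).
    Integer arithmetic avoids any float-rounding surprise at exactly 88/110."""
    return score * 5 >= MAX_SCORE * 4


def poam_eligible(finding):
    """Simplifying assumption: only 1-point requirements may be deferred to a
    POA&M. The page only says certain high-risk controls are excluded; the
    final rule's actual exclusion list governs real assessments."""
    return finding.points == 1


def evaluate_level2(findings, assessment_date):
    """Classify a Level 2 assessment outcome and, when Conditional, compute the
    180-day POA&M closeout deadline from the assessment date."""
    score = compute_score(findings)
    blocking = sorted(f.requirement for f in findings if not poam_eligible(f))
    if not findings:
        status = "Final"            # everything met, no POA&M needed
    elif meets_conditional_threshold(score) and not blocking:
        status = "Conditional"      # 80%+ and every open item is POA&M-eligible
    else:
        status = "Not Met"          # below threshold or an ineligible item is open
    deadline = (assessment_date + timedelta(days=POAM_WINDOW_DAYS)
                if status == "Conditional" else None)
    return {
        "score": score,
        "status": status,
        "poam_items": [f.requirement for f in findings] if status == "Conditional" else [],
        "blocking": blocking,
        "poam_deadline": deadline,
    }


def poam_days_remaining(deadline, today):
    """Days left on the 180-day clock; negative means Conditional status expired."""
    return (deadline - today).days


# Constructed sample enclaves: requirement IDs and point values are illustrative only.
CLEAN_ENCLAVE = [Finding("REQ-A", 1), Finding("REQ-B", 1), Finding("REQ-C", 1)]
BLOCKED_ENCLAVE = CLEAN_ENCLAVE + [Finding("REQ-D", 5)]
WEAK_ENCLAVE = [Finding(f"REQ-{i}", 5) for i in range(10)]

if __name__ == "__main__":
    assessed = date(2025, 3, 1)
    for name, findings in (("clean", CLEAN_ENCLAVE),
                           ("blocked", BLOCKED_ENCLAVE),
                           ("weak", WEAK_ENCLAVE)):
        print(name, evaluate_level2(findings, assessed))
```

The "blocked" case is the one that surprises people: a score of 102 comfortably clears 88, yet a single ineligible open item still means no Conditional status. Run the script to see all three outcomes side by side, then substitute your own findings and point values from the methodology tables.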

CMMC Costs for Subcontractors (DoD’s Estimates for Small Entities)

Based on the final rule’s Regulatory Impact Analysis:

  • Level 1 (Self): Approximately $5,977 per year for assessment and affirmation.
  • Level 2 (Self): Approximately $34,277 for the three-year cycle. This includes the initial assessment and affirmation, plus two annual affirmations.
  • Level 2 (C3PAO): Approximately $101,752 for the three-year cycle. This covers the certification assessment and affirmation, plus two annual affirmations.

Note: The rule does not change FAR cost allowability or guarantee reimbursement; the standard allowability rules still apply. Federal Register

Your Readiness Roadmap

  • Confirm flowdown: Check the prime’s required level and assessment (L1 Self, L2 Self, or L2 C3PAO). eCFR
  • Scope and Gap (L2 only): Map assets, users, enclaves, and ESPs/CSPs. Compare to NIST 800-171 objectives (171A) and prepare evidence. Federal Register
  • Build policy + SSP evidence: Tailor policies and your System Security Plan to your environment; generic templates won’t pass. Federal Register
  • Post to SPRS and affirm annually: Level 2 posts a current score, Level 1 posts a compliance result, and both require an annual affirmation. eCFR
  • Use POA&Ms only when allowed (L2). If you meet the 80% minimum, place only eligible items on the POA&M and close all within 180 days via closeout assessment. Federal Register
  • Coordinate with your prime. Share a one-page summary of scope, controls, and timeline (not artifacts) so they can validate flowdown and keep the award moving.

How RainTech Helps Subs Pass on the First Ask

  • Policy and SSP Build-Out: Aligns your policies and System Security Plan to your actual systems and evidence.
  • POA&M Strategy and Execution: Helps you reach the 80 percent threshold and close all items within 180 days. Federal Register
  • SPRS Management: Keeps your score and affirmation up to date. eCFR
  • Prime-Ready Packaging: Provides a scope map, assessment type confirmation, and status summary to reduce flowdown friction.
  • People-First Approach: Clear, practical steps with no jargon and guidance through the entire assessment cycle.

How RainTech (RPO) Gets You Award-Ready Without the Headache

  • Policy and SSP build-out: NIST-aligned, environment-specific, evidence-first
  • POA&M strategy and execution: Reach the 80% threshold, select eligible items, and close within the window
  • SPRS uplift: Score calculation, documentation, and regular updates
  • Sub flow-down program: Standardize requirements and evidence exchange with your suppliers
  • Zero-pressure checkup: We’ll baseline your controls, forecast your achievable score, and map a 180-day POA&M close plan

CMMC for Subcontractors: FAQs

Do subcontractors need CMMC?

Yes, if you process, store, or transmit FCI or CUI on an information system in performance of the subcontract. Primes must flow down the applicable level and assessment type. eCFR

What level applies to subs?

It depends on the data and solicitation:

  • FCI only: Level 1 (Self)
  • CUI: at least Level 2, Self or C3PAO, depending on the prime’s contract
  • Prime requires Level 3: subs handling CUI must have Level 2 (C3PAO) at minimum. eCFR, Defense CIO

How much does CMMC cost for subs?

DoD small-entity estimates:

  • Level 1 ≈ $5,977 per year
  • Level 2 (Self) ≈ $34,277 per three-year cycle
  • Level 2 (C3PAO) ≈ $101,752 per three-year cycle

Actual costs vary by scope and preparation effort. Federal Register

What’s a “good” SPRS score?

  • Level 1: SPRS records a compliance result, not a numeric score.
  • Level 2: 110 is perfect. Scores can be reduced for unmet requirements. Keep a current, evidence-backed score. If using POA&Ms, meet the 80 percent minimum and close all items within 180 days.

Ready to get started? Click here to begin your compliance journey.