If your company does business with the Department of Defense — or works for a company that does — CMMC compliance is no longer optional. It is a contract requirement. If you are not compliant, you cannot bid, you cannot win, and you cannot keep the contracts you already have.

This guide breaks down everything DoD subcontractors need to know about CMMC: what it is, who needs it, what the levels mean, how to get certified, and how to stay compliant — without the government jargon.


Quick note: CMMC stands for Cybersecurity Maturity Model Certification — the DoD framework ensuring companies handling sensitive defense information have real cybersecurity protections in place. Official program: acq.osd.mil/cmmc.


1. What Is CMMC — And Why Does It Exist?

For years, the DoD relied on contractors to self-report cybersecurity compliance. Companies checked boxes saying they met required standards — and no one verified it. This created serious gaps that adversaries exploited across the defense supply chain.

CMMC was created to fix that. Instead of self-certification, contractors at higher risk levels must be assessed by an independent third party. The goal is to protect two types of sensitive information flowing through defense contracts. Full program details at the official CMMC website.


| Information Type | What It Means |
|---|---|
| FCI | Federal Contract Information — data provided by or generated for the government under a contract and not intended for public release. Defined under FAR 52.204-21. |
| CUI | Controlled Unclassified Information — sensitive data requiring protection under law or policy: technical drawings, export-controlled data, engineering specs. Registry maintained by the National Archives. |


Most DoD subcontractors handle CUI. If you receive technical specs, engineering drawings, or any document marked sensitive from a prime contractor, CMMC applies to you. Check the CUI Registry for the full list of categories.


2. The Three Levels of CMMC — Which One Do You Need?

CMMC 2.0 organizes requirements into three levels. See our full CMMC compliance levels breakdown for more detail.


Level 1 — Foundational

Who needs it: Companies that handle FCI but NOT CUI — administrative subcontractors, facilities services, or non-technical suppliers.


Level 1 requires 17 basic practices from FAR 52.204-21. These include antivirus software, access controls, and physical security. Level 1 allows annual self-assessment — no third-party auditor needed.


Level 2 — Advanced

Who needs it: Companies that handle CUI — the most common situation for DoD subcontractors in manufacturing, engineering, IT, and technical services.


Level 2 is where most subcontractors land. It requires 110 practices aligned to NIST SP 800-171. See how Intelecis handles Level 2 CMMC assessment services.


| | Level 1 | Level 2 |
|---|---|---|
| Controls Required | 17 | 110 |
| Assessment Type | Self-assessment | C3PAO (third-party) |
| Frequency | Annual | Every 3 years + annual affirmation |
| Framework | FAR 52.204-21 | NIST SP 800-171 |
| Handles CUI? | No | Yes |


Level 3 — Expert

Who needs it: Companies on the DoD’s most sensitive programs — advanced weapons systems, classified research. Relatively rare among typical subcontractors.


Level 3 adds controls from NIST SP 800-172 to defend against Advanced Persistent Threats. Assessments are conducted by the Defense Contract Management Agency (DCMA) directly — not a third-party assessor.


3. Does CMMC Apply to Subcontractors?

Yes — and this is where many companies get caught off guard. CMMC requirements flow down via DFARS 252.204-7012. Read our full CMMC requirements for subcontractors guide.


When a prime wins a DoD contract with CMMC requirements, those requirements pass to every subcontractor handling FCI or CUI. Prime contractors cannot vouch for their subs — they need verified compliance. If you cannot demonstrate compliance, the prime may replace you.


Real-world impact: Even if you never contract directly with the DoD, if you supply parts, services, software, or data to a prime working on a DoD program, you are part of the Defense Industrial Base and CMMC applies to you.


Not sure if CMMC applies to your contracts? Our free CMMC gap analysis will tell you exactly where you stand in under 48 hours.


4. What Happens If You Are Not CMMC Compliant?

Non-compliance is not just a paperwork problem. The consequences are real and immediate:


  • You cannot be awarded new DoD contracts or subcontracts that require CMMC.
  • You may be disqualified from renewing existing contracts at option periods.
  • Prime contractors may terminate your subcontract to protect their own compliance standing.
  • Falsely claiming compliance exposes your company to the False Claims Act — with penalties up to three times the contract value.
  • Your SPRS score is visible to contracting officers and primes, making poor scores a competitive disadvantage.


The False Claims Act risk is critical. If an executive certifies CMMC compliance and your company is not actually compliant, that individual can face personal legal liability. Review the DOJ False Claims Act overview for more context.


5. How to Get CMMC Compliant: The Step-by-Step Path

Here is the realistic path most Level 2 subcontractors follow. Start with a CMMC readiness assessment to understand exactly where you are today.


Step 1: Determine Your CMMC Level

Review your contracts for language referencing CUI, DFARS 252.204-7012, or CMMC. If you handle CUI, you need Level 2. See our CMMC compliance requirements overview.


Step 2: Conduct a Gap Analysis

A CMMC gap analysis compares your current practices against all 110 controls in NIST SP 800-171. It identifies exactly what needs to be fixed before your assessment.


Most subcontractors find they are partially compliant but have meaningful gaps — especially in incident response, media protection, and audit logging.


Step 3: Build Your System Security Plan (SSP)

The System Security Plan documents how your organization meets each of the 110 NIST 800-171 controls. It is the foundation of your CMMC assessment — every control must be described: what you do, how you do it, who is responsible, and how it is monitored.


Controls not yet implemented go into a Plan of Action and Milestones (POA&M). Use our CMMC 2.0 compliance checklist to map what needs to be documented.


Step 4: Remediate Your Gaps

Based on your gap analysis and SSP, you implement missing controls — multi-factor authentication, data encryption, log monitoring, incident response procedures. Our managed IT for CMMC compliance handles the technical heavy lifting.


Step 5: Calculate and Submit Your SPRS Score

Calculate your NIST 800-171 score and submit it to the Supplier Performance Risk System (SPRS). Scores range from -203 to 110. Read our SPRS score guide for step-by-step instructions.


Step 6: Engage a C3PAO for Your Level 2 Assessment

Engage a C3PAO accredited by the CMMC Accreditation Body (CyberAB) to conduct your formal assessment. If you pass, your CMMC certification is valid for three years, with annual affirmations required in between.


Step 7: Maintain Continuous Compliance

Getting certified is the beginning. You must maintain controls, update your SSP when systems change, and affirm compliance annually. Our managed CMMC compliance services keep you continuously audit-ready.


6. How Long Does CMMC Compliance Take?

Here are realistic timelines. For a deeper look, read our post on how long CMMC certification takes.


| Starting Point | Estimated Timeline | Key Driver |
|---|---|---|
| Strong IT foundation, minor gaps | 3 to 6 months | Documentation and process formalization |
| Partial compliance, moderate gaps | 6 to 12 months | Technical remediation and documentation |
| Starting from scratch | 12 to 18 months | Infrastructure build-out and full SSP creation |
| With an experienced MSP partner | Typically 30-50% faster | Expert guidance eliminates trial and error |


Starting early is critical. Contact Intelecis for a free readiness assessment — we will tell you exactly where you stand and give you a realistic timeline.


7. How Much Does CMMC Certification Cost?

Costs vary based on your current posture and company size. See our full breakdown in our post on how much CMMC certification costs.


| Cost Component | Typical Range |
|---|---|
| Gap Analysis | $5,000 to $25,000 |
| Remediation (technical and process) | $20,000 to $150,000+ |
| SSP and documentation development | $5,000 to $20,000 |
| C3PAO Assessment | $30,000 to $100,000+ |
| Ongoing managed compliance (annual) | $15,000 to $60,000/year |


The right framing: CMMC is the cost of staying in the market. Get a no-obligation cost estimate by scheduling a free consultation with Intelecis.


8. The Most Common CMMC Compliance Failures

These issues most often derail subcontractors. Read our full post on common CMMC compliance failures for detailed fixes.


  • No System Security Plan: Having security controls in place but nothing documented. Assessors cannot verify what is not written down.
  • Underestimating CUI scope: Many companies underestimate how much of their data qualifies as CUI — engineering drawings, contract specs, and technical reports can all qualify.
  • Treating CMMC as a one-time project: Companies that achieve certification and stop maintaining controls quickly fall out of compliance.
  • Ignoring prime flow-down requirements: Per DFARS 252.204-7012, if your prime has CMMC requirements and you touch CUI from that contract, it flows to you.
  • Waiting too long to start: CMMC assessments take time to schedule and C3PAOs have limited capacity. Starting six months before a deadline is almost always too late.
  • Inflated SPRS score: Per the False Claims Act, submitting a score that does not reflect your actual posture creates personal legal liability for company officers.


9. CMMC Compliance in Southern California

Southern California is home to one of the largest concentrations of DoD subcontractors in the country — aerospace manufacturers in El Segundo and Torrance, defense electronics firms across Orange County, and naval supply chain companies in San Diego.


| City / Region | Defense Industry Presence | Intelecis Service Page |
|---|---|---|
| Los Angeles | Aerospace, defense tech, logistics | intelecis.com/cmmc-compliance-los-angeles |
| San Diego | Naval, marine systems, cybersecurity | intelecis.com/cmmc-compliance-san-diego |
| Orange County | Defense electronics, manufacturing | intelecis.com/cmmc-compliance-orange-county |
| El Segundo | Aerospace corridor: Raytheon, Boeing, L3 | intelecis.com/cmmc-compliance-el-segundo |
| Torrance | Aerospace components, precision manufacturing | intelecis.com/cmmc-compliance-torrance |
| Riverside / San Bernardino | March ARB supply chain, logistics | intelecis.com/cmmc-compliance-riverside |
| Long Beach | Naval shipbuilding, Boeing legacy programs | intelecis.com/cmmc-compliance-long-beach |


Intelecis serves subcontractors across all of Southern California. Visit our Los Angeles, San Diego, or Orange County pages for local resources, or contact us directly for a free consultation.


10. In-House vs. Outsourced CMMC Compliance

For most subcontractors under 200 employees, our managed CMMC compliance services deliver faster results at lower total cost. Here is an honest comparison:


| In-House | Outsourced (MSP / CMMC Consultant) |
|---|---|
| Full control over the process | Faster path — experienced teams eliminate trial and error |
| Lower cost with strong internal IT staff | No need to hire and train dedicated CMMC personnel |
| Requires deep NIST 800-171 expertise on staff | Ongoing managed compliance keeps you continuously audit-ready |
| Risk of blind spots — teams may not know what they do not know | Assessors trust providers with a track record, reducing C3PAO friction |
| Best for larger companies with mature IT departments | Best option for most subcontractors under 200 employees |


11. Key CMMC Terms Reference

A plain-English glossary of the acronyms you will encounter throughout your compliance journey:


| Term | Plain-English Meaning |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification — the DoD’s cybersecurity framework. Official site: acq.osd.mil/cmmc |
| CUI | Controlled Unclassified Information — sensitive but unclassified data. Registry: archives.gov/cui |
| FCI | Federal Contract Information — data generated for the government under a contract. Defined in FAR 52.204-21. |
| NIST 800-171 | The 110-control standard Level 2 CMMC is built on. Published by NIST at csrc.nist.gov. |
| NIST 800-172 | Enhanced controls for Level 3 defending against nation-state threats. Published by NIST. |
| C3PAO | Certified Third-Party Assessment Organization — the Level 2 auditor. Accredited by CyberAB. |
| SSP | System Security Plan — how you implement each required security control. |
| POA&M | Plan of Action and Milestones — your roadmap for closing compliance gaps. |
| SPRS | Supplier Performance Risk System — where you submit your compliance score. sprs.csd.disa.mil |
| DIB | Defense Industrial Base — the full ecosystem of companies that supply the DoD. |
| CyberAB | CMMC Accreditation Body — accredits C3PAOs and individual assessors. cyberab.org |
| DFARS | Defense Federal Acquisition Regulation Supplement — governs DoD contracting. Key clause: 252.204-7012. |


Ready to Get CMMC Compliant?

Intelecis helps DoD subcontractors across Southern California achieve and maintain CMMC compliance, from gap analysis through C3PAO assessment — so you never lose a contract over cybersecurity.

Start with a Free Consultation