PlainAudit

CMMC for Subcontractors: Why Being Small Doesn't Exempt You From Level 2

The prime contractor sends a one-line email: “Confirm your CMMC Level 2 status before our August award.” You have 35 employees at a small defense company, three CNC machines, and a SharePoint folder with drawings your prime calls “sensitive.” That email is how most small defense subcontractors discover that CMMC for subcontractors is not optional — and that “we’re small” is not a recognized exemption. This post walks the actual rules, the flow-down mechanism, and the three decisions a small sub has to make in the next 90 days.

Quick orientation

If the only government data your shop touches is FCI (information you generated for the contract, not provided by the government), Level 1 applies — 17 controls, self-assessment, no C3PAO. If you handle CUI, Level 2 applies regardless of headcount or revenue. The distinction is what the data is, not how big you are.

Why “Small Subcontractor” Is Not an Exemption

The DoD’s flow-down mechanism is contractual, not statutory. Two clauses do the work:

  • DFARS 252.204-7012: requires NIST SP 800-171 implementation and 72-hour incident reporting whenever a contract involves Covered Defense Information (which includes CUI). It flows down to every tier of the supply chain that receives or generates that data — not just the prime.
  • DFARS 252.204-7021: the CMMC clause itself. As of Phase 2 (November 2026), it requires the appropriate CMMC level at time of contract award. Primes are responsible for verifying subcontractor compliance before flowing CUI down to them.

The practical consequence: if your prime hands you a drawing marked “CUI” or a technical data package containing controlled technical information, you inherit the same Level 2 obligations as the prime — DFARS 252.204-7012 doesn’t scale obligations by company size. A 25-person machine shop with one DoD subcontract handling export-controlled drawings has the same 110 controls to implement as a 5,000-person prime.

The myth that survives longest in the small-sub world is “we’re too small to be in scope.” The real test is what data you hold, not how many employees you have. If you’re unsure whether what you handle is CUI or FCI, that decision deserves its own structured walkthrough — the difference between CUI and FCI drives whether 17 controls or 110 apply.

Step 1: Confirm Your Actual Data Type With Your Prime

Before spending a dollar on remediation, get a written answer from your prime contractor about three questions:

  1. What data are we receiving or generating that is marked or treated as CUI? If the prime can’t name specific data categories (e.g., Controlled Technical Information, Export Controlled, Critical Infrastructure Security Information), they may not have classified it correctly themselves.
  2. Does our subcontract include DFARS 252.204-7012, 7021, or both? The clauses should appear in your subcontract by reference. If they don’t, but the prime expects CMMC compliance, you need that resolved in writing — the contractual obligation must exist before assessment scoping makes sense.
  3. What CMMC level is required, and by what date? Level 1 self-assessment, Level 2 self-assessment, or Level 2 with C3PAO certification are three different timelines and three different cost structures.

Get these answers in writing. Primes occasionally over-classify data to push their compliance burden downstream — this is a known failure mode in the supply chain. A written confirmation protects you both from over-spending on unnecessary controls and from under-spending on a real CUI obligation.

Step 2: Choose Your Scope Strategy — Enterprise vs. Enclave

Of every decision a small subcontractor makes during CMMC preparation, scope strategy has the largest cost impact. There are two paths:

  • Enterprise scope: apply the 110 controls across your entire IT environment. Simpler conceptually, but every workstation, every server, every cloud service is in scope. For a 35-person shop with mixed work, this is usually the most expensive path.
  • Enclave scope: isolate CUI to a defined boundary — a separate network segment, a dedicated workstation set, or a cloud enclave such as Microsoft GCC High. Only the enclave is assessed. The rest of your environment doesn’t need to meet all 110 controls.

For most small subs handling a single DoD program, the enclave strategy is the cost-rational choice. NIST and the DoD CIO recognize enclaves explicitly — the CMMC Scoping Guide Level 2 defines five asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets) and an enclave keeps most of your environment in the “Out-of-Scope” category.

The trade-off: an enclave is only valid if the boundary is actually enforced. A shared printer that bridges the enclave and the main network breaks the scope. A VPN connection that allows enclave users to access outside resources breaks the scope. Assessors test boundaries during the assessment week, not just on the network diagram.

Step 3: Plan for Documentation Before You Buy Technology

The most common pattern in small-sub CMMC failures: the IT team buys security tools, configures them, and discovers six months later that they need 30+ policy documents to support the controls those tools enforce. NIST SP 800-171 Rev 2 doesn’t just require technical controls — it requires documented policies and procedures that describe how each control operates, who’s responsible, and how it’s verified.

Document categories you’ll need before the assessment:

  • System Security Plan (SSP) — the master document, typically 60–150 pages for a small sub
  • One policy per control family at minimum (14 families = 14 baseline policies)
  • Configuration baselines for each system in scope
  • Incident response plan, with documented test results
  • Network diagram and CUI data flow diagram, current and accurate
  • Asset inventory covering hardware, software, and cloud services
  • Training records for security-awareness and role-based training

Documentation gaps are nearly universal in pre-assessment work — even at organizations with strong technical implementations. Planning the documentation effort alongside the technical work avoids the late-stage scramble that derails small-sub timelines.

The Cost Reality for a 25–125 Person Defense Sub

Published cost figures for CMMC compliance range from $138,000 to $285,000 for the first cycle, with C3PAO assessment fees of $30,000–$55,000 on top. For a small sub, the per-employee cost is much higher than for large enterprises: industry data points to roughly $4,600/employee for small businesses vs. $850/employee for large enterprises — small subs absorb the same fixed costs across a much smaller headcount. Detailed cost ranges by scope and starting maturity are covered in our breakdown of CMMC compliance costs for small businesses.

The cost-reduction levers that actually work for a small sub:

  1. Enclave scope: typically halves total cost compared to enterprise scope
  2. Leveraging an existing framework: organizations with SOC 2 or ISO 27001 can shorten preparation by 4–6 months due to control overlap
  3. Cloud enclave (GCC High or equivalent): shifts some control implementation to the platform, reducing what your IT team has to build internally
  4. Self-assessment vs. C3PAO: if your subcontract permits self-assessment (currently allowed for non-prioritized acquisitions in Phase 1), the $30K–$55K assessment fee is avoided — but the affirmation is still personally accountable, with False Claims Act consequences for misstatement

CMMC for Subcontractors: What a Small Defense Company Should Do This Quarter

Three actions that compress the small-sub CMMC timeline:

  1. Confirm data classification with your prime in writing. Get specific CUI categories named. This is the cheapest gate — an hour-long meeting can save six months of unnecessary preparation if it turns out you’re Level 1 only.
  2. Run a self-assessment against the 110 NIST 800-171 controls. A structured readiness assessment maps your current state to the SPRS scoring model and identifies which gaps cost you the most points. Our CMMC readiness quiz walks the 14 control domains and produces an estimated SPRS score in about 15 minutes.
  3. Decide on scope strategy before buying tools. Enclave vs. enterprise drives every subsequent decision. Most small subs default to enterprise scope because it’s simpler to explain — and then pay 2× the necessary cost.

Phase 2 (November 2026) is the inflection point: third-party C3PAO certification becomes mandatory for most Level 2 contracts. Subs who haven’t started by mid-2026 will miss award windows for contracts that re-compete in late 2026 or 2027. Twelve to eighteen months is the realistic preparation window for a small sub starting from baseline IT practices — not from zero.

What this post is not

This article is preparation guidance based on the published DoD CMMC framework, DFARS clauses, and NIST SP 800-171 Rev 2. Specific contract obligations vary, and final CMMC determinations are made by C3PAOs — not by readiness tools or blog posts. Engage a CyberAB-authorized C3PAO for a binding assessment.