Do I Need CMMC? A Quick Checklist for Subcontractors and Suppliers

If you sell to the U.S. Department of Defense, even a few tiers down the supply chain, you may need to meet the Cybersecurity Maturity Model Certification (CMMC). The short answer is this: if you handle any government contract information on your own systems, CMMC almost certainly applies to you. The level you need depends on the type of data you handle.

This post is for subcontractors and suppliers who suspect they might be in the defense supply chain but are not sure whether CMMC is their problem to solve. Maybe a prime contractor sent you a questionnaire. Maybe you saw a new clause in a contract and want to know what it means. Maybe nobody has said anything and you just want to check.

APT Security Management is a managed security services provider based in North Charleston, South Carolina, and we help defense contractors work through exactly this question. Below is a quick checklist you can run through in a few minutes, followed by guidance on what your answers point to.

How to Use This Checklist

Answer each question with a plain yes or no. Keep a count of your yes answers as you go. None of the questions on their own give you a final answer, but together they show whether CMMC is in scope for your business and roughly which level you are looking at.

Two terms come up throughout. Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not meant for public release. Controlled Unclassified Information (CUI) is more sensitive government information that has specific handling rules, such as technical drawings or specifications. The difference between the two decides your CMMC level, so it is worth reading our post on FCI vs CUI if those terms are new to you.

The Checklist

1. Do you have a DoD prime contractor or another defense contractor as a customer?

A yes means you are part of the defense supply chain, even if you never deal with the government directly. CMMC requirements flow down from primes to the subcontractors and suppliers below them.

2. Does any contract or purchase order you hold reference FAR 52.204-21?

This clause sets the basic safeguarding rules for Federal Contract Information. If it appears in your paperwork, you are handling FCI and Level 1 is in play.

3. Does any contract reference DFARS 252.204-7012?

This clause covers the handling of Controlled Unclassified Information and points to the NIST 800-171 standard. If it appears in your paperwork, you are likely looking at Level 2.

4. Do you receive technical data from a prime, such as drawings, specifications, or engineering files?

Technical data of this kind is usually CUI. A yes here is a strong signal that you need Level 2, not Level 1.

5. Do you store, process, or transmit any government contract information on your own systems?

Email, laptops, shared drives, and cloud storage all count. If contract information touches your systems at all, CMMC applies. If a prime handles everything and you only ship a finished product with no contract data, your scope may be smaller.

6. Has a prime sent you a flow-down clause, a CMMC questionnaire, or a request about your security posture?

Primes are responsible for the security of their supply chain, so they ask. A request like this is often the first clear sign that CMMC is now your requirement to meet.

7. Do you do work that involves CUI in any form?

Software development for the DoD, machined parts built from controlled drawings, and professional services that touch sensitive program information all involve CUI. A yes points to Level 2.

8. Are you supplying only commercial off-the-shelf products with no access to any contract information?

A yes here points the other way. Commercial off-the-shelf suppliers who never receive or generate contract data are often out of scope. This is one of the few clean ways to land outside CMMC.

9. Do you handle FCI but have kept CUI out of your environment entirely?

If you can answer yes with confidence, Level 1 is likely your ceiling. Our post on when you can stop at Level 1 covers how to keep it that way.

Reading Your Results

Use your answers to place yourself.

If you answered yes to question 1 and yes to question 5, CMMC applies to your business. The only remaining question is which level.

If you answered yes to questions 2 or 6 and your contract data is limited to FCI, you are most likely a Level 1 company. Level 1 covers 15 basic safeguarding requirements and is met through annual self-attestation. It is the lighter of the two paths and the common entry point for small subcontractors.

If you answered yes to question 3, 4, or 7, you are most likely a Level 2 company. Level 2 aligns with the 110 practices in NIST SP 800-171, applies to businesses handling CUI, and depending on the contract may require either annual self-attestation or a third-party assessment by a certified C3PAO. The contracting officer's CMMC level determination specifies which track applies, so check your solicitation language. It is a heavier lift and takes longer to prepare for. Our post on Level 1 or Level 2 goes deeper on telling the two apart.

If you answered yes only to question 8 and no to almost everything else, CMMC may not apply to you. Confirm it rather than assuming, because the cost of guessing wrong is a lost contract.

If you genuinely cannot tell, that is a normal place to be. Contracts are not always clear about what data you will receive, and a contract can be silent today and send you CUI next month. The reliable way to settle it is to map what data actually moves through your environment and check it against your contract clauses. A CMMC gap assessment does exactly that. If you need to estimate your SPRS score before you begin, our free SPRS Score Calculator walks you through it.

Where Companies Guess Wrong

Two mistakes are common, and they run in opposite directions.

The first is the false positive. A company sees the word "defense" near a contract and assumes it needs full Level 2 certification, then spends money preparing for a level it does not need. A janitorial subcontractor or a basic supplies vendor that never touches contract data may need very little, or nothing at all.

The second is the false negative, and it is the more dangerous one. A company assumes CMMC is the prime's problem, or that being three tiers down the supply chain keeps it out of scope. It does not. Requirements flow all the way down, and a single emailed engineering drawing can pull CUI into an environment that thought it only handled FCI. If you are not sure which side of this line you are on, treat that uncertainty as a reason to check, not a reason to wait.

If your work spans the defense industrial base more broadly, our Defense Industrial Base page covers how CMMC fits alongside other requirements primes pass down.

What to Do Next

Start by confirming your level. Pull your active contracts, look for FAR 52.204-21 and DFARS 252.204-7012, and note what data each customer actually sends you. That alone resolves most cases.

If the contracts are unclear, or you want a documented answer before you commit time and budget, the next step is a gap assessment. It maps your data and your environment against the level you need and gives you a written picture of where you stand. You can read more on our CMMC compliance prep page.

Get a Quote for Your Environment

Tell us about your contracts and your setup, and we will scope CMMC prep to what you actually need, priced with prepaid tokens so you only pay for the work in front of you.

Get a Custom Quote