CMMC Level 2 Subcontractor Requirements: 6 Gaps That Lose Awards
Key takeaways
CMMC Level 2 applies to subcontractors that receive Controlled Unclassified Information on DoD contracts.
Level 2 maps to the 110 security controls in NIST SP 800-171.
Subcontractors must post a self-assessment score to SPRS before contract award.
A System Security Plan is the first document an assessor reviews.
Most flow-down failures trace to scoping, encryption, and incident reporting gaps.
A prime just sent you a subcontract with a CMMC clause, and the clock started the moment you signed. Your team builds a real product, but no one on it has mapped your environment to a federal security standard. The gap between where you are and what the flow-down expects is usually smaller than it looks, once you know which pieces the assessment actually checks.
What CMMC Level 2 subcontractor requirements actually cover
CMMC Level 2 subcontractor requirements come from a single source: NIST Special Publication 800-171, the 110-control standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems. When a prime holds a DoD contract that involves CUI, it must flow the same protection expectations down to any subcontractor that stores, processes, or transmits that information. Level 2 is the tier that maps to those 110 controls and their 320 assessment objectives. Subcontractors that only handle Federal Contract Information (FCI), not CUI, fall under Level 1, a much shorter set of 15 practices. Knowing which tier applies is the first requirement, and the first place awards are lost.
Gap 1: Treating a CUI contract like an FCI contract
The fastest way to miss a flow-down deadline is to assume Level 1 when the contract calls for Level 2. FCI is information that is not intended for public release but is not otherwise sensitive. CUI is a defined category with government marking rules, and any contract that touches technical drawings, controlled research, or export-controlled data almost certainly involves it. Read the contract for the DFARS 252.204-7012 clause and any CUI marking guidance, and ask the prime directly what data you will receive. If CUI is in scope, Level 1 will not satisfy the requirement, no matter how clean your Level 1 posture looks.
Gap 2: No System Security Plan on file
The System Security Plan (SSP) describes your environment, your system boundary, and how you meet each of the 110 controls. It is the document an assessor opens first, because it defines what will be assessed. Many subcontractors have strong security habits but have never written them down in this format, which reads to an assessor as an unmet requirement. Start the SSP early, describe the actual environment rather than an idealized one, and keep it current as systems change. A plan that matches reality is worth more than a polished one that does not.
Gap 3: A missing or stale SPRS score
Before award, a subcontractor handling CUI is expected to complete a NIST 800-171 self-assessment and post the resulting score to the Supplier Performance Risk System (SPRS). The score runs from a maximum of 110 downward, with defined point deductions for each unmet control. A missing score is a common reason a prime cannot move a sub to award, because the prime needs evidence the sub has assessed itself. Calculate the score honestly using the DoD scoring methodology, post it, and pair it with a Plan of Action and Milestones for anything not yet met.
Gap 4: Access control and MFA holes
Identification and authentication controls are among the most frequently failed in 800-171 self-assessments. The standard expects multifactor authentication for network and local access to systems that handle CUI, unique accounts for every user, and prompt removal of access when someone leaves. Shared logins, service accounts with standing privileges, and MFA that covers email but not the CUI environment are the usual gaps. Map every path into the CUI boundary and confirm that each one enforces MFA and least privilege before an assessor does it for you.
Gap 5: CUI stored in tools without FIPS-validated encryption
NIST 800-171 requires cryptography that uses FIPS-validated modules when protecting CUI, both in transit and at rest. This is where consumer and standard commercial cloud tools create a quiet gap. A commercial Microsoft 365 or general SaaS tenant may not provide the FIPS-validated configuration that CUI handling requires, which is why many defense subcontractors move CUI workloads to a government community cloud environment. Inventory where CUI will actually live, confirm the encryption backing each location, and close the gap before you store the first controlled file.
Gap 6: No 72-hour incident reporting path
DFARS 252.204-7012 requires a contractor to report a cyber incident affecting CUI to the DoD within 72 hours of discovery. Reporting also requires a medium assurance certificate to submit through the DoD portal, which takes time to obtain. Subcontractors often have no defined process for detecting, escalating, and reporting an incident inside that window, and no certificate ready when they need it. Write the reporting procedure now, assign the roles, and request the certificate early so the 72-hour clock is a process you have rehearsed rather than one you discover mid-incident.
Frequently asked questions
Do all subcontractors need CMMC Level 2?
No. CMMC Level 2 subcontractor requirements apply only to subs that receive Controlled Unclassified Information; subcontractors handling only Federal Contract Information fall under Level 1.
How long does it take to meet CMMC Level 2 requirements?
Timelines vary with your starting point, but closing the 110 controls, writing an SSP, and posting an SPRS score commonly takes several months. Starting at the certification date and working backward keeps the plan realistic.
Can a prime pull a subcontract if the sub is not compliant?
Yes. If a sub cannot show it meets the flow-down requirements, the prime often cannot include that sub in the award, so the compliance gap becomes a business gap.
A Compliance Snapshot will surface the gap in two weeks, with a clean roadmap and no commitment beyond the assessment. Leave a comment below or reach out at hello@tailoredcompliancesolutions.com to talk through where you are.