At this point, you probably know that defense contractors will be required to achieve CMMC compliance. But what about subcontractors? In today’s post, we explore this important topic, including what CMMC and other rules say specifically about subcontractors.
CMMC and Defense Contractors
CMMC is short for Cybersecurity Maturity Model Certification, a cybersecurity framework designed by the Department of Defense to be applied across the Defense Industrial Base, or DIB.
CMMC is divided into three levels that mandate an increasing number of cybersecurity practices.
According to Clause 252.204-7021 of the Defense Federal Acquisition Regulation Supplement (DFARS), contractors bidding for a defense contract are required to have a current (not older than 3 years) CMMC certificate at the CMMC level required by the contract in question and maintain their CMMC certification at the required level for the duration of the contract.
The bottom line is: if you want to be awarded a defense contract, you need to be certified to the CMMC level stipulated in the contract and maintain your certification while the contract is in effect.
CMMC Requirements for Subcontractors
Just as the DoD relies on contractors, contractors rely on the work of subcontractors, so it makes sense that subcontractors must observe CMMC requirements too.
DFARS Clause 252.204-7021 requires defense contractors to insert the substance of the Clause (that is, a CMMC requirement) in all subcontracts, including subcontracts for the acquisition of commercial products or commercial services (however, commercially available off-the-shelf items are excluded).
Additionally, DFARS Clause 252.204-7021 requires contractors to ensure that any subcontractor they work with has a current (again, not older than 3 years) CMMC certificate at a CMMC level appropriate for the information that will be flowed down to the subcontractor.
What You Need To Know
So, what does this all mean if you are a defense subcontractor?
The first conclusion is that you need to achieve CMMC compliance if you want to keep working within the DIB.
DFARS governs all DoD purchases of products and services, and CMMC is in the process of being codified into it. If you’re not CMMC compliant yet, you need to take action immediately.
The second implication is that you need to make it a point to check the clauses of your contracts for CMMC requirements and make sure that you are certified to the appropriate CMMC level.
Note, however, that DFARS talks about a CMMC certification level that is appropriate in relation to the information being flowed down by the prime contractor.
This means that, even if the prime contractor has a CMMC Level 3 requirement, if the information being flowed down to the subcontractor is Federal Contract Information (FCI) only, then at least in theory it will be enough for the subcontractor to have a CMMC Level 1 certification.
As you can see, while the rules are seemingly straightforward, the certification level that actually applies to a subcontractor depends on the information flowed down, so there are many potential scenarios.
If you are a contractor or subcontractor looking to understand more about CMMC compliance or CMMC requirements, contact us today. We will be glad to answer all your questions and offer the expert guidance you are looking for.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821