The pattern is familiar. A supplier ships parts, perhaps specialty coatings, precision-machined components, a firmware module, or an accounting package, to a company that ships the finished product to a prime defense contractor. The supplier has never bid on a federal contract. Then the prime two steps up the chain emails asking for a current SPRS score by end of month.
The reaction we usually hear is "we don't do defense work, so this can't apply to us."
The reaction we'd rather see is "why is this being asked of us now?"
The short answer
CMMC doesn't apply simply because you sit near the defense supply chain. It applies to government contractors and subcontractors who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a covered DoD contract, and who have been formally brought into scope through contract flow-down (or who are in fact handling that information in support of a covered contract).
Selling commercial parts or services to a company that builds for the Pentagon doesn’t automatically pull you in. Even if your product ends up in a Navy ship or an Air Force jet, your business isn’t subject to CMMC by association alone. What changes the picture is information, and whether your contract reflects it.
What actually triggers CMMC scope
Three things need to be true:
- You have a DoD contract or subcontract that includes the relevant DFARS clauses, primarily 252.204-7012, and increasingly 7019, 7020, and 7021.
- That contract requires you to handle FCI or CUI as part of performing the work.
- The flow-down has been formally communicated to you in writing, by the prime or higher-tier subcontractor responsible for passing requirements down the chain.
If all three are in place, your systems are in scope for the corresponding CMMC level. If any of them is missing, especially the contract clause or defined data scope, you may not be formally in scope, or the requirements may have been applied incorrectly or incompletely.
The flow-down rule
DFARS 252.204-7012 places obligations on the prime contractor that include flowing down its safeguarding requirements when a subcontract involves covered defense information. The Federal Register final rule on CMMC makes the point: certification requirements pass to subcontractors at every tier when those subcontractors handle FCI or CUI.
That means whoever is sending you the work is responsible for telling you, in writing, what kind of information you’ll be handling, including the appropriate DFARS clauses in your subcontract or PO, and doing this before the work starts.
If a prime is contacting you now, asking for a SPRS score, but never communicated any of this when the contract was signed, the primary responsibility for that gap sits with them.
What an out-of-the-blue request usually means
When a supplier who’s never been treated as a defense contractor suddenly gets asked for a SPRS score, one of two things is generally happening:
- Information was passed down without proper scoping. Drawings, specs, or contract documents ended up on your systems through routine day-to-day work, but the prime never communicated that the material was FCI or CUI. You may have been handling information that should have been treated as FCI or CUI, even if the contract never clearly defined it.
- The upstream party is pushing compliance retroactively to cover its own risk. They may be facing scrutiny from the DoD or DIBCAC and are trying to demonstrate that subcontractors are compliant, even when the contractual basis was never properly established.
Either way, your first move is to ask, in writing, where in your existing contracts these requirements are stated, and when the scope was supposed to have been communicated.
In some cases, the supplier doesn’t even hold the federal registrations needed to submit a SPRS score in the first place. That itself is a signal the request hasn’t been thought through upstream.
What to do
Start with the contract files. Search active contracts and recent solicitations for the four DFARS clauses that govern this space:
- 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
- 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021: Cybersecurity Maturity Model Certification Requirements
If any of these appear in what you've signed, you're contractually subject to the corresponding NIST SP 800-171 or CMMC obligations and should be acting on them. Under 7019 and 7020, a current NIST SP 800-171 assessment score (not more than three years old) must be posted in SPRS as a condition of contract award, so if those clauses are in your contract the score request itself is legitimate.
If none of them appear, ask the prime to point to where the obligation lives. If they can’t, you’re being asked to do something for which there’s no contractual basis. Push back through the proper channels rather than absorbing the pressure internally.
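A first pass over the contract files can be automated. The following Python script is an added example, not part of the original article: it searches extracted contract text for the four DFARS clauses listed above, tolerates the dash and spacing variants that PDF extraction and copy-paste from Word introduce, and maps what it finds to the obligation each clause carries. The file names and contract excerpts are constructed for illustration; real contracts would first need their text extracted from PDF.

```python
"""Scan extracted contract text for DFARS 252.204-7012/7019/7020/7021 citations.

Added example for the article above; file names and excerpts are constructed.
"""
import re

# Constructed sample excerpts standing in for text pulled out of real POs,
# subcontracts and solicitations. One cites 7012 and 7020, one cites nothing,
# and one uses en dashes (U+2013), as PDF extraction often produces.
SAMPLE_DOCS = {
    "PO-1041_machined_housings.txt": (
        "Purchase Order 1041. Supplier shall deliver machined housings per drawing. "
        "The following clauses are incorporated by reference: FAR 52.204-21; "
        "DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber "
        "Incident Reporting; DFARS 252.204-7020 NIST SP 800-171 DoD Assessment "
        "Requirements."
    ),
    "PO-2207_coatings_commercial.txt": (
        "Purchase Order 2207 for specialty coatings, commercial item. Terms: Net 30. "
        "No government flow-down clauses apply."
    ),
    "RFQ-88_avionics_module.txt": (
        "Request for quote. Offerors shall comply with DFARS 252.204\u20137019 and "
        "252.204\u20137021. Drawings attached are marked CUI."
    ),
}

# Titles of the four clauses the article names.
CLAUSE_TITLES = {
    "7012": "Safeguarding Covered Defense Information and Cyber Incident Reporting",
    "7019": "Notice of NIST SP 800-171 DoD Assessment Requirements",
    "7020": "NIST SP 800-171 DoD Assessment Requirements",
    "7021": "Cybersecurity Maturity Model Certification Requirements",
}

# Full citation form. Allows whitespace around the dash and accepts the ASCII
# hyphen plus the Unicode hyphen/dash range U+2010..U+2015 (en dash, em dash,
# figure dash, horizontal bar), which extraction tools frequently substitute.
FULL_FORM = re.compile(r"252\.204\s*[-\u2010-\u2015]\s*(70(?:12|19|20|21))\b")


def find_clauses(text: str) -> set[str]:
    """Return the set of 70xx clause suffixes cited in one document's text."""
    return set(FULL_FORM.findall(text))


def scan_contracts(docs: dict[str, str]) -> dict[str, set[str]]:
    """Map each document name to the DFARS cybersecurity clauses it cites."""
    return {name: find_clauses(text) for name, text in docs.items()}


def obligations(clauses: set[str]) -> list[str]:
    """Translate a set of cited clauses into the obligations described in the article."""
    out = []
    if "7012" in clauses:
        out.append("7012: implement NIST SP 800-171 safeguards for covered defense "
                   "information and report cyber incidents.")
    if clauses & {"7019", "7020"}:
        out.append("7019/7020: have a current NIST SP 800-171 assessment score posted in SPRS.")
    if "7021" in clauses:
        out.append("7021: hold the CMMC certification level stated in the contract.")
    if not out:
        out.append("None: no DFARS cybersecurity clause is cited; ask the requester "
                   "to point to the contractual basis before acting.")
    return out


if __name__ == "__main__":
    for name, found in scan_contracts(SAMPLE_DOCS).items():
        print(name)
        for suffix in sorted(found):
            print(f"  cites 252.204-{suffix}: {CLAUSE_TITLES[suffix]}")
        for line in obligations(found):
            print(f"  -> {line}")
```

Run it against a directory of text extracted from your POs and subcontracts and the output is exactly the artifact the article asks for: per document, which clauses are actually present, and for documents citing none, a prompt to push the question back upstream rather than assume the obligation exists.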
Find out where you stand
The hardest part of all this isn’t usually the technical work. It’s figuring out which conversation you’re in.
If you’ve read this far and aren’t sure where your business sits (whether you’re genuinely subject to CMMC, whether something’s been mis-scoped upstream, or whether you don’t have the contractual exposure people are assuming), that’s what the survey is for. The questions are short and grounded in your actual contracts. You walk away with something defensible to take to leadership.
If the picture is mixed, or you’re being asked to respond to compliance pressure that doesn’t quite add up, the next step is a short call with our CMMC Registered Practitioner. Fifteen minutes, no pressure, a working conversation about where you sit and what you’re being asked to prove. From there, we can talk through whether a structured gap analysis makes sense as the next move.
The suppliers who end up in the worst position aren’t the ones who don’t know the rules. They’re the ones who took compliance pressure at face value and never asked where it was coming from.

