Updated May 2026

CMMC Cost for Sub-Contractors: Flow-Down Math

DFARS 252.204-7012(m) requires primes to flow the same CUI security obligations down to every sub-contract under which covered defense information will be processed. The CMMC clause, DFARS 252.204-7021, does the same. For tier-2 and tier-3 sub-contractors this means roughly the same $50K-$150K first-year compliance bill the primes pay, on a much smaller revenue base.

The flow-down mechanic

DFARS 252.204-7012(m) requires the prime to include the clause, including paragraph (m) itself and without alteration, in every sub-contract or similar contractual instrument under which covered defense information will be processed or operationally critical support provided. The same mechanism appears in DFARS 252.204-7020 (DoD assessment rights; the sub-contractor must also have a current NIST SP 800-171 DoD Assessment score posted in SPRS before award) and 252.204-7021 (the CMMC requirement). DFARS 252.204-7019 is a solicitation provision rather than a flow-down clause: it notifies offerors of the SPRS score requirement that 7020 then enforces in the contract. Practically this means a tier-2 sub-contractor with a CUI-touching task order inherits the full obligation stack: implement NIST SP 800-171, post a SPRS score, cooperate with DoD assessments, and hold CMMC status at the level required for the information that flows to it (at least Level 2 wherever CUI is involved; a sub-contract that only handles FCI stops at Level 1). Tier-3 sub-contractors inherit the obligations from tier-2 via the same mechanism.

What flow-down does not do, by default, is fund the sub-contractor's compliance cost. The prime is contractually obligated to insert the clause; it is not contractually obligated to pay for the sub-contractor to comply. Cost-reimbursement sub-contracts give sub-contractors a path to recover compliance work as an allowable cost; firm-fixed-price sub-contracts (the most common shape for sub-contracts) do not, because the price is fixed at award and the compliance spend comes out of margin. This is the structural reason sub-contractor compliance economics are so much harder than prime economics: the same fixed cost, a smaller revenue base, and less ability to recoup.

The DFARS clause text is published at acquisition.gov. Read paragraph (m) carefully if you are negotiating a sub-contract.

Cost as a share of revenue

| Sub-contractor profile | Typical annual revenue | Year-1 CMMC Level 2 cost | Cost as % of revenue (cost ÷ revenue, from the best case of low cost on high revenue to the worst case of high cost on low revenue) |
|---|---|---|---|
| Single-person consultancy | $0.2M - $0.5M | $45K - $80K | 9% - 40% |
| 5-10 person firm | $0.8M - $2M | $50K - $100K | 2.5% - 12.5% |
| 10-25 person firm | $2M - $5M | $60K - $120K | 1.2% - 6% |
| 25-50 person firm | $5M - $10M | $80K - $150K | 0.8% - 3% |
| 50-100 person firm | $10M - $20M | $120K - $200K | 0.6% - 2% |
| 100+ person firm | $20M+ | $200K - $400K | 2% or less |

The economic problem is concentrated in the single-person and 5-10 person bands, where year-1 compliance cost can consume a double-digit share of revenue and makes participation in the CUI-touching DoD market uneconomic without external funding or aggressive shared-cost strategies. The percentages above are year-1 only; the recurring maintenance cost (see the FAQ below) keeps the burden well above zero in later years.

The four sub-contractor exit positions

Sub-contractors in the affected revenue bands are converging on four exit positions. Each has trade-offs.

Position 1: Full in-house compliance

Stand up a dedicated GCC High tenant, hire or contract a fractional security officer, run your own SIEM, retain a C3PAO. Highest cost, highest control. Typical year-1 spend $100K-$200K for sub-50-employee firms. Makes sense if DoD work is more than 40 percent of revenue and is growing.

Position 2: Shared MSP / MSSP enclave

Move CUI processing into a managed-service provider's shared GCC High enclave or AWS GovCloud landing zone. The MSP carries the assessment-ready tenant; you carry a smaller per-user fee plus your own user-level evidence. Year-1 cost $40K-$90K for sub-25-employee firms. Caveats: under the 32 CFR Part 170 final rule the MSP does not need its own CMMC certification, but the services it provides to you fall inside your assessment scope, so its controls are examined as part of your assessment and you need the MSP's evidence (and a customer responsibility matrix) to pass; any cloud service that stores or processes your CUI must meet FedRAMP Moderate or the DoD equivalency standard; and the shared-tenancy boundaries between you and the MSP's other customers must be clean.

Position 3: Inherit prime's enclave

Some primes will allow trusted sub-contractors to operate inside the prime's CMMC-assessed enclave (the prime provides identity, devices, network, monitoring; the sub-contractor's people log in as guest users). This dramatically reduces sub-contractor cost (often under $20K year-1) but creates dependency on the prime and limits the sub-contractor's ability to serve other primes. Note that the sub-contractor still carries its own CMMC obligation under 7021 and needs its own CMMC status in SPRS for its own CAGE code; operating in the prime's enclave shrinks the assessment scope to inherited controls plus the sub-contractor's own people and processes, it does not remove the assessment. Common for long-term sub-contracts; rare for one-off task orders.

Position 4: Exit CUI-touching DoD work

Restructure your work portfolio to take only non-CUI DoD work (FCI only, so Level 1 self-assessment obligations, $5K-$15K compliance budget) or exit DoD entirely for commercial markets. Hardest decision but mathematically correct for firms where DoD CUI work is less than 20 percent of revenue and the firm has viable commercial alternatives. Several thousand small sub-contractors are believed to be taking this path.

Negotiating with the prime

Compliance funding is increasingly on the table in sub-contract negotiations. Standard language patterns that work include a separately-priced compliance funding line in the bid (commonly $15K-$50K spread over contract performance period), a per-month assessment-readiness fee, an escalator on the labour rate to fund ongoing maintenance, and a multi-year contract commitment that amortises the certification cost over enough revenue to make the math work.

What does not work well: trying to bury compliance cost in overhead rates, hoping the prime will not notice. Primes are increasingly sophisticated about scrutinising sub-contractor cost structures and will challenge overhead loading. Better to surface the compliance cost transparently and negotiate it explicitly as a separable line.

For longer-term sub-contracting relationships, some primes are establishing structured Supplier Cybersecurity Assistance programmes that fund part of sub-contractor compliance through grants, shared-tooling licences, or assessor-cost reimbursement. Ask your prime whether such a programme exists; it is not always publicly advertised. The DoD has been encouraging primes to adopt these patterns through the Defense Industrial Base Cybersecurity Programme.

Sub-contractor's flow-down to tier-3

If you are a tier-2 sub-contractor and you in turn sub-contract part of the work to a tier-3 supplier, you carry the same flow-down obligation under DFARS 7012(m) (and under 7020 and 7021). You must include the clause in your tier-3 sub-contracts where CDI will be touched, and confirm that the tier-3 supplier holds the required SPRS score and CMMC status before you award. This creates an administrative burden on tier-2 sub-contractors (questionnaires, evidence collection, sub-tier compliance management) that typically costs $5K-$25K per year depending on the number of tier-3 suppliers. For small tier-2 sub-contractors, the tier-3 management burden often pushes them toward strategies that avoid sub-contracting CUI-touching work in the first place (do it in-house, even if more expensive). See the DFARS 7012 cost page for the full obligation picture.

Frequently asked questions

If I am a tier-2 sub-contractor, do I really need CMMC?
If your contract with the prime contains DFARS 252.204-7012 and you will receive or generate covered defense information, yes. Paragraph (m) of 7012 requires the prime to flow the clause down to all sub-contracts where CDI is involved. The DFARS 252.204-7021 CMMC clause similarly flows down, at the level required for the information you will handle (at least Level 2 for CUI). The only way out is to structure the work so that you never actually receive or generate CUI, which is sometimes possible but increasingly hard as primes consolidate compliance evidence across their supply chains.
How much does CMMC actually cost a small sub-contractor?
For a sub-contractor with under 25 employees taking on a single CUI-touching task order, expect $50,000 to $120,000 in first-year compliance effort plus $30,000 to $60,000 per year in maintenance. That is roughly 0.5 to 6 percent of revenue for a sub-contractor in the $2M-$10M revenue range, and far more below it. For sub-contractors where DoD work is a minority of revenue, this is the moment to decide whether to invest in compliance or exit the DoD market entirely.
Can I share CMMC infrastructure across multiple primes?
Yes, and this is one of the strongest cost-reduction levers for sub-contractors. CMMC status attaches to your organisation and its assessed scope, not to any one prime, so the same CUI enclave (M365 GCC High tenant, AWS GovCloud account, or hybrid) can serve multiple prime customers as long as the access controls cleanly separate one prime's CUI from another. A C3PAO assesses the enclave once and the resulting certification is valid for every contract whose CUI you handle inside that scope. This converts a per-prime fixed cost into a shared overhead, which is the key to making sub-contractor CMMC math work.
Should I negotiate a cost recovery clause with the prime?
Yes. CMMC compliance for sub-contractors is treated by some primes as just-do-it overhead and by others as a separable cost line that the prime will partially fund. The negotiation position depends on the prime, the size of the task order, and whether the work is unique or commoditised. For unique work where the prime needs your specific capability, you have more leverage. Standard language to push for: a one-time compliance funding line in the contract (typically $10K-$50K), a per-month assessment-cost recovery (typically $500-$2K), and a price escalator on the labour rate to fund ongoing maintenance.
What if I cannot get a CMMC certification in time?
The 32 CFR Part 170 final rule allows Plan of Action and Milestones (POA&M) treatment for certain requirements, not all. Broadly, only one-point requirements under the NIST SP 800-171 DoD Assessment Methodology can be left open, with a handful of named exceptions, and the assessment must still score at least 80 percent (88 of 110). A sub-contractor that has substantively implemented NIST SP 800-171 but has minor gaps receives a conditional certification and has 180 days to close the POA&M out; if it is not closed out and verified in that window, the conditional status lapses. If you cannot meet the certification timeline at all, you are not eligible for the award; the prime will go to another sub-contractor. This is one of the largest sources of consolidation pressure in the lower-tier DIB.
Are there government grants or subsidies for sub-contractor CMMC compliance?
Limited. The DoD has piloted a Cybersecurity-as-a-Service programme for small businesses through specific MEP (Manufacturing Extension Partnership) Centres, but coverage is patchy and not all sub-contractors qualify. The Small Business Innovation Research (SBIR) programme does not directly fund CMMC compliance but does fund security R&D that can offset some tooling spend. Check with your state's Procurement Technical Assistance Centre (PTAC, now operating as an APEX Accelerator) for current programmes; they vary by state and year.

Updated 2026-05-11