CMMC: What Commercial Companies and Sub-Contractors Should Know
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC 2.0) is a U.S. Department of Defense (DoD) initiative that ensures companies in the defense supply chain protect federal data. Phase 1 of the rule takes effect on November 10, 2025. While CMMC applies specifically to prime DoD contractors, the reality is that sub-contractors and commercial firms—from software developers to cloud service providers—are just as responsible for meeting CMMC requirements if they handle sensitive Federal information.
What Data Triggers CMMC?
Federal Contract Information (FCI)
- Information provided by the government that is not intended for public release.
- Examples include contract details, design specifications, schedules, and internal government communications.
- Think of FCI as the basic business information you receive when doing work for the federal government.
Controlled Unclassified Information (CUI)
- Sensitive information that requires safeguarding under laws and regulations but is not classified. Contracts and shared data that fall into this category should be clearly labeled as CUI.
- Examples include export-controlled data, defense system schematics, health records tied to a federal program, and critical infrastructure details.
- CUI is higher risk than FCI and demands stronger protections.
If your company touches either FCI or CUI—even indirectly as a sub-contractor—CMMC applies.
The Levels of CMMC
- Level 1 (Foundational): Protects FCI with 15 basic practices such as password policies, patching, and access control. Requires an annual self-assessment. The basic safeguarding requirements are listed in FAR 52.204-21: https://www.acquisition.gov/far/part-52#FAR_52_204_21. Note that CMMC Level 1 (NIST 800-171) requires 17 controls.
- Level 2 (Advanced): Protects CUI with 110 practices aligned to NIST SP 800-171. Some contracts allow self-assessments, others require a third-party certification every three years.
- Level 3 (Expert): Reserved for the most sensitive defense work, requiring government-led assessments.
Why This Matters for Sub-Contractors and Commercial Companies
- You may not contract directly with the DoD, but your prime contractor or agency will flow down requirements to you if you handle their federal data.
- Companies such as software and cloud service providers, IT service providers, and manufacturers can be disqualified from subcontracts if they cannot demonstrate compliance.
- Beyond defense, similar requirements for safeguarding CUI are spreading across the civilian federal space, meaning commercial firms that support federal programs should prepare now.
Key Dates

How Ekko Security Helps
At Ekko Security, we specialize in preparing subcontractors and commercial companies for CMMC:
- Data Scoping: Identify whether you handle FCI, CUI, or both.
- System Scoping: Map FCI and CUI data flows and identify the systems they touch.
- Gap Analysis: Assess your current environment against Level 1 or Level 2 requirements.
- Policy & Technical Controls: Implement the right mix of processes, documentation, and security controls.
- Audit Readiness: Support self-assessments and prepare evidence for third-party reviews.
- Continuous Support: Ensure ongoing compliance as requirements and contracts evolve.
Don’t Get Left Out of the Supply Chain
CMMC is not just a “prime contractor” issue. If your company’s services are part of the DoD supply chain, your eligibility for that work most likely depends on it too. By acting now, your business can stay competitive, compliant, and ready for federal opportunities.
Stay competitive in the federal supply chain. Contact Ekko Security at https://ekkosecurity.com/contact to get started.