CMMC Level 1 & 2: Why Defense Subcontractors Need to Act Now or Risk Losing Everything
By Peter Gailey
Let’s not sugarcoat it: If you’re a defense subcontractor and you’re still “waiting to see what happens” with CMMC Level 1 and Level 2, you’re already behind. The primes aren’t waiting. The Department of Defense isn’t waiting. And if you’re not actively working toward compliance, you may be about to get left out of the supply chain for good.
I’ve been talking to folks all over the Southern U.S.—from Louisiana machine shops to Oklahoma-based aerospace suppliers—and one message keeps coming through loud and clear: “No CMMC, no contract.”
Here’s what every supplier, subcontractor, and mid-tier manufacturer needs to hear loud and clear before it’s too late.
1. CMMC Levels 1 or 2 are No Longer Optional
If your business handles Controlled Unclassified Information (CUI), and chances are you do, then you will need to meet CMMC Level 2. If you only handle Federal Contract Information (FCI) and no CUI, Level 1 applies, which remains an annual self-assessment of 15 basic safeguarding requirements. Level 2 is the 110 requirements of NIST SP 800-171, and for most CUI contracts it means a certification assessment by a C3PAO every three years, with a Level 2 self-assessment allowed only on the subset of contracts DoD designates. No more hand-waving, no more “we’ll deal with it later.”
Third-party certification is coming fast. And primes are already pressuring suppliers for hard proof:
- Do you have a scheduled assessment?
- Have you talked to a C3PAO?
- Is your SPRS score up to date, and accurate? The score comes from the NIST SP 800-171 DoD Assessment Methodology and is posted under DFARS 252.204-7019; it ranges from 110 (everything implemented) down to well below zero, and a score that overstates what you have actually implemented is a false attestation, not a paperwork error. The Department of Justice has pursued False Claims Act cases over inaccurate cybersecurity attestations, so score yourself honestly and keep the evidence behind every “implemented” answer.
You don’t want to be the subcontractor who gets dropped from the list because you didn’t take these steps seriously. Nor do you want to be the supplier in a prime’s supply chain that disqualifies them from a contract.
2. Self-Attestation Is Fading Fast
Even if your prime hasn’t come knocking yet, trust me, they’re looking closely. The era of trusting without verifying is winding down. Primes are rewriting contracts to demand:
- Real proof of compliance
- Certified assessments, not promises
- Responsibility for downstream partners (yes, that includes you, and your own suppliers)
If you’re not ready to back up your claims with documented evidence, you could be out of the running—fast.
3. Readiness = Relevance
Some primes are quietly trimming their supplier lists. One large contractor I heard about recently surveyed over 300 suppliers. Fewer than 15% had fully implemented all NIST 800-171 controls. Note: the 110 NIST SP 800-171 requirements are what CMMC Level 2 assesses, so a NIST 800-171 gap is a CMMC Level 2 gap.
You may think, “We’ve worked with them for years—they’d never drop us.” But in many cases, they don’t have a choice. If you can’t handle CUI safely, they’re forced to:
- Reassign the work to someone who can
- Spin up their own in-house capability
- Or worse, cut you out of the project entirely
4. Primes Want Answers—Not Excuses
When primes ask about your CMMC plans, you need more than a shrug or a vague roadmap. They want details:
- What date is your assessment scheduled?
- Who is your chosen C3PAO?
- What certification level are you pursuing?
- How and where will CUI be managed?
And they want those answers fast. Silence or delay signals unreadiness, unreadiness means risk, and risk gets cut.
5. Compliance Isn’t Just a Checkbox—It’s Capability Protection
This isn’t about red tape. This is about staying in business and protecting your livelihood. If you drop out because of compliance gaps, your prime loses a trusted partner—and you lose a key customer.
Some primes are even investing in tools to help you, like:
- Sanitizing drawings to limit the CUI they send you
- Setting up secure environments for their suppliers to work in
- Restricting data access by job role and device
But they’re only doing that for suppliers they know are trying. If you’re not engaged, they won’t waste their time.
6. Compliance Will Help You Win Work
The primes that are ahead of the game are already using CMMC readiness to win contracts. If they can say, “Our whole team is certified and secure,” that makes a powerful case to the DoD.
And here’s the kicker: You can use that same edge. If you’re ready, you rise to the top of the pile. If you’re not, you might not even make it to the short list.
Expect CMMC compliance to become a tiebreaker, a filter, or even a hard requirement in:
- Bid evaluations
- Teaming agreements
- Sole-source discussions
7. Your Responsibility Doesn’t Stop at Your Door
Even if you’re solid on compliance, your suppliers might not be. That’s now your problem. The DoD expects flowdown: DFARS 252.204-7012, 7020 and the CMMC clause 252.204-7021 all require you to flow the requirements to any subcontractor that will process, store or transmit FCI or CUI, at the level that applies to what you send them. That means you’re on the hook to:
- Include CMMC language in your contracts
- Require proof of compliance from your subs
- Report upstream if someone down the chain is noncompliant
If you’ve got a supplier two tiers down who doesn’t have their act together, that’s a risk you own.
Bottom Line: Get Moving or Get Cut
If your company is anywhere in the DoD supply chain—from the Tier 1 big dogs down to Tier 5 shops and specialists—you need to be CMMC-ready.
Not planning to get certified? That’s planning to lose the work.
So what do you do?
Quick Start Action Plan
- Create a focused program to address CMMC requirements, with an owner, a budget and a deadline.
- Get a NIST 800-171 gap assessment. Know where you stand, control by control, and record the score the same way an assessor would.
- Engage with a C3PAO. Get in their pipeline now; slots are filling fast, and this is a bottleneck.
- Work with an expert who is CMMC focused.
- Map your CUI exposure. Know who touches it and where it flows, then draw your assessment boundary around that. Everything inside the boundary gets assessed, so shrinking it (a separate enclave, fewer people with access) shrinks the work.
- Talk to your primes. Don’t wait for them to call you. Ask what they will need from you, and when.
- Start documenting. If it’s not written down, it doesn’t exist: a System Security Plan that describes how each requirement is met, and a Plan of Action and Milestones for anything that isn’t met yet.
Look, nobody said this would be easy. But it’s not impossible. The sooner you start, the better your odds of keeping your contracts, protecting your people, and growing your business.
And you don’t have to do it alone. My team and I are here to help guide you through it, every step of the way.
Let’s get this done—together.
Peter
--
Peter Gailey
CEO – Gailey Solutions
214.336.1286
Peter@GaileySolutions.com
Schedule a Meeting: calendly.com/gaileysolutions
#1 Selling Author on Amazon Kindle - http://amzn.to/1ho1OhQ