Skip to content
LexBuild

32 CFR § 170.23 - Application to subcontractors. 

---
identifier: "/us/cfr/t32/s170.23"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "32 CFR § 170.23 - Application to subcontractors."
title_number: 32
title_name: "National Defense"
section_number: "170.23"
section_name: "Application to subcontractors."
chapter_name: "OFFICE OF THE SECRETARY OF DEFENSE"
subchapter_number: "G"
subchapter_name: "DEFENSE CONTRACTING"
part_number: "170"
part_name: "CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198."
regulatory_source: "89 FR 83214, Oct. 15, 2024, unless otherwise noted."
cfr_part: "170"
---

# 170.23 Application to subcontractors.

(a) CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC level and assessment type for each subcontract as follows:

(1) If a subcontractor will only process, store, or transmit FCI (and not CUI) in performance of the subcontract, then a CMMC Status of Level 1 (Self) is required for the subcontractor.

(2) If a subcontractor will process, store, or transmit CUI in performance of the subcontract, then a CMMC Status of Level 2 (Self) is the minimum requirement for the subcontractor.

(3) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.

(4) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.

(b) As with any solicitation or contract, the DoD may provide specific guidance pertaining to flow-down.