A defense contractor can secure every system inside its own walls and still be exposed the moment it shares Controlled Unclassified Information (CUI) with a subcontractor that is not ready to protect it. CMMC was never only about your own compliance. It is about every company that handles the same sensitive data.

That makes securing CUI a supply chain effort. Primes have to manage the risk they pass downstream. Subcontractors have to protect that data and find a realistic path to certification. When either side gets it wrong, the result is the same: spillage, failed assessments, and lost contracts.

CMMC Has Moved to Contract Requirements

CMMC is showing up in real contracts now. Some primes have already written it into their solicitations, and starting November 10, 2026, a growing share of DoD solicitations will require Level 2 certification from a C3PAO.

Travis Goldbach leads go-to-market efforts at Coalfire Federal, a CMMC Third-Party Assessment Organization (C3PAO) authorized to conduct official CMMC assessments, and has worked on the program since it began in 2020. He framed the change this way:

The conversation has shifted from ‘what is CMMC’ to ‘how do we prove we’re ready.’

— Travis Goldbach, Coalfire Federal

Some primes are moving faster than the deadline. L3Harris, for example, has told subcontractors they must be certified well ahead of November 2026. The lesson is the same in either case: readiness takes time, and waiting until a solicitation forces the issue puts an organization at a disadvantage.

The Prime Owns the Risk, But So Do You

A prime stays responsible for the CUI it shares, and a subcontractor’s failure becomes the prime’s problem. But the responsibility does not stop there. The moment a subcontractor receives CUI, protecting it becomes its job too, and waiting for the prime to manage that risk is a mistake. The subcontractors who stay ahead treat compliance as their own problem to solve, not the prime’s.

That starts with getting straight answers from the prime before accepting any data. A subcontractor should press for three things:

  • What information is CUI, and why it matters to you
  • Which contractual and security requirements apply
  • What you are expected to do before receiving and handling it

Too often, subcontractors receive CUI without a clear understanding of the obligations that come with it, and they wait for someone upstream to spell it out. The ones who ask these questions early, prepare, and get ahead of the requirement end up in a far stronger position. That raises the practical question: once you know you are responsible for protecting CUI, how do you actually do it?

Subcontractors: 

1. Protect Your CUI and Know Your Options

When a prime says “get CMMC ready,” it helps to separate two efforts: protecting the CUI you already hold, and working toward full certification. The first one can start immediately.

At a minimum, move that CUI into a DFARS 252.204-7012 compliant environment that meets the encryption, media protection, and incident reporting requirements. Commercial tools such as commercial Microsoft 365, Outlook, and Gmail do not meet these requirements, and sending CUI through them is one of the most common sources of spillage. You may not have implemented all 110 CMMC Level 2 controls yet, but a compliant environment keeps the data protected while you work through the rest. As Vince Petrecca of PreVeil noted, that is the floor every contractor should reach first.

It also helps to know you have choices. GCC High is not the only path, and a subcontractor should not be shoehorned into the largest, most expensive option simply because another company in its supply chain uses it. Victor Cish, a CMMC Certified Assessor with Radicl, encouraged subcontractors to first understand what data they actually hold, then choose the solution that fits.

With that protection in place, build toward certification:

  • Develop your System Security Plan (SSP)
  • Run a gap assessment against the 110 NIST 800-171 controls
  • Document remaining gaps in a Plan of Action and Milestones (POA&M)

Knowing what you hold and where it lives lets you select a technology and a partner that match your team and budget, rather than defaulting to the most complex option available.

2. Reduce Scope With a CUI Enclave

An organization does not need to place its entire environment in scope. A 30-person company can protect CUI within a smaller CUI enclave and reduce cost significantly, not only during initial certification but across the multi-year life of the program. Even AWS used an enclave approach for its CUI environment, scoping roughly 1,500 users rather than its entire corporate infrastructure.

This principle is central to PreVeil’s model. A lightweight secure enclave that runs alongside commercial Microsoft 365 lets organizations meet DFARS 252.204-7012 and CMMC Level 2 requirements without replacing their existing IT.

3. Documentation Has to Match Reality

One of the most common reasons organizations fail an assessment is aspirational documentation: policies pulled from a template that describe what a company should be doing rather than what it actually does. Assessors compare the live demonstration against the documentation, and a lockout threshold set to five when the policy specifies three is a failure.

Compliance also reaches well beyond the IT team. Cish described arriving on site for an assessment, being issued a visitor badge marked “escort required,” and walking the entire facility without a single employee stopping him. The point landed clearly:

This is not an executive-level requirement or an IT compliance issue. It is an entire company issue, and often a major cultural shift for companies.

— Victor Cish, RADICL

CMMC is also a continuous program. Companies that pass an early validation and then stop following their own procedures are likely to fail at recertification.

4. External Sharing Requires Traceability

Protecting CUI does not stop at your compliance boundary. It has to follow the data every time you share it externally, and standard email gives you no control once a message is sent. Victor Cish noted that he hears about spillage events, where someone sends CUI over non-compliant email, on a near-weekly basis.

PreVeil is built for exactly this. Every file and message is protected with end-to-end encryption, so CUI stays secure whether it moves up to a prime or down to a subcontractor:

  • Trusted communities let you define which external domains and addresses can receive sensitive content, so your vetted supplier list is enforced by the system instead of an acceptable use policy.
  • PreVeil Drive gives you control over every shared file: view-only access that blocks downloads, expiration dates, the ability to rescind access, and a log of every time content is opened or downloaded.
  • PreVeil Express gives third parties free, browser-based access to shared content in minutes, with no guest account, license, or setup fee.
  • Secure email with GCC High lets you exchange CUI and attachments with primes on GCC High without forcing either side onto the other’s platform.

That gives you and your assessor what you both need: external sharing that is controlled, documented, and repeatable, with a clear record of who received CUI and how it was protected.

Compliance Is a Full Ecosystem Effort

The defining theme of the session was that no organization does this alone. The right contractor, the right technology, and the right partners working together is what gets companies to certification and keeps them there. That is the principle behind Coalfire Federal’s CMMC Partner Assurance Network, of which both PreVeil and Radicl are members.

This is an ecosystem play. No one does this alone. It truly takes a village.

— Vince Petrecca, PreVeil

How PreVeil Helps With CMMC Compliance

PreVeil is trusted by more than 3,000 small and midsize defense contractors. Three things make our track record possible:

1. Technology that covers the controls. PreVeil’s end-to-end encrypted Email and Drive platform supports the majority of NIST 800-171 controls through inherited and shared controls, validated by C3PAOs.

2. Assessor-validated documentation. Our Compliance Accelerator includes a pre-filled SSP, policy documents, and POA&M templates used in over 100 assessments, with direct support from our compliance team.

3. Partners who know the process. Our Preferred Partner Network includes C3PAOs, Registered Practitioners, and MSPs with deep knowledge of the PreVeil platform.

If your organization needs to get compliant and you are not sure where to start, schedule a free compliance call with our team.