
How defense primes actually evaluate CMMC-certified subcontractors — beyond the SPRS score

Defense primes (Lockheed Martin, Raytheon, General Dynamics, Northrop Grumman, BAE, Boeing Defense) evaluate subcontractor cyber posture through a specific sequence of checks that goes well beyond the SPRS score or a CMMC certificate. This article covers what Tier-1 prime procurement and supply-chain-risk teams actually look for, the questions subs don't expect, the red flags that disqualify vendors, and what to prepare before your first prime evaluation.

A defense subcontractor’s view of CMMC usually ends at the C3PAO certificate. Certification in hand, the thinking goes, prime contracts should follow. What actually happens on a prime-contract award — the evaluation machinery sitting between you and that purchase order — is a set of due-diligence steps that begins with CMMC and extends well beyond it. This article is about what Tier-1 prime procurement, supply-chain risk (SCRM), and cybersecurity teams actually check when they evaluate a CMMC-certified sub, in the order they check it.

The context: if you’re targeting work with Lockheed Martin, Raytheon, General Dynamics, Northrop Grumman, BAE Systems, Boeing Defense, L3Harris, or the other top-twenty-by-DoD-revenue primes, you are being evaluated through a formal SCRM pipeline. If you’re targeting mid-tier primes or non-traditional defense buyers, the process is less formalized but the questions are similar. Either way, a CMMC certificate is necessary and not sufficient.

The evaluation sequence

Most prime evaluations follow a predictable sequence. Each step can disqualify; passing one doesn’t guarantee passing the next.

Step 1: SPRS score pull and interpretation

Every evaluation starts with a SPRS (Supplier Performance Risk System) pull. The score — a self-assessed or third-party-assessed number from –203 to 110 against NIST 800-171 Rev 2 — is the fastest signal of cyber maturity. Primes have thresholds.

Typical Tier-1 thresholds in 2026:

  • 95+ — Strong position. Often required for programs touching ITAR-controlled technical data or flagged critical technology areas.
  • 88–94 — Acceptable for most CUI-handling subcontracts, with some additional due diligence.
  • 70–87 — Triggers deeper review. May require accelerated POA&M closure commitments.
  • Below 70 — Usually disqualifying absent a specific exception path.

The score is not read in isolation. Evaluators also look at:

  • How the score was calculated. Third-party C3PAO-verified scores carry more weight than self-assessed ones. A Level 2 CMMC certification with 110/110 from a C3PAO is the highest signal.
  • Score stability over time. A score that jumped from 70 to 110 over six months without a corresponding certification event looks suspicious.
  • POA&M content. A 110 score with no POA&M invites the question “are they actually fully mature, or have they just reported all items closed?” A mature program usually has 2–6 minor items in active management.

Step 2: CMMC certification validation

If the subcontract requires CMMC Level 2 certification, the prime validates it against the Cyber AB marketplace (CMMC Accreditation Body). They check:

  • C3PAO firm identity and accreditation status. Not all C3PAOs are equal; prime evaluators notice which firm issued the assessment.
  • Certification date and remaining validity. CMMC Level 2 certificates are valid for three years. Certifications within six months of expiration without visible re-assessment planning are a flag.
  • Scope of certification. The certified system boundary should match the one that will handle the prime’s data. A sub certified for a narrow enclave that doesn’t cover the prime’s anticipated data flow requires scope expansion before contract award.
  • Conditional certifications and POA&Ms. Some CMMC Level 2 certifications are conditional on POA&M closure within 180 days. Primes read these carefully.

Step 3: System boundary and SSP review (scoped)

Primes don’t usually read a 400-page System Security Plan. They ask for a scoped excerpt covering the environment that will handle their specific data:

  • System description and boundary diagram showing where their data lives, who can access it, what flows in and out
  • Control implementation narratives for a curated subset of the 110 NIST 800-171 practices (typically 15–30 that matter most to the prime’s data sensitivity)
  • Network architecture overview — at the right level of abstraction to understand data handling without exposing too much implementation detail

Primes with mature SCRM functions have template SSP summary forms they hand to subs. The form is typically 20–60 pages and maps to their internal evaluation criteria. Subcontractors who have a scoped SSP excerpt ready (rather than trying to extract from the full SSP on deadline) pass this step materially faster.

Step 4: POA&M scrutiny

POA&Ms are where the actual-vs-claimed gap surfaces. Primes read the POA&M for:

  • Realistic milestone dates. A POA&M with “target closure: 2026” for an item opened in 2023 is not credible.
  • Realistic milestone content. “Implement SIEM” is not a milestone; “complete Splunk Enterprise deployment covering X, Y, Z assets and go-live with log ingestion by [specific date]” is.
  • Concentration of open items. Open items concentrated in CUI-handling controls (3.1, 3.4, 3.13) are higher-risk than open items in physical security or personnel security.
  • Items that have been open for more than 180 days. Expected for complex architectural work; concerning if they’ve been open for two-plus years.
  • Recent POA&M activity. A POA&M that hasn’t been updated in nine months signals the program has drifted.
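The Step 4 reading criteria above (and the "chronically slipping dates" red flag later in the article) as an added Python checker a subcontractor can run over its own POA&M export before a prime does; this is example code, not Fortinetics' tooling. The 180-day, two-year and nine-month thresholds come from the article; treating two superseded target dates as "slipping" and a target more than two years past the open date as "not credible" are assumptions, and the sample POA&M is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Families the article singles out as CUI-handling controls (3.1, 3.4, 3.13).
CUI_FAMILIES = {"3.1", "3.4", "3.13"}

@dataclass
class PoamItem:
    control: str                  # NIST 800-171 practice id, e.g. "3.13.11"
    opened: date
    target: date                  # current target closure date
    last_updated: date
    prior_targets: list = field(default_factory=list)  # superseded target dates

def family(control: str) -> str:
    return ".".join(control.split(".")[:2])   # "3.13.11" -> "3.13"

def review_item(item: PoamItem, today: date) -> list:
    flags = []
    age = (today - item.opened).days
    if age > 2 * 365:
        flags.append("open-2y+")        # concerning at two-plus years
    elif age > 180:
        flags.append("open-180d+")      # expected for complex architectural work
    if len(item.prior_targets) >= 2:    # assumption: two slips = chronically slipping
        flags.append("slipping")
    if (item.target - item.opened).days > 2 * 365:   # assumption: "opened 2023, target 2026"
        flags.append("target-not-credible")
    if family(item.control) in CUI_FAMILIES:
        flags.append("cui-control")     # higher risk than physical/personnel items
    return flags

def review_poam(items: list, today: date) -> dict:
    latest = max(i.last_updated for i in items)
    return {
        "items": {i.control: review_item(i, today) for i in items},
        "stale": (today - latest).days > 270,   # ~nine months without an update
        "cui_open": sum(family(i.control) in CUI_FAMILIES for i in items),
        "open": len(items),
    }

SAMPLE = [  # constructed sample POA&M, not real data
    PoamItem("3.13.11", date(2023, 6, 1), date(2026, 12, 31), date(2024, 9, 15),
             [date(2024, 6, 30), date(2025, 6, 30)]),
    PoamItem("3.1.12", date(2025, 11, 10), date(2026, 4, 30), date(2026, 2, 20)),
    PoamItem("3.10.3", date(2025, 7, 1), date(2026, 5, 1), date(2026, 1, 15),
             [date(2026, 2, 1)]),
]
TODAY = date(2026, 3, 1)   # constructed review date
```

Run `review_poam(SAMPLE, TODAY)`; the 3.13.11 item collects every flag, which is exactly the item a prime's SCRM reviewer will ask about first.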

Step 5: Supply chain risk assessment (beyond CMMC)

Tier-1 primes run SCRM programs that extend well past CMMC. These programs typically include:

Ownership and control review. Is the subcontractor owned by entities that trigger Foreign Ownership, Control, or Influence (FOCI) concerns? Recent changes in ownership? Primary investors?

Financial stability review. Are you financially healthy enough to sustain cyber investments? D&B PAYDEX score, credit report, revenue concentration risk.

Software supply chain. What components are in your software (if you deliver software)? An SBOM is requested increasingly often, especially for products that will be integrated into prime-delivered systems.

Personnel screening and insider threat posture. Background check policies, especially for personnel with access to the prime’s data. Foreign national access controls.

Critical technology exposure. If the work involves critical technology areas (hypersonics, quantum, AI/ML, microelectronics, etc.), additional export-control and technology-protection requirements apply.

Subcontractors often don’t realize that “CMMC Level 2 certified” answers maybe 40% of the questions a mature SCRM program asks. The other 60% is a separate evaluation.

Step 6: Insurance and financial protection

Primes require evidence of cyber insurance for subs handling their CUI. Typical minimum coverage:

  • Cyber liability: $5M–$25M depending on contract value and data sensitivity
  • Technology errors and omissions (E&O): $5M–$15M for software and technology deliverables
  • General liability: $1M–$5M

Critically, the prime is sometimes named as additional insured on the policy. Some primes require the insurance carrier to be rated A- or higher by AM Best. Declined or limited coverage is a material red flag — it suggests the insurer has assessed the subcontractor’s cyber posture and found it lacking.

Step 7: Audit rights and ongoing monitoring

Most Tier-1 prime subcontracts include cyber audit rights. These typically grant the prime:

  • Right to review security documentation annually
  • Right to conduct a technical assessment of the CUI enclave (usually remote, occasionally on-site)
  • Right to observe or participate in incident response exercises
  • Right to request evidence of specific control operations
  • Right to pull SPRS scores at any time and require remediation if they drop

How these audit rights are exercised varies. Some primes exercise them annually as routine; some exercise them only when triggered by an incident or a significant change. The contract should be read before signing — these are non-trivial obligations.

Questions subcontractors don’t expect

Beyond the formal evaluation sequence, prime cybersecurity teams ask questions that catch unprepared subs off-guard. The patterns we see:

“What happens to our data when the subcontract ends?” Many subs can’t answer this cleanly. The expected answer: a documented data-destruction procedure, with certification of destruction, timed to contract close-out.

“Can you segregate our data from other primes’ data?” Especially relevant if you serve multiple competing primes. The prime wants to know their CUI isn’t commingled with a competitor’s in the same enclave, SharePoint site, or database.

“Who specifically is cleared/authorized to access our data, and from what locations?” A role-based answer is the right one; a named-individual list is better when the prime is nervous. Geographic constraints (US-citizen only, CONUS-only access) matter for ITAR-adjacent programs.

“What’s your incident response timeline specifically for our data?” A generic incident response plan is necessary; a plan with specific timelines for notifying the prime is better. Many primes want notification within 24 hours of discovery, faster than the DFARS 72-hour cyber incident reporting baseline.

“If our data leaks, how will we know?” This probes detection capabilities for exfiltration, DLP configuration, and insider-threat monitoring, areas that a standard CMMC assessment might not examine deeply but primes often do.

“Do you have a data-flow diagram showing exactly where our data goes?” This is more granular than a standard system boundary diagram: it shows the actual data-flow paths for the prime’s specific data.

“What tooling do you use, and when was it last audited?” Evaluators expect specific software versions, patch levels, and vendor audit reports, more detail than CMMC typically requires.

“How does your architecture handle an advanced persistent threat scenario specifically targeting our program’s data?” These are threat-informed defense questions, not typical for CMMC assessments but increasingly common in prime reviews.

Red flags that disqualify

Certain patterns cause primes to reject otherwise-compliant subs. Know these and avoid them.

POA&M with chronically slipping dates. The single most common disqualifier. Primes have seen enough “we’ll get to it” POA&Ms to know what they look like.

Recent CISO departure without a named successor. Cybersecurity leadership continuity matters. If your CISO left three months ago and the CTO is “running it in the interim,” primes worry.

Declined or restricted cyber insurance. Insurers perform their own cyber due diligence. A decline is a signal.

SPRS score volatility. Scores that jump up and down significantly suggest either audit-gaming or operational instability. Either way, unreliable.

No point of contact for cyber. If the prime’s SCRM team can’t identify a specific person to call about cybersecurity at your company, that’s structurally concerning.

Incident history without documented response. Past incidents aren’t automatically disqualifying — undocumented or unclosed incidents are.

Unwillingness to accept audit rights. Subs that try to negotiate away audit rights in the subcontract often get deprioritized for future contracts, even if the current contract is awarded.

Subcontractors not in SAM.gov or with active exclusions. Basic, but missed more often than you’d think.

What to prepare before your first prime evaluation

If you’re a newly-CMMC-certified sub pursuing your first Tier-1 prime subcontract, here’s the package worth having ready before the evaluation request arrives:

SSP excerpt. 40–80 pages covering your CUI-handling environment: system description, boundary diagram, control implementation narratives for the highest-sensitivity practices, network architecture at the appropriate abstraction level.

Current POA&M. Filtered and formatted for external review. Items should be specific, dates realistic, and progress visible on items opened more than 90 days ago.

Incident response playbook. Specific to CUI handling. Includes prime-notification language and timeline (24-hour commitment is increasingly expected).

Data handling attestation. A short document describing how you segregate, protect, and ultimately destroy the prime’s data.

Cyber insurance COI. Current, with appropriate coverage limits and the prime named as additional insured if the contract requires it.

Named cyber point of contact. A specific person (CISO, security director, or VP of engineering) with email, phone, and backup contact.

Architecture diagram tailored to their data. Data flow diagram showing where their specific data lives, moves, and is handled — not your full enterprise architecture.

Past-performance references. Other primes or federal customers you’ve served, with contact information, scope descriptions, and any CUI-handling context.

The forward view: NIST 800-171 Rev 3 and what’s changing

NIST 800-171 Rev 3, published in 2024, is slowly replacing Rev 2 as the basis for CMMC Level 2 practices. Rev 3 reorganizes controls, tightens several requirements, and introduces “organization-defined parameters” that let organizations specify implementation details the Rev 2 baseline left implicit. DoD is gradually transitioning CMMC to Rev 3, with the full migration expected by 2028.

Tier-1 primes are starting to ask subs about Rev 3 readiness even where CMMC Level 2 is still scored against Rev 2. Getting ahead of this — understanding the 800-171 Rev 2-to-Rev 3 delta, tracking which of your controls need updating, and being able to speak to Rev 3 readiness in an evaluation — is a near-term differentiator for subs pursuing fresh Tier-1 contracts.

Where Fortinetics fits

If you’re preparing for your first Tier-1 prime evaluation and want help thinking through what the prime will actually ask — not what CMMC formally requires — we run scoping calls for this specific situation. The preparation delta between “CMMC certified” and “ready to pass a Lockheed SCRM review” is usually three-to-six weeks of focused work. Getting it right the first time is materially cheaper than losing the contract and trying to remediate for the next award cycle.

Book a 30-minute scoping call. If the situation doesn’t need a firm — and sometimes it doesn’t — we’ll say so.

Related reading: the CMMC POA&M article covers what good POA&M discipline looks like in detail, the CMMC self-assessment vs C3PAO piece explains when a third-party assessment is required vs. sufficient, and the DFARS 7012 incident-reporting article covers incident-response requirements primes increasingly ask about.