The Cybersecurity Maturity Model Certification won’t require all subcontractors on a contract to meet the same level of requirements, depending on the type of information they will be handling. This means smaller companies won’t need to obtain the more-costly higher level CMMC certifications to be included on contracts that require the prime to meet that requirement. DoD will clarify in requests for information notices which parts of a contract will require different certification levels.
