CNSA 2.0 Sub-Tier Supplier Guide: What to Do When Your Prime Has Not Told You
If you are new to CNSA 2.0 and need to understand what changed algorithmically from CNSA 1.0, start with What CNSA 2.0 Means for Defence Suppliers. This guide assumes you understand the algorithm changes and focuses on what a sub-tier supplier must do independently, particularly when the prime has not yet passed formal guidance down the chain.
That situation is more common than it should be. Prime contractors are themselves working through their own CMMC Level 2 assessment preparations. Sub-tier enablement frequently gets deprioritised. The absence of a formal notification from your prime does not suspend your obligation. The mechanism that creates that obligation is DFARS 252.204-7012, and its paragraph (m) is worth reading carefully.
A Scope Note on CNSA 2.0
One distinction is worth setting out before the operational guidance begins. CNSA 2.0 is, formally, a National Security Systems (NSS) directive. NSA's own FAQ states that CNSA 2.0 adoption in standards and vendor products is encouraged and is "not a requirement beyond NSS." For a sub-tier supplier whose work touches CUI but does not constitute an NSS, CNSA 2.0 is not a direct regulatory obligation. The direct obligation derives from DFARS 252.204-7012 and the FIPS-validated cryptography requirement in NIST SP 800-171. CNSA 2.0 parameter sets (ML-KEM-1024, ML-DSA-87) remain the appropriate forward-readiness selection for any sub-tier targeting government supply-chain procurements, because primes serving NSS-adjacent programmes are increasingly likely to specify them. The wording matters: "best-practice selection within the FIPS 140-3 PQC family" is the correct frame, not "CNSA 2.0 mandate" (NSA CNSA 2.0 Cybersecurity Advisory and FAQ, September 2022).
Where the Obligation Comes From
The DoD supply chain operates in tiers. A prime contractor holds a direct contract with a DoD contracting office. Tier 1 suppliers hold contracts with the prime. Tier 2 and lower suppliers, the sub-tiers, hold contracts with Tier 1 or lower without direct DoD relationships. Sub-tier suppliers are liable under DFARS 252.204-7012 if they operate, or use on behalf of the Government, a covered contractor information system. That means any unclassified information system that processes, stores, or transmits covered defence information (CDI) (DFARS 252.204-7012(a); DoD CUI Registry, https://www.archives.gov/cui).
CDI includes controlled technical information (CTI): technical information with military or space application subject to access controls. A sub-tier supplier receiving CAD files, firmware, design specifications, test parameters, or system schematics from its prime almost certainly handles CTI and therefore CDI. If you are uncertain, check the statement of work in your contract and the DoD CUI Registry. If the data type appears on that registry, you are in scope.
The Flowdown Clause That Makes It Self-Executing
DFARS 252.204-7012 paragraph (m) reads verbatim: "The Contractor shall: (1) Include the requirements of this clause, including this paragraph (m), in all subcontracts and other contractual instruments, including subcontracts for commercial items, with the exception of subcontracts solely for the acquisition of commercially available off-the-shelf (COTS) items." (DFARS 252.204-7012(m)(1); verify text against https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm)
The word "shall" is not discretionary. If your prime holds a covered contract, they are required to include this clause in their contracts with you. If they have not, that is the prime's contract compliance gap, not a release of your underlying obligation.
Any sub-tier that misrepresents its CMMC compliance status, whether in an SPRS score submission, a contract affirmation, or a response to a contracting officer, faces potential liability under the False Claims Act (31 U.S.C. 3729-3733). FCA liability requires a false or fraudulent claim or statement, materiality to a government payment, and knowing conduct. Simply handling CDI while non-compliant does not by itself create FCA exposure; the trigger is misrepresentation. Good-faith disclosure of a compliance gap, supported by a documented System Security Plan and Plan of Action and Milestones, is a materially different legal position from concealment of a known deficiency.
The cryptographic requirement that applies to CUI suppliers today is NIST SP 800-171 Rev 2, practice 3.13.11: employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Current CMMC Level 2 is anchored to Rev 2; Rev 3 has not yet been incorporated into CMMC Level 2 requirements (32 CFR Part 170). The compliance chain runs: DFARS 252.204-7012 to SP 800-171 Rev 2 practice 3.13.11 to FIPS 140-3 validated modules (as FIPS 140-2 retires September 2026) to NIST PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) as the available validated PQC algorithms. CNSA 2.0 parameter sets (ML-KEM-1024, ML-DSA-87) are the appropriate forward-readiness selection within that family for any sub-tier targeting government supply-chain procurements, but CNSA 2.0 itself is a National Security Systems directive and is not a direct regulatory obligation for general CUI suppliers (NIST SP 800-171 Rev 2, practice 3.13.11; NSA CNSA 2.0 Cybersecurity Advisory and FAQ, September 2022; NIST CMVP transition timeline).
CMMC Enforcement: Where the Timeline Stands
Two CMMC rules are in play and they are often confused. The 32 CFR Part 170 programme rule took effect on 16 December 2024; it established the CMMC programme structure, assessment processes, levels, and governance. The contractual phase-in is a separate instrument: the 48 CFR DFARS acquisition final rule (DFARS 252.204-7021), which became effective on 10 November 2025. The acquisition rule is the one that puts CMMC clauses into solicitations. The phase dates below count from the acquisition rule, not the programme rule.
| Phase | From | Requirement |
|---|---|---|
| Phase 1 | 10 November 2025 | CMMC Level 1 and 2 self-assessments begin appearing in new solicitations |
| Phase 2 | 10 November 2026 | CMMC Level 2 C3PAO third-party assessments required in new solicitations |
| Phase 3 | 10 November 2027 | Level 3 requirements in applicable solicitations |
| Phase 4 | 10 November 2028 | All applicable solicitations include CMMC requirements |
Sub-tier suppliers are not exempt. If a Tier 2 or Tier 3 supplier processes CUI, it falls under CMMC Level 2 requirements during Phase 2 rollout. The prime must flow down CMMC requirements to those sub-tiers as a condition of the prime's own compliance (32 CFR Part 170.21; CMMC v2.02 Programme Documentation, DoD CIO, 2024).
Primes typically require 6 to 12 months of evidence from sub-tiers before awarding contracts in a post-Phase 2 environment. C3PAO capacity is constrained, with booking lead times currently reported in the community at 3 to 6 months (verify current capacity at the DoD CMMC Marketplace before planning). A sub-tier beginning cryptographic inventory work in mid-2027 has approximately 18 months before the Phase 4 full-enforcement deadline (November 2028), when CMMC Level 2 compliance evidence will be required across all applicable contracts. The 18 months sounds comfortable. The sequence of work required within it does not leave significant slack.
Six Steps When Your Prime Has Not Briefed You
Step 1: Assume you are in scope. Do not wait for formal notification. If your organisation produces, processes, or stores defence-related technical data, you almost certainly handle CDI. The obligation does not require the prime to notify you. Treat yourself as in scope until you have documented evidence that you are not.
Step 2: Build a Cryptographic Bill of Materials (CBOM). Inventory every system, application, and interface that uses cryptography to protect CDI. This covers TLS connections carrying design files, encrypted storage volumes, VPN tunnels to the prime or other sub-tiers, code-signing pipelines, email gateways, and remote access systems. A CBOM is not optional documentation for CMMC assessment; assessors will expect to see it. The Quantum Threat Exposure Assessment provides a structured starting point for generating a preliminary cryptographic risk profile before initiating a formal CBOM exercise.
Step 3: Classify your cryptographic exposure. For each CBOM entry, identify the algorithm in use, the key length, the FIPS 140 validation level, and whether the system processes CDI. RSA and ECDH instances protecting CDI are the priority risk: they are fully vulnerable to Shor's algorithm on a cryptographically relevant quantum computer (CRQC). AES-256 instances protecting CDI at rest are not your quantum priority; they are your quantum hygiene (Shor, P.W., SIAM Journal on Computing, 1997).
Step 4: Select FIPS 140-3 validated PQC libraries. For new implementations, select ML-KEM and ML-DSA libraries from the NIST CMVP validated modules list. Commercial options include AWS-LC, BoringSSL with PQC patches, and Bouncy Castle 2.x. Open Quantum Safe liboqs provides reference implementations. Confirm FIPS 140-3 validation status before production use. Algorithm selection and module validation are not the same thing; a library can implement ML-KEM correctly without yet holding a CMVP validation certificate (NIST CMVP, https://csrc.nist.gov/projects/cryptographic-module-validation-program).
Step 5: Contact your prime and document the exchange. Proactively ask your prime for their CMMC Level 2 assessment timeline and their sub-tier CUI handling requirements. Document the date and content of all communications. This creates a contemporaneous record of good-faith effort before any potential False Claims Act exposure. Do not rely on the prime coming to you with requirements; go to them with the question.
Step 6: Engage a C3PAO early. Third-party assessment organisations listed on the CMMC Marketplace (cyber.mil/cmmc) have constrained capacity. If your contracts require Level 2 C3PAO assessment, booking in Q3 to Q4 2027 is advisable for sub-tiers targeting the Phase 4 full-enforcement deadline (November 2028). Assessment slots will become increasingly difficult to secure the longer you delay engagement.
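The triage logic of Steps 2 to 4 (inventory an entry, bucket it by quantum exposure, and track CMVP module validation separately from algorithm choice) as an added, illustrative script; it is not from the guide or any QSECDEF resource, the `CbomEntry` fields, bucket labels and the sample inventory are constructed for this example, and the algorithm lists only reflect what the guide names.

```python
from dataclasses import dataclass
from collections import Counter

# Classical public-key algorithms that a CRQC breaks via Shor's algorithm (Step 3).
SHOR_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH"}
# NIST PQC families (FIPS 203/204/205) and the CNSA 2.0 parameter sets the guide names.
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")
CNSA2_PARAMETER_SETS = {"ML-KEM-1024", "ML-DSA-87"}

@dataclass
class CbomEntry:
    system: str         # where the cryptography is used, e.g. "VPN tunnel to prime"
    algorithm: str      # "RSA", "AES", "ML-KEM-1024", ...
    key_bits: int
    cmvp: str           # "140-3", "140-2", or "" when the module holds no CMVP certificate
    protects_cdi: bool

def triage(e: CbomEntry) -> dict:
    """Return the quantum-exposure bucket and the module-validation note for one entry."""
    if not e.protects_cdi:
        return {"bucket": "out-of-scope", "module": "n/a"}
    # Validation is a property of the module, not the algorithm (Step 4 caveat).
    module = {"140-3": "ok", "140-2": "revalidate: FIPS 140-2 retires September 2026"}.get(
        e.cmvp, "no CMVP certificate: not FIPS-validated cryptography for 3.13.11")
    family = next((f for f in PQC_FAMILIES if e.algorithm.startswith(f)), None)
    if e.algorithm in SHOR_VULNERABLE:
        bucket = "priority: quantum-vulnerable asymmetric"
    elif family and e.algorithm in CNSA2_PARAMETER_SETS:
        bucket = "ready: CNSA 2.0 parameter set"
    elif family:
        bucket = "review: PQC but not a CNSA 2.0 parameter set"
    elif e.algorithm == "AES" and e.key_bits >= 256:
        bucket = "hygiene: symmetric, not a quantum priority"
    else:
        bucket = "review: classify manually"
    return {"bucket": bucket, "module": module}

def summarise(cbom: list) -> Counter:
    """Count entries per bucket so the priority backlog is visible at a glance."""
    return Counter(triage(e)["bucket"] for e in cbom)

# Constructed sample inventory (hypothetical systems, not a real supplier's CBOM).
SAMPLE_CBOM = [
    CbomEntry("TLS for design-file portal", "RSA", 2048, "140-2", True),
    CbomEntry("VPN tunnel to prime", "ECDH", 256, "140-3", True),
    CbomEntry("Encrypted CDI file share", "AES", 256, "140-3", True),
    CbomEntry("Firmware signing pipeline", "ML-DSA-87", 0, "", True),
    CbomEntry("Marketing site TLS", "RSA", 2048, "", False),
]
```

Running `triage` over each entry separates the two Shor-vulnerable CDI systems (the priority backlog) from the AES-256 hygiene item, and flags the ML-DSA-87 pipeline as algorithmically ready but still lacking the CMVP certificate that practice 3.13.11 requires.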
Three Misconceptions Worth Correcting
"The prime has not asked, so we are exempt." False. DFARS 252.204-7012(m) is self-executing. The clause's mandatory inclusion requirement means the obligation flows to sub-tiers via the contract structure, regardless of whether the prime has actively notified you. A prime's failure to include the clause creates the prime's compliance gap, not your exemption. A sub-tier that subsequently misrepresents its compliance status, in any contract affirmation, SPRS submission, or response to a contracting officer, faces potential False Claims Act exposure under 31 U.S.C. 3729-3733, subject to the statutory elements of false claim, materiality, and knowing conduct (DFARS 252.204-7012(m); 31 U.S.C. 3729).
"CNSA 1.0 is still technically valid through 2030, so we have time." The CNSA 2.0 Advisory uses a category-specific retirement table, not a single retirement date: software, firmware, and network equipment categories target CNSA 1.0 retirement by 2030; web browsers, servers, cloud services, and operating systems target 2033. NSA states that the vast majority of NSS cryptography is expected to be quantum-resistant by 31 December 2031. Practically: new procurements are increasingly likely to specify CNSA 2.0 capability now. A sub-tier delivering a product in 2026 using CNSA 1.0 cryptography may find it non-compliant at delivery for contracts that flow the CNSA 2.0 requirement down. For current CMMC Level 2, the assessment is against NIST SP 800-171 Rev 2 practice 3.13.11, which requires FIPS-validated cryptography. FIPS 140-3 is the current FIPS validation regime (FIPS 140-2 retires September 2026 for new implementations), and the available FIPS-validated PQC algorithms are FIPS 203, 204, and 205 (NSA CNSA 2.0 Cybersecurity Advisory, September 2022; NIST SP 800-171 Rev 2, practice 3.13.11; NIST CMVP transition schedule).
"We can wait for CMMC enforcement to catch up." Phase 1 of the CMMC contractual phase-in became active on 10 November 2025 with the effective date of the 48 CFR DFARS acquisition rule. Phase 2 C3PAO third-party assessment requirements become live in solicitations from November 2026. Enforcement is not approaching; it is running. Sub-tiers that delay C3PAO engagement into late 2027 may find assessment slots unavailable before the Phase 4 full-enforcement deadline (November 2028), when CMMC Level 2 compliance evidence will be required across all applicable contracts (32 CFR Part 170; 48 CFR DFARS 252.204-7021 acquisition rule).
The Work Is Not Technically Difficult at This Stage
The cryptographic standards are finalised. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) were published by NIST in August 2024. The libraries are available and maturing. What makes this hard for sub-tier suppliers is not the technical complexity of the algorithms; it is the administrative sequence. Cryptographic inventory, CBOM documentation, FIPS 140-3 module selection, CMMC gap assessment, SSP and POAM preparation, and C3PAO engagement form a chain. Each step takes longer than it appears to. The organisations that will miss the Phase 4 full-enforcement deadline (November 2028) are not those that cannot implement ML-KEM. They are those that did not start the chain in time.
QSECDEF members have access to practitioner-level CNSA 2.0 migration methodology documentation and cryptographic inventory guidance covering the full compliance stack from CBOM through CMMC assessment preparation. QSECDEF professional membership includes the implementation resources relevant to every step in the sequence above.
This guide is general information for UK and US defence-sector suppliers. It is not legal advice. Jurisdiction-specific obligations vary; consult your contracting officer or legal counsel for binding interpretation.