If you’ve recently seen CMMC compliance language show up in a contract amendment or flow-down clause from a prime in Connecticut’s aerospace and defense manufacturing base, you are not alone, and you are not late. But you do need to understand what’s actually being asked of you, because the answer is rarely as simple as “get certified.”
Why CMMC shows up as a flow-down requirement
CMMC compliance obligations don’t stop at the prime contractor. If a prime shares Controlled Unclassified Information (CUI) with you as part of a subcontract, that prime is required to flow the corresponding CMMC requirement down to you, regardless of your company’s size. This is one of the most common points of confusion for smaller Connecticut manufacturers: your required CMMC level is determined by what information you handle, not by how large your company is or what level your prime holds.
As of November 10, 2025, CMMC compliance requirements began appearing in new DoD solicitations, starting with Level 1 and Level 2 self-assessments. Starting November 10, 2026, Phase 2 introduces mandatory third-party certification (through a C3PAO) for most Level 2 contracts involving CUI. If your flow-down clause references Level 2, self-assessment will no longer be sufficient once your contract renews or a new option period begins after that date.
The question to ask first: do you actually handle CUI?
Before anything else, this is worth pinning down precisely, because it changes everything downstream. If your systems only handle Federal Contract Information (FCI), basic administrative or logistical data, you’re likely looking at Level 1, a lighter set of 15 foundational practices. If you handle CUI, technical drawings, specifications, engineering data tied to a defense program, you’re almost certainly looking at Level 2, which requires alignment with all 110 practices in NIST SP 800-171 Rev. 2 across 14 control families.
Many Connecticut manufacturers assume they’re out of scope because they see themselves as a small, specialized shop rather than a “defense contractor.” That assumption is exactly what’s driving the readiness gaps DoD officials have flagged across the industrial base. If your prime is sending you drawings or specs to machine to tolerance, that’s frequently CUI.
What Level 2 compliance actually involves
Level 2 certification means demonstrating, with documented evidence, that your environment meets requirements spanning access control, multifactor authentication, encryption, audit logging, incident response, and configuration management, among others. It also means maintaining a current System Security Plan describing your environment and a Plan of Action and Milestones for any remaining gaps.
Realistically, most organizations need 6 to 12 months to move from a standing start to assessment-ready, and with fewer than 100 authorized C3PAO assessors serving roughly 80,000 organizations that will need Level 2 certification nationally, assessment scheduling is becoming its own bottleneck. Waiting until your renewal date is close is the single most common way manufacturers end up scrambling.
Where ADNET fits, and where we don’t
To be direct about the division of labor: ADNET does not perform your formal CMMC gap assessment, build your SSP, or conduct your certification assessment. That work belongs to our compliance partner, Cyber74, and certification itself can only be issued by an accredited C3PAO.
What ADNET does is operate the New Charter Trust Enclave, a secured, segmented environment engineered to support the technical controls Level 2 requires, and deliver the managed IT and security services, help desk support, patching, access management, security monitoring, that keep your environment compliant on the 364 days a year you’re not being assessed. Cyber74 gets you to a certification-ready state. ADNET is what keeps you there through your next reassessment, when the assessor is looking at whether your controls held up in practice, not just on paper.
For a first-time subcontractor, that combination matters more than it might seem. A gap assessment tells you where you stand today. It doesn’t run your patch management or staff your help desk next year.
If you’re reading this because of a flow-down clause
Start by confirming, in writing if possible, exactly what CMMC level your prime is requiring and what information triggers it. Then get a realistic read on your current environment against NIST SP 800-171 Rev. 2 before your renewal date, not after a solicitation makes it urgent.
Talk to a CMMC Expert
If a flow-down clause has put CMMC on your radar for the first time, talk to a CMMC expert at ADNET. We’ll help you understand what your specific contract actually requires, connect you with Cyber74 for formal readiness work if you need it, and lay out what an ongoing compliant environment looks like for a manufacturer your size.