Why Defense Subcontractors Are the Weak Link in CMMC Compliance
The Pentagon has been talking about Cybersecurity Maturity Model Certification for years now, and the final CMMC 2.0 rule (32 CFR Part 170) went into effect on December 16, 2024. Prime contractors have been preparing. The large defense industrial base players have compliance teams, dedicated IT security staff, and the budgets to match. But the real exposure sits two, three, four tiers down the supply chain, where small machine shops, specialty electronics firms, and niche engineering consultancies handle Controlled Unclassified Information (CUI) without anything close to the security infrastructure the rule demands.
This is where CMMC compliance will actually break down. And it is where adversaries already know to look.
Flow-Down Requirements Are Not Optional
DFARS 252.204-7012 has required flow-down of cybersecurity obligations to subcontractors since 2017. Every subcontractor that processes, stores, or transmits CUI must meet the same NIST SP 800-171 requirements as the prime. CMMC 2.0 formalizes the enforcement mechanism that DFARS lacked: third-party assessments for Level 2 (the 110 controls in NIST SP 800-171 Rev 2) and government-led assessments for Level 3.
The flow-down obligation is explicit. Section 170.23(b) of the final rule states that prime contractors must ensure subcontractors achieve the appropriate CMMC level before awarding subcontracts involving CUI. The keyword is "before." Not "eventually." Not "in parallel with performance." Before.
In practice, primes have historically handled this with a clause in the subcontract and maybe a self-attestation questionnaire. That approach is ending. Under CMMC 2.0's phased implementation, which begins appearing in solicitations in early-to-mid 2025, a subcontractor's failure to certify can disqualify an entire bid. The DoD's own cost estimate projected that roughly 76,000 contractors will need Level 2 certification, and a significant portion of those are sub-tier suppliers.
The Visibility Problem
Primes generally have decent visibility into their Tier 1 subcontractors. They have contracts, points of contact, and some history of security assessments. Below Tier 1, things get murky fast. A Tier 1 subcontractor may farm out a component to a Tier 2 supplier who in turn relies on a Tier 3 specialty shop. CUI can flow through all of these entities, and the prime may not even know the Tier 3 supplier exists.
The DoD Inspector General flagged this in a 2019 report (DODIG-2019-105), finding that contractors frequently could not identify all subcontractors handling CUI. A follow-up GAO report in 2022 (GAO-22-105084) found that the DoD itself lacked a reliable mechanism to verify subcontractor compliance with NIST SP 800-171. The Supplier Performance Risk System (SPRS) captures self-assessment scores, but those scores are self-reported and, as multiple audits have shown, often inflated.
The 2023 breach at a subcontractor working on the F-35 program is a useful reference point. The compromised entity was a small firm providing specialized machining services. It had access to technical data packages containing CUI and had self-attested to NIST SP 800-171 compliance. Post-incident analysis revealed it met fewer than half the controls. This pattern repeats across the defense industrial base.
AI Tools Are Compounding the Risk at Lower Tiers
Here is where it gets interesting, and where most CMMC discussions miss the emerging threat. Small subcontractors are adopting AI tools aggressively. They are using large language models for drafting proposals, generative AI for design assistance, AI-powered coding tools, and cloud-based analytics platforms. Many of these tools process data through external APIs, cloud inference endpoints, or third-party servers.
If any of that data qualifies as CUI, the subcontractor just created an unauthorized data flow to a system that almost certainly has not been assessed against NIST SP 800-171. This is a control failure across multiple families: Access Control (AC), Media Protection (MP), System and Communications Protection (SC), and potentially System and Information Integrity (SI).
Consider the specifics. NIST SP 800-171 control 3.1.3 requires organizations to control CUI flow in accordance with approved authorizations. Control 3.13.1 requires monitoring, control, and protection of communications at external boundaries. When an engineer at a Tier 3 supplier pastes CUI into ChatGPT or uploads a technical drawing to an AI-powered CAD tool with cloud processing, both controls are violated. The data has left the assessed boundary.
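As an added illustration (not code from this post), the following egress check shows how a subcontractor could enforce the two controls just cited on AI-tool traffic: marked CUI may only reach hosts inside the assessed boundary (3.1.3), and every external destination is inspected before the request leaves (3.13.1). The approved host names and the marking patterns are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical AI endpoints that sit inside the assessed NIST SP 800-171 boundary.
APPROVED_AI_HOSTS = {"ai.internal.example.mil", "assistant.govcloud.example.com"}

# Constructed heuristics for CUI markings: the CUI banner (optionally with a category,
# e.g. CUI//SP-CTI), the CONTROLLED banner, DoD distribution statements B-F, and
# export-control legends. Case-sensitive on purpose so "Controlled Unclassified" in
# ordinary proposal prose does not trip it; tune to your own marking scheme.
CUI_MARKERS = [
    re.compile(r"\bCUI\b(?://[A-Z/-]+)?"),
    re.compile(r"\bCONTROLLED\b"),
    re.compile(r"DISTRIBUTION STATEMENT [B-F]"),
    re.compile(r"EXPORT[- ]CONTROLLED|\bITAR\b"),
]

@dataclass
class Decision:
    allowed: bool
    reason: str

def find_cui_markers(text: str) -> list[str]:
    """Return every marking found in the payload, in document order per pattern."""
    return [m.group(0) for pat in CUI_MARKERS for m in pat.finditer(text)]

def check_ai_request(destination_url: str, payload: str) -> Decision:
    """Gate an outbound AI/cloud request: marked CUI may only go to approved hosts
    (3.1.3 flow control) and every external destination is inspected (3.13.1)."""
    host = urlparse(destination_url).hostname or ""
    markers = sorted(set(find_cui_markers(payload)))
    if host in APPROVED_AI_HOSTS:
        return Decision(True, f"{host} is inside the assessed boundary")
    if markers:
        return Decision(False, f"markers {markers} bound for unapproved host {host!r}")
    # Finding no marking is not proof the text is not CUI; log the event and allow
    # only if your policy accepts that residual risk.
    return Decision(True, f"no CUI markings found; {host!r} permitted for unmarked content")
```

The check is a policy gate, not a classifier: unmarked CUI still passes, which is why the marking and training obligations on the originating side matter as much as the boundary control.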
The risk is amplified because these tools are often adopted informally. No procurement process, no security review, no IT department involvement. A 30-person machine shop does not have a CISO. The owner's nephew set up the network. Someone downloaded an AI assistant because it made quoting jobs faster. This is the reality at the lower tiers.
The Enforcement Gap Is Closing
The DoD has signaled clearly that it intends to use the False Claims Act as an enforcement backstop for CMMC. The Department of Justice's Civil Cyber-Fraud Initiative, launched in October 2021, specifically targets contractors who misrepresent their cybersecurity compliance. The first major settlement came in 2022 when Aerojet Rocketdyne agreed to pay $9 million to resolve allegations that it misrepresented its compliance with DFARS cybersecurity requirements. In 2023, Penn State faced a qui tam suit alleging similar failures across multiple DoD and NASA contracts.
These cases involved large contractors. But the legal theory applies identically to a 50-person subcontractor that self-attests to NIST SP 800-171 compliance while its employees are routing CUI through uncontrolled AI platforms. The False Claims Act's treble damages provision and the availability of qui tam actions (where whistleblowers can initiate suits and share in recoveries) mean that a disgruntled employee at a small sub can trigger an investigation that unravels an entire contract chain.
For primes, this creates direct financial exposure. If a subcontractor's false attestation taints a contract, the prime faces potential liability, loss of the contract, and reputational damage that affects future bids. The incentive to actually verify sub-tier compliance, rather than just collecting paper attestations, is becoming very real.
What Practical Steps Look Like
- Map CUI flows below Tier 1. If you are a prime or upper-tier sub, you need to know where CUI actually goes, not just where your contracts say it should go. This requires active engagement with your supply chain, not just contract clauses.
- Audit AI tool usage at subcontractors. Add specific questions about AI and cloud-based tool adoption to your subcontractor security assessments. Ask about generative AI, cloud-based design tools, and any SaaS platforms that touch technical data.
- Require evidence, not attestations. SPRS scores are a starting point, but they are insufficient. Request System Security Plans, Plans of Action and Milestones, and evidence of C3PAO assessment scheduling for Level 2 subcontractors.
- Address AI governance in flow-down clauses. Your subcontracts should explicitly prohibit processing CUI through unapproved AI tools and cloud services. Make this as specific as your data handling and marking requirements.
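To make the first step concrete, here is an added example (not from this post or any vendor) of walking a supplier tree below Tier 1 and reporting the two gaps a prime most needs to see: a sub that handles CUI without the required CMMC level, and a sub that handles CUI although its upstream customer reported no CUI flow. The supplier names and the sample chain are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Supplier:
    """One node in the supply chain. cmmc_level 0 = no certification (self-attestation only)."""
    name: str
    handles_cui: bool
    cmmc_level: int = 0
    subs: list["Supplier"] = field(default_factory=list)

def find_flow_down_gaps(root: Supplier, required_level: int = 2) -> list[str]:
    """Walk every tier below the root and report:
    - a sub handling CUI below the required level (award is blocked until it certifies)
    - a sub handling CUI whose upstream customer reports no CUI flow (an undocumented
      flow that Tier 1 records alone will never surface)."""
    gaps: list[str] = []

    def walk(node: Supplier, path: list[str]) -> None:
        for sub in node.subs:
            sub_path = path + [sub.name]
            label = f"Tier {len(sub_path)} {' > '.join(sub_path)}"
            if sub.handles_cui and sub.cmmc_level < required_level:
                gaps.append(f"{label}: handles CUI at Level {sub.cmmc_level}, needs Level {required_level}")
            if sub.handles_cui and not node.handles_cui:
                gaps.append(f"{label}: CUI present but upstream {node.name} reports no CUI flow")
            walk(sub, sub_path)

    walk(root, [])
    return gaps

# Constructed sample chain with hypothetical names: a Tier 2 harness vendor that claims
# no CUI passes a technical data package to a Tier 3 machine shop with no certification.
SAMPLE_CHAIN = Supplier("PrimeCo", handles_cui=True, cmmc_level=2, subs=[
    Supplier("AvionicsInc", handles_cui=True, cmmc_level=2, subs=[
        Supplier("HarnessLtd", handles_cui=False, subs=[
            Supplier("MachineShop", handles_cui=True, cmmc_level=0),
        ]),
        Supplier("BoardHouse", handles_cui=True, cmmc_level=1),
    ]),
])

if __name__ == "__main__":
    for gap in find_flow_down_gaps(SAMPLE_CHAIN):
        print(gap)
```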
How FirmAdapt Addresses This
FirmAdapt was built for exactly this kind of problem: regulated organizations that need to use AI tools without creating compliance gaps. The platform processes data within defined security boundaries, maintains audit trails that map to specific NIST SP 800-171 control families, and enforces data handling policies that prevent CUI from flowing to unauthorized endpoints. For defense subcontractors, this means they can adopt AI capabilities without inadvertently violating the controls they need for CMMC Level 2 certification.
For primes and upper-tier contractors evaluating their supply chain risk, FirmAdapt provides a way to offer lower-tier suppliers a compliant AI toolset rather than just telling them what they cannot use. That shifts the conversation from prohibition to enablement, which tends to produce better actual compliance outcomes than contract clauses alone.