Prime Contractor Risk Check
Free · 3 Minutes · No Login Required

Is Your CMMC Supply Chain Compliance Program Audit-Ready?

Under CMMC 2.0, prime contractors have five affirmative duties to manage subcontractor compliance. 10 questions will show you exactly where your program stands — and what a defensible supply chain looks like.

10 Questions
3 min to complete
$28K+ FCA penalty per claim
🎁 Bonus: Get our 5 Pillars of a Defensible Sub Compliance Program reference sheet at the end — free to print and share with your team.
Flow-down clause gaps
Unverified SPRS scores
Lapsed sub compliance
No annual re-verification
FCA affirmation risk
Close the gaps before an auditor — or a whistleblower — finds them first.

PCC's Prime Sub Compliance Program gives you a structured, documented, defensible supply chain compliance program — branded with your name, ready to deploy to your subs in days, not months.

  • Branded self-assessment tool for subs
  • FCA-defensible evidence package
  • Annual renewal workflow included
  • Hawaii-based, Pacific-region expertise
Free Reference · Print & Post
The 5 Pillars of a Defensible Sub Compliance Program
Five pillars. Twelve documents. The structure of a program that holds up to a CO, a DCMA auditor, or an FCA whistleblower complaint — printable as a one-page reference for your compliance team.
📋 Pillar 1
Pre-Award Verification
Catch non-compliant subs before they touch your contract
  • CMMC status captured during procurement, not after award
  • Current SPRS score on file before any FCI-handling work begins
  • Written attestation collected from every sub, every contract
  • Sub vetting documented in the contract award file
📂 Pillar 2
Onboarding & Documentation
Capture initial posture and evidence on day one
  • Sub's System Security Plan collected and reviewed
  • CMMC clauses flowed down in writing per DFARS 252.204-7012
  • Sub acknowledgment of compliance obligations on file
  • All evidence stored centrally, not scattered across emails
📊 Pillar 3
Active Monitoring
Know the status of every sub at any time
  • Live compliance dashboard — not a one-time snapshot
  • Gap tracking by sub, with status and remediation owner
  • Escalation triggers defined for non-responsive subs
  • Prime point-of-contact assigned to every active sub
🔄 Pillar 4
Annual Renewal
Catch expiring self-assessments before they lapse
  • 10-month renewal trigger on every sub
  • Automated reminders sent to sub and prime POC
  • Renewal evidence collected before expiration date
  • Refusal-to-renew protocol defined and documented
🗄️ Pillar 5
Evidence Archive
Defensible records for FCA defense or DCMA audit
  • Chain-of-custody documentation on every artifact
  • Retention period defined and enforced consistently
  • Audit-ready format — not raw emails or scattered files
  • KO and DCMA-ready package can be produced on demand
The 12 Documents an Auditor Will Ask For
If you can't produce these on request, your program is not defensible. Count what you have today.
Pre-Award & Onboarding
1. FCI-Handling Sub Inventory
Complete list of every active sub touching FCI, by contract and FCI scope.
2. SPRS Score Register
Current SPRS score for every sub, with date verified and source of verification.
3. Flow-Down Clause Log
Proof that DFARS 252.204-7012 and CMMC clauses were included in every subcontract.
4. Sub Compliance Attestations
Written statement from each sub confirming awareness of CMMC obligations.
Monitoring & Renewal
5. Sub System Security Plans
SSP from every sub — the score is meaningless without the plan behind it.
6. Compliance Dashboard / Tracker
Living record showing current status of every sub against CMMC requirements.
7. Gap Remediation Log
Documented gaps, remediation steps, owner, and target close date.
8. Renewal Calendar
Forward-looking calendar of SPRS score expirations with auto-triggered renewal workflow.
Evidence & Defense
9. Communication Archive
Record of every compliance-related communication with each sub, retrievable on demand.
10. Escalation & Removal Records
Documentation of subs flagged, escalated, or removed for non-compliance.
11. Annual Program Review
Yearly written review of program effectiveness, signed by responsible executive.
12. FCA Defense File
Pre-assembled package showing good-faith program execution, ready for KO or counsel.