All defense contractors are subject to the CMMC model requirement, prime contractor, or subcontractor; the issue is based on the handling of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).  The prime contractor is responsible for ensuring their subcontractors secure Covered Defense Information (CDI). “The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause … .”

Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.