Does anyone know what the responsibility of a DIB contractor (who receives CUI from a prime) is for their own sub-contractors/vendors for NIST 800-171 / CMMC L2 requirements? Do we ourselves need to have them self attest to all 110 requirements? How far down the supply chain does CMMC go? And do sub-contractors only need to self-attest to NIST 800-171 or will they need L2 certification?

This issue is becoming convoluted when we have, for example, a deliverable (such as a part) that is created as the result of a contract that is CUI that ships to another contractor for something like being painted. Most of these contractors are SMBs far down the supply chain have NO CLUE what NIST 800-171 is.