Prime contractors occupy a unique position in CMMC. You are responsible for your own compliance, and you are also legally responsible for ensuring the subcontractors you share covered data with meet the appropriate CMMC level before you share it with them.
Getting flow-down wrong has consequences in two directions. Pass CUI to a non-compliant subcontractor and you create potential False Claims Act exposure. Impose Level 2 requirements on subcontractors who only handle FCI and you add cost and friction with no security benefit.
This article explains the flow-down rules, what primes are required to verify, how to manage subcontractor compliance, and a practical checklist for prime contractor CMMC programs.
CMMC flow-down obligations are established at 32 CFR § 170.23. The rule requires prime contractors to include CMMC requirements in subcontracts based on the type of covered information the subcontractor will receive.
The DFARS clauses that carry CMMC requirements (listed at the end of this article) flow down through the standard FAR/DFARS subcontract clause framework.
The prime contractor is responsible for including the appropriate clauses in subcontracts and for verifying subcontractor compliance before sharing covered data.
Rule 1: Data type drives the required level.
The CMMC level required for a subcontractor is determined by the type of data the prime shares with them, not the prime's own CMMC level.
Rule 2: The prime controls what flows.
If a prime chooses not to share CUI with a particular subcontractor, the CUI flow-down requirement does not apply to that subcontractor. The obligation is triggered by the actual data sharing, not by the existence of a DoD subcontract.
This has practical implications for supply chain design. Primes who structure their subcontracts to limit CUI to a smaller number of trusted, compliant subcontractors can simplify their overall supply chain compliance burden.
Rule 3: Verification is required before sharing.
Before sharing FCI or CUI with a subcontractor, the prime must verify the subcontractor's CMMC status. For FCI, this means confirming a current Level 1 self-assessment and senior-official affirmation in SPRS. For CUI, it means confirming a current Level 2 status of the type the contract requires: a Level 2 self-assessment with affirmation, or, where the solicitation calls for it, a Level 2 certification issued after a C3PAO assessment.
Verification of subcontractor compliance is not a one-time event at subcontract award. It is an ongoing obligation. Here is what primes should verify and when:
Check SPRS. SPRS (reached through the PIEE portal) does not let one company view another company's assessment records, so the prime must obtain the evidence from the subcontractor: an SPRS summary for the relevant CAGE code, the CMMC unique identifier, or the C3PAO certificate. For Level 1, confirm an annual self-assessment is on file with a senior-official affirmation. For Level 2 self-assessment, confirm the score, the affirmation, and that the submission is not stale. For Level 2 certification, confirm an active C3PAO certification with a valid date and a current annual affirmation. Record what you checked, when, and the result.
Verify scope alignment. Confirm that the subcontractor's CMMC assessment covered the systems and processes that will be involved in your work. A subcontractor with a Level 2 certification for a different business unit or facility than the one doing your work may not have the right systems covered.
Review the CAGE code. SPRS submissions are tied to CAGE codes. Verify that the CAGE code for the SPRS submission matches the organizational entity actually performing the work.
Annual affirmation monitoring. Level 1 subcontractors must re-affirm annually. Level 2 subcontractors must re-affirm annually even with a C3PAO certification. Monitor SPRS for lapsed affirmations during the subcontract period.
Significant event monitoring. If a subcontractor discloses a significant security incident, undergoes a major technology change, or is acquired, their CMMC status may have changed. Follow up to verify continued compliance.
Contractual right to audit. Include a clause in subcontracts that gives you the right to request updated compliance documentation if you have reason to believe the subcontractor's status has changed.
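The verification steps above can be reduced to a repeatable gate that is run each time covered data is about to be released and that produces the dated record the prime will later need. The Python below is an added illustration, not code from this article or from any SPRS or DoD tool; since SPRS exposes no lookup of another company's records, it works from evidence the subcontractor supplied, entered into a hypothetical `SubEvidence` record. The one-year affirmation window and the three-year C3PAO certificate window are assumptions to be set from the contract and the current rule text, and the subcontractor names, CAGE codes and dates are constructed.

```python
"""Pre-release gate for sharing covered data with a subcontractor.

Encodes the checks a prime performs before sharing FCI or CUI: required
level follows the data type, the assessment must cover the performing
CAGE code, the affirmation must be current, and a C3PAO certificate must
be present and unexpired when the contract requires one. Every decision
is appended to a log with the date and the findings.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Rule 1: the data type the prime shares drives the required level.
LEVEL_FOR_DATA = {"FCI": 1, "CUI": 2}

# Assumed windows (not from the article): affirmations are annual; a C3PAO
# certificate is treated as valid for three years from its issue date.
AFFIRMATION_WINDOW = timedelta(days=365)
C3PAO_CERT_WINDOW = timedelta(days=3 * 365)


@dataclass
class SubEvidence:
    """Hypothetical record of the evidence a subcontractor provided."""
    name: str
    assessed_cage: str                 # CAGE the assessment was submitted under
    level: int                         # 1 or 2
    assessment_type: str               # "self" or "c3pao"
    affirmation_date: date             # most recent senior-official affirmation
    cert_date: Optional[date] = None   # C3PAO certificate date, if any
    in_scope_cages: tuple = ()         # other CAGEs/facilities the assessment covers


@dataclass
class Verification:
    """One dated verification result; an empty findings list means approved."""
    sub: str
    data_type: str
    performing_cage: str
    checked_on: date
    findings: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return not self.findings


VERIFICATION_LOG: list = []


def verify_before_sharing(ev: SubEvidence, data_type: str, performing_cage: str,
                          contract_requires_c3pao: bool, today: date) -> Verification:
    """Apply the flow-down checks and log the outcome. Returns the Verification."""
    v = Verification(ev.name, data_type, performing_cage, today)
    required = LEVEL_FOR_DATA[data_type]

    # Data type drives the level the sub must hold.
    if ev.level < required:
        v.findings.append(f"level {ev.level} on file; {data_type} requires level {required}")

    # A Level 2 self-assessment does not satisfy a contract that calls for certification.
    if data_type == "CUI" and contract_requires_c3pao and ev.assessment_type != "c3pao":
        v.findings.append("contract requires C3PAO certification; only a self-assessment is on file")

    # CAGE nuance: the assessed entity must be the one doing the work.
    if performing_cage != ev.assessed_cage and performing_cage not in ev.in_scope_cages:
        v.findings.append(f"performing CAGE {performing_cage} is not covered by the "
                          f"assessment submitted under CAGE {ev.assessed_cage}")

    # Annual affirmation must be current regardless of assessment type.
    if today - ev.affirmation_date > AFFIRMATION_WINDOW:
        v.findings.append(f"affirmation dated {ev.affirmation_date} is older than one year")

    # A claimed certification needs a certificate date that has not lapsed.
    if ev.assessment_type == "c3pao":
        if ev.cert_date is None:
            v.findings.append("C3PAO certification claimed but no certificate date recorded")
        elif today - ev.cert_date > C3PAO_CERT_WINDOW:
            v.findings.append(f"C3PAO certificate dated {ev.cert_date} has lapsed")

    VERIFICATION_LOG.append(v)   # the diligence record: date, what was checked, result
    return v


def run_examples(today: date = date(2026, 3, 1)) -> dict:
    """Constructed subcontractors exercising the approve and reject paths."""
    acme = SubEvidence("Acme Machining (constructed)", "1ABC2", 2, "c3pao",
                       date(2025, 9, 15), cert_date=date(2025, 9, 15))
    beta = SubEvidence("Beta Logistics (constructed)", "3DEF4", 1, "self",
                       date(2024, 12, 1))
    gamma = SubEvidence("Gamma Parts (constructed)", "5GHI6", 2, "self",
                        date(2025, 11, 1), in_scope_cages=("5GHI7",))
    return {
        "acme_cui_same_cage": verify_before_sharing(acme, "CUI", "1ABC2", True, today),
        "acme_cui_other_facility": verify_before_sharing(acme, "CUI", "9ZZZ9", True, today),
        "beta_fci_stale_affirmation": verify_before_sharing(beta, "FCI", "3DEF4", False, today),
        "beta_cui_wrong_level": verify_before_sharing(beta, "CUI", "3DEF4", False, today),
        "gamma_cui_cert_required": verify_before_sharing(gamma, "CUI", "5GHI6", True, today),
        "gamma_cui_self_ok_scoped_cage": verify_before_sharing(gamma, "CUI", "5GHI7", False, today),
    }


if __name__ == "__main__":
    for key, result in run_examples().items():
        status = "APPROVED" if result.approved else "BLOCKED"
        print(f"{key}: {status} {result.findings}")
```

The point of returning a `Verification` rather than a bare boolean is that the findings list doubles as the documented reason for a refusal, and the accumulated `VERIFICATION_LOG` is the evidence of diligence that matters if a supply chain question is later raised. Re-running the gate at each annual subcontract review, and after any significant event, turns the "ongoing obligation" into a scheduled task rather than a one-time check at award.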
Use this checklist for each subcontractor relationship involving covered data:
One of the most complex aspects of CMMC flow-down for primes is managing compliance at sub-tiers: subcontractors who work with their own suppliers.
If your Tier 1 subcontractor shares CUI with a Tier 2 sub, that Tier 2 sub needs Level 2 compliance. Your Tier 1 sub is responsible for managing that flow-down, but your prime contract may hold you responsible for the overall supply chain compliance.
To manage this:
Assuming all subs need Level 2. Not every subcontractor receives CUI. Subcontractors who receive only routine contract administration data (schedules, deliverable status, invoicing information) may handle only FCI or potentially not even FCI. Overapplying Level 2 requirements adds cost and friction without security value.
Not verifying SPRS before sharing data. Checking SPRS at contract award and never again is insufficient. SPRS affirmations expire, and a subcontractor's compliance status can change. Build SPRS verification into your annual subcontract management process.
Missing the CAGE code nuance. A large subcontractor may have different CAGE codes for different business units or facilities. The SPRS submission for the corporate headquarters may not cover the specific facility doing your work. Verify that the assessed CAGE code matches the entity performing the subcontracted work.
Not including the right clauses. Omitting DFARS 252.204-7012 or 252.204-7021 from a subcontract where CUI flows creates a contractual gap. Include the required clauses in subcontracts even when the subcontractor is clearly compliant.
No incident notification requirement. Under DFARS 252.204-7012, a subcontractor that discovers a cyber incident affecting covered defense information reports it directly to DoD through DIBNet within 72 hours of discovery, and must also pass the DoD-assigned incident report number to the prime (or next higher-tier subcontractor) as soon as practicable. The prime does not file the report on the subcontractor's behalf, but it needs that notification to assess the impact on its own systems and deliverables and to meet its own reporting duties. If your subcontracts do not restate this obligation, you may never hear about incidents in your supply chain.
Prime contractors bear FCA exposure on two fronts: their own compliance and their supply chain management.
A prime that passes CUI to a subcontractor it knows is not CMMC-compliant and continues collecting government payments on a contract that requires supply chain compliance has potential FCA exposure. The "knowingly" standard under the FCA includes deliberate ignorance: if a prime deliberately avoids checking subcontractor compliance status, a court can find knowledge.
Primes with robust, documented subcontractor compliance verification programs are in a much better position if a supply chain compliance question arises. Documentation of each SPRS verification, the date, and the result is the evidence that a prime exercised reasonable diligence.
Managing CMMC flow-down across a large supply chain? NR Labs helps prime contractors build supply chain compliance programs including subcontractor vetting processes, template subcontract language, and SPRS monitoring procedures. Contact us to discuss your supply chain compliance needs.
Only subcontractors who will receive, process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under the contract need a CMMC status. The required level depends on the data type: subcontractors handling only FCI need Level 1 (a self-assessment), while those handling CUI need Level 2 (a self-assessment or a C3PAO certification, as the contract specifies). Subcontractors who do not receive covered data do not need a CMMC status for that contract.
CMMC flow-down applies at every tier of the subcontracting chain. If a first-tier subcontractor shares CUI with a second-tier subcontractor, the second-tier sub must also meet the appropriate CMMC level. Primes are responsible for including DFARS 252.204-7021 in all subcontracts involving covered data and should require subcontractors to flow down the same requirements to their own subcontractors.
Subcontracts involving CUI must include DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement), and DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements). The prime must also verify the subcontractor's CMMC status in SPRS before sharing covered data and keep a dated record of each verification as part of its own compliance documentation.