Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

CMMC Flow Down Requirements: What Primes Require from Subcontractors

If you are a subcontractor in the defense industrial base, your CMMC obligations do not come only from the Department of Defense. Prime contractors must flow down cybersecurity requirements to their subcontractors, and many primes are imposing requirements that exceed the minimum DoD standards.

Flow-down means contractual requirements that prime contractors must pass to their subcontractors, creating compliance obligations throughout the supply chain.

Understanding flow-down helps you prepare for what prime contractors will demand—often before the DoD officially requires it.

How CMMC Flow-Down Works

The flow-down chain starts with the DoD and extends through every tier of the supply chain:

Tier 0: Department of Defense

The DoD establishes CMMC requirements in contracts with prime contractors. These requirements appear in DFARS clauses, particularly:

  • DFARS 252.204-7012 (Safeguarding Covered Defense Information)
  • DFARS 252.204-7019 (NIST 800-171 DoD Assessment)
  • DFARS 252.204-7020 (NIST 800-171 DoD Assessment Requirements)
  • DFARS 252.204-7021 (CMMC Requirements)

DFARS stands for Defense Federal Acquisition Regulation Supplement—contract clauses specific to DoD contracts.

Tier 1: Prime Contractors

Primes receiving DoD contracts with these clauses must flow down equivalent requirements to subcontractors who will handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

FCI stands for Federal Contract Information—information provided by or generated for the government under contract.

Tier 2 and Beyond: Subcontractors

Subcontractors must flow down requirements to their own subcontractors if those lower-tier subs will handle CUI or FCI. The chain continues until reaching subcontractors who do not handle covered information.

What Flows Down

Not everything flows down—only requirements related to the information the subcontractor will handle:

If You Handle CUI:

  • CMMC Level 2 certification requirement
  • DFARS 252.204-7012 safeguarding requirements
  • 72-hour incident reporting obligation
  • NIST SP 800-171 implementation requirement

If You Handle Only FCI:

  • CMMC Level 1 certification requirement
  • FAR 52.204-21 basic safeguarding requirements

If You Handle Neither:

  • No CMMC flow-down required
  • Standard commercial terms apply

The key question is whether CUI or FCI will be shared with you or generated by your work. If not, CMMC requirements should not flow down to you.

What Prime Contractors Are Requiring

Many prime contractors are implementing requirements beyond minimum DoD standards:

Earlier Deadlines

While the DoD is phasing in CMMC requirements through 2028, many primes are requiring compliance now. Primes need their supply chain ready before their own certification assessments.

Proof of Compliance

Primes commonly require:

  • Current SPRS score on file
  • System Security Plan available for review
  • Evidence of CMMC certification or assessment
  • Attestation letters signed by executives

SPRS stands for Supplier Performance Risk System—the DoD database where contractors report compliance status.

Additional Security Requirements

Some primes impose requirements beyond CMMC:

  • Specific security tools or configurations
  • Enhanced incident notification (faster than 72 hours)
  • Right to audit subcontractor security
  • Cybersecurity insurance requirements
  • Specific cloud environment requirements (GCC High)

Supply Chain Questionnaires

Primes increasingly send detailed security questionnaires covering:

  • Current CMMC level and assessment status
  • Security controls implemented
  • Incident history
  • Third-party risk management practices
  • Business continuity capabilities

Responding to Prime Contractor Requirements

When primes impose CMMC flow-down requirements:

Understand What Is Required

Read subcontract terms carefully:

  • Which CMMC level is required?
  • What is the compliance deadline?
  • What evidence must you provide?
  • Are there additional requirements beyond CMMC?

Assess Your Current State

Determine your readiness:

  • Have you already met the required level?
  • What gaps exist?
  • How long will remediation take?

Communicate Honestly

Be transparent with the primes about your status:

  • Current compliance level
  • Timeline to achieve the required level
  • Any concerns or blockers

Primes prefer honest communication to discovering non-compliance later.

Negotiate When Appropriate

Some requirements may be negotiable:

  • Timeline extensions if you are actively working toward compliance
  • Scope clarification if requirements seem excessive
  • Alternative evidence if specific documentation is unavailable

However, core CMMC requirements tied to CUI handling are generally not negotiable.

Preparing for Prime Contractor Assessments

Many primes conduct their own assessments of subcontractor security:

Document Your Compliance

Have documentation ready:

  • System Security Plan
  • SPRS score documentation
  • Policies and procedures
  • Evidence of control implementation

Prepare for Questionnaires

Anticipate common questions:

  • What is your current SPRS score?
  • When was your last assessment?
  • Do you have a POA&M? What items are open?
  • How do you protect CUI?
  • What security tools do you use?

POA&M stands for Plan of Action and Milestones—documenting security gaps and remediation plans.

Be Ready for Audits

Some primes reserve audit rights:

  • Know what evidence you can share
  • Understand confidentiality boundaries
  • Have key personnel available for interviews

When Flow-Down Does Not Apply

Flow-down has limits. Requirements should not flow down when:

No Covered Information Involved

If your subcontract does not involve CUI or FCI, CMMC requirements should not apply. Push back if requirements flow down inappropriately.

Commercial Items Exception

Some commercial item acquisitions have limited flow-down. However, this exception is narrow, and CUI-related clauses often still apply.

Information Stays with Prime

If you provide services but never receive, store, or process CUI, flow-down may not apply. Clarify information handling in your subcontract.

Protecting Yourself as a Subcontractor

Get Clear Scoping

Before accepting CMMC obligations:

  • Clarify exactly what information you will receive
  • Document information handling boundaries
  • Ensure flow-down matches actual information flow

Limit CUI Exposure

Minimize your compliance burden:

  • Accept only necessary CUI
  • Return or destroy CUI when work completes
  • Consider whether you can perform work without receiving CUI

Build Compliance into Pricing

CMMC compliance costs money. Factor these costs into your pricing:

  • Technology investments
  • Assessment fees
  • Ongoing compliance costs
  • Personnel time

Do not absorb compliance costs that should be part of contract pricing.

Key Takeaways

CMMC requirements flow down from the DoD through prime contractors to subcontractors handling CUI or FCI. Many primes are imposing requirements earlier and more strictly than the minimum DoD standards.

Understand your flow-down obligations by reading subcontract terms carefully. Prepare documentation, respond honestly to prime assessments, and push back if requirements exceed what your information handling justifies.

Build compliance costs into your pricing and maintain communication with primes about your certification status and timeline.

Related Articles:

Official Sources: This article is based on 32 CFR Part 170, DFARS clauses 252.204-7012, 7019, 7020, and 7021, and DoD CMMC implementation guidance.

Primes are asking about your CMMC status—are you ready to answer? Contact Greypike for help navigating flow-down requirements and achieving certification. For Level 1, Obolix gets you compliant in a week or less so you can respond confidently to prime contractor inquiries.

Table of Contents