Flow-Down to Subcontractors
CMMC isn’t just a prime contractor problem. It flows down to every tier of the supply chain that touches FCI or CUI. The rules live in 32 CFR § 170.23 and the binding clause is DFARS 252.204-7021, which primes are required to flow down to applicable subcontracts.
The basic flow-down rule
If a subcontractor will process, store, or transmit FCI or CUI during contract performance, the prime contractor must ensure that subcontractor holds the appropriate CMMC status at the time of subcontract award and throughout subcontract performance.
The clause is flowed down via DFARS 252.204-7021 itself. Primes are responsible for verifying sub status before sharing covered information.
What level does a sub need?
The subcontractor’s required level is based on the type of data the sub handles, not necessarily the same level as the prime. From 32 CFR § 170.23 and the CMMC FAQ:
| If your prime contract is | And the sub handles only FCI | And the sub handles CUI |
|---|---|---|
| Level 2 (Self) | Level 1 (Self) | Level 2 (Self) — same level as prime |
| Level 2 (C3PAO) | Level 1 (Self) | Level 2 (C3PAO) — same level as prime |
If a Level 2 prime is itself a sub to a Level 3 prime, the FAQ B-A6 rule applies: when the prime contract is Level 3, the sub minimum is Level 2 (C3PAO) unless the Government provides specific contractual guidance.
The prime’s verification obligation
DFARS 252.204-7021 requires the prime to verify the sub’s CMMC status before sharing covered information. In practice this means:
- Check SPRS — the sub’s CMMC Status, score, affirmation date, and CMMC Unique Identifier (UID) are visible to authorised users
- Confirm the status is current — affirmation within the last 365 days, no expired Conditional Status
- Confirm the status is appropriate to what the sub will handle — Level 2 (C3PAO) for CUI, Level 1 (Self) for FCI-only flows
- Document the verification — primes building best-practice processes record the verification check date, the SPRS lookup result, and the CMMC UID in their vendor record
If the sub doesn’t have a current status in SPRS, the prime cannot share covered information until the status is in place. “Pending” is not a category — either the sub has the affirmation in SPRS or they don’t.
What if the sub’s status lapses mid-contract?
A sub whose CMMC Status lapses during contract performance is in non-compliance with the flow-down clause. This affects the prime’s contract performance and can constitute a contractual breach.
In practice, primes building robust processes:
- Track sub affirmation expiry dates and chase 60-90 days before expiry
- Build subcontract clauses that require notice of any change in CMMC Status
- Maintain backup vendors with current status for critical CUI-handling functions
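
The verification checks and the expiry tracking described above can be expressed as a gate over the prime's vendor record. This is an added example, not code from this page, DoD, or SPRS: the record layout, the status ranking, the UID placeholders and the sample dates are assumptions constructed for illustration, and only the two Level 2 rows of the table are modelled. The SPRS lookup itself stays a manual step whose result is entered into the record.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed ordering: a higher status satisfies a lower requirement.
RANK = {"Level 1 (Self)": 1, "Level 2 (Self)": 2, "Level 2 (C3PAO)": 3}

@dataclass
class VendorRecord:  # hypothetical vendor-record layout, not an SPRS schema
    cmmc_uid: str                      # placeholder values below
    status: Optional[str]              # None = nothing found in SPRS
    affirmation_date: Optional[date]
    handles_cui: bool
    conditional_expiry: Optional[date] = None  # only for Conditional Status

def required_status(prime_level: str, handles_cui: bool) -> str:
    """Sub minimum for the two Level 2 prime rows of the page's table."""
    if prime_level not in ("Level 2 (Self)", "Level 2 (C3PAO)"):
        raise ValueError("only Level 2 prime contracts are modelled here")
    return prime_level if handles_cui else "Level 1 (Self)"

def verify_sub(rec, prime_level, today, chase_days=90):
    """Return (may_share, findings) for one lookup, to store in the vendor record."""
    if rec.status is None or rec.affirmation_date is None:
        return False, ["no current status in SPRS"]
    findings = []
    need = required_status(prime_level, rec.handles_cui)
    if RANK[rec.status] < RANK[need]:
        findings.append(f"status {rec.status} is below required {need}")
    expiry = rec.affirmation_date + timedelta(days=365)
    if today > expiry:
        findings.append("affirmation older than 365 days")
    if rec.conditional_expiry and today > rec.conditional_expiry:
        findings.append("Conditional Status expired")
    may_share = not findings
    if may_share and (expiry - today).days <= chase_days:
        findings.append(f"chase sub: affirmation lapses {expiry.isoformat()}")
    return may_share, findings

if __name__ == "__main__":
    today = date(2026, 3, 1)  # constructed lookup date and records
    subs = [
        VendorRecord("UID-PLACEHOLDER-A", "Level 2 (C3PAO)", date(2025, 9, 15), True),
        VendorRecord("UID-PLACEHOLDER-B", "Level 1 (Self)", date(2025, 12, 1), True),
        VendorRecord("UID-PLACEHOLDER-C", "Level 2 (C3PAO)", date(2025, 4, 15), True),
        VendorRecord("UID-PLACEHOLDER-D", None, None, False),
    ]
    for s in subs:
        print(s.cmmc_uid, today.isoformat(), verify_sub(s, "Level 2 (C3PAO)", today))
```

Storing the returned findings together with the lookup date and the CMMC UID gives the documented verification trail the section describes.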
What this means for subcontractors
If you’re a sub:
- Don’t wait for a flow-down letter from the prime. The prime is required to verify your status before sharing any covered information. If your status isn’t in SPRS, you can’t be brought into the work.
- Your required level is determined by what data you’ll handle in this contract, not by your overall corporate sophistication or what level the prime holds.
- Continuous compliance is contractual. Annual affirmations missed = contract eligibility loss.
- Your fastest growth lever in 2026 is being the sub who can answer compliance questions clearly, quickly, and with proof. Primes are looking for sub-tier partners who don’t drag their compliance footprint.
What this means for primes
If you’re a prime:
- Your subcontractor verification process is now part of your CMMC programme. A C3PAO assessment may examine how you verify sub-tier compliance — particularly under control families like Risk Assessment (3.11) and Security Assessment (3.12).
- Document everything. Verification dates, SPRS lookup results, sub CMMC UIDs, sub affirmation expiry tracking.
- Build sub due-diligence into your standard procurement workflow — not as a one-off compliance check that happens after the master agreement is signed.