Foundations · Topic 07

Flow-Down to Subcontractors.

How CMMC requirements flow to subs, what level a sub needs, and prime obligations to verify sub status.

Flow-Down to Subcontractors

CMMC isn’t just a prime contractor problem. It flows down to every tier of the supply chain that touches FCI or CUI. The rules live in 32 CFR § 170.23 and the binding clause is DFARS 252.204-7021, which primes are required to flow down to applicable subcontracts.

If a subcontractor will process, store, or transmit FCI or CUI during contract performance, the prime contractor must ensure that subcontractor holds the appropriate CMMC status at the time of subcontract award and throughout subcontract performance.

The clause is flowed down via DFARS 252.204-7021 itself. Primes are responsible for verifying sub status before sharing covered information.

The 7021/CMMC-status flow-down sits alongside a separate, older obligation: DFARS 252.204-7012 itself flows down. The prime includes the clause without alteration — except to identify the parties — in every subcontract (including subcontracts for commercial items) involving covered defense information or operationally critical support.

A few obligations are specific to this clause:

  • The prime decides what’s still CDI. When flowing information to a sub, the prime determines whether the information retains its identity as covered defense information and therefore requires safeguarding under the clause — consulting the Contracting Officer where the answer isn’t clear.
  • Variance requests travel up the chain. A sub that wants to vary from a NIST SP 800-171 security requirement notifies the prime (or the next higher tier) at the time it submits the request.
  • Incident report numbers travel up too. When a sub reports a cyber incident to DoD, it provides the DoD-assigned incident report number to the prime (or next higher tier) as soon as practicable.

The variance process itself runs through the Contracting Officer: written requests are adjudicated by the DoD CIO, who can approve that a requirement is non-applicable or that an alternative but equally effective security measure may be used in its place.

The subcontractor’s required level is based on the type of data the sub handles, not necessarily the same level as the prime. From 32 CFR § 170.23 and the CMMC FAQ:

If your prime contract is   And the sub handles only FCI   And the sub handles CUI
Level 2 (Self)              Level 1 (Self)                 Level 2 (Self) — same level as prime
Level 2 (C3PAO)             Level 1 (Self)                 Level 2 (C3PAO) — same level as prime

If a Level 2 prime is itself a sub to a Level 3 prime, the FAQ B-A6 rule applies: when the prime contract is Level 3, the sub minimum is Level 2 (C3PAO) unless the Government provides specific contractual guidance.

DFARS 252.204-7021 requires the prime to verify the sub’s CMMC status before sharing covered information. In practice this means:

  1. Check SPRS — the sub’s CMMC Status, score, affirmation date, and CMMC Unique Identifier (UID) are visible to authorised users
  2. Confirm the status is current — affirmation within the last 365 days, no expired Conditional Status
  3. Confirm the status is appropriate to what the sub will handle — Level 2 (C3PAO) for CUI, Level 1 (Self) for FCI-only flows
  4. Document the verification — primes building best-practice processes record the verification check date, the SPRS lookup result, and the CMMC UID in their vendor record

If the sub doesn’t have a current status in SPRS, the prime cannot share covered information until the status is in place. “Pending” is not a category — either the sub has the affirmation in SPRS or they don’t.

What if the sub’s status lapses mid-contract?

A sub whose CMMC Status lapses during contract performance is in non-compliance with the flow-down clause. This affects the prime’s contract performance and can constitute a contractual breach.

In practice, primes building robust processes:

  • Track sub affirmation expiry dates and chase 60-90 days before expiry
  • Build subcontract clauses that require notice of any change in CMMC Status
  • Maintain backup vendors with current status for critical CUI-handling functions
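One way a prime could turn the four-step SPRS verification above, together with the 60-90 day chase window from the list just above, into a repeatable check inside its procurement workflow. This is an added example, not code from this page or from SPRS itself: the SprsRecord field names, the weakest-to-strongest status ranking used for comparison, and the rule that an FCI-only sub needs Level 1 (Self) whatever level the prime holds are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Status ranking, weakest to strongest, is an assumption used only for comparison.
STATUS_RANK = ["Level 1 (Self)", "Level 2 (Self)", "Level 2 (C3PAO)", "Level 3 (DIBCAC)"]
AFFIRMATION_VALIDITY_DAYS = 365   # affirmation must be within the last 365 days
CHASE_WINDOW_DAYS = 90            # chase renewal 60-90 days before expiry

@dataclass
class SprsRecord:                 # what the prime reads from SPRS; field names are illustrative
    cmmc_uid: str
    status: Optional[str]                     # None: nothing published in SPRS
    affirmation_date: Optional[str]           # ISO date, e.g. "2025-06-15"
    conditional_expiry: Optional[str] = None  # ISO date, set only for a Conditional Status

def required_status(prime_level: str, sub_handles_cui: bool) -> str:
    """Minimum sub status from the flow-down table and the FAQ B-A6 rule."""
    if not sub_handles_cui:
        return "Level 1 (Self)"               # FCI only (assumed to hold at any prime level)
    if prime_level == "Level 3 (DIBCAC)":
        return "Level 2 (C3PAO)"              # Level 3 prime, absent specific guidance
    return prime_level                        # CUI at a Level 2 prime: same level as prime

def verify_sub(rec: SprsRecord, prime_level: str, sub_handles_cui: bool, today: str) -> dict:
    """Run the four-step check; the returned dict is the vendor-record entry to file."""
    day = date.fromisoformat(today)
    need = required_status(prime_level, sub_handles_cui)
    blockers, warnings, days_left = [], [], None
    if rec.status not in STATUS_RANK or rec.affirmation_date is None:
        blockers.append("no current CMMC status/affirmation in SPRS")   # "pending" is not a category
    else:
        expiry = date.fromisoformat(rec.affirmation_date) + timedelta(days=AFFIRMATION_VALIDITY_DAYS)
        days_left = (expiry - day).days
        if days_left < 0:
            blockers.append(f"affirmation expired {-days_left} days ago")
        elif days_left <= CHASE_WINDOW_DAYS:
            warnings.append(f"affirmation expires in {days_left} days: chase renewal")
        if rec.conditional_expiry and date.fromisoformat(rec.conditional_expiry) < day:
            blockers.append("Conditional Status has expired")
        if STATUS_RANK.index(rec.status) < STATUS_RANK.index(need):
            blockers.append(f"status {rec.status} is below required {need}")
    return {"checked_on": today, "cmmc_uid": rec.cmmc_uid,          # check date and UID
            "required_status": need, "sprs_status": rec.status,     # SPRS lookup result
            "days_to_affirmation_expiry": days_left,
            "share_allowed": not blockers,    # share covered information only when True
            "blockers": blockers, "warnings": warnings}
```

A warning in the chase window does not block sharing; any blocker does, and the dict itself is the record the fourth step asks the prime to keep.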

If you’re a sub:

  • Don’t wait for a flow-down letter from the prime. The prime is required to verify your status before sharing any covered information. If your status isn’t in SPRS, you can’t be brought into the work.
  • Your required level is determined by what data you’ll handle in this contract, not by your overall corporate sophistication or what level the prime holds.
  • Continuous compliance is contractual. A missed annual affirmation means loss of contract eligibility.
  • Your fastest growth lever in 2026 is being the sub who can answer compliance questions clearly, quickly, and with proof. Primes are looking for sub-tier partners whose compliance posture doesn’t slow the prime’s own program down.

If you’re a prime:

  • Your subcontractor verification process is now part of your CMMC program. A C3PAO assessment may examine how you verify sub-tier compliance — particularly under control families like Risk Assessment (3.11) and Security Assessment (3.12).
  • Document everything. Verification dates, SPRS lookup results, sub CMMC UIDs, sub affirmation expiry tracking.
  • Build sub due-diligence into your standard procurement workflow — not as a one-off compliance check that happens after the master agreement is signed.