
Subcontractor Flow-Down: Your Supply Chain Obligations

CMMC compliance does not stop at your company's boundary. The defense supply chain is deep, with prime contractors flowing work to subcontractors who flow work to their own subcontractors. Every link in this chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet the appropriate CMMC level.

The Flow-Down Requirement

DFARS 252.204-7012 requires prime contractors to flow the cybersecurity requirements down to subcontractors at all tiers when the subcontract involves covered defense information (CDI) or requires operationally critical support. Under CMMC, DFARS 252.204-7021 extends this to include the specific CMMC level requirement.

In practice, this means that if your prime contract requires CMMC Level 2, and your subcontractor will handle CUI in performing their portion of the work, that subcontractor must also achieve CMMC Level 2. If the subcontractor handles only FCI, they need Level 1.

Prime Contractor Obligations

As a prime contractor, you must determine which subcontractors will receive CUI or FCI. Include the appropriate DFARS clauses in your subcontracts. Verify that subcontractors have a current SPRS score on file. Once CMMC assessments are required, verify that subcontractors hold the appropriate CMMC certification. You are not responsible for conducting their assessment, but you are responsible for not flowing CUI to a subcontractor who lacks the required certification.

Subcontractor Obligations

As a subcontractor, you must comply with the DFARS clauses flowed down by your prime. This means implementing the security requirements appropriate to the information you handle, maintaining a current SSP, submitting your SPRS score, and ultimately achieving CMMC certification at the level specified in your subcontract.

If your prime contractor has not flowed down any DFARS cybersecurity clauses but you believe you are receiving CUI, raise the issue proactively. Operating without the proper contractual framework creates risk for both parties.

Scoping Subcontractor Access

One effective strategy for managing supply chain complexity is to limit the CUI that flows to subcontractors. If you can restructure work packages so that a subcontractor receives only FCI instead of CUI, they need Level 1 instead of Level 2, which significantly reduces both their compliance burden and your supply chain risk.

This requires careful scoping: identify exactly what information each subcontractor needs to perform their work, strip CUI from deliverables where possible, and provide only the minimum necessary information. Document these decisions in your CUI flow analysis.

Timeline Pressure

The biggest risk in the supply chain is timing. Your subcontractors need to be CMMC-certified before they can perform on contracts requiring certification. If your subcontractor cannot get certified in time, you either need to find an alternative or restructure the work. Start conversations with critical subcontractors now. Assess their readiness. Help them understand the requirements. The sooner they start, the lower the risk to your program.

Tags: Flow-Down, Subcontractors, Supply Chain, DFARS
