CMMC Subcontractor Requirements
CMMC flow-down: the one rule every prime must internalize
If you are a prime contractor holding a DoD contract that requires CMMC, the certification is not a you problem — it is a supply chain problem. The moment you share Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) with a subcontractor, your subcontractor inherits the same CMMC-driven obligations you carry. That is flow-down, and it is the operational cornerstone of the entire CMMC program.
Flow-down is not new to defense contracting. DFARS 252.204-7012 has required flow-down of safeguarding obligations since 2017. What CMMC adds is the verification step: before you share covered information with a subcontractor, you must confirm the subcontractor holds the CMMC level the data demands. This page walks through how that works in practice and where it goes wrong.
How CMMC flow-down works
The CMMC flow-down model is straightforward in principle. Every time a contractor shares FCI or CUI with another organization, three things must be true:
- The receiving organization must hold a CMMC certification at the appropriate level for the information being shared.
- The receiving organization's certification must be current and visible in the Supplier Performance Risk System (SPRS).
- The flow-down obligation cascades — if the receiving organization then shares covered information with another tier, it faces the same verification duty toward that tier.
This last point is what gives CMMC its depth. A prime may have ten direct subcontractors, but each of those subcontractors may have their own subs. If CUI is flowing through the chain, every layer needs certification. The DoD's economic analysis assumed this reach when estimating that roughly 80,000 organizations would pursue CMMC Level 2.
The level is set by the data, not the contract
A common misconception is that every subcontractor on a Level 2 contract needs Level 2 certification. That is only true for subcontractors that actually handle CUI. If a prime engages a janitorial services company that will never see CUI, no certification is required. If the prime shares only FCI (not CUI) with a small parts vendor, the parts vendor only needs Level 1. The CMMC level is determined by the sensitivity of the information flowed to the subcontractor, not by the prime's own level.
The assessment type is set by the level, not the tier
Likewise, tier depth does not change assessment rigor. A tier-three subcontractor that handles sensitive CUI on a contract requiring Level 2 C3PAO certification needs Level 2 C3PAO certification — the same as the prime. Being further down the chain does not unlock a lighter assessment.
Prime contractor responsibilities
The prime carries most of the operational burden in CMMC flow-down. At a minimum, a prime must:
- Include CMMC clauses in every subcontract that touches covered information. The subcontract should pass through DFARS 252.204-7012, -7019, -7020, and -7021 where applicable, and should specify the CMMC level the subcontractor must hold.
- Minimize the CUI footprint. Only share CUI with subcontractors that genuinely need it. Every additional subcontractor with CUI access is another CMMC certification to verify and monitor.
- Verify CMMC status before sharing covered information. Check SPRS. Do not rely on a subcontractor's word or a dated certificate PDF.
- Track certification expirations. CMMC certifications expire after three years (with annual affirmations in between). A certification current at contract award may lapse mid-contract.
- Document the flow-down decisions. If you choose not to flow CMMC down to a particular subcontractor because they will not see covered information, document that decision. If the DoD ever audits the flow-down, you want a paper trail.
- Respond to supply chain risk. If a subcontractor loses certification, is breached, or fails an annual affirmation, the prime needs a plan. That may mean substituting suppliers or isolating the at-risk subcontractor from CUI flows.
Most primes centralize these duties in a supply chain security function or a joint responsibility between procurement and GRC. Automation helps — tracking certification status across dozens or hundreds of subcontractors is not a spreadsheet-friendly exercise.
Subcontractor responsibilities
If you are the subcontractor, the obligations are symmetrical:
- Understand which contract clauses apply to you. Ask the prime for the flow-down language explicitly. Assume DFARS 252.204-7012 at minimum; the other clauses depend on the data you will see.
- Identify the CMMC level you need. Based on whether you will see FCI, less-sensitive CUI, or more-sensitive CUI, determine whether Level 1, Level 2 self-assessment, or Level 2 C3PAO applies.
- Keep your SPRS entry current. This is how the prime will verify you. A stale SPRS score is a flow-down failure even if your posture is strong.
- Flow down further if you engage your own subs. If you sub-subcontract CUI work, you become the "prime" for your own flow-down obligations.
- Report incidents upstream. DFARS 252.204-7012 requires rapid (72-hour) incident reporting to the DoD. In practice, most primes require subcontractors to notify them first so the prime can coordinate.
CMMC for small subcontractors
Small businesses are the group most strained by CMMC flow-down. Many small suppliers do not have dedicated security staff, have never submitted an SPRS score, and lack the budget for a C3PAO assessment. There are a few practical levers:
- Reduce scope. If the small subcontractor can do their work without touching CUI, structure the engagement that way. Send redacted drawings. Use an enclave.
- Pursue Level 1 only. Many small suppliers can limit their exposure to FCI only, which keeps them at Level 1 (self-assessment) and sidesteps Level 2 entirely.
- Share infrastructure. Some primes offer subcontractors access to a CUI enclave — a shared, pre-certified environment where the subcontractor can do CUI work without hosting CUI on their own systems. This transfers much of the certification burden to the enclave operator.
Tier-based assessment in practice
Tiered CMMC flow-down looks simple on a diagram and complicated in reality. Consider a typical example:
- Prime: Large defense integrator holding a Level 2 C3PAO contract. Certified at Level 2 C3PAO.
- Tier-1 sub: Engineering firm designing a subsystem. Receives CUI (drawings, specifications). Needs Level 2 C3PAO.
- Tier-2 sub: Machine shop fabricating parts from the drawings. Receives CUI (drawings only). Needs Level 2 — possibly self-assessment if the contract allows.
- Tier-2 sub (separate): Tooling vendor providing fixtures. Receives FCI (basic contract info) but no CUI. Needs Level 1.
- Tier-3 sub: Heat treatment service used by the machine shop. Receives no covered information (parts only, no drawings). No CMMC required.
The prime does not verify the tier-3 heat treater directly — that is the tier-2 machine shop's flow-down duty. But the prime is still exposed if any link in the chain mishandles covered information, which is why supply chain visibility is a board-level concern for large defense integrators.
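As an added example (not code from the original page and not part of episki's product), the following Python models a flow-down register for the scenario above and for the two rules stated earlier: each supplier's required level is derived from the most sensitive data flowed to it, not from its tier, and every held certification is checked for level, three-year expiry and a current SPRS entry. The organizations, dates and flows are constructed to mirror the tier example; `sprs_current` is a hypothetical field standing in for the reviewer's manual SPRS lookup, and the data classification keys (`fci`, `cui_self`, `cui_c3pao`) are this example's own naming.

```python
"""Flow-down register check for a CMMC supply chain (constructed example)."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    NONE = 0       # receives no covered information
    L1 = 1         # FCI only: Level 1 self-assessment
    L2_SELF = 2    # CUI where the contract allows Level 2 self-assessment
    L2_C3PAO = 3   # CUI requiring Level 2 C3PAO certification


# Data classification carried on a flow -> minimum level the receiver must hold.
# The keys are this example's own naming, not CMMC terminology.
REQUIRED_FOR = {
    "none": Level.NONE,
    "fci": Level.L1,
    "cui_self": Level.L2_SELF,
    "cui_c3pao": Level.L2_C3PAO,
}

CERT_VALIDITY_YEARS = 3  # certifications expire after three years


@dataclass(frozen=True)
class Org:
    name: str
    held: Level               # level currently held (NONE if no certification)
    issued: Optional[date]    # certification date (None when nothing is held)
    sprs_current: bool        # hypothetical: reviewer's record of the SPRS lookup


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str  # key of REQUIRED_FOR


def expiry(issued: date) -> date:
    """Expiration date three years after issue (a 29 Feb issue date rolls back to 28 Feb)."""
    try:
        return issued.replace(year=issued.year + CERT_VALIDITY_YEARS)
    except ValueError:
        return issued.replace(year=issued.year + CERT_VALIDITY_YEARS, day=28)


def required_level(org_name: str, flows: List[Flow]) -> Level:
    """The level is set by the most sensitive data flowed TO the org, not by its tier."""
    inbound = [REQUIRED_FOR[f.data] for f in flows if f.dst == org_name]
    return max(inbound, default=Level.NONE)


def check_register(orgs: List[Org], flows: List[Flow], today: date) -> List[Tuple[str, str]]:
    """Return (org, issue) findings for every supplier whose status cannot be verified."""
    findings: List[Tuple[str, str]] = []
    by_name = {o.name: o for o in orgs}
    # Any recipient of covered information must be in the register at all.
    for f in flows:
        if f.dst not in by_name and REQUIRED_FOR[f.data] > Level.NONE:
            findings.append((f.dst, f"receives {f.data} but is not in the register"))
    for org in orgs:
        need = required_level(org.name, flows)
        if need == Level.NONE:
            continue  # no covered information: nothing to verify
        if org.held < need:
            findings.append((org.name, f"holds {org.held.name}, needs {need.name}"))
            continue
        if org.issued is not None and expiry(org.issued) <= today:
            findings.append((org.name, f"certification expired {expiry(org.issued).isoformat()}"))
        if not org.sprs_current:
            findings.append((org.name, "SPRS entry not current; cannot verify"))
    return findings


# Constructed register mirroring the tier example; dates are invented.
ORGS = [
    Org("Prime", Level.L2_C3PAO, date(2024, 2, 1), True),
    Org("Engineering firm", Level.L2_C3PAO, date(2022, 3, 1), True),  # lapses 2025-03-01
    Org("Machine shop", Level.L2_SELF, date(2024, 1, 10), True),
    Org("Tooling vendor", Level.L1, date(2024, 9, 1), False),          # SPRS entry stale
    Org("Heat treater", Level.NONE, None, False),                      # parts only, no drawings
]
FLOWS = [
    Flow("DoD", "Prime", "cui_c3pao"),
    Flow("Prime", "Engineering firm", "cui_c3pao"),
    Flow("Engineering firm", "Machine shop", "cui_self"),
    Flow("Engineering firm", "Tooling vendor", "fci"),
    Flow("Machine shop", "Heat treater", "none"),
]


def demo_findings() -> List[Tuple[str, str]]:
    """Run the check against the constructed register as of a fixed review date."""
    return check_register(ORGS, FLOWS, date(2025, 6, 1))


if __name__ == "__main__":
    for org_name, issue in demo_findings():
        print(f"{org_name}: {issue}")
```

Run against the constructed data, the check flags the engineering firm's lapsed certification and the tooling vendor's stale SPRS entry, while the heat treater, which receives no covered information, generates no requirement at all. The prime checks the tiers it flows data to; a subcontractor with its own subs would run the same check over its own outbound flows.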
How this fits into your CMMC program
Subcontractor flow-down is not a one-time project. It lives in three operational rhythms:
- Pre-award. Every new subcontract that might involve covered information needs a CMMC flow-down decision before the contract is signed. Do not award first and reconcile later.
- In-flight. Certifications expire. Subcontractors merge, spin off divisions, or lose key personnel. Your flow-down register needs to live alongside your broader third-party risk program.
- At renewal. Contract option years and recompetes are the moment to re-verify every supplier's CMMC status and close any drift.
Organizations that already run a mature vendor risk management program have a head start — CMMC flow-down is a specialization of the same discipline. Organizations without that foundation will need to stand one up.
Common mistakes
- Assuming certification status is static. A subcontractor that was Level 2 certified last year may not be today. Check SPRS on a recurring schedule.
- Over-sharing CUI. Primes sometimes flow CUI to subcontractors who do not need it "just in case." Every unnecessary share creates a new CMMC obligation to track.
- Forgetting the CMMC clauses at subcontract modification. When an existing subcontract is modified to add scope involving CUI, the CMMC clauses must be added too. A modification is the easiest place for flow-down to be missed.
- Relying on certificates instead of SPRS. PDF certificates can be doctored or stale. SPRS is the authoritative source.
- Treating COTS vendors as subcontractors. Commercial off-the-shelf product providers are explicitly excluded from CMMC. Do not burn effort chasing certifications that are not required.
- Ignoring cloud service providers. The cloud providers hosting your CUI are inside your CMMC boundary. They need their own FedRAMP authorization or CMMC certification at the appropriate level.
How episki helps
episki maintains a subcontractor flow-down register inside your CMMC workspace. Each supplier is tracked with their required CMMC level, current SPRS score, certification expiration, and the specific subcontracts where CUI flows. When a certification is expiring or a score drifts, episki alerts you before it affects an active contract. For primes running dozens or hundreds of subcontractor relationships, this turns CMMC flow-down from a spreadsheet problem into a managed program. Start a free trial to map your flow-down obligations.