CMMC Subcontractor Requirements: What Primes Must Flow Down (and When)
If you're a prime contractor with CMMC obligations, your compliance doesn't stop at your own organization. DFARS 252.204-7012 and 32 CFR Part 170 make clear: you are responsible for your subcontractors' security posture when CUI flows to them. Here's exactly what that means.
The Core Rule
Under DFARS 252.204-7012(m), prime contractors must include the DFARS cybersecurity clause in all subcontracts or task orders that involve operationally critical support or the processing, storage, or transmission of covered defense information (which includes CUI).
Under 32 CFR 170.23 (Application to subcontractors), primes must also ensure that subcontractors handling FCI or CUI meet the applicable CMMC level for the work they perform: at least a Level 1 self-assessment for FCI, at least Level 2 for CUI. This obligation flows to all tiers: it covers not just your direct subs but their subs as well, and each tier must flow it down to the next.
False Claims Act exposure: Primes that certify CMMC compliance while knowingly using non-compliant subcontractors handling CUI face liability under the False Claims Act, including treble damages (triple the government's loss, plus civil penalties per false claim). "I didn't know my sub wasn't compliant" is not a sufficient defense if you didn't check. "We trusted them" has never been a successful False Claims Act defense.
When Does Flow-Down Apply?
Flow-down is triggered by one condition: will the subcontractor receive, process, store, or transmit CUI as part of performing the subcontract?
If yes, CMMC requirements apply to that subcontractor. If no, there are two cases: the sub receives only Federal Contract Information (FCI), in which case CMMC Level 1 applies, or the sub performs work entirely unrelated to FCI and CUI, in which case there is no CMMC requirement at all.
Examples of Subs That Require Flow-Down
IT support providers who access systems that process CUI
Engineering subcontractors who receive technical drawings or design files marked CUI
Cloud service providers storing CUI data on behalf of the prime
Staffing agencies whose personnel will work in a CUI environment
Software developers building systems that will handle CUI
Examples of Subs That May Not Require Flow-Down
Janitorial services that never access offices where CUI is processed
Marketing or PR firms that receive no technical program information
Office supply vendors
Subcontractors working exclusively on unclassified, non-CUI deliverables
The determination must be made for each subcontract individually and documented. Don't assume; assess each relationship.
What Must Be Flowed Down
For subcontracts where CUI is involved, primes must include all of the following:
1. The DFARS 252.204-7012 Clause
The full text of the DFARS cybersecurity clause must be included in the subcontract. This establishes the sub's obligations for reporting cyber incidents, preserving forensic evidence, and implementing adequate security controls per NIST SP 800-171.
2. The Applicable CMMC Level Requirement
Based on the information the subcontractor will handle, specify the required CMMC level (Level 1 for FCI only; Level 2 for CUI). If your own contract requires a Level 2 C3PAO certification rather than a self-assessment, a sub handling CUI from that contract needs the certification too. The subcontract should state when the sub must hold that status and what evidence of compliance must be provided.
3. 72-Hour Incident Reporting Requirement
Under DFARS 252.204-7012(c), a cyber incident must be reported to DoD via the DIBNet portal within 72 hours of discovery. Once the clause is in the subcontract, that obligation applies to the sub directly, and paragraph (m)(2) of the clause requires the sub to pass the DoD-assigned incident report number up to you as soon as practicable. Your subcontract should go further and require the sub to notify you immediately on discovery, so you can assess the impact on your own systems and deliverables. Define "immediately"; 24 hours is a reasonable contractual standard.
4. 90-Day Evidence Preservation Requirement
Under paragraph (e) of the clause, images of all known affected systems and the relevant monitoring and packet-capture data must be preserved and protected for at least 90 days from submission of the cyber incident report, and made available to DoD on request. Your subcontract must require the same of your sub.
5. Further Flow-Down Obligation
Your sub must include the same requirements in any lower-tier subcontracts where CUI is involved. State this explicitly in your subcontract language; don't rely on your sub to figure it out.
How to Verify Subcontractor CMMC Compliance
Flowing down the requirement is not enough; primes are expected to verify. Accepted methods include:
SPRS score verification: Request the subcontractor's current NIST SP 800-171 assessment score in SPRS and the date it was submitted. Primes cannot look up another company's score in SPRS, so obtain it from the sub in writing. Scores are self-reported but create a documented compliance record.
CMMC status verification: CMMC self-assessment and C3PAO certification statuses are recorded in SPRS. Ask the sub for its CMMC level, status type, and the date the status was issued, and keep a copy of the record with your subcontract file.
Written representation: At minimum, require a signed written representation that the sub meets the applicable CMMC level. This creates a paper trail and shifts liability exposure.
Right-to-audit clause: Include a contractual right to audit or review the sub's security posture on reasonable notice.
Practical tip: Build CMMC status into your subcontractor onboarding checklist. Before any CUI is shared with a new sub, get their SPRS score in writing and document when it was last updated. This takes 10 minutes and creates the evidence trail you'd need in an audit or investigation. Ten minutes now vs. an uncomfortable DOJ deposition later.
What Happens If a Subcontractor Isn't Compliant
If a subcontractor handling CUI is not CMMC-compliant, you have three options:
Don't share CUI with them: restructure the work so the sub performs only non-CUI tasks. Document this determination.
Require remediation before work begins: make the required CMMC status a condition precedent in the subcontract, with a timeline for achieving it.
Replace them: if a sub cannot achieve compliance on the required timeline and the work requires CUI access, find a compliant alternative.
Using a non-compliant sub and hoping nobody notices is not an option, particularly since the Department of Justice's Civil Cyber-Fraud Initiative began using the False Claims Act to pursue contractors with inadequate cybersecurity practices. Hoping nobody notices is a strategy. It's just not a good one.
Build Your CMMC Documentation Foundation
Your SSP must document all external connections and service providers, including subcontractors who access CUI systems. Our CMMC Level 2 SSP Template includes the external system connections section assessors expect to see.
Frequently Asked Questions
Do CMMC requirements flow down to subcontractors?
Yes, when subcontractors will process, store, or transmit CUI on behalf of the prime contractor, or operate part of the prime's covered contractor information system. Under DFARS 252.204-7012(m) and 32 CFR Part 170, prime contractors are required to flow CMMC requirements down to subcontractors at all tiers when CUI is involved. Subcontractors that never receive or handle CUI do not need CMMC Level 2, but primes must verify and document this determination in writing.
What liability does a prime have for a non-compliant subcontractor?
Prime contractors bear significant liability. Under the False Claims Act, primes that certify CMMC compliance while knowingly using non-compliant subcontractors handling CUI can face treble damages and civil penalties. DFARS 252.204-7012(m) explicitly places the obligation on primes to include the clause in subcontracts, and verifying that subs actually comply is how a prime protects itself from that exposure. DoD has made clear through guidance that primes cannot outsource compliance responsibility; they remain accountable for their supply chain's security posture.
Does CMMC flow down to every tier of subcontractor?
CMMC flows down to all tiers of subcontractors that will process, store, or transmit CUI. Under 32 CFR Part 170 and DFARS 252.204-7012(m), the flow-down requirement applies to subcontractors, sub-subcontractors, and any tier below that handles CUI. Primes are responsible for ensuring that each tier includes the appropriate CMMC requirement in its own subcontracts. If a lower-tier subcontractor handles CUI without the appropriate CMMC status, the prime's contract is at risk.
What exactly must be flowed down?
Under DFARS 252.204-7012(m), primes must flow the following to subcontracts where CUI is involved: the DFARS 252.204-7012 clause itself, the requirement to report cyber incidents to DoD within 72 hours, the requirement to preserve images of compromised systems for 90 days, and the applicable CMMC level requirement for the work being performed. Additionally, primes should obtain written confirmation of the subcontractor's CMMC status or self-assessment score before award.
Does a subcontractor need the same CMMC level as the prime?
Not necessarily. The required CMMC level flows based on what the subcontractor actually does with CUI, not what the prime's contract requires. FCI (Federal Contract Information) is the lower-sensitivity baseline tier and includes things like contract SOWs, deliverable specs, and invoices; CUI is the higher-sensitivity category that triggers Level 2. If the prime has a CMMC Level 2 contract but a specific subcontractor receives only FCI and no CUI, that sub may only require CMMC Level 1. Under 32 CFR Part 170, the applicable level is determined by the information involved in the subcontract's scope of work; primes must assess this for each sub relationship and document the determination.