CMMC for Subcontractors: What the Supply Chain Needs to Know

CMMC applies to every tier of the defense supply chain. Subcontractors who handle CUI must hold the required certification level or their primes can't award them work. Learn what subs need to know about flow-down, scoping, and preparing for certification.

Deep Fathom

CMMC doesn’t stop at the prime contractor. Subcontractors that receive a flowed-down requirement to process, store, or transmit FCI or CUI under a covered subcontract must hold the current CMMC status appropriate to that subcontract scope. For flowed-down subcontracts subject to DFARS 252.204-7021, the prime must ensure the subcontractor has current CMMC status at the level appropriate to the information being flowed down before award. Primes won’t wait — they need verification before they can make the award.

This guide covers how flow-down works, what subcontractors at every tier need to prepare, where the requirement catches small subs off guard, and how to approach certification as a subcontractor with limited resources.

How Flow-Down Works

DFARS 252.204-7012 requires contractors to include the same cybersecurity clause in every subcontract where the subcontractor will handle covered defense information. DFARS 252.204-7021, the CMMC clause, extends that flow-down to include CMMC level requirements.

The practical effect: if a prime contractor holds a DoD contract that requires CMMC Level 2, and that prime shares CUI with a subcontractor as part of the work, the sub must also hold the applicable CMMC status for the assessment scope that covers that CUI.

This applies at every tier. Tier 1 subs flow down to Tier 2 subs. Tier 2 flows to Tier 3. If CUI moves through the chain, the compliance obligation moves with it.

What triggers the requirement for a sub: The sub receives, stores, processes, or transmits CUI in performance of the subcontract. If the sub handles only FCI and no CUI, Level 1 applies instead. If the sub’s work involves no FCI or CUI, CMMC may not apply to that subcontract.

The prime’s responsibility: The prime must ensure subcontractors meet the required CMMC level. Awarding work to a subcontractor who doesn’t hold the required status creates risk for the prime’s own contract. Primes are increasingly verifying sub compliance before making award decisions, not after.

Why Subcontractors Get Caught Off Guard

Several dynamics make CMMC harder for subs than for primes.

Late notification. Some primes don’t communicate CMMC requirements to their supply chain until late in the contracting process. The sub discovers they need certification when the prime sends a teaming agreement that references CMMC, often with insufficient time to prepare. Among subcontractors we’ve worked with, many learned about their CMMC requirement less than a year before their prime needed verification — leaving barely enough time for preparation if everything goes smoothly, and not enough time if it doesn’t.

Unclear CUI boundaries. Subcontractors frequently receive information from primes without clear CUI marking or handling instructions. The sub may not realize CUI is present in their environment until they begin the scoping process. If CUI entered your systems through email attachments, shared portals, or technical data packages from the prime, it’s there whether it was explicitly marked or not.

Resource constraints. Subcontractors are often the smallest organizations in the supply chain. A 15-person machine shop or a 10-person software firm doesn’t have a compliance team, a security architect, or a large IT budget. The compliance burden is the same as a larger organization’s, but the resources to address it aren’t.

Assumption of exemption. Some subs believe their work is “too small” or “not sensitive enough” to require CMMC. The threshold isn’t the size of your company or the perceived sensitivity of the work. It’s whether CUI is present. If it is, the requirement applies.

What Subcontractors Need to Do

Step 1: Determine Your CUI Exposure

Review your subcontracts for DFARS 252.204-7012 and DFARS 252.204-7021 clauses. Review the technical data, drawings, specifications, and communications you receive from primes. Determine whether any of it qualifies as CUI under the CUI Registry categories. You can’t make a compliance plan without knowing what you’re protecting.

If CUI is flowed down to your subcontract and the subcontract requires Level 2, you will need the applicable Level 2 status for the assessment scope that covers that work. If only FCI is in scope and the subcontract carries a Level 1 requirement, Level 1 applies.

If you’re uncertain, ask your prime. Specifically ask: “Does CUI flow down to us under this subcontract? What categories? What marking requirements apply?” Get the answer in writing.

Step 2: Scope Your Environment

Map how CUI enters, moves through, and exits your systems. Identify every asset that touches CUI. Define your assessment boundary.

For many subcontractors, the CUI footprint is smaller than a prime’s. You might receive CUI through a single portal, process it on a handful of workstations, and store it in one file share. If you can contain CUI in a defined enclave, your assessment scope, and your compliance costs, shrink accordingly. Subcontractors on our platform who completed a formal scoping exercise before starting remediation reduced their in-scope asset count substantially through segmentation alone — in some cases cutting the total compliance investment by half or more.

Scope reduction through network segmentation is particularly valuable for subs. Isolating CUI processing into a contained enclave means fewer systems to secure, less documentation to maintain, and a shorter assessment.

Want to see how small your CUI boundary could be? Run a free readiness check to map your data flows and identify segmentation opportunities.

Step 3: Build Your Compliance Program

The same requirements that apply to primes apply to you. All 110 NIST 800-171 security requirements for Level 2. A System Security Plan that describes your specific environment. Evidence for each control. Policies and procedures that reflect your actual practices.

The difference for subs is usually scale, not substance. Your SSP is shorter because your environment is smaller. Your evidence repository is more contained. Your assessment takes less time because the scope is narrower.

Where subcontractors often need help:

Documentation. Small organizations rarely have existing policy frameworks. Building an SSP, access control policy, incident response plan, and the other required documentation from scratch takes effort, but the documents don’t need to be 50 pages each. A clear, specific policy that matches your actual practices is more valuable than a lengthy template.

Technical controls. The baseline controls (MFA, FIPS-validated encryption, audit logging, endpoint protection, vulnerability scanning) are the same regardless of organization size. For small subs, the most cost-effective approach is often leveraging an MSP or a cloud platform that provides these capabilities as managed services.

Evidence collection. Start capturing evidence as you implement controls. Don’t wait until the assessment is approaching. A screenshot of your MFA configuration today is evidence. A training attendance record this month is evidence. Build the habit early.

Step 4: Address the MSP Relationship

If you use a managed service provider — and most small subs do — determine whether the MSP processes CUI or Security Protection Data on your behalf. If so, they’re an External Service Provider in your assessment scope, and you need to document the division of security responsibilities. Ensure the cloud environment where your data resides meets FedRAMP Moderate authorization or equivalency requirements per DFARS 252.204-7012.
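The scoping and segmentation work in Step 2 can be sanity-checked with a small model of your data-flow map. The following is an added example, not Deep Fathom's tooling: it uses a constructed inventory for a hypothetical seven-asset subcontractor (all names invented), treats any network path to a CUI asset as a way to reach CUI, and compares how many assets fall inside the assessment boundary on a flat network versus one with a segmented CUI enclave.

```python
from collections import deque

# Constructed inventory for a hypothetical small subcontractor (names invented).
# Value is the network zone each asset sits in after the planned segmentation.
ASSETS = {
    "portal-workstation": "enclave",   # downloads data packages from the prime's portal
    "cad-workstation": "enclave",
    "cui-fileshare": "enclave",
    "front-office-pc": "corporate",
    "shop-floor-pc": "corporate",
    "accounting-server": "corporate",
    "guest-wifi-ap": "corporate",
}

# Connectivity found during data-flow mapping: pairs of assets that can
# exchange files today (mapped drives, SMB shares, RDP). Any asset that can
# reach a CUI asset can read CUI, so connectivity is treated as undirected.
PATHS = [
    ("portal-workstation", "cui-fileshare"),
    ("cui-fileshare", "cad-workstation"),
    ("cui-fileshare", "front-office-pc"),    # share still mapped on an office PC
    ("front-office-pc", "accounting-server"),
    ("shop-floor-pc", "cui-fileshare"),
]

def cui_scope(assets, paths, entry_points, enclave=None):
    """Return the set of assets that can reach CUI starting from the entry points.

    enclave=None models the flat network (every path usable). Passing the enclave
    zone name models a boundary control that blocks every path crossing the
    enclave edge, so CUI cannot spread to corporate assets."""
    def allowed(a, b):
        if enclave is None:
            return True
        return (assets[a] == enclave) == (assets[b] == enclave)
    reach, queue = set(entry_points), deque(entry_points)
    while queue:
        node = queue.popleft()
        for a, b in paths:
            for src, dst in ((a, b), (b, a)):     # walk the path in both directions
                if src == node and dst not in reach and allowed(src, dst):
                    reach.add(dst)
                    queue.append(dst)
    return reach

def scope_reduction(assets, paths, entry_points, enclave):
    """Return (in-scope count on the flat network, in-scope count with the enclave)."""
    return (len(cui_scope(assets, paths, entry_points)),
            len(cui_scope(assets, paths, entry_points, enclave)))

if __name__ == "__main__":
    before, after = scope_reduction(ASSETS, PATHS, ["portal-workstation"], "enclave")
    print(f"in-scope assets: {before} flat -> {after} segmented (of {len(ASSETS)} total)")
    print("still in scope:", sorted(cui_scope(ASSETS, PATHS, ["portal-workstation"], "enclave")))
```

The stray mapped drive on the office PC is what drags the accounting server into scope on the flat network; removing that path or enforcing the enclave boundary is the segmentation win the text describes.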

Are You Ready for Your Assessment?

If your subcontract requires Level 2 C3PAO certification, the assessment process is the same as for any other contractor. The C3PAO evaluates your environment, documentation, and evidence against the 320 assessment objectives. The scope is limited to the systems you identified in Step 2.

If Level 2 self-assessment is sufficient for your subcontract, conduct the self-assessment rigorously. Submit results to SPRS. Affirm annually.

Either way, start the preparation process well before your prime needs to verify your status. Assessment preparation takes months. Primes are increasingly asking subs for proof of compliance status during teaming and award decisions, not waiting until performance begins.

What Primes Expect from Subs

The dynamics between primes and subs are shifting. Before CMMC, primes asked subs for an SPRS score and moved on. Now, many primes are implementing more rigorous supply chain verification — and they’re not slowing down.

Evidence of compliance status. Primes want to see your CMMC certification status, your SPRS score, or at minimum a documented compliance program that demonstrates active preparation. Verbal assurances are no longer sufficient.

CUI handling procedures. Primes want to know how you receive, store, process, and return CUI. Your handling procedures should be documented and consistent with your SSP.

Incident reporting readiness. DFARS 7012 requires subs to report cyber incidents within 72 hours. Primes want confidence that their subs have a tested incident response process and know how to report through DIBNet.

Flow-down compliance. If you further subcontract work that involves CUI, the prime expects you to flow the requirement down and verify your own subs’ compliance. The chain doesn’t stop with you.

The Competitive Advantage of Early Compliance

CMMC certification is increasingly becoming a differentiator in subcontract award decisions. Primes choosing between two equally capable subs will select the one that holds certification, or is demonstrably close to it, over the one that hasn’t started.

This is especially true in the period before CMMC enforcement is fully phased in. Not every contract requires certification yet, but forward-looking primes are building supply chains they won’t have to rebuild when it does. We’re already seeing primes include CMMC status verification as a standard element in teaming agreements and subcontract award decisions — not just for contracts that currently require it, but proactively for programs they expect will require it within 12 months. Being certified early puts you on the preferred list.

The reverse is also true. Subs that can’t demonstrate compliance readiness are being passed over for teaming arrangements and awards. The cost of inaction isn’t just failing an assessment. It’s losing the opportunity to compete.

Getting Started as a Subcontractor

1. Talk to your primes. Understand which contracts involve CUI, what CMMC level applies, and what timeline the prime is working toward. Get the flow-down requirements in writing.

2. Scope your CUI environment. The smaller and more contained your CUI boundary, the less the compliance program costs and the faster you can prepare.

3. Start the compliance work. Don’t wait for a contractual deadline. Preparation takes months. Starting now gives you time to close gaps without the pressure of a looming contract decision.

Deep Fathom helps subcontractors build compliance programs that match their scale. Our platform guides you through scoping, gap assessment, remediation, documentation, and evidence collection, producing output that holds up when your prime or a C3PAO comes asking.

Check your readiness or talk to our team.
