CMMC Flow-Down Requirements for DoD Subcontractors

As the Department of Defense (DoD) strengthens its cybersecurity posture, the Cybersecurity Maturity Model Certification (CMMC) program ensures that defense contractors and subcontractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) adhere to stringent security requirements.
If you're a DoD contractor, understanding and complying with CMMC flow-down requirements ensures you remain eligible for defense contracts and stay competitive in the defense industrial base (DIB).
The Basics: Does CMMC Apply to Subcontractors?
Yes. Subcontractors working on DoD contracts must comply with CMMC requirements. This includes subcontractors that may only handle CUI indirectly, such as via prime contractors or government-furnished equipment (GFE).
Under the DFARS cybersecurity clauses, prime contractors must flow these requirements down to their subcontractors: DFARS 252.204-7012 flows down the NIST SP 800-171 safeguarding requirements, DFARS 252.204-7021 flows down the CMMC level required by the contract, and DFARS 252.204-7019/7020 require NIST SP 800-171 DoD Assessment scores to be posted in the Supplier Performance Risk System (SPRS).
Go deeper: paragraph (m), "Subcontracts," of DFARS 252.204-7012 spells out the flow-down requirement.
Key Takeaways for Subcontractors
Understanding Your Role
What CMMC level do you need to be certified at? Under the final rule, if your work involves handling CUI, even indirectly, you will likely need CMMC Level 2. If you handle only FCI, CMMC Level 1 (a self-assessment against the basic safeguarding requirements) may suffice.
Even if you only handle CUI at a prime's office or on base, using devices supplied by your prime or Government Furnished Equipment (GFE), you may still be required to meet all 110 security requirements of NIST SP 800-171 Rev. 2 (assessed using the procedures in NIST SP 800-171A) and, depending on the terms of your contract, to obtain a CMMC Level 2 Certificate of Status through a third-party assessment rather than a self-assessment.
Preparing for Compliance
Subcontractors often receive flow-down forms from their primes, asking for details on your cybersecurity posture, information systems, and other cybersecurity practices. Questions may include how you manage:
- Passwords and user accounts
- Incident response plans
- Device lock-out policies
If you are working on a flow-down form, an MSP like ISI can help you complete it accurately, so that the answers reflect the actual compliance posture of your environment rather than aspirational ones.
Achieving Certification
Compliance with CMMC Level 2 requires meeting all 110 security requirements of NIST SP 800-171 Rev. 2, assessed against the procedures in NIST SP 800-171A. Where the contract requires a Level 2 certification assessment (as opposed to a Level 2 self-assessment), a CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment to verify compliance. ISI can assist with preparation and ensure your information security practices align with DoD expectations.
Support Options
Not sure how to complete a flow-down form? ISI provides expert guidance to help subcontractors navigate these cybersecurity requirements and achieve CMMC compliance.
For Contractors: Flowing Down Requirements
Prime contractors must ensure their supply chain's compliance with CMMC rules. Paragraph (m) of DFARS 252.204-7012 already requires contractors to flow down the NIST SP 800-171 requirements to subcontractors whose subcontracts are for operationally critical support or whose performance will involve covered defense information.
Under DFARS 252.204-7020, contractors must also confirm, before awarding a subcontract subject to NIST SP 800-171, that the subcontractor has completed at least a Basic (self-assessed) NIST SP 800-171 DoD Assessment within the last three years and has posted the score in the Supplier Performance Risk System (SPRS). To help with this confirmation, ISI has a flow-down form you can send to your subcontractors, which can be requested via your Compliance Analyst.
Here's what you need to do:
- Flow Down CMMC Requirements: Include relevant clauses in your subcontract agreements.
- Verify Compliance: Confirm subcontractors meet assessment requirements and submit scores to the Supplier Performance Risk System (SPRS).
- Request a Flow-Down Form from ISI: Our customizable templates simplify compliance tracking.
FAQ
Who is required to be CMMC compliant?
All defense contractors, including subcontractors handling CUI or FCI, must comply with the CMMC program.
How far down the supply chain does CMMC extend?
CMMC applies to every subcontractor, at any tier, that processes, stores or transmits FCI or CUI in performance of the contract, no matter how indirectly. Suppliers that provide only commercial-off-the-shelf (COTS) items and handle no FCI or CUI are outside its scope.
How can subcontractors prepare for CMMC compliance?
- Self-Assessment: Score your environment against NIST SP 800-171 using the DoD Assessment Methodology to determine your current compliance posture, and post the score in SPRS.
- System Security Plan (SSP): Develop an SSP that documents how each requirement is implemented, and a Plan of Action and Milestones (POA&M) to track any gaps.
- Remediation: Close the gaps in your security practices before the assessment; under the final rule only a limited set of lower-weighted requirements may remain open on a POA&M at the time of certification, and they must be closed within 180 days.
What are the CMMC 2.0 level requirements?
The CMMC 2.0 framework simplifies certification into three levels, depending on the sensitivity of the information handled:
- CMMC Level 1 (Foundational): The 15 basic safeguarding requirements of FAR 52.204-21 for protecting FCI, verified by an annual self-assessment.
- CMMC Level 2 (Advanced): The 110 security requirements of NIST SP 800-171 Rev. 2 for protecting CUI, verified either by a self-assessment or by a C3PAO certification assessment, as the contract specifies.
- CMMC Level 3 (Expert): Level 2 certification plus 24 selected requirements from NIST SP 800-172, assessed by the DoD (DIBCAC), for CUI on programs facing advanced persistent threats.
Subcontractors handling CUI are typically required to meet CMMC Level 2, most often verified through a Level 2 certification assessment conducted by a C3PAO.
Do small businesses need CMMC certification?
Small businesses are not exempt. Any company in the defense supply chain that handles CUI or FCI must meet CMMC compliance requirements to maintain eligibility for contracts.
The Bottom Line
The rollout of CMMC represents a fundamental shift in the DIB's cybersecurity requirements. Non-compliance can result in lost contract awards, disqualification from future solicitations, or even federal penalties, including False Claims Act liability for inaccurate SPRS scores or affirmations. For subcontractors, this means preparing now to meet the required CMMC level and ensuring alignment with FAR 52.204-21 and the DFARS cybersecurity clauses.
Understanding CMMC flow-down requirements is crucial for maintaining your eligibility as a subcontractor in the defense industrial base. ISI can help you streamline compliance efforts, ensuring you meet DoD cybersecurity standards and stay competitive.
Would you like to discuss how your current compliance strategy and flow-down requirements may impact you? Fill out the form below to request a complimentary consultation with an expert at ISI.