
CMMC Flow-Down Requirements for DoD Subcontractors


DoD contractors are required to flow down cybersecurity requirements to subcontractors that handle Controlled Unclassified Information (CUI), or that may be required to handle CUI in the future in the execution of their subcontract(s).

  • Once the CMMC rules are in effect, the CMMC DFARS clause (DFARS 252.204-7021), where it appears in a contract, will require the prime contractor and its subcontractors to meet the CMMC level specified for that contract.

What This Means for Subcontractors:

If you already have DFARS 252.204-7012 in your contract(s), it is likely that CMMC Level 2 will be required once CMMC is fully rolled out.

  • Even if you only handle CUI at a Prime's office or on base, using devices supplied by your Prime or Government Furnished Equipment (GFE), you may still be required to meet all 110 security requirements of NIST SP 800-171 (assessed using the procedures in NIST SP 800-171A) and obtain a CMMC Level 2 certificate through a third-party assessment, depending on the terms of your contract.
  • If you have not already, you will likely receive a flow-down form from your Prime, in Excel or PDF, asking about your technical cybersecurity posture: for example, how you manage usernames and passwords, or whether your devices enforce lock-out timers.
  • If you are working on a flow-down form, an MSP such as ISI can help you complete it accurately, based on the compliance posture they have deployed in your environment.

What This Means for Contractors:

If you have subcontractors that currently handle, or may be required to handle, CUI, you will need to flow down CMMC requirements. You already need to ensure they comply with NIST SP 800-171 and have posted their NIST SP 800-171 DoD Assessment score in the Supplier Performance Risk System (SPRS).

  • Paragraph (m) of DFARS 252.204-7012 already requires contractors to flow the clause, and with it the NIST SP 800-171 requirements, down to subcontractors whose subcontracts are for operationally critical support or whose performance will involve covered defense information.
  • DFARS 252.204-7020 also prohibits contractors from awarding a subcontract involving covered defense information unless the subcontractor has completed at least a Basic NIST SP 800-171 DoD Assessment within the last three years and posted the resulting score in SPRS.
  • To help with this confirmation, ISI has a flow-down form you can send to your subcontractors; request it through your Compliance Analyst.

Go deeper: paragraph (m) of DFARS 252.204-7012 sets out the flow-down requirements.

Would you be interested in discussing your current compliance strategy and how flow-down requirements may impact you? Request a complimentary consultation with an ISI expert by filling out the form below.
