Supply Chain Flow Down Requirements

What prime contractors must demand from subcontractors and what every subcontractor needs to know.

The Chain of Accountability

  1. DoD Contract
  2. Prime Contractor
  3. Tier 1 Sub
  4. Tier 2 Sub
  5. MSP/Vendor

What Is Flow Down

“Flow down” refers to the contractual obligation of prime contractors to pass applicable security requirements on to their subcontractors. Under CMMC and DFARS, if a prime handles CUI, every subcontractor with access to that CUI must meet the same compliance standards. A subcontractor cannot exempt itself because it is a tier removed from the DoD.

What Primes Are Required to Flow Down

DFARS 252.204-7012

Requires subs to implement NIST SP 800-171 and report cyber incidents when they handle CUI or provide operationally critical support.

DFARS 252.204-7021 (CMMC)

Requires subs to hold the CMMC level specified in the contract or appropriate to the CUI they handle.

FAR 52.204-21

Basic safeguarding of covered contractor information systems. This applies broadly to any system processing government information.

What Primes Must Do

  • Identify which subcontractors have access to CUI or FCI in your program.
  • Include CMMC and DFARS flow-down clauses in subcontract agreements.
  • Verify that subs have the required CMMC certification before sharing CUI.
  • Maintain documentation of sub certifications and assessment status.
  • Report to the DoD if a sub has a cyber incident. Your reporting obligation extends to your supply chain.

What Subcontractors Must Do

  • Understand which flow-down clauses apply to your scope of work.
  • Achieve and maintain the CMMC level required by your prime’s contract.
  • Report cyber incidents to your prime within the required timeframe (typically 72 hours).
  • Ensure your own suppliers also meet compliance requirements if they touch CUI.
  • Do not assume your prime’s certification covers your environment.

Supply Chain Attrition: The Hidden Risk

Prime contractors do not want to replace suppliers. It is expensive, disruptive, and slows delivery. But when suppliers cannot meet cybersecurity requirements, primes are forced to act. The result is a growing trend of supply chain attrition, in which capable SMB contractors are gradually removed not because of poor performance, but because compliance becomes too difficult to maintain.

CMMC is not an audit problem. It is an operational execution problem. Organizations that treat it as a one-time project will struggle to maintain the posture primes require, and risk being replaced by suppliers who can.

Why Primes Are Accountable

Prime contractors are now responsible not only for their own security posture, but for yours. CMMC flows down, incident reporting tightens, and continuous validation is becoming mandatory.

Why SMBs Fall Out

Most SMBs fail compliance not because they lack understanding, but because they lack internal resources, rely on fragmented tools, and treat compliance as a project instead of an ongoing operation.

How to Stay In

Demonstrate that controls are actively enforced, the environment is continuously monitored, incidents are handled in real time, and audit evidence is always available.

Common Flow Down Failures

  • Primes skipping sub vetting: Assuming subs are compliant without verification creates prime liability when incidents occur.
  • Subs assuming exemption: Being one tier removed does not exempt a subcontractor from CMMC or DFARS obligations.
  • Missing contract language: Flow-down clauses must be explicitly included in subcontracts. They don't apply automatically.
  • No incident coordination plan: Primes and subs need a pre-agreed incident escalation procedure before an event occurs.

Ready to Get Started?

Stay in the supply chain. Primes are cutting suppliers who cannot demonstrate compliance. Espresso Labs ensures you are never one of them.

Talk to Our Supply Chain Compliance Team.