DFARS · 8 min read

Subcontractor Flowdown of CUI Obligations: What Primes Actually Require

Prime contractors flow CUI obligations to subcontractors based on the specific data shared and the clauses in the subcontract, then add business terms that often raise the bar beyond the regulatory floor.


Prime contractors flow cybersecurity clauses to you based on the data you will handle, not their own certification goal. DFARS and FAR clauses set the floor, CMMC ties the bar to FCI or CUI, and many primes add due-diligence terms before they share sensitive work.

Regulatory foundation for CUI flowdown obligations

The CUI Registry defines CUI categories and the need for safeguarding and dissemination controls under law, regulation, or government-wide policy. DoD builds on that by requiring specific clauses in contracts that involve CUI or Federal Contract Information (FCI).

DFARS 252.204-7012 requires contractors to protect covered defense information (CDI) in contractor systems and to report cyber incidents to DoD within 72 hours of discovery. The clause directs primes to include the substance of 7012 in any subcontract where a subcontractor may have CDI, or where the subcontractor provides operationally critical support. Those obligations move with the work.

FAR 52.204-21 sets basic safeguarding requirements for systems that contain FCI. Primes include that clause in subcontracts when a subcontractor’s system may contain FCI. This sets a baseline, separate from CUI obligations.

NIST SP 800-171 Rev. 2 defines the 110 security requirements that underpin DFARS 252.204-7012 and CMMC Level 2. The DoD CIO CMMC Level 2 Assessment Guide aligns Level 2 with those 110 requirements. The technical baseline comes from NIST, the contractual mandate comes from DFARS, and the assessment regime comes through CMMC.

DFARS and FAR clauses primes must flow down

DFARS 252.204-7012. Primes include 7012 when you may receive or generate CDI, or when you provide operationally critical support. The clause requires incident reporting to DoD within 72 hours, media preservation, and cooperation with DoD damage assessment activities. It requires you to flow the substance of 7012 to any lower-tier subcontract that will handle CDI, or that provides operationally critical support. See our primer on the clause for scoping and reporting mechanics in practice: DFARS 252.204-7012 requirements.

DFARS 252.204-7021. This clause implements CMMC through acquisition. It directs contractors to ensure that the applicable CMMC level appears in subcontracts, and that subcontractors possess the required level before award when the subcontract will involve FCI or CUI. The level ties to the information the subcontractor will receive or develop.

DFARS 252.204-7019 and 252.204-7020. 7019 notifies offerors that they need a current NIST SP 800-171 assessment on record in SPRS. 7020 requires primes to include its substance in any subcontract that includes 7012, and it obligates covered subcontractors to have a current assessment in SPRS. You keep your assessment current, and you make it available for verification. If you need a method to calculate and maintain your score, start here: SPRS scoring for NIST 800-171.

FAR 52.204-21. Primes include the basic safeguarding clause when a subcontractor system will contain FCI. That clause applies even when the subcontract does not involve CUI.

CMMC level application to subcontractors

The CMMC final rule at 32 CFR Part 170 anchors the flowdown principle in the type of information shared. Primes identify which subcontractors will receive FCI or CUI, then flow the applicable CMMC requirement level based on that data. The rule preamble states that only subcontractors that will receive, process, store, or transmit covered information in performance of the contract must meet flowed-down CMMC requirements. The DoD CIO model overview reinforces that the required level depends on the information, not on the prime’s own target level.

Level 1 covers basic safeguarding for FCI. Level 2 aligns with NIST SP 800-171 and applies when you will handle CUI. The DoD CIO Level 2 Assessment Guide links Level 2 assessments directly to the 110 NIST requirements. You can see the mapping and assess the lift here: NIST 800-171 to CMMC Level 2 mapping.

Assessors also look at how you control risk from outside entities that may touch in-scope CUI. The Cyber AB CMMC Assessment Process describes how an organization demonstrates that it has flowed applicable requirements to external service providers and subcontractors that process, store, or transmit in-scope CUI on its behalf. If you plan to involve a managed service provider or a specialized manufacturer as a sub-tier, build those expectations into your agreements.

What major primes add beyond the minimums

Large primes meet their regulatory obligations, then add business terms to manage supply chain risk. These terms vary by program and by buyer, but a few patterns recur.

  • Evidence and attestation requests. Many primes require a current SPRS score, the date of the last assessment, and the assessment method used. Several primes also request your system security plan (SSP), select policy excerpts, and status of open Plans of Action and Milestones. You should maintain a package that you can share under NDA. This post outlines the content that primes ask for most often: System Security Plan for NIST 800-171.

  • Oversight and flowdown mechanics. Primes often reserve rights to request updated evidence during performance and to confirm that you flowed 7012, 7021, and related requirements to any lower tiers that will handle CUI. Many also set incident reporting terms that coordinate DoD’s 72-hour requirement with prime notifications, points of contact, and data preservation steps.

These measures go beyond the minimums in the clauses. They reflect each prime’s risk posture, the sensitivity of the work, and the customer’s expectations.

Practical strategies for subcontractors accepting CUI flowdown terms

Scope the data in writing. Request clear statements in the SOW about the presence of FCI and CUI, the format of that data, and the systems where you will handle it. Ask whether you will generate new CUI or only receive it. Tie CMMC levels and clauses to those statements.

Propose right-sized clauses. Align FAR 52.204-21 for FCI-only work and DFARS 252.204-7012, 7019, 7020, and 7021 when the work includes CUI. Cite the information flows and deliverables. Primes respond when you map clauses to scope with specificity.

Keep your SPRS assessment current. Calculate your NIST SP 800-171 score, upload to SPRS, and update it as you close gaps. Record the assessment method and date. Many primes validate those fields before they send you any CUI.

Prepare an evidence package. Maintain your SSP, network and data flow diagrams, asset and software inventories, and recent scans. Include select control narratives that primes tend to review:

  • AC.L2-3.1.1 and AC.L2-3.1.3 for access control and control of CUI flow.
  • RA.L2-3.11.2 and CP.L2-3.7.1 for vulnerability scanning cadence and contingency plans.

Harden collaborative tech that touches CUI. Document how you meet SC.L2-3.13.8 for conference room devices and cameras during classified-adjacent or CUI-sensitive sessions. Primes look for practical controls in meeting rooms and labs where engineers display drawings and models.

Align incident response with 72-hour reporting. Name roles, escalation paths, and technical evidence capture tied to DFARS 252.204-7012. Share prime notification mechanics and contact channels in your IR plan. Build tabletop scenarios that include the prime’s program office and supply chain contacts.

Manage external providers with the same discipline. Identify each provider that can process, store, or transmit in-scope CUI. Flow the appropriate clauses and CMMC expectations into those agreements. Record how you validate their status and evidence. The Cyber AB CAP frames how assessors expect you to handle this.

Set lower-tier controls early. If you plan to place make-buy work with a sub-tier, draft their scope, data flows, and timing now. Share clause language and evidence expectations during vendor selection. Require a current SPRS score before award, and set an update cadence during performance.

Negotiate terms you can meet. Primes sometimes offer templates that include broad audit rights, unrestricted on-site access, or blanket Level 2 assertions when the scope only includes FCI. Propose edits that tie oversight to in-scope systems and data, commit to reasonable evidence updates, and acknowledge the prime’s right to push stronger terms if scope expands to include CUI.

Track your plan to close open items. If you carry POA&Ms, publish target dates, milestones, and interim risk treatments. Maintain a log that you can share with the prime. This post outlines patterns that pass buyer scrutiny: POA&M management for CMMC.

What primes verify before sharing CUI

Primes often run two checks before they release CUI to you.

  • Contract and clause alignment. Supply chain teams confirm that the subcontract includes 7012, and, where applicable, 7019, 7020, and 7021. They check SOW language to confirm that the CMMC level matches the information in scope.

  • Evidence of readiness. Teams look for a current SPRS score, an SSP that matches the described environment, and incident response plans that reflect 72-hour reporting. Several teams request proof that you flowed obligations to key external providers who will touch the work.

You can prepare these checkpoints in parallel with pricing and schedule negotiations. Lead time helps both sides. Program teams prefer to resolve these items before kickoff, not after the first drawing package arrives.

Sources

CMMC final rule preamble excerpt on subcontractor identification and flowdown basis (Federal Register)

CMMC final rule preamble excerpt on subcontractor applicability (Federal Register)

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (ecfr.gov)

DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements (acquisition.gov)

DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (acquisition.gov)

DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (acquisition.gov)

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (ecfr.gov)

CMMC Level 2 Assessment Guide (DoD CIO)

CMMC Model overview (DoD CIO)

NIST SP 800-171 Rev. 2 (NIST)

CUI Registry (National Archives)

CMMC Assessment Process v2.0 (The Cyber AB)
