The Supply Chain Problem Is Your Problem
When a defense contractor achieves CMMC certification, it is tempting to treat that certification as the complete picture of its compliance posture. It is not. CMMC obligations flow down through the supply chain, and prime contractors bear significant responsibility for ensuring that subcontractors who handle CUI meet the same requirements.
This is not a hypothetical risk. DoW program reviews increasingly examine not just whether a prime is certified, but whether the prime has appropriate controls and oversight in place for the subcontractors touching CUI on the same program.
How Flow-Down Requirements Work
DFARS 252.204-7021, the CMMC contract clause, requires that contractors who receive it flow the clause down to subcontractors at all tiers when those subcontractors will process, store, or transmit CUI or provide security protection of such systems. This means:
- If you are a prime and you pass CUI to a sub, that sub must meet the same CMMC level your contract requires
- If that sub passes CUI to their own subs, the requirement flows further
- The prime is responsible for verifying and managing this flow-down, not just including the clause in contracts
What Prime Contractors Must Actually Do
Identify Which Subs Touch CUI
Start with a supply chain map. Which of your subcontractors receive, process, store, or transmit CUI as part of work on covered contracts? Not every subcontractor is in scope. A non-disclosure agreement alone does not make a sub in scope. Actual access to CUI data or systems does.
Verify Subcontractor CMMC Compliance
For subcontractors required to be CMMC certified, primes must verify that certification is in place, or that the subcontractor is on a credible path to compliance, before the subcontractor begins handling CUI. For Level 2, this means requesting and validating proof of a current CMMC certification directly from the subcontractor. For Level 1, it means confirming the subcontractor has submitted their SPRS score.
In both cases, the responsibility sits with the prime contractor to collect and maintain evidence of compliance rather than relying on a centralized CMMC database.
Include CMMC Requirements in Subcontracts
DFARS clause flow-down is required, but strong primes go further. Subcontract agreements should specify the required CMMC level, the CUI handling requirements, incident reporting obligations, and the right to audit compliance as appropriate for the program.
Manage Ongoing Compliance, Not Just Point-in-Time
CMMC certifications have a three-year validity for Level 2 C3PAO assessments. Primes need processes to track subcontractor certification expiration dates, monitor for changes in a sub’s compliance status, and respond appropriately when a subcontractor’s certification lapses or is suspended.
The Risk of Getting This Wrong
Prime contractors who fail to adequately manage CMMC flow-down face several risks beyond contract performance issues. DoW program officers are increasingly asking primes to demonstrate supply chain compliance management. False Claims Act exposure exists when primes certify contract compliance while knowingly using non-compliant subcontractors. And in the event of a breach involving a non-compliant subcontractor’s systems, the prime’s failure to manage flow-down becomes a significant factor in the investigation and liability analysis.
Building a Supply Chain Compliance Program
Effective supply chain CMMC management looks like a structured program, not a checkbox in a subcontract template. It includes a subcontractor inventory with CUI access mapping, defined compliance verification processes, contractual requirements with teeth, and ongoing monitoring rather than one-time verification.
Fortreum helps prime contractors build and operate supply chain compliance programs that are proportionate to their program requirements and subcontractor complexity. We also work directly with subcontractors to accelerate their path to certification, which directly benefits the primes who depend on them.
Build your supply chain compliance program with Fortreum.
About Fortreum
Whether you are preparing for a self-assessment and need gap analysis support, or pursuing a full C3PAO assessment, Fortreum’s CMMC practice covers both. We work with contractors at every level of readiness to build compliant programs and achieve the certification outcomes their contracts require.
Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/