Prime-to-Sub Flow-Down Checklist: Reduce Supplier Cyber Risk Fast
Every defense prime's CMMC certification depends on the weakest link in its supply chain. If a subcontractor handling Controlled Unclassified Information (CUI) cannot demonstrate compliance with DFARS 252.204-7012 and CMMC Level 2 requirements, the prime inherits the risk — contractually, financially, and in the Supplier Performance Risk System (SPRS). This checklist walks defense contractors through the exact flow-down clauses, supplier segmentation, evidence collection, and monitoring practices that reduce third-party cyber risk quickly and defensibly.
Why supplier flow-down is the fastest-growing CMMC risk
Under DFARS 252.204-7012, every prime contractor must flow the clause down to any subcontractor at any tier that will process, store, or transmit CUI. The prime remains on the hook for the subcontractor's behavior. Under the CMMC final rule and DFARS 252.204-7021, subcontractors handling CUI must hold the CMMC level required by the contract they support — typically Level 2 certification by an authorized C3PAO. A prime that awards a CUI-handling subcontract to an uncertified supplier creates an immediate contractual violation.
This exposure is growing because DoD contracting officers increasingly require attestation that flow-down has occurred and that the prime has verified supplier posture. Gaps are no longer invisible. A single unprepared supplier can freeze contract options, trigger a False Claims Act investigation, or disqualify a prime from award competitions.
Step 1: Inventory every supplier that touches CUI
Flow-down obligations begin with a complete CUI supplier inventory. Work with procurement, contracts, and engineering to identify every supplier — at every tier — that will create, process, store, or transmit CUI in the performance of your DoD contracts. This inventory must include suppliers that may incidentally access CUI (e.g., managed service providers, SaaS vendors, engineering partners, testing labs, print and mail vendors).
Classify each supplier into one of four tiers: Tier 1 (direct CUI handling, high volume), Tier 2 (direct CUI handling, limited volume), Tier 3 (Security Protection Assets or shared infrastructure), and Tier 4 (no CUI handling but contractually bound to flow-down). The tier drives the depth of your verification effort.
Step 2: Flow the correct DFARS and CMMC clauses
The core cyber flow-down clauses for DoD contractors are:
- DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires implementation of NIST SP 800-171 Rev 2 and 72-hour incident reporting via DIBNet.
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Requires a current SPRS self-assessment score before award.
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. Requires posting assessment results in SPRS and cooperation with DoD assessments.
- DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements. Requires holding the CMMC level specified in the contract at the time of award and for the contract duration.
Your subcontract templates must include these clauses verbatim for any supplier handling CUI. Modifications, carve-outs, or "flow-down with exceptions" language create legal exposure and should be rejected in contract review.
Step 3: Segment suppliers by cyber risk
Not every supplier deserves the same verification effort. A Tier 1 supplier integrating into your CUI enclave requires a full Readiness Gap Assessment and CMMC Level 2 certification confirmation. A Tier 4 supplier with no CUI exposure requires only a signed flow-down attestation and annual refresh.
Segmentation criteria that work:
- CUI exposure level: direct, incidental, or none
- Access model: federated identity, VPN, file transfer, physical shipment
- Criticality to delivery: single-source vs. substitutable
- Geographic and ownership risk: FOCI concerns, foreign ownership, offshore operations
- Prior incident history: breach disclosures, DIBNet reports, audit findings
Step 4: Standardize the supplier onboarding evidence pack
Define a fixed evidence pack that every CUI-handling supplier must submit before onboarding. The pack should include:
- Current SPRS self-assessment score (with date)
- CMMC certification status and level (self-assessment or C3PAO, with expiration)
- SSP executive summary and control inheritance statement
- Summary of open POA&M items and target remediation dates
- Incident response contact and DIBNet submission procedure
- Proof of FIPS-validated cryptography for CUI in transit and at rest
- Attestation of cloud provider FedRAMP Moderate alignment if cloud-hosted
A standard evidence pack reduces procurement cycle time and makes supplier comparison objective. Our Supplier & Subcontractor Enablement service operationalizes this pack for primes managing dozens or hundreds of CUI suppliers.
Step 5: Build a supplier cyber scorecard
Track every CUI-handling supplier on a live scorecard. The scorecard should capture, at minimum:
- Current SPRS score and trend
- CMMC certification status and expiration date
- Number of open POA&M items by severity
- Responsiveness to corrective action requests (SLA days)
- Incident history and DIBNet report quality
- Annual attestation status
- Tier assignment and contract value at risk
A well-governed scorecard turns supplier risk into a monthly leadership metric, not a surprise at renewal time.
Step 6: Define escalation triggers and corrective actions
Decide in advance when a supplier enters corrective action, probation, or disqualification. Example triggers:
- SPRS score drops below contract-required threshold
- POA&M item ages beyond 180 days without closure
- Supplier fails to submit a 72-hour incident report after a reportable event
- Annual re-attestation is missed by more than 30 days
- C3PAO certification lapses without renewal in progress
Document the corrective action pathway: notification, remediation plan, milestone review, and, if necessary, contract termination. A documented escalation process protects the prime from inheriting supplier failures.
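The scorecard fields from Step 5 and the escalation triggers from Step 6 are mechanical enough to evaluate automatically against a supplier register. The following Python is an added example, not code from this article or from Andvio: it defines a minimal supplier record, builds the scorecard row, and fires the five triggers listed above as of a review date. The supplier records are constructed sample data, the trigger names and field names are assumptions, and the mapping from number of fired triggers to corrective action, probation or disqualification review is an assumed policy that each prime would set for itself.

```python
"""Supplier cyber scorecard with Step 6 escalation triggers (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

POAM_MAX_AGE_DAYS = 180        # POA&M item aging limit (Step 6)
ATTESTATION_GRACE_DAYS = 30    # allowed lateness for annual re-attestation (Step 6)
INCIDENT_REPORT_HOURS = 72     # DFARS 252.204-7012 reporting window


@dataclass
class PoamItem:
    severity: str                  # "high" | "moderate" | "low"
    opened: date
    closed: Optional[date] = None  # None while the item is still open


@dataclass
class Incident:
    occurred: date                 # date the reportable event was discovered
    reported: Optional[date]       # DIBNet report date, None if never filed


@dataclass
class Supplier:                    # assumed register schema, not a real product's
    name: str
    tier: int
    sprs_score: int
    sprs_required: int             # contract-required SPRS threshold
    cmmc_expiry: Optional[date]    # None if no C3PAO certification on file
    renewal_in_progress: bool
    attestation_due: date
    attested_on: Optional[date]
    contract_value: int = 0
    poam: list = field(default_factory=list)
    incidents: list = field(default_factory=list)


def open_poam_by_severity(s: Supplier, as_of: date) -> dict:
    """Scorecard field: open POA&M items grouped by severity."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for item in s.poam:
        if item.closed is None or item.closed > as_of:
            counts[item.severity] += 1
    return counts


def evaluate_triggers(s: Supplier, as_of: date) -> list:
    """Return the Step 6 triggers that fire for this supplier as of `as_of`."""
    fired = []
    if s.sprs_score < s.sprs_required:
        fired.append("sprs_below_threshold")
    if any((item.closed is None or item.closed > as_of)
           and (as_of - item.opened).days > POAM_MAX_AGE_DAYS for item in s.poam):
        fired.append("poam_aged_beyond_180_days")
    # Dates only, so the 72-hour window is checked at day granularity.
    if any(inc.reported is None
           or inc.reported - inc.occurred > timedelta(hours=INCIDENT_REPORT_HOURS)
           for inc in s.incidents):
        fired.append("missed_72h_incident_report")
    deadline = s.attestation_due + timedelta(days=ATTESTATION_GRACE_DAYS)
    received_on_time = s.attested_on is not None and s.attested_on <= deadline
    if as_of > deadline and not received_on_time:
        fired.append("attestation_missed_beyond_30_days")
    if s.cmmc_expiry is not None and s.cmmc_expiry < as_of and not s.renewal_in_progress:
        fired.append("c3pao_certification_lapsed")
    return fired


def escalation_stage(triggers: list) -> str:
    """Assumed policy: 1 trigger -> corrective action, 2 -> probation,
    3 or more (or a lapsed certification) -> disqualification review."""
    if not triggers:
        return "in_good_standing"
    if "c3pao_certification_lapsed" in triggers or len(triggers) >= 3:
        return "disqualification_review"
    return "probation" if len(triggers) == 2 else "corrective_action"


def scorecard_row(s: Supplier, as_of: date) -> dict:
    """One scorecard line per supplier with the Step 5 fields."""
    triggers = evaluate_triggers(s, as_of)
    return {
        "supplier": s.name,
        "tier": s.tier,
        "sprs_score": s.sprs_score,
        "sprs_required": s.sprs_required,
        "cmmc_expiry": s.cmmc_expiry.isoformat() if s.cmmc_expiry else None,
        "open_poam": open_poam_by_severity(s, as_of),
        "triggers": triggers,
        "stage": escalation_stage(triggers),
        "value_at_risk": s.contract_value if triggers else 0,
    }


def build_scorecard(suppliers: list, as_of: date) -> list:
    return [scorecard_row(s, as_of) for s in suppliers]


AS_OF = date(2025, 6, 30)
SAMPLE_SUPPLIERS = [  # constructed sample data
    Supplier("Acme Machining", 1, 88, 80, date(2026, 3, 1), False, date(2025, 5, 1),
             date(2025, 4, 20), 4_500_000, [PoamItem("low", date(2025, 5, 1))],
             [Incident(date(2025, 2, 1), date(2025, 2, 3))]),
    Supplier("Delta Circuits", 2, 62, 80, date(2025, 4, 15), False, date(2025, 3, 1),
             None, 1_200_000,
             [PoamItem("high", date(2024, 11, 1)),
              PoamItem("moderate", date(2024, 1, 10), date(2024, 6, 1))],
             [Incident(date(2025, 5, 10), None)]),
    Supplier("Orion Logistics", 4, 90, 80, None, False, date(2025, 5, 1), None, 300_000),
]

if __name__ == "__main__":
    for row in build_scorecard(SAMPLE_SUPPLIERS, AS_OF):
        print(row["supplier"], row["stage"], row["triggers"])
```

Run monthly against the register, the `stage` column is the leadership metric Step 5 asks for, and the `triggers` list is the audit trail that justifies each corrective action notice.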
Step 7: Re-certify and continuously monitor
Flow-down is not one-and-done. Re-certify suppliers at least annually, and continuously monitor external signals: SPRS score changes, public breach disclosures, changes in ownership, and DIBNet filings. High-risk (Tier 1) suppliers should receive targeted re-validation — an abbreviated readiness review or certification pathway check — every six months.
Step 8: Help subcontractors close gaps when disqualification would hurt delivery
Sometimes disqualifying a supplier is more expensive than helping them remediate. Sophisticated primes run supplier enablement programs that offer shared policy and evidence templates, access to vetted remediation partners, and jointly funded assessment prep for critical suppliers. This turns flow-down from a gate into a pipeline advantage.
Frequently asked questions about cyber flow-down
What does cyber flow-down mean in a DoD contract?
Cyber flow-down is the contractual mechanism by which a prime contractor transfers DoD cybersecurity requirements to subcontractors and suppliers that handle Controlled Unclassified Information (CUI). Under DFARS 252.204-7012, the prime must include the clause in all subcontracts at any tier where the subcontractor will process, store, or transmit CUI. Flow-down also applies to CMMC Level 2 certification requirements under DFARS 252.204-7021.
Which DFARS clauses must flow down to subcontractors?
The primary cyber flow-down clauses are DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), and DFARS 252.204-7021 (CMMC Requirements). All four must flow down to any subcontractor handling CUI, with assessment and certification requirements scaled to the subcontractor's role.
How do primes verify subcontractor CMMC compliance?
Primes verify subcontractor CMMC compliance through three mechanisms: the Supplier Performance Risk System (SPRS) score for NIST SP 800-171 self-assessments, CMMC certification records on the Cyber-AB marketplace for Level 2 and Level 3 certifications, and contractual attestations supported by evidence such as SSP extracts, POA&M summaries, and DIBNet incident response readiness confirmations. Mature primes supplement these with supplier questionnaires, risk-tiered audits, and periodic re-attestation.
What happens if a subcontractor fails to meet flow-down cyber requirements?
If a subcontractor fails to meet flow-down cyber requirements, the prime faces contractual, financial, and regulatory exposure. Consequences can include contract termination for default, False Claims Act liability if the prime attested to compliance it cannot support, disqualification from future DoD awards, and reputational damage with contracting officers. The prime is obligated to evaluate supplier remediation plans and, when necessary, remove noncompliant suppliers from the CUI supply chain.
How Andvio helps
Andvio connects defense primes and upper-tier contractors with vetted CMMC partners who can stand up a supplier flow-down program end-to-end — from contract clause templates to supplier scorecards to remediation support for critical subcontractors. Instead of building a supply-chain compliance function from scratch, you receive a short list of matched partners aligned to your supplier base, contract mix, and CMMC level.