CMMC applies to DoD prime contractors and subcontractors at any tier that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) while performing DoD work. Requirements are enforced through contract language, including DFARS clauses, and primes are obligated to flow down the appropriate cybersecurity requirements to subcontractors when subcontract performance involves Covered Defense Information.

Why “flow-down” gets complicated

Flow-down is not a blanket rule applied to every vendor. It depends on what information a subcontractor will actually touch and what the prime contract requires:

  • Data type drives the minimum level: handling only FCI generally maps to CMMC Level 1 (Self), while handling CUI maps to at least CMMC Level 2 (Self), with higher assessment expectations when the prime contract requires them.
  • Primes must scope and defend data flows: DFARS 252.204-7012 requires primes to determine whether information provided to a subcontractor “retains its identity” as covered defense information and may require coordination with the Contracting Officer.
  • Requirements often cascade to lower tiers: subcontractors may need to flow the same obligations to their own suppliers if they further subcontract work involving FCI/CUI.
  • Primes typically ask for proof, not promises: expect requests for an SSP/POA&M posture, incident reporting readiness, and other evidence that you can meet DFARS/NIST expectations.

CMMC Level 1: 17 Practices vs. 15 Safeguards

The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:

CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. The 17 practices are not additional requirements; the difference is a structural carryover from the original DoD-to-NIST mapping exercise, and the underlying obligations are the same 15 safeguards.