What Small Subcontractors Need to Know - 48 CFR is Published
On September 10, 2025, the Department of Defense published the final DFARS rule for CMMC, which will take effect November 10, 2025. From that effective date forward, new DoD solicitations and contracts may require compliance under CMMC, beginning Phase 1 of the rollout.
What Flow-Down Means in Practice
When a prime contract includes the DFARS clause 252.204-7021, the requirement for CMMC flows down to any subcontractor that handles covered information. That clause, updated as part of the new rule, compels subcontractors to meet the same level of cybersecurity compliance as the prime, particularly if they receive, store, or transmit sensitive data.
There are two key categories of sensitive information that trigger obligations:
- Federal Contract Information (FCI): Information provided by or produced for the government under contract, which is not intended for public release.
- Controlled Unclassified Information (CUI): Unclassified but sensitive information that demands safeguarding, such as technical data, proprietary methods, or export-controlled information.
If your subcontract work involves FCI, you may need a CMMC Level 1 self-assessment and a formal affirmation in the Supplier Performance Risk System (SPRS). If your work involves CUI, the requirement escalates: CMMC Level 2 compliance, built on NIST SP 800-171, will apply, and in Phase 1, select solicitations can even demand third-party certification, not just self-assessment.
The Clauses That Govern Flow-Down
CMMC does not stand alone. It builds on existing DFARS clauses that already impose cybersecurity obligations in DoD contracts, most of which have been in effect since around 2017:
- 252.204-7012: Requires safeguarding of CUI and reporting of cybersecurity incidents
- 252.204-7019: Requires contractors and subcontractors to submit NIST SP 800-171 self-assessment scores to SPRS
- 252.204-7020: Governs government verification of those assessments
- 252.204-7021: Embeds CMMC obligations into contract awards and makes compliance a factor through performance
Together, these clauses establish a shared, supply chain–wide responsibility for safeguarding information. Every subcontractor that handles FCI or CUI must be able to demonstrate compliance. The key point is that CMMC requirements flow down through the entire supply chain. Any subcontractor delivering products or services under a prime contract must ensure that the vendors (e.g. subcontractors and job shops) they engage outside their own systems meet the required level of cybersecurity compliance. In practice, these subcontractors are the ones disclosing sensitive information, FCI or CUI, to others. Because they are sharing that information, the responsibility rests with them to verify that appropriate security measures are in place before disclosure occurs.
Practical Steps for Subcontractors
Meeting CMMC requirements as a subcontractor begins with understanding where responsibility lies. Compliance does not stop at your own network boundary; it extends to the partners and suppliers that support your performance under a contract. Each organization must be able to prove that it is protecting the information it receives or generates for the government—and that its vendors are doing the same.
The following steps outline practical actions that subcontractors can take to establish and maintain compliance across their portion of the supply chain.
- Map your data flows. Confirm which systems, people, and facilities will ever interact with FCI or CUI.
- Assess your requirements. If you only handle FCI, prepare for Level 1 self-assessment and affirmation. If you will handle CUI, design your compliance for Level 2. Be ready for third-party certification in some solicitations.
- Use SPRS carefully. Upload and maintain self-assessment scores and affirmations. Assign ownership to monitor and refresh entries annually or whenever your environment changes. This system establishes a legal attestation to the federal government. Don’t open yourself up to a false claims case: use SPRS with care and maintain the evidence supporting your SPRS attestation for 6 years.
- Demand proper flow-downs. Ensure primes include clauses mirroring DFARS 7012, 7019, 7020, and 7021, and that subcontracts obligate subcontractors to meet the appropriate CMMC level and provide proof of it. If you are unsure about your contractual obligations, what specifically is considered covered (e.g. gcode or molds), or the specific marking requirements, ask your prime’s contracting office. Remember to get all responses in writing and preserve them as you would the contract itself.
- Extend compliance downstream. If your work relies on lower-tier vendors that may access or handle FCI or CUI, require the same cybersecurity standards in your own subcontracts. Begin engaging with those suppliers now to identify where potential exposure exists. The worst time to discover that a long-standing, trusted partner cannot continue providing services because they lack adequate cybersecurity capability is when you need them most.
Final Word
The publication of the 48 CFR rule makes CMMC a contractual reality. With an effective start date of November 10, 2025, primes and subcontractors must treat cybersecurity not as a checkbox but as a gating consideration in each award. Subcontractors that embrace flow-down obligations and maintain clean, current SPRS records stand to avoid last-second disqualifications and establish credibility as reliable participants in the Defense Industrial Base.
When the 48 CFR rule takes effect in November, CMMC Level 1 moves from guidance to enforcement. For any new DoD solicitation or contract that includes the updated DFARS 252.204-7021 clause, contractors will be required to demonstrate compliance with Level 1 as a condition of eligibility. That means completing the basic safeguarding requirements from FAR 52.204-21, posting a self-assessment and senior official affirmation in the Supplier Performance Risk System (SPRS), and ensuring those entries are current before award. In short, once the rule is effective, handling Federal Contract Information without a valid Level 1 self-assessment on file will no longer be permitted.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.