Winning a government contract moves cybersecurity obligations to the top of the compliance stack. But for prime contractors, those obligations don't stop at the prime's own systems — they travel down the supply chain to every subcontractor that touches covered information.
The most commonly overlooked cybersecurity compliance question in government contracting is not "what do I owe the government?" — it's "what do I owe my subs, and what do they owe me?" The answer is embedded in the clauses already in your prime contract. Get the flowdown wrong and you expose yourself to liability not just for your own security gaps, but for the gaps in your supply chain.
The Trigger: When Does Flowdown Apply?
Not every subcontract carries cybersecurity flowdown obligations. Two triggers matter under federal rules:
For DoD contracts, DFARS 252.204-7012 paragraph (m) is the controlling provision. It requires the prime to include the clause — including the flowdown paragraph itself — in any subcontract that involves covered defense information (CDI) or operationally critical support. CDI is the DoD-specific term that maps closely to Controlled Unclassified Information (CUI): controlled technical information, export-controlled data, and similar material identified in the CUI Registry. The flowdown applies even to commercial product and commercial service subcontracts — the only exception is COTS items.
For all federal contracts, FAR 52.204-21 requires the prime to flow its fifteen basic safeguarding requirements down to any subcontract where performance involves processing, storing, or transmitting Federal Contract Information (FCI), or accessing a federal information system — again excluding COTS.
The practical upshot: if a subcontractor's scope of work requires them to see, store, process, or transmit covered information, the clause goes in the subcontract. Period.
What the Prime Must Actually Do
DFARS 252.204-7012(m)(1) requires the prime to include the clause in subcontracts "without alteration, except to identify the parties." The "without alteration" requirement matters. Primes cannot water down the clause, carve out incident reporting, or narrow the NIST SP 800-171 requirement to suit a sub's existing security posture. The clause flows as written.
Beyond including the clause, the prime also bears a determination obligation: the prime must actively assess whether the information flowing to the subcontractor retains its character as CDI in the sub's hands and will require protection. This is not a passive checkbox — it requires the prime to think through what the sub actually receives and whether it triggers the clause.
The prime must also require subcontractors to notify the prime when requesting a waiver from a NIST SP 800-171 control, and to provide the DoD-assigned incident report number to the prime as soon as practicable after reporting a cyber incident to DoD. That last requirement means a cyber incident at your subcontractor is information you are obligated to receive — and you should have a process for handling it.
CMMC Adds Another Layer
Beyond the contractual clause requirements, CMMC introduces an assessment layer. Under 32 C.F.R. Part 170, DoD prime contractors must ensure that subcontractors handling CUI obtain the appropriate CMMC level — Level 2 for most CUI work, Level 3 for advanced CUI categories. The prime cannot certify to a CMMC level on behalf of a sub; each tier of the supply chain that handles CUI must independently meet and, when required, be independently assessed against the applicable CMMC level.
Practically, this means primes with CMMC Level 2 requirements should be verifying subcontractor CMMC status — not simply flowing the clause and assuming compliance. SPRS scores for subs are a starting point, but Phase 2 (beginning November 10, 2026) will require third-party certifications for Level 2 work.
Practical Steps for Prime Contractors
Before the next subcontract goes out the door:
1. Map your subs to CDI/FCI. Identify which subcontractors will actually receive or generate covered information in performance. If it's CDI, DFARS 7012 flows. If it's FCI only, FAR 52.204-21 flows. Both can flow simultaneously.
2. Include the clause verbatim. Don't rely on a clause crosswalk or a summary — insert the full clause text or incorporate it by reference with the correct change date.
3. Build an incident notification channel. Your subcontracts should specify how and when a sub must notify you of a cyber incident. The 72-hour reporting clock to DoD runs from the sub's discovery — you need to know quickly.
4. Track CMMC status by tier. Maintain a record of each sub's SPRS score and, starting in Phase 2, their C3PAO certification status for any subcontract involving CUI.
5. Review cloud service use. Under DFARS 7012(b)(2)(ii)(D), if a sub uses a cloud service provider to store or process CDI, that provider must meet FedRAMP Moderate equivalent security. Confirm before the sub's cloud environment is in scope.
Key Takeaways
- DFARS 252.204-7012(m) mandates verbatim flowdown of the full clause to every subcontractor whose work involves covered defense information or operationally critical support — including commercial subs, excluding COTS.
- Primes have a determination duty, not just a paperwork duty: actively assess whether subcontracted work involves CDI, and require incident notification up the chain within the 72-hour reporting window.
- CMMC adds a verification obligation: primes cannot simply flow the clause and walk away — they must confirm that subs handling CUI hold the appropriate CMMC level, with third-party certification required for Level 2 work beginning November 10, 2026.
For more on what the cybersecurity clause stack looks like across contract tiers, see FAR Cybersecurity Baseline and Find My Requirements. To understand how enforcement exposure tracks these obligations, see Enforcement & Penalties. Defense contractors can also review the DoD-specific requirements and use the Build-a-Program guide to build flowdown tracking into their compliance structure.