CMMC Prime & Subcontractor Compliance
CMMC Flowdown Letter Template (2026): Copy-Paste Letters, the Level Matrix, and the Evidence Checklist
If you searched for a CMMC flowdown letter template, you’re probably a prime or upper-tier contractor with a deadline and a quiet worry: send the wrong requirement and you either scare off a supplier you need, or you expose your company under the False Claims Act.
A CMMC flowdown letter is the notice you send a subcontractor to (1) state the CMMC level the subcontract requires, (2) point to the governing clauses — DFARS 252.204-7021 (the Cybersecurity Maturity Model Certification clause) and DFARS 252.204-7012 (the safeguarding and cyber-incident-reporting clause) — and (3) request proof of the sub’s current CMMC status before you award the subcontract or share covered information. The level you flow down is not automatically your own level; it’s the level that matches the information the subcontractor will actually handle.
Copy the letters below. They’re ready to use. But two things almost every template on the internet gets wrong — one about the level, one about the clause numbers — and both can turn a routine supplier notice into a liability. We’ll fix those first, because getting them right is the whole point.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Use this page if you need to send a CMMC supplier notice, a subcontractor flowdown letter, an evidence request, or build the procurement file that proves you did your diligence before award.
Do not send one generic letter if your suppliers handle different information. A machine shop that only sees a purchase order is not the same as an engineering sub that receives CUI drawings. FCI-only, CUI under a self-assessment, CUI under a third-party assessment, Level 3 prime work, commercial services, and commercial-off-the-shelf purchases should not all get the same demand.
The key qualifier: the contract clause and the actual FCI/CUI handling set the requirement — a checklist can’t. A letter template clarifies the ask and collects the proof. It does not decide your legal obligations or make anyone compliant.
The one mistake almost every CMMC flowdown template makes
Here’s the trap. A lot of “CMMC flowdown letter” templates tell you to demand that every supplier “be CMMC Level 2 certified.” That’s wrong, it’s expensive, and it will cost you good vendors who don’t need Level 2 at all.
The rule that governs this is 32 CFR 170.23 (“Application to subcontractors”) in the CMMC Program Rule. We read it directly. It says prime contractors shall require subcontractors to comply and flow down the applicable CMMC level and assessment type for each subcontract, throughout the supply chain at all tiers, based on the information the subcontractor will process, store, or transmit. In plain terms: the information drives the level.
The CMMC flowdown level matrix (what to require — and what not to ask for)
| The subcontractor will handle… | Your prime contract requires… | Flow down (minimum) | Do not do this |
|---|---|---|---|
| FCI only (no CUI) | Any level (L1, L2, or L3) | Level 1 (Self) — annual self-assessment | Demand a Level 2 certificate "to be safe." It over-scopes the vendor and isn't required. |
| CUI | Level 2 (Self) | Level 2 (Self) | Ask for the sub's full SSP or POA&M by email. Confirm status; don't collect sensitive system documentation you don't need. |
| CUI | Level 2 (C3PAO) | Level 2 (C3PAO) | Accept a self-assessment as "close enough." If your contract requires C3PAO, the sub's minimum is C3PAO. |
| CUI | Level 3 (DIBCAC) | Level 2 (C3PAO) — Level 3 does not flow down absent specific DoD guidance | Reflexively push Level 3 onto lower-tier suppliers. DoD made a deliberate, risk-based decision not to flow Level 3 down. |
| Commercial products/services that involve FCI/CUI | Match the FCI/CUI row above | Same as the matching FCI/CUI row | Assume "commercial" means exempt. It doesn't. |
| COTS only, no FCI/CUI | — | No CMMC flowdown triggered (confirm the scope) | Send a full CMMC evidence demand. COTS is excluded from the CMMC clause's flowdown. |
Why Level 3 doesn’t automatically flow down. People assume the strictest tier cascades downhill. It doesn’t. Under 32 CFR 170.23, a subcontractor handling CUI under a Level 3 (DIBCAC) prime contract has a minimum requirement of Level 2 (C3PAO) — not Level 3 — unless DoD provides specific flowdown guidance for that subcontract. That single fact can save a lower-tier supplier from chasing NIST SP 800-172 enhanced requirements they were never obligated to meet.
That’s mistake number one — the level. Mistake number two is about the clause numbers you cite, and if you’re using an older template, you may be citing at least one clause the FAR overhaul has already renumbered in newer solicitations. We’ll get to it. First, the letters.
The copy-paste templates below are matched to each scenario in the matrix above. Do not include CUI, drawings, or sensitive contract details in any letter or reply.
Copy-paste CMMC flowdown letter templates
Below is a master letter you can copy today, followed by the exact sentence to swap in for each supplier scenario, plus two situational letters (a no-covered-data confirmation and a polite escalation). Every version ends with the same secure-submission footer. Fill in the brackets, then have contracts or counsel align it with your actual subcontract terms.
The master flowdown letter (copy-paste)
Subject: CMMC and cybersecurity flowdown — supplier evidence request for [Program / Prime Contract No. / Subcontract or PO No.]
[Your Company Name]
Date: [Date]
To: [Subcontractor / Supplier Name], Attn: [Name, Title]
Dear [Name],
[Your Company] is confirming cybersecurity requirements for suppliers supporting the above program. Based on the current scope of work, your organization is expected to [choose one: process, store, or transmit Federal Contract Information (FCI) / process, store, or transmit Controlled Unclassified Information (CUI)] on your own information systems in performance of this subcontract or purchase order.
1. Required CMMC status. For this work, your organization must hold and maintain a [insert the level from the matrix — see the scenario sentence below] for the information system(s) used in performance. This requirement is set by the information you will handle, in accordance with 32 CFR 170.23, and is being incorporated into your subcontract terms.
2. Applicable clauses. You must comply with DFARS 252.204-7021 (the CMMC clause) and, where your performance involves covered defense information, DFARS 252.204-7012 (safeguarding and 72-hour cyber-incident reporting). If your solicitation, subcontract, or purchase order uses Revolutionary FAR Overhaul deviation numbering, cite the corresponding deviation clause numbers from that instrument.
3. Evidence requested before award. Prior to subcontract award or release of covered information, please provide: (a) confirmation of your current CMMC Status, Level, and assessment type for the relevant system; (b) appropriate confirmation of your status in the Supplier Performance Risk System (SPRS), including your CMMC unique identifier (UID) if applicable; and (c) confirmation that your annual affirmation of continuous compliance is current. Please also identify the information system(s) to be used in performance, without including CUI or sensitive system detail. Do not send your System Security Plan (SSP), Plan of Action and Milestones (POA&M), or control artifacts through ordinary email.
4. Ongoing obligations. You must maintain the required CMMC status for all systems used in performance, keep your annual affirmation current in SPRS, avoid processing FCI/CUI on any system that does not meet the required status, report cyber incidents within 72 hours per DFARS 252.204-7012, and flow these requirements down to your own lower-tier subcontractors who will handle FCI or CUI.
5. Scope changes. Notify [Your Company] before any change in scope, systems, or information handling that could affect these requirements.
Please respond by [date] so we can review the requested evidence before award. Questions to [name, email, phone].
Sincerely,
[Name, Title, Company]
This notice summarizes contractual cybersecurity requirements and is not legal advice. Please confirm applicability with your CMMC Registered Practitioner (RP/RPO) or qualified federal-contracts counsel.
⚠ Do not submit CUI, technical drawings, export-controlled data, System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), vulnerability details, credentials, or sensitive contract information through ordinary email, this request, or any channel not approved for that information.
Swap in the right sentence for each supplier (paragraph 1)
Everything in the master letter stays the same. Only the level statement changes:
- FCI-only supplier → Level 1 (Self): “…must hold and maintain a CMMC Status of Level 1 (Self), achieved through an annual self-assessment against the basic safeguarding requirements (FAR 52.204-21, or FAR 52.240-93 if that deviation number appears in your solicitation, subcontract, or purchase order).”
- CUI supplier, prime is Level 2 (Self) → Level 2 (Self): “…must hold and maintain a CMMC Status of at least Level 2 (Self-Assessment) against NIST SP 800-171 Revision 2 (110 security requirements).”
- CUI supplier, prime is Level 2 (C3PAO) → Level 2 (C3PAO): “…must hold and maintain a CMMC Status of at least Level 2 (C3PAO), assessed by a Certified Third-Party Assessment Organization.”
- CUI supplier, prime is Level 3 (DIBCAC) → Level 2 (C3PAO): “…must hold and maintain a CMMC Status of at least Level 2 (C3PAO). Unless the contract or DoD guidance states otherwise, our current understanding is that Level 3 does not flow down to subcontractors handling CUI; the minimum is Level 2 (C3PAO).”
The no-covered-data confirmation (when a supplier says CMMC doesn’t apply)
Don’t argue from a template. Confirm the scope instead.
Based on our current understanding, your organization will not process, store, or transmit FCI or CUI on your own systems in performance of [Subcontract/PO No.]. Please confirm this in writing, and notify us immediately if the scope changes. Because no covered information is involved, we are not requesting CMMC status evidence for this purchase at this time. Do not send any CUI or sensitive contract information in your reply.
The polite escalation (when a supplier can’t provide evidence)
Thank you for your response. To make sure we handle this correctly, could you confirm which of the following applies: (a) the requirement does not apply because no FCI/CUI is involved; (b) the requested artifact is sensitive and needs a secure channel; or (c) the required CMMC status is not yet current for the relevant system? If it’s (b), please do not send sensitive documentation by ordinary email — contact [security/contracts POC] and we’ll identify an approved method. If it’s (c), let’s discuss timing before award or before any covered information is shared.
Notice what this does. It separates “the rule doesn’t apply to me” from “I don’t want to email you my SSP” from “I’m not ready yet.” Those are three different problems with three different answers, and lumping them together is how supplier relationships break.
A flowdown letter isn’t what makes it binding — read this before you send
Here’s the one uncomfortable thing we’ll tell you that most template pages won’t: a flowdown letter — including the one on this page — cannot make a supplier compliant, and by itself it is not the flowdown DoD requires. If all you do is email a letter, you have not met your obligation.
We’re telling you that because it’s the difference between looking compliant and being compliant. And the fix is simple. The letter does two jobs: it communicates the requirement, and it collects the proof you need before award. The legally operative flowdown happens in two other places:
1. In the subcontract clause — you incorporate the substance of DFARS 252.204-7021 into the subcontract or other contractual instrument, and where covered defense information is involved, you flow DFARS 252.204-7012 down under its paragraph (m) without alteration except to identify the parties.
2. In pre-award verification — DFARS 252.204-7021 requires you to confirm the subcontractor holds a current CMMC certificate or status at the appropriate level before you award. The letter is how you gather that proof; the subcontract clause is what binds; the verification is what protects you.
So pair them. Send the letter, incorporate the clause into your terms, verify the status, and keep the records. That combination is your good-faith diligence — and in a False Claims Act environment, documented follow-up carries real weight.
Which DFARS clauses belong in a 2026 CMMC flowdown letter?
Your two anchors haven’t moved. DFARS 252.204-7021 and DFARS 252.204-7012 are current on Acquisition.gov and carry the CMMC flowdown and the safeguarding/incident-reporting obligations. Reference those two, and you’re on solid ground for any covered subcontract.
The wrinkle is the Revolutionary FAR Overhaul (RFO). Under RFO class deviations that took effect in early 2026, DoD, for solicitations that use the deviation package, removed DFARS 252.204-7019, renumbered DFARS 252.204-7020 to DFARS 252.240-7997, and renumbered FAR 52.204-21 to FAR 52.240-93. Here’s the part most write-ups miss: a class deviation is a temporary exception — it does not amend the codified regulation. When we pulled the current DFARS (Change 5/7/2026) on Acquisition.gov, 252.204-7019 and 252.204-7020 were still there, in full, and DFARS Part 240 was still marked “Reserved.” So both numbering systems are live right now.
Cite the number that appears in your actual contract instrument. Anchor on DFARS 252.204-7021 and DFARS 252.204-7012 (unchanged either way), and add “as renumbered where applicable” so you’re covered under both systems.
| Clause | RFO deviation number | What it does for flowdown | Still in codified DFARS (Change 5/7/2026)? | Use in your letter |
|---|---|---|---|---|
| DFARS 252.204-7021 | (unchanged) | The CMMC clause. Flow down the correct level; verify the sub's current status before award; ensure subs complete and annually maintain an affirmation of continuous compliance in SPRS | Yes | Yes — primary anchor |
| DFARS 252.204-7012 | (unchanged) | Safeguard covered defense information; 72-hour incident reporting; flow down under paragraph (m) without alteration except to identify the parties | Yes | Yes — where CDI/CUI is involved |
| DFARS 252.204-7025 | (unchanged) | Solicitation notice provision; CMMC status as a condition of award eligibility | Yes | Solicitation-level |
| DFARS 252.204-7020 | 252.240-7997 (deviation) | Government (DIBCAC) Medium/High NIST SP 800-171 assessment access | Yes (legacy still listed) | Cite the number in your instrument |
| DFARS 252.204-7019 | Removed in the deviation package | Old notice of the NIST SP 800-171 self-assessment / SPRS score requirement | Yes (still codified, NOV 2023) | Cite the number in your instrument; the assessment obligation now runs through CMMC (7021) |
| FAR 52.204-21 | FAR 52.240-93 (overhaul) | Basic safeguarding (15 requirements) for FCI; underpins CMMC Level 1 | Yes | CMMC Level 1 still references 52.204-21 |
One more accuracy point: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. The codified text of DFARS 252.204-7012 points to the version of NIST SP 800-171 “in effect at the time the solicitation is issued.” DoD resolved the mismatch with Class Deviation 2024-O0013, which directs contractors subject to 7012 to implement Revision 2. So if a supplier tells you they’re building to Rev. 3 for CMMC, that’s a flag worth a conversation.
How do you tell whether a supplier is FCI-only or CUI?
The whole letter hinges on this one distinction. The definitions come from DFARS 252.204-7021 (FCI) and the CUI framework referenced in DFARS 252.204-7012 and the National Archives CUI Registry.
Quick way to triage a supplier:
- Likely FCI-only: the supplier receives contract mechanics — purchase orders, delivery schedules, non-sensitive specifications, basic requirements — but nothing marked CUI and no controlled technical data.
- Likely CUI: the supplier receives or generates controlled technical information, engineering drawings, export-controlled data, or documents marked “CUI” or “Controlled.” DFARS 252.204-7012 being in your contract is itself a strong signal that CUI (covered defense information) is in play.
When it’s genuinely unclear — the classic case is a shop that gets CUI drawings only to quote or run takeoffs — treat it as a scoping question, not a guess. Route it to contracts, security, and compliance before you share anything or decide the supplier is out of scope. Getting this wrong in either direction is expensive: call CUI “FCI” and you under-protect; call FCI “CUI” and you over-scope a vendor who then walks. For the full flow-down logic, see our CMMC flow-down requirements for primes.
What to ask each subcontractor for — and what not to
A detail that surprises a lot of primes: you can’t see your subcontractor’s SPRS score. DoD does not share subcontractor CMMC data with prime contractors. The subcontractor owns their record, so verification runs on what they provide you — a screenshot, a status confirmation, a copy of a certificate. For the full picture on SPRS access, see how to verify a company’s CMMC status in SPRS.
| Ask for this… | When | Safer wording |
|---|---|---|
| CMMC Status, level, and assessment type | Any covered supplier | "Please confirm your current CMMC Status, level, and assessment type for the system used in performance of this subcontract." |
| SPRS confirmation + CMMC UID | CUI / NIST SP 800-171 context | "Please provide appropriate confirmation of your current status in SPRS, and your CMMC UID if applicable." |
| Annual affirmation confirmation | Any covered supplier | "Please confirm that your annual affirmation of continuous compliance is current for the relevant system." |
| System / scope identifier | Any covered supplier | "Please identify the information system used for this work — without including CUI or sensitive system details." |
| No-covered-data attestation | Supplier says CMMC doesn't apply | "Please confirm whether your organization will process, store, or transmit FCI or CUI under this subcontract." |
Should you ask for the SSP or POA&M? Not in a broad first-touch letter. An SSP or POA&M can contain sensitive details about a supplier’s systems and gaps. If contracts, legal, or security decides those documents are genuinely needed, request them through an approved secure channel on a need-to-know basis — never “reply to this email with your SSP attached.”
Should you require an SPRS screenshot? Some primes do exactly that. But the safer default is to ask for “appropriate confirmation” of current status and let the supplier choose the least-sensitive way to prove it.
Can a subcontractor use Conditional CMMC Status or a POA&M?
A supplier may come back with a Conditional status rather than a Final one — and the two are not interchangeable.
- Conditional CMMC Status (Level 2 or Level 3): the supplier met the threshold but has open items on a POA&M. Under the CMMC Program (32 CFR 170.21), only certain lower-weighted requirements are POA&M-eligible, and the POA&M must be closed out — generally within 180 days — to reach Final status. A Conditional status is time-boxed, not a finish line.
- Final CMMC Status: all applicable requirements are met with no open POA&M. This is what you ultimately want on file.
- Level 1: no Conditional option. FCI-only suppliers need a Final Level 1 (Self) status; you can’t POA&M your way in at Level 1.
If a supplier is Conditional, note it explicitly in your file, record the POA&M closeout date they’re working toward, and set a recheck before that window closes. Accepting a Conditional status without tracking the 180-day clock is how a “compliant” supplier quietly becomes a non-compliant one mid-performance.
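The two decisions this page asks you to make repeatedly, the level from the matrix above and the Conditional-status clock just described, are mechanical enough to put into a small tracker helper. The following is an added example written for this page; it is not the publication's code and not a DoD tool. It encodes the matrix the page attributes to 32 CFR 170.23, the COTS and no-covered-data exclusions, the 180-day POA&M close-out window, and the escalation triggers from the deadline table. The status codes, field names, the 30-day recheck lead time, and the sample dates are this example's own choices.

```python
"""Flowdown-level determination and Conditional-status recheck (added example).

Encodes the level matrix the page attributes to 32 CFR 170.23, the COTS and
no-covered-data exclusions, and the 180-day POA&M close-out window cited for
Conditional status. Status codes, field names, the 30-day recheck lead time and
the sample dates are this example's own constructions, not terms from the rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Status codes used by this example (not official identifiers).
L1_SELF, L2_SELF, L2_C3PAO, L3 = "L1-SELF", "L2-SELF", "L2-C3PAO", "L3-DIBCAC"
RANK = {L1_SELF: 1, L2_SELF: 2, L2_C3PAO: 3, L3: 4}
POAM_CLOSEOUT_DAYS = 180   # window the page cites for Conditional -> Final
RECHECK_LEAD_DAYS = 30     # assumption: recheck a month before the window closes

# Constructed sample dates for the demo and tests.
SAMPLE_CONDITIONAL_SINCE = date(2026, 1, 15)
SAMPLE_TODAY = date(2026, 7, 3)


@dataclass(frozen=True)
class Scope:
    """What the subcontractor will process, store or transmit on its own systems."""
    handles_fci: bool
    handles_cui: bool
    cots_only: bool = False   # subcontract solely for commercial off-the-shelf items


def required_flowdown(prime_level: str, scope: Scope) -> Optional[str]:
    """Minimum CMMC status to flow down, or None when no flowdown is triggered."""
    if prime_level not in RANK:
        raise ValueError(f"unknown prime level {prime_level!r}")
    if scope.cots_only:
        return None                  # COTS carve-out in the CMMC clause
    if not (scope.handles_fci or scope.handles_cui):
        return None                  # no covered data: send the no-covered-data confirmation
    if not scope.handles_cui:
        return L1_SELF               # FCI only, whatever the prime's own level
    if prime_level == L1_SELF:
        # CUI under a Level 1 prime contract is a scoping question, not a lookup.
        raise ValueError("CUI under a Level 1 prime contract: route to contracts/security")
    if prime_level == L2_SELF:
        return L2_SELF
    return L2_C3PAO                  # L2 (C3PAO) prime or L3 prime: Level 3 does not flow down


@dataclass(frozen=True)
class Evidence:
    """Status confirmation a supplier returned; never store an SSP, POA&M or CUI here."""
    status: str
    is_final: bool                   # False = Conditional (open POA&M)
    affirmation_current: bool
    conditional_since: Optional[date] = None


def review_evidence(required: Optional[str], ev: Evidence, today: date) -> dict:
    """Apply the page's escalation triggers to one supplier's evidence."""
    result = {"decision": "proceed", "findings": [], "closeout": None, "recheck_by": None}
    if required is None:
        result["decision"] = "no flowdown required"
        return result
    findings = result["findings"]
    if RANK.get(ev.status, 0) < RANK[required]:
        findings.append("status below required level")
    if not ev.affirmation_current:
        findings.append("annual affirmation not current")
    if not ev.is_final:
        if ev.status == L1_SELF:
            findings.append("Level 1 has no Conditional option")
        elif ev.conditional_since is None:
            findings.append("Conditional status without a recorded start date")
        else:
            closeout = ev.conditional_since + timedelta(days=POAM_CLOSEOUT_DAYS)
            result["closeout"] = closeout
            result["recheck_by"] = closeout - timedelta(days=RECHECK_LEAD_DAYS)
            days_left = (closeout - today).days
            if days_left < 0:
                findings.append("POA&M close-out window passed without Final status")
            elif days_left <= RECHECK_LEAD_DAYS:
                findings.append(f"POA&M close-out window closes in {days_left} days")
    if findings:
        result["decision"] = "escalate"
    return result


def demo() -> dict:
    """Constructed case: CUI sub under an L3 prime, Conditional L2 (C3PAO) since 15 Jan 2026."""
    need = required_flowdown(L3, Scope(handles_fci=True, handles_cui=True))
    ev = Evidence(L2_C3PAO, is_final=False, affirmation_current=True,
                  conditional_since=SAMPLE_CONDITIONAL_SINCE)
    return {"required": need, **review_evidence(need, ev, SAMPLE_TODAY)}


if __name__ == "__main__":
    print(demo())
```

In the constructed case the required level resolves to Level 2 (C3PAO), not Level 3, and the 180-day window from 15 January 2026 closes on 14 July 2026, so a review on 3 July lands inside the recheck lead time and is flagged for escalation rather than silently accepted. The tracker fields mirror the procurement-file table later on this page; nothing sensitive is stored in them.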
What deadline should the letter set?
| Situation | Deadline logic | Review before award | Escalation trigger |
|---|---|---|---|
| New subcontract award | Response well before award decision | Status, level, assessment type, affirmation | No response, or status below required level |
| Option period / renewal | Recheck before exercising the option | Current status still valid; affirmation renewed | Lapsed affirmation or changed status |
| Supplier says no FCI/CUI | Quick turnaround for a written confirmation | No-covered-data attestation | Any sign covered data is actually involved |
| Supplier has Conditional status | Track to the POA&M closeout window | POA&M items and closeout date | 180-day window approaching without closeout |
| Supplier can't provide evidence | Short clarification window | Which issue: applicability, channel, or readiness | Covered work pending with no path to status |
Language that works: “Please respond by [date] so [Your Company] can review the required evidence before subcontract award and before any covered information is shared.”
Keep the phase clock in mind. The DFARS CMMC final rule became effective November 10, 2025; Phase 1 runs November 10, 2025 through November 9, 2026; and Phase 2 begins November 10, 2026. Several large primes are already enforcing ahead of the DoD schedule, and a supplier that isn’t ready can stall your own award.
When CMMC flowdown does NOT apply (COTS, commercial, and no covered data)
Three limits worth knowing so you don’t over-flow the requirement:
- COTS is excluded from the CMMC clause. If the subcontract is solely for commercially available off-the-shelf items, the CMMC flowdown paragraph in DFARS 252.204-7021 doesn’t reach it. Confirm the scope, file the confirmation, and move on.
- “Commercial” ≠ “COTS.” This is a common and expensive mix-up. A commercial product or service supplier who will handle FCI or CUI is still in scope. Only true COTS gets the exclusion.
- No covered data, no trigger. Flowdown attaches when the sub will process, store, or transmit FCI or CUI on its own systems. A supplier that never touches covered information under the subcontract doesn’t get a CMMC evidence demand — they get a no-covered-data confirmation (template above).
One nuance to keep straight: the safeguarding clause and the CMMC clause have different subcontract paragraphs. DFARS 252.204-7012, paragraph (m) flows down for covered defense information or operationally critical support — including commercial products or services — without alteration except to identify the parties. The COTS carve-out lives in the CMMC clause (DFARS 252.204-7021), not in 7012(m).
What to do if a subcontractor pushes back
When a supplier resists, the winning question is diagnostic, not adversarial:
Are you declining because the requirement doesn’t apply, because the requested document is sensitive, because you need a secure channel, or because the required status isn’t yet current?
- "It doesn't apply." → Confirm the scope with a no-covered-data attestation. If they're right, you're done.
- "That document is sensitive." → Fair. Don't ask for the SSP by email. Offer an approved secure method to confirm status without unnecessary disclosure.
- "We need a secure channel." → Provide one. This is a process fix, not a compliance failure.
- "We're not there yet." → Now it's a readiness and timing conversation. Decide whether to pause covered work, adjust the schedule, or route them to help.
When to pause covered work: if a supplier can’t confirm applicability or current status for covered work, hold the award and the information transfer, and loop in contracts, legal, procurement, and security. Sharing CUI with a supplier who can’t show the required status is precisely the exposure the program exists to prevent.
How major primes are actually sending these letters
Based on publicly reported supplier communications and prime supplier portals — which you should verify directly with your own prime, since requirements change — the pattern across the largest contractors is consistent:
- RTX: Updated supplier certification requirements and, as reported, built CMMC status into its supplier registration, requiring suppliers to declare their certification status before a purchase order or letter of subcontract for covered work.
- Lockheed Martin: As reported, reached out to suppliers with low self-assessment scores and warned that a lapse in required CMMC status will directly affect a supplier's ability to receive DoD subcontracts.
- Northrop Grumman: In a reported December 2025 supplier message, told suppliers that CMMC requirements can't be waived regardless of relationship history.
- L3Harris: In a reported 2026 supplier letter, communicated an expectation that suppliers be certified by a set mid-2026 date.
- Boeing & General Dynamics: Operate supplier cybersecurity portals and annual certification requirements to collect CMMC status and evidence.
What to copy from these: the evidence workflow (status, level, assessment type), a clear submission path, and links to supplier resources. What not to copy: any prime-specific deadline, a company-specific portal process, or a requirement your own contract and scope don’t support. Their letters reflect their contracts. Yours should reflect yours.
The takeaway isn’t “match Lockheed.” It’s that the market has already standardized around one question — prove your current status before award — and your letter should ask it cleanly.
If YOU received a CMMC flowdown letter (subcontractor’s next move)
Not everyone reading this is the sender. If you’re a subcontractor who just got a letter and a due date, here’s the calm version of what to do:
1. Confirm the data. Will you actually process, store, or transmit FCI or CUI under this subcontract? That single answer sets your level (use the matrix above).
2. Read the required level from the letter. FCI-only means Level 1 (Self). CUI means at least Level 2, and Level 2 (C3PAO) if the prime's contract requires it.
3. Check your status. Know your current CMMC/SPRS position before you reply.
4. Respond safely. Provide the confirmation requested. Do not attach CUI, drawings, or your SSP to an email.
5. If you're not ready, start now. Level 2 readiness is not a weekend project — it's commonly a multi-month effort. And with primes enforcing early, waiting for a government deadline is the riskier bet.
You don’t have to figure out your level or your path alone. The point is to turn “a prime sent me a scary letter” into “here’s my required level and the kind of help that fits.”
Flowdown mistakes that create False Claims Act exposure
The reason to get flowdown right isn’t tidiness. It’s liability. The Department of Justice launched the Civil Cyber-Fraud Initiative in October 2021 to use the False Claims Act against contractors and grant recipients that misrepresent their cybersecurity, and it has pursued defense-contractor cybersecurity cases under that authority.
| Mistake | Why it’s exposure | Record to keep |
|---|---|---|
| Flowing down your own level | Over-scopes FCI-only vendors; under-protects CUI when your contract requires C3PAO | The FCI/CUI scope decision and the level you applied, per supplier |
| Pushing Level 3 down the chain | Level 3 doesn't flow down absent specific guidance; subs cap at Level 2 (C3PAO) | The 170.23 basis for the level you required |
| Editing the 7012 clause | 7012(m) flows down without alteration except to identify the parties | The subcontract clause text as incorporated |
| Sharing CUI before verifying status | Sharing covered information with an unverified sub is the exact risk the program targets | Dated status evidence received before any transfer |
| Treating the letter as oversight | A letter with no verification and no follow-up isn't diligence | Letter sent, evidence received, reviewer, review date, next recheck |
Do these right and you’ve done more than send a letter — you’ve built a defensible record. Do them wrong and a routine subcontract can become an enforcement problem.
What should you keep in the procurement file?
The letter plus verification only protects you if you can prove it later. Use this as your supplier-evidence tracker — the same fields work as columns in a spreadsheet, minus anything sensitive.
| File item | Why it matters |
|---|---|
| Supplier scope / data-flow note (FCI, CUI, or none) | Shows why you flowed the requirement down — or didn't |
| Letter version sent | Shows you right-sized by supplier type |
| Clause numbers referenced | Shows you cited what was in the actual instrument |
| Status evidence received (status, level, assessment type) | Shows the sub met the required level before award |
| CMMC UID (if applicable) | Ties the evidence to a specific system |
| Affirmation status (and Conditional vs Final) | Shows continuous-compliance posture and any POA&M clock |
| Reviewer + review date | Shows accountability and timing |
| Next review trigger | Shows you'll recheck at option years, mods, and scope changes |
How we verified this (and what could change)
We built this page from the primary sources, not from other summaries. We read 32 CFR 170.23 on the eCFR for the subcontractor level matrix; DFARS 252.204-7021 and DFARS 252.204-7012 on Acquisition.gov for the flowdown, verification, and safeguarding requirements; and the Federal Register DFARS final rule for the November 10, 2025 effective date. For the 2026 clause renumbering, we checked the current codified DFARS on Acquisition.gov (Change 5/7/2026) directly.
| What we verified | Source | As of |
|---|---|---|
| Subcontractor level matrix | 32 CFR 170.23 | July 3, 2026 |
| Flowdown + pre-award verification + subcontractor annual affirmation | DFARS 252.204-7021 | July 3, 2026 |
| 7012 flows down under paragraph (m) without alteration; 72-hour incident reporting; NIST 800-171 version in effect at solicitation | DFARS 252.204-7012 | July 3, 2026 |
| COTS exclusion for the CMMC flowdown | DFARS 252.204-7021 subcontracts paragraph | July 3, 2026 |
| Effective date November 10, 2025; phased implementation | Federal Register final rule; DoD CMMC page | July 3, 2026 |
| Codified DFARS still lists 252.204-7019 and 252.204-7020 (Change 5/7/2026); RFO deviations remove/renumber them for deviation-governed solicitations | Acquisition.gov (DFARS Change 5/7/2026) | July 3, 2026 |
CMMC flowdown letter FAQ
Is there an official, government-issued CMMC flowdown letter template?
No single DoD-mandated public letter template exists in the primary sources we reviewed. The obligation comes from 32 CFR 170.23 and DFARS 252.204-7021, so your letter should mirror those requirements and be aligned with your actual contract. Use the templates on this page as an educational starting point, not an official form.
Which CMMC level do I flow down to a subcontractor that only handles FCI?
Level 1 (Self). Under 32 CFR 170.23, a subcontractor that only processes, stores, or transmits FCI (and not CUI) needs a CMMC Status of Level 1 (Self), achieved through an annual self-assessment — regardless of the prime contract's level.
Does a Level 3 prime have to flow Level 3 down to every subcontractor?
No. Under 32 CFR 170.23, a subcontractor handling CUI under a Level 3 (DIBCAC) prime contract has a minimum requirement of Level 2 (C3PAO), unless DoD provides specific flowdown guidance otherwise. Level 3 does not automatically flow down.
Is Level 2 (Self) enough for a subcontractor handling CUI?
Only when the prime contract itself requires Level 2 (Self). Under 32 CFR 170.23, a subcontractor that will process, store, or transmit CUI needs at least Level 2 (Self) when the prime contract requires Level 2 (Self), and at least Level 2 (C3PAO) when the prime contract requires Level 2 (C3PAO) or Level 3 (DIBCAC). Read the minimum off your prime contract's requirement, not off what the subcontractor already holds.
Should my flowdown letter ask for SPRS evidence?
For CUI (NIST SP 800-171) work, yes, but ask the subcontractor to confirm its own posting. CMMC status and the annual affirmation are recorded in SPRS, and a prime cannot view a subcontractor's SPRS record, so the subcontractor has to confirm its current status, level, and assessment type to you. Ask for that confirmation of current status; do not ask for assessment artifacts through email or any other channel not approved for them.
Should the letter ask for the supplier's SSP or POA&M?
Not by default in a first-touch letter. Ask first for status, level, assessment type, scope, and affirmation. If sensitive documents are genuinely needed, request them through an approved secure channel on a need-to-know basis.
What clauses go in a 2026 flowdown letter now that the FAR overhaul renumbered some clauses?
Anchor on DFARS 252.204-7021 (the CMMC clause) and DFARS 252.204-7012 (safeguarding and incident reporting) — both current and unchanged. Under Revolutionary FAR Overhaul deviations, some solicitations use DFARS 252.240-7997 in place of 252.204-7020 and FAR 52.240-93 in place of FAR 52.204-21, while the codified DFARS still lists 252.204-7019 and 252.204-7020. Cite the numbers that appear in your actual contract instrument.
Are commercial suppliers exempt from CMMC flowdown?
Not simply for being commercial. The CMMC flowdown in DFARS 252.204-7021 extends to commercial products and services when the subcontract involves processing, storing, or transmitting FCI or CUI. Only commercially available off-the-shelf (COTS) items are excluded.
What if a supplier only accesses CUI inside the prime's approved environment or enclave?
Treat it as a scoping question, not an automatic no-CMMC answer. Document whether the supplier will process, store, or transmit FCI or CUI on its own systems, on prime-provided systems, or in another approved environment, and route the decision to contracts, security, and compliance before sending or withholding the flowdown. The deciding fact is whether covered information can end up on the supplier's own equipment (downloaded, printed, or copied out of your environment), not merely where it is hosted.
What if a supplier only receives CUI to quote or do estimating and takeoffs?
Treat it as a scoping question, not an automatic yes or no. If the supplier will process, store, or transmit CUI for that work, route the question to contracts, security, and compliance before sharing any covered information.
Do I need a lawyer to use this template?
This page is educational research, not legal or contractual advice. Your contracts and legal team should align the final letter with the solicitation, prime contract, subcontract terms, data rights, and CUI handling. When in doubt, confirm scope with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.
Can I send CUI through a form or a builder tool?
No. Do not submit CUI, drawings, export-controlled technical data, SSPs, POA&Ms, credentials, or sensitive contract details into any tool, email, or channel not approved for that information.
Download the supplier-ready version
Everything you need is on this page and copy-ready. If you’d rather work from editable files, the flowdown pack bundles the letter template, the evidence checklist, the supplier-response tracker, and the no-covered-data confirmation into one download.
Get the editable flowdown pack →
Your next step
You came for a CMMC flowdown letter template, and you now have the letters, the level matrix that keeps you from over-scoping suppliers, the 2026 clause reference that keeps you citing the right numbers, the evidence checklist that keeps sensitive documents out of your inbox, and the procurement-file tracker that turns all of it into a defensible record. That’s the whole job — done right, and documented.
If the harder question underneath all this is “which kind of provider do I actually need”— to scope FCI vs CUI, to get a supplier (or yourself) ready, to stand up a CUI enclave, or to track evidence and affirmations across a supplier base — don’t guess.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Not ready to talk to anyone yet? Start with the CMMC readiness checklist →