The Defense Compliance Report — Research & Data

CMMC Flowdown Checklist for Prime Contractors (2026)

By The Defense Compliance Report Editorial Team · Last verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and Defense Industrial Base (DIB) compliance.


Bottom line up front

Under 32 CFR § 170.23, a prime contractor must flow CMMC requirements down to any subcontractor — at any tier — that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems used in performance of the subcontract. The required level is set by the information the subcontractor actually handles, not by the prime’s level. A subcontractor that handles FCI only needs Level 1; one that handles CUI needs at least Level 2; and the assessment type (self-assessment vs. C3PAO) follows the prime contract’s required assessment type — with one important exception: Level 3 does not cascade to subcontractors by default.

One caveat we’ll come back to: on , the government renumbered several of the clauses in this analysis through interim class deviations. It did not touch the two that carry the flowdown weight. We’ll show you exactly what moved and what didn’t.

Two definitions up front, because everything downstream depends on them. FCI is information not intended for public release that the government provides, or that is generated for the government under a contract — but not public-website content or simple transactional data like payment information. CUI is information the government creates or possesses — or that is created or possessed for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. CUI is not classified; it is a separate and broader category.

The CMMC flowdown decision matrix

The whole rule fits in one table. It converts the four scenarios in 32 CFR § 170.23(a) into the minimum CMMC status each subcontractor must hold. This is the single most important thing on the page, so we put it first.

Dataset: CMMC Flowdown Decision Data (2026) — a source-mapped table of subcontractor information type, prime-contract CMMC requirement, minimum subcontractor status, assessment type, and rule basis. Last verified .

Table 1 — CMMC flowdown: minimum subcontractor status by information handled (2026)
What the subcontractor will process, store, or transmit | What the prime contract requires | Minimum status for the subcontractor | Assessment type | Rule
Neither FCI nor CUI on contractor information systems used in subcontract performance | Any level | No CMMC status is triggered for that subcontractor | None | 32 CFR § 170.23(a)
FCI only (no CUI) | Any level (1, 2, or 3) | Level 1 | Self-assessment | 32 CFR § 170.23(a)(1)
CUI | Level 2 (Self) | Level 2 | Self-assessment | 32 CFR § 170.23(a)(2)
CUI | Level 2 (C3PAO) | Level 2 | C3PAO (third-party) | 32 CFR § 170.23(a)(3)
CUI | Level 3 (DIBCAC) | Level 2 — not Level 3 | C3PAO (third-party) | 32 CFR § 170.23(a)(4)

Source: 32 CFR § 170.23(a)(1)–(4), eCFR. Under § 170.23(b), DoD may issue specific guidance that raises these minimums for a given solicitation or contract. Verified .

A few terms in that table: C3PAO is a Certified Third-Party Assessment Organization — an accredited outside assessor. DIBCAC is the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, the government team that runs Level 3 assessments. “Self” means the contractor assesses itself and posts the result.

How to read this matrix — and what it does not decide

The matrix decides one thing: the minimum CMMC status a subcontractor must hold, based on the information it will handle and the assessment type your prime contract requires. It does not decide whether a given document is CUI, whether your specific contract adds requirements beyond the floor, or whether a subcontractor’s actual security implementation is adequate. Those are separate calls — the first belongs to the government or the data owner, the second to your contract, the third to a qualified assessor.

Key terms, defined

Because a wrong classification cascades into a wrong level, here are the load-bearing terms with their official meanings and why each matters for flowdown.

Table 2 — Key CMMC flowdown terms (source-mapped)
Term | Official definition (summary) | Why it matters for flowdown | Primary source
FCI (Federal Contract Information) | Information not intended for public release, provided by or generated for the government under a contract; excludes public info and simple transactional data. | FCI-only handling sets the floor at Level 1 (Self). | FAR 52.204-21; DFARS 252.204-7021(a)
CUI (Controlled Unclassified Information) | Information the government creates/possesses, or that is created/possessed for or on behalf of the government, that law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. | CUI handling raises the floor to at least Level 2. | DFARS 252.204-7021(a); 32 CFR 2002.4(h)
Covered defense information (CDI) | The category safeguarded under DFARS 252.204-7012; controlled technical information and other information requiring protection, marked or identified in the contract. | Triggers the DFARS 252.204-7012 flowdown (72-hour incident reporting, NIST SP 800-171). | DFARS 252.204-7012
Contractor information system | An information system owned or operated by or for a contractor that processes, stores, or transmits FCI or CUI in performance. | Flowdown attaches to the systems that touch the data, not the whole enterprise. | 32 CFR § 170.23(a); DFARS 252.204-7021(d)
COTS (commercially available off-the-shelf) | A commercial product sold in substantial quantities in the commercial marketplace and offered without modification, as defined at FAR 2.101. | Subcontracts solely for COTS are excluded from the flowdown clauses. | FAR 2.101; 32 CFR § 170.3(c)
CMMC UID (unique identifier) | A 10-character alphanumeric code assigned in SPRS to each CMMC assessment, per contractor information system. | Ties a status to specific in-scope systems; requested during verification. | DFARS 252.204-7021(a)
Affirming official | The company official who affirms continuous compliance in SPRS (replaced “senior company official”). | Every level requires an annual affirmation by this person; subs must maintain theirs. | 32 CFR § 170.4; DFARS 252.204-7021(d)

Sources: DFARS 252.204-7021 (Acquisition.gov); 32 CFR Part 170 (eCFR); FAR 52.204-21 (Acquisition.gov). Verified .

How we built this

We didn’t rewrite someone else’s summary. We read the source. For this reference, our team went through the CMMC Program rule at 32 CFR Part 170 (specifically § 170.3 on the phased rollout and § 170.23 on subcontractors); the current contract-clause text of DFARS 252.204-7021 and the safeguarding clause DFARS 252.204-7012 on Acquisition.gov; the solicitation provision DFARS 252.204-7025; the FCI baseline clause FAR 52.204-21; the Defense Acquisition Regulations System (DARS) page for the Revolutionary FAR Overhaul class deviations, including Deviation 2026-O0025; the 2024 CMMC Program rule and 2025 DFARS rule in the Federal Register; and the final-rule preamble responses to public comments at 90 FR 43566.

Where the primary source is ambiguous or contested, we say so. Where the rule was changed, we tell you what changed and what didn’t. Where we express editorial judgment, we label it as such. See the verification log and primary sources sections at the bottom.

Does CMMC actually flow down to subcontractors?

Yes — but only when the subcontractor will handle FCI or CUI on contractor information systems. 32 CFR § 170.23(a) requires prime contractors to comply with, and to require their subcontractors to comply with and flow down, CMMC requirements “throughout the supply chain at all tiers.” The trigger is the data, not the relationship. A supplier that never touches FCI or CUI is not pulled into CMMC just because it sits in your supply chain.

That distinction is where a lot of primes overreach or fall short. “At all tiers” means the obligation cascades: your subcontractor must, in turn, flow the appropriate requirements to its subcontractors, and so on down the chain. But the same rule that makes it cascade also limits it — the requirement attaches only “in performance of the subcontract” and only for systems that process, store, or transmit the protected information. A janitorial vendor with no access to your controlled data is not in scope. A software developer who receives technical drawings marked CUI is.

DoD was blunt about the prime’s role. In the final rule’s response to public comments, the Department stated it expects prime contractors to flow down the requirements and to not share information with subcontractors that “have not indicated they meet the [requisite] CMMC level” (90 FR 43566). And per the Department, subcontractors comply the same way a prime does, “with the exception of sharing CMMC UID data with the contracting officer.” Translation: the burden of confirming a sub’s status sits with the prime, and the sub’s obligation to maintain and report flows upward.

What CMMC level does each subcontractor need?

It depends entirely on the data. FCI-only work requires Level 1 (Self). CUI work requires at least Level 2 (Self), and the assessment type escalates to Level 2 (C3PAO) when the prime contract requires a C3PAO or DIBCAC assessment. Here is each scenario in plain terms.

FCI-only subcontractors

If a subcontractor will handle FCI but never CUI, the minimum is Level 1 (Self), regardless of what the prime is required to hold. A Level 3 prime does not push Level 3 — or even Level 2 — onto an FCI-only sub. Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21, and it is verified by an annual self-assessment plus an affirmation posted in SPRS.

CUI subcontractors under a Level 2 (Self) prime contract

If the subcontractor will handle CUI and the prime contract calls for a Level 2 self-assessment, the sub’s minimum is Level 2 (Self). It performs the Level 2 self-assessment against the 110 requirements in NIST SP 800-171 Revision 2, posts the result in SPRS, and maintains the annual affirmation.

CUI subcontractors under a Level 2 (C3PAO) prime contract

Same data, higher bar on the assessment type. If the prime contract requires a Level 2 C3PAO certification, a CUI-handling sub needs Level 2 (C3PAO) — a certification from an accredited third-party assessor, not a self-attestation. Self-assessment is no longer sufficient for that subcontract.

CUI subcontractors under a Level 3 (DIBCAC) prime contract

This is the scenario people get wrong most often. If the prime contract requires Level 3 (DIBCAC) and the subcontractor will handle CUI, the sub’s minimum is Level 2 (C3PAO), not Level 3 — unless DoD provides specific flowdown guidance (32 CFR § 170.23(a)(4) and (b)). Level 3 does not automatically cascade.

Subcontractors that handle neither FCI nor CUI

No CMMC status is triggered for that subcontractor by the flowdown rule. Document the “no FCI, no CUI” determination, keep the reasoning with the subcontract file, and re-check if the statement of work changes. The moment controlled data starts flowing to that vendor, it moves into one of the rows above.

Does CMMC Level 3 flow down to subcontractors?

Not automatically as Level 3. For a CUI-handling subcontractor under a Level 3 prime, 32 CFR § 170.23(a)(4) sets the minimum at Level 2 (C3PAO). DoD made a deliberate, risk-based choice here: it did not require Level 3 to cascade down the chain by default, though § 170.23(b) reserves the Department’s right to give specific flowdown guidance on a given contract.

Level 3 is rare to begin with. DoD’s own regulatory estimates tell the story: of the affected population, roughly 62% of contractors are expected to fall at Level 1, about 2% at Level 2 (Self), about 35% at Level 2 (C3PAO), and only about 1% at Level 3 (DoD’s estimates from the rulemaking; the total impacted population was estimated at 337,968 entities, primes and subcontractors combined). And a company can’t jump straight to Level 3 — under 32 CFR § 170.18, it must first achieve a Final Level 2 (C3PAO) status before DIBCAC will conduct the Level 3 assessment.

Two cautions. First, don’t overcorrect into “Level 3 never flows down.” The floor is Level 2 (C3PAO), and DoD can raise it with specific guidance, so on a Level 3 program you should read the solicitation, the contract, any security classification materials, and any DoD-specific instructions before assuming Level 2 (C3PAO) covers every subcontract. Second, “Level 2 minimum” is a floor, not a ceiling — nothing stops a prime from requiring more where the risk warrants it.

Which clauses do you flow down — and what changed on February 1, 2026?

Three clause families do the work — and on , two of the surrounding clauses were renumbered while the two that matter most stayed exactly the same. The FCI baseline is FAR 52.204-21 (renumbered to FAR 52.240-93 in the deviation). The safeguarding-and-incident-reporting clause is DFARS 252.204-7012 (unchanged). The CMMC clause is DFARS 252.204-7021 (unchanged). Here’s the crosswalk — and a crucial nuance about what “changed” really means.

Table 3 — CMMC flowdown clause crosswalk: codified numbering vs. the Feb. 1, 2026 RFO deviation
Role in the flowdown analysis | Codified / legacy clause number | RFO deviation treatment (solicitations issued under the Feb. 1, 2026 deviation) | Flows down to subs? | What the sub must do
FCI basic safeguarding — 15 controls; basis of CMMC Level 1 | FAR 52.204-21 | Replaced/renumbered as FAR 52.240-93; the 15 basic safeguarding requirements are retained (verify the exact solicitation text during the transition) | Yes — paragraph (c), when the sub may have FCI in or transiting its system (except COTS-only) | Implement the 15 basic safeguarding controls; flow the clause further down
Safeguard covered defense information + 72-hour incident reporting (NIST SP 800-171 R2) | DFARS 252.204-7012 | Unchanged | Yes — paragraph (m), for covered defense information or operationally critical support (except COTS-only) | Implement NIST SP 800-171 R2; report cyber incidents to DoD within 72 hours; flow the clause further down
Notice of NIST SP 800-171 assessment (basic self-assessment score to SPRS) | DFARS 252.204-7019 | Not carried forward in the Feb. 1, 2026 deviation; still visible in the codified DFARS during the transition | N/A — assessment now runs through CMMC under DFARS 252.204-7021 | Post assessment results and affirmations through the CMMC process
NIST SP 800-171 government assessment requirements (Medium/High) | DFARS 252.204-7020 | Replaced in the deviation by DFARS 252.240-7997; codified 252.204-7020 still appears during the transition; the “Basic” self-assessment concept is removed | Government-led Medium/High assessment mechanics carried forward; CMMC verification runs through 7021 | Be prepared for a government Medium/High assessment; meet CMMC obligations via 7021
CMMC certification / level compliance — the CMMC clause | DFARS 252.204-7021 | Unchanged | Yes — paragraph (f): consult 32 CFR § 170.23, flow the correct level, and verify the sub’s current status before award | Hold the required CMMC status; post an annual affirmation in SPRS; flow requirements further down
Solicitation notice of the required CMMC level (offeror-facing, not a flowdown clause) | DFARS 252.204-7025 | Unchanged | No — it puts offerors on notice that 7021 will be in the resulting contract | Have the required status and affirmation in SPRS before award; provide CMMC UIDs in the proposal

Sources: FAR 52.204-21; DFARS 252.204-7012; DFARS 252.204-7021; DFARS 252.204-7025; DARS Revolutionary FAR Overhaul class deviations, incl. Deviation 2026-O0025. Subcontracts solely for COTS are excluded from the clauses in this table under the cited applicability/prescription language. Verified .

The February 2026 changes came from the Revolutionary FAR Overhaul (RFO), a government-wide effort launched by Executive Order 14275 (April 2025). DoD implemented its piece through interim class deviations that direct contracting officers to use a new FAR Part 40 and DFARS Part 240 in lieu of the codified text, effective . The catch: the codified DFARS still shows the old numbers — DFARS 252.204-7019 and 252.204-7020 remain in the codified display, and DFARS Part 240 is still marked “Reserved.” So the renumbering is real for new solicitations issued under the deviation, while the published CFR text hasn’t caught up.

The practical rule: check the actual clause numbers in your specific solicitation rather than trusting a clause list from last year.

What did not change matters just as much: DFARS 252.204-7012 and DFARS 252.204-7021 are untouched. The underlying cybersecurity requirements — 110 NIST SP 800-171 Rev. 2 controls, a system security plan, 72-hour incident reporting, and CMMC certification when required — are all still in force.

How “current” does a subcontractor’s CMMC status have to be?

“Current” isn’t “we did this once.” DFARS 252.204-7021 defines it by status type, and the windows are strict. A conditional status is current only if it’s not older than 180 days. A final status runs one year for Level 1 and three years for Levels 2 and 3 — and in every case it depends on a maintained annual affirmation of continuous compliance.

Table 4 — When a CMMC status counts as “current” (DFARS 252.204-7021)
CMMC status | “Current” if not older than | Affirmation required
Conditional Level 2 (Self) | 180 days | Affirmation of continuous compliance by an affirming official
Conditional Level 2 (C3PAO) | 180 days | Affirmation of continuous compliance by an affirming official
Conditional Level 3 (DIBCAC) | 180 days | Affirmation of continuous compliance by an affirming official
Final Level 1 (Self) | 1 year | Affirmation not older than 1 year
Final Level 2 (Self) | 3 years | Annual affirmation (not older than 1 year)
Final Level 2 (C3PAO) | 3 years | Annual affirmation (not older than 1 year)
Final Level 3 (DIBCAC) | 3 years | Annual affirmation (not older than 1 year)

Source: DFARS 252.204-7021(a), definition of “Current” (NOV 2025), Acquisition.gov. A “conditional” status means the contractor is operating with an open plan of action and milestones (POA&M) and must close it out to reach “final.” Verified .

Two things follow. First, a conditional status has a hard 180-day life, and the contractor must close out a valid POA&M to reach a final status. Second, the multi-year windows for final statuses are only as good as the annual affirmation behind them. A three-year-old Level 2 certification with a lapsed affirmation is not “current.” When you verify a subcontractor, check both the assessment date and the affirmation date.

What to verify before award — and what to ask for

Before you award a subcontract or share any FCI or CUI, DFARS 252.204-7021(f)(2) requires you to confirm the subcontractor has a current CMMC certificate or current CMMC status at the level appropriate for the information being flowed down. And here’s the operational wrinkle: you can’t just look it up. DoD does not give prime contractors automated visibility into a subcontractor’s SPRS record.

The Department stated in the final rule that while it has no automated tool giving upper-tier suppliers visibility into certification status, “subcontractors may voluntarily share their CMMC SPRS assessment scores or certificates in order to facilitate business teaming arrangements.” So verification is a direct, cooperative exchange between you and your sub — not a database query.

Table 5 — Pre-award CMMC evidence checklist for primes
What to confirm | Why it matters | Re-check when | Primary-source basis
Data-flow classification: none / FCI / CUI | Drives the required CMMC level (Table 1). Everything else depends on this. | Award, SOW change, new CUI markings, engineering-data transfer, or option exercise | 32 CFR § 170.23(a)
Prime contract’s required CMMC status and assessment type | A CUI sub needs Level 2 (Self), Level 2 (C3PAO), or — under a Level 3 prime — at least Level 2 (C3PAO). | Any modification to the solicitation, contract, task order, or delivery order | 32 CFR § 170.23(a)(2)–(4)
Current CMMC status or certificate at the right level | Required before award and before sharing FCI/CUI; check the date against Table 4. | At award, before any data release, and at each option | DFARS 252.204-7021(f)(2)
Current annual affirmation of continuous compliance | A status without a current affirmation is not “current.” | Annually; sooner if the sub’s compliance changes | DFARS 252.204-7021(d)(4); 32 CFR § 170.22
CMMC UID(s) for the sub’s in-scope systems | Ties the status to the specific systems that will handle your data. | Award, system-boundary change, or reassessment | DFARS 252.204-7021(a), (e)
Conditional-status age and POA&M closeout path | Conditional statuses expire at 180 days and must be closed out to final. | Before award, before data release, and before the conditional window expires | DFARS 252.204-7021 (def. of “current”); 32 CFR § 170.21
The correct flowdown clause package in the subcontract | The obligation, and the flowdown paragraph itself, must be inserted. | At subcontract award and modification | DFARS 252.204-7021(f)(1)

Sources: DFARS 252.204-7021(d), (e), (f) and the definition of “current”; DoD response in the final rule (90 FR 43566) on voluntary sharing and prime responsibility. Verified .
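The decision matrix in Table 1, the “current” windows in Table 4, and the pre-award confirmation in Table 5 fold naturally into one verification gate. The code below is an added example written for this page; it is not the publication’s, DoD’s, or SPRS’s code. The function names, the status strings, the RANK ordering used to compare a held status against a required one, and the use of 365-day years for “1 year” and “3 years” are our assumptions; the sample subcontractor records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example: a pre-award flowdown gate built from Table 1 (32 CFR § 170.23(a))
# and the Table 4 "current" windows (DFARS 252.204-7021). Names, status strings,
# the RANK ordering and 365-day years are our own assumptions, not DoD's.

# Assumed ordering: a held status satisfies any requirement ranked at or below it
# (the page calls the Level 2 minimum "a floor, not a ceiling").
RANK = {"Level 1 (Self)": 1, "Level 2 (Self)": 2, "Level 2 (C3PAO)": 3, "Level 3 (DIBCAC)": 4}


def required_sub_status(data_handled: str, prime_requirement: str) -> Optional[str]:
    """Minimum status for a subcontractor, per Table 1.

    data_handled: "none", "fci" or "cui", the data the sub will process, store or
    transmit on contractor information systems in performance of the subcontract.
    prime_requirement: the prime contract's required status (a key of RANK).
    Returns None when the flowdown rule triggers no status at all.
    """
    if prime_requirement not in RANK:
        raise ValueError(f"unknown prime requirement {prime_requirement!r}")
    if data_handled == "none":
        return None                          # § 170.23(a): no FCI/CUI, nothing is triggered
    if data_handled == "fci":
        return "Level 1 (Self)"              # § 170.23(a)(1): Level 1 whatever the prime holds
    if data_handled == "cui":
        if prime_requirement == "Level 2 (Self)":
            return "Level 2 (Self)"          # § 170.23(a)(2)
        if prime_requirement in ("Level 2 (C3PAO)", "Level 3 (DIBCAC)"):
            return "Level 2 (C3PAO)"         # § 170.23(a)(3)-(4): Level 3 does not cascade
        raise ValueError("CUI under a Level 1 prime is not a § 170.23(a) scenario")
    raise ValueError(f"unknown data class {data_handled!r}")


@dataclass
class SubStatus:
    """What the subcontractor shares for verification (Tables 5 and 6); constructed."""
    status: str                  # e.g. "Final Level 2 (C3PAO)", "Conditional Level 2 (Self)"
    assessed_on: date            # date the status was achieved
    affirmed_on: Optional[date]  # latest affirmation of continuous compliance, if any

    @property
    def kind(self) -> str:       # "Final" or "Conditional"
        return self.status.split(" ", 1)[0]

    @property
    def level(self) -> str:      # e.g. "Level 2 (C3PAO)"
        return self.status.split(" ", 1)[1]


def status_window_days(s: SubStatus) -> int:
    """Table 4: how old a status may be and still count as "current"."""
    if s.level not in RANK or s.kind not in ("Final", "Conditional"):
        raise ValueError(f"unrecognised status {s.status!r}")
    if s.kind == "Conditional":
        if s.level == "Level 1 (Self)":
            raise ValueError("Table 4 has no conditional Level 1 row")
        return 180
    return 365 if s.level == "Level 1 (Self)" else 3 * 365


def currency_problems(s: SubStatus, today: date) -> list[str]:
    """Empty when the status is "current"; otherwise the reasons it is not."""
    problems = []
    age = (today - s.assessed_on).days
    window = status_window_days(s)
    if age > window:
        problems.append(f"{s.status} is {age} days old, past its {window}-day window")
    # Every Table 4 row also needs an affirmation no older than one year.
    if s.affirmed_on is None:
        problems.append("no affirmation of continuous compliance on file")
    elif (today - s.affirmed_on).days > 365:
        problems.append("affirmation is older than 1 year, so the status is not current")
    return problems


def pre_award_gate(data_handled: str, prime_requirement: str,
                   sub: Optional[SubStatus], today: date) -> tuple[bool, list[str]]:
    """True only when the sub holds a current status at (or above) the required level."""
    required = required_sub_status(data_handled, prime_requirement)
    if required is None:
        return True, ["no FCI or CUI in scope: no status required; document the determination"]
    if sub is None:
        return False, [f"{required} required, but the subcontractor shared no status"]
    problems = currency_problems(sub, today)
    if RANK[sub.level] < RANK[required]:
        problems.append(f"holds {sub.level}; {required} is required for this subcontract")
    return (not problems), (problems or [f"{sub.status} satisfies {required}"])


if __name__ == "__main__":
    today = date(2026, 3, 1)  # constructed review date
    # Constructed sub: a 2024 Level 2 (C3PAO) certificate whose affirmation lapsed.
    lapsed = SubStatus("Final Level 2 (C3PAO)", date(2024, 3, 1), date(2024, 3, 1))
    for scope, prime in [("fci", "Level 3 (DIBCAC)"), ("cui", "Level 3 (DIBCAC)")]:
        ok, why = pre_award_gate(scope, prime, lapsed, today)
        print(f"{scope} under {prime}: {'release' if ok else 'hold'} -> {why}")
```

Two behaviours are worth noticing when you run it. A CUI sub under a Level 3 (DIBCAC) prime is held to Level 2 (C3PAO), never Level 3, and a certificate well inside its three-year window still fails the gate when the annual affirmation has lapsed, which is exactly the two-date check the text above asks for.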

What to request — and what not to

This is our editorial guidance, grounded in the clause. Put simply: ask for proof of status, not the keys to the kingdom. The clause obliges you to confirm the subcontractor has a current status or certificate — it does not ask you to collect the subcontractor’s full system security plan, its POA&M internals, vulnerability-scan output, or an assessor’s workpapers. Requesting those is usually more than the rule requires, creates new risk for both parties, and — where those artifacts contain sensitive detail — should never travel over an uncontrolled channel.

Table 6 — Evidence request boundary: what to ask for vs. what not to collect by default
Ask for | Use when | Don’t collect by default | Why
Current CMMC status / certificate + assessment date | Every FCI or CUI subcontract | The full System Security Plan (SSP) | The clause requires status verification, not SSP collection; the SSP is sensitive.
CMMC UID(s) for in-scope systems | Every FCI or CUI subcontract | Raw vulnerability-scan output | Not required for verification; increases risk if mishandled.
Current affirmation date | Every level, checked at award and annually | Assessor workpapers / draft evidence | Working papers and drafts are not valid evidence and are the assessor’s, not yours to hold.
Level 2 self-assessment score | Only when the required status is Level 2 (Self) | Full POA&M internals | Confirm a conditional status is current and on track — you don’t need every line item.
POA&M closeout status (open/closed, within 180 days) | When the sub holds a conditional status | Network diagrams / control-by-control detail | Beyond what verification requires; sensitive if it leaks.

Editorial guidance derived from DFARS 252.204-7021(f)(2) (status/certificate confirmation) and the DoD final-rule statement on voluntary sharing of scores/certificates (90 FR 43566). Verified .

Does DFARS 252.204-7021 flow down to commercial-item subcontracts?

Yes, when the subcontract will require handling FCI or CUI — including commercial products and services, but excluding commercially available off-the-shelf (COTS) items. DFARS 252.204-7021(f)(1) directs the contractor to insert the substance of the clause, “including this paragraph (f) and excluding paragraph (e)(1),” into subcontracts and other contractual instruments “if the subcontract or other contractual instrument will contain a requirement to process, store, or transmit FCI or CUI.”

Unpack that and there are three precise points most summaries miss. First, the flowdown includes the flowdown paragraph itself — your subcontractor is obligated to flow requirements to its subs the same way. Second, it excludes paragraph (e)(1), the piece where the prime reports its own CMMC UIDs to the contracting officer — that’s a prime-to-government reporting duty, not something a sub owes upstream. Third, it reaches commercial products and commercial services but carves out COTS items. A subcontract solely for off-the-shelf commercial goods doesn’t carry CMMC just because the vendor is in your chain (32 CFR § 170.3(c); COTS is defined at FAR 2.101).

The prime contractor’s CMMC flowdown checklist, step by step

Here’s the whole process in order, with the controlling authority for each step. Work it top to bottom for every subcontract that might touch controlled data.

Table 7 — The prime contractor’s CMMC flowdown checklist
# | Step | What to do | Authority
1 | Classify the data for each subcontract scope | Decide whether the sub will handle FCI, CUI, or covered defense information, and whether it provides operationally critical support. Map the data flow. | 32 CFR § 170.23(a); DFARS 252.204-7012
2 | Minimize what you share | Ask whether the sub can perform with FCI-only or CUI-free data. Less exposure means a lower required level and a smaller assessment. | 32 CFR § 170.23(a) (level tracks the data)
3 | Set the sub’s required CMMC level | Apply the decision matrix (Table 1). Remember a CUI sub under a Level 3 prime needs Level 2 (C3PAO), not Level 3. | 32 CFR § 170.23(a)(1)–(4)
4 | Insert the correct clauses | Include the flowdown clauses (Table 3), including the flowdown paragraph itself. Use current numbering for new subcontracts. Skip COTS-only subcontracts. | FAR 52.204-21(c) / 52.240-93; DFARS 252.204-7012(m); DFARS 252.204-7021(f)
5 | Verify status before award and before sharing data | Request the sub’s current CMMC status/certificate, CMMC UID(s), affirmation, and (for Level 2 Self) the self-assessment score. You have no automatic SPRS access — the sub shares it. | DFARS 252.204-7021(f)(2); final rule (90 FR 43566)
6 | Confirm the sub’s affirmation is posted | Ensure the sub’s affirming official has posted an affirmation of continuous compliance in SPRS before award, and require it annually. | DFARS 252.204-7021(d)(4); 32 CFR § 170.22
7 | Require further flowdown | The sub must pass the appropriate requirements to its own lower-tier vendors, at all tiers. | 32 CFR § 170.23(a); each clause’s flowdown paragraph
8 | Gate the data release | Don’t release CUI until clauses, verification, and technical protections are in place. If a sub won’t accept DFARS 252.204-7012, keep covered defense information off its systems. | DFARS 252.204-7012; final rule (90 FR 43566)
9 | Re-verify at option exercise and on change | Confirm the sub’s status is still current at each option or extension, and whenever its systems or scope change. Keep the records. | DFARS 252.204-7021 (“current”); DFARS 204.7504(c)
10 | Watch the phase clock | The assessment type hardens over time: Level 2 (C3PAO) becomes the intended standard in Phase 2 (); Level 3 (DIBCAC) may appear at DoD’s discretion in Phase 2 and is intended for applicable solicitations in Phase 3 (); full application in Phase 4 (). | 32 CFR § 170.3(e)

Sources as cited per row (eCFR 32 CFR Part 170; DFARS 252.204-7021; Federal Register). This checklist states regulatory minimums; your contract or DoD guidance may require more. Verified .

What changed in 2026 that affects this checklist

Two moving parts: the phased rollout advanced into Phase 1, and the RFO renumbered the surrounding clauses — but the flowdown rule at 32 CFR § 170.23 and the core clauses are unchanged.

The DFARS acquisition rule that put CMMC into contracts took effect , kicking off a four-phase rollout defined in 32 CFR § 170.3(e). We’re in Phase 1 today, and the calendar tightens fast:

  • Phase 1 — : Level 1 and Level 2 self-assessments appear in applicable solicitations as a condition of award. DoD may require Level 2 (C3PAO) for select high-priority acquisitions.
  • Phase 2 — : DoD intends to include Level 2 (C3PAO) certification as a condition of award for applicable contracts, and — at its discretion — may include Level 3 (DIBCAC). Self-attestation stops being enough for a wide range of CUI work.
  • Phase 3 — : DoD intends to include Level 2 (C3PAO) across the board and Level 3 (DIBCAC) for all applicable, highest-sensitivity solicitations and contracts.
  • Phase 4 — : Full application — every applicable solicitation and contract (except COTS-only) carries the appropriate CMMC level as a condition of award.

Why does that change your flowdown work now, before Phase 2? Because the required status must be current before award or option exercise (32 CFR § 170.17; DFARS 204.7504), and a Level 2 (C3PAO) certification is a third-party assessment that has to be scheduled and completed — it isn’t instant. If your Phase-2-affected subcontracts will require certified subs, the decisions you make today — which vendors handle CUI, and at what level — determine whether your supply chain is ready when the requirement hardens. The rule is phased; the preparation isn’t.

The second change is the RFO renumbering detailed in Table 3. The single most important takeaway: check the actual clause numbers in your specific solicitation. A subcontract clause list you built in 2025 may reference FAR 52.204-21 and DFARS 252.204-7019/7020; a 2026 solicitation issued under the deviation may reference FAR 52.240-93 and DFARS 252.240-7997, or omit 7019. The obligations are substantially the same, but the citations aren’t — and a subcontract that flows down a stale clause number invites confusion you don’t need.

What this checklist shows — and what it doesn’t

We’d rather tell you the edges than let you assume they aren’t there.

  • It states minimums. 32 CFR § 170.23 sets floors. DoD (§ 170.23(b)) or your specific contract can require more, and a Service or Component Acquisition Executive can waive CMMC in limited cases (§ 170.3).
  • It doesn’t classify your data. Whether a specific document is CUI, FCI, or covered defense information is set by the government or data owner and the applicable CUI program (Executive Order 13556; 32 CFR Part 2002; DoDI 5200.48; the National Archives CUI Registry) — not by this page.
  • The RFO numbers are interim. The February 2026 renumbering lives in class deviations, not yet codified in the CFR, and remains until rescinded or formally incorporated. Both schemes circulate today.
  • You can’t self-serve a subcontractor’s SPRS record. Verification depends on the subcontractor sharing its status, UID, and certificate.
  • It’s not legal advice. This is an educational reference. Confirm clause applicability and level determinations with your contracting officer and counsel for your contract. We’re a trade publication, not your law firm.

Frequently asked questions

Do CMMC requirements flow down to subcontractors?

Yes. Under 32 CFR § 170.23(a), CMMC requirements apply to prime contractors and subcontractors at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in performance of a DoD contract or subcontract. A supplier that never handles that data is not automatically covered. (Source: Table 1.)

Do all subcontractors need CMMC certification?

No. Flowdown is conditioned on the subcontractor handling FCI or CUI, and certification is not always required. FCI-only work and some CUI work are satisfied by a self-assessment; third-party (C3PAO) or government (DIBCAC) certification applies where the prime contract requires it. (Source: Table 1.)

What CMMC level does an FCI-only subcontractor need?

Level 1 (Self), regardless of the prime’s level, verified by an annual self-assessment and affirmation in SPRS. (Source: Table 1.)

What CMMC level does a CUI subcontractor need?

At least Level 2 (Self). If the prime contract requires Level 2 (C3PAO), the sub needs Level 2 (C3PAO). If the prime contract requires Level 3 (DIBCAC), the sub still needs at least Level 2 (C3PAO) — not Level 3 — unless DoD provides specific guidance. (Source: Table 1.)

Does CMMC Level 3 flow down?

Not automatically as Level 3. Under 32 CFR § 170.23(a)(4), a CUI-handling subcontractor under a Level 3 prime has a minimum of Level 2 (C3PAO), while § 170.23(b) lets DoD issue specific flowdown guidance. Level 3 is estimated to apply to only about 1% of affected contractors. (Source: Table 1.)

Did DFARS 252.204-7020 change in 2026?

Under the Revolutionary FAR Overhaul, effective , solicitations issued under the deviation replace DFARS 252.204-7020 with DFARS 252.240-7997 (the “basic” self-assessment concept is removed), do not carry forward DFARS 252.204-7019, and use FAR 52.240-93 for basic safeguarding. DFARS 252.204-7012 and 252.204-7021 are unchanged. These are interim class deviations — the codified DFARS still displays 7019 and 7020 — so both numbering schemes appear during the transition. (Source: Table 3.)

Are COTS suppliers subject to CMMC flowdown?

No. Subcontracts solely for commercially available off-the-shelf items are excluded from the flowdown clauses and from CMMC program requirements under the cited applicability and prescription language (32 CFR § 170.3(c); FAR 2.101). (Source: Table 3.)

How do I verify a subcontractor’s CMMC status before award?

Request the sub’s current CMMC status and assessment date, CMMC UID(s), current affirmation, the Level 2 self-assessment score if the required status is Level 2 (Self), and certificate/status evidence for Level 2 (C3PAO) or Level 3 (DIBCAC). Primes have no automatic SPRS visibility into subs, so verification is a direct exchange (DFARS 252.204-7021(f)(2); final rule at 90 FR 43566). (Source: Tables 5 and 6.)

How current does a subcontractor’s status have to be?

A conditional status must be no older than 180 days; a final Level 1 status no older than one year; final Level 2 and Level 3 statuses no older than three years — each with a current annual affirmation (DFARS 252.204-7021, definition of “current”). (Source: Table 4.)

What happens if I flow down the wrong level or skip a clause?

You can trigger standard contractual remedies and become ineligible for additional awards until you restore the required status (32 CFR § 170.17), and — if cybersecurity compliance is knowingly misrepresented — create False Claims Act exposure under the Department of Justice’s Civil Cyber-Fraud Initiative. Bake clause flowdown and status verification into subcontractor onboarding, and gate any data release on confirmed status. (Source: Tables 3, 5, and 7.)

Verification log

  • — Checked against official sources: 32 CFR §§ 170.3, 170.17, 170.18, 170.22, and 170.23 (eCFR); DFARS 252.204-7021, 252.204-7025, and 252.204-7012 (Acquisition.gov); FAR 52.204-21 (Acquisition.gov); the DARS Revolutionary FAR Overhaul class deviations page and Deviation 2026-O0025; and the CMMC final-rule Federal Register notices (2024 program rule; 2025 DFARS rule). Next scheduled verification: October 2026, or sooner if 32 CFR Part 170, DFARS 252.204-7021/7025, SPRS, or the RFO Part 40 / DFARS Part 240 deviation changes.

How to cite this page

Publication: The Defense Compliance Report
Title: CMMC Flowdown Checklist for Prime Contractors (2026)
Last verified:

Example, APA-style: The Defense Compliance Report Editorial Team. (2026). CMMC flowdown checklist for prime contractors (2026). The Defense Compliance Report. https://thedefensecompliancereport.com/research/cmmc-flowdown-checklist/

Always confirm the regulatory requirements against the primary sources below for your specific contract.

Primary sources

The Defense Compliance Report is an independent trade publication. This is educational research, not legal, contractual, or compliance advice. Confirm all requirements against primary sources and with qualified counsel before acting.