CMMC Flowdown Checklist for Prime Contractors (2026)
By The Defense Compliance Report Editorial Team · Last verified:
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and Defense Industrial Base (DIB) compliance.
Bottom line up front
Under 32 CFR § 170.23, a prime contractor must flow CMMC requirements down to any subcontractor — at any tier — that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems used in performance of the subcontract. The required level is set by the information the subcontractor actually handles, not by the prime’s level. A subcontractor that handles FCI only needs Level 1; one that handles CUI needs at least Level 2; and the assessment type (self-assessment vs. C3PAO) follows the prime contract’s required assessment type — with one important exception: Level 3 does not cascade to subcontractors by default.
One caveat we’ll come back to: on February 1, 2026, the government renumbered several of the clauses in this analysis through interim class deviations. It did not touch the two that carry the flowdown weight. We’ll show you exactly what moved and what didn’t.
Two definitions up front, because everything downstream depends on them. FCI is information not intended for public release that the government provides, or that is generated for the government under a contract — but not public-website content or simple transactional data like payment information. CUI is information the government creates or possesses — or that is created or possessed for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. CUI is not classified; it is a separate and broader category.
The CMMC flowdown decision matrix
The whole rule fits in one table. It converts the four scenarios in 32 CFR § 170.23(a) into the minimum CMMC status each subcontractor must hold. This is the single most important thing on the page, so we put it first.
Dataset: CMMC Flowdown Decision Data (2026) — a source-mapped table of subcontractor information type, prime-contract CMMC requirement, minimum subcontractor status, assessment type, and rule basis. Last verified .
Table 1 — CMMC flowdown: minimum subcontractor status by information handled (2026)

| What the subcontractor will process, store, or transmit | What the prime contract requires | Minimum status for the subcontractor | Assessment type | Rule |
|---|---|---|---|---|
| Neither FCI nor CUI on contractor information systems used in subcontract performance | Any level | No CMMC status is triggered for that subcontractor | None | 32 CFR § 170.23(a) |
| FCI only (no CUI) | Any level (1, 2, or 3) | Level 1 | Self-assessment | 32 CFR § 170.23(a)(1) |
| CUI | Level 2 (Self) | Level 2 | Self-assessment | 32 CFR § 170.23(a)(2) |
| CUI | Level 2 (C3PAO) | Level 2 | C3PAO (third-party) | 32 CFR § 170.23(a)(3) |
| CUI | Level 3 (DIBCAC) | Level 2 — not Level 3 | C3PAO (third-party) | 32 CFR § 170.23(a)(4) |

Source: 32 CFR § 170.23(a)(1)–(4), eCFR. Under § 170.23(b), DoD may issue specific guidance that raises these minimums for a given solicitation or contract. Verified .
A few terms in that table: C3PAO is a Certified Third-Party Assessment Organization — an accredited outside assessor. DIBCAC is the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, the government team that runs Level 3 assessments. “Self” means the contractor assesses itself and posts the result.
How to read this matrix — and what it does not decide
The matrix decides one thing: the minimum CMMC status a subcontractor must hold, based on the information it will handle and the assessment type your prime contract requires. It does not decide whether a given document is CUI, whether your specific contract adds requirements beyond the floor, or whether a subcontractor’s actual security implementation is adequate. Those are separate calls — the first belongs to the government or the data owner, the second to your contract, the third to a qualified assessor.
Key terms, defined
Because a wrong classification cascades into a wrong level, here are the load-bearing terms with their official meanings and why each matters for flowdown.
Table 2 — Key CMMC flowdown terms (source-mapped)

| Term | Official definition (summary) | Why it matters for flowdown | Primary source |
|---|---|---|---|
| FCI (Federal Contract Information) | Information not intended for public release, provided by or generated for the government under a contract; excludes public info and simple transactional data. | FCI-only handling sets the floor at Level 1 (Self). | FAR 52.204-21; DFARS 252.204-7021(a) |
| CUI (Controlled Unclassified Information) | Information the government creates/possesses, or that is created/possessed for or on behalf of the government, that law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. | CUI handling raises the floor to at least Level 2. | DFARS 252.204-7021(a); 32 CFR 2002.4(h) |
| Covered defense information (CDI) | The category safeguarded under DFARS 252.204-7012; controlled technical information and other information requiring protection, marked or identified in the contract. | | |
We didn’t rewrite someone else’s summary. We read the source. For this reference, our team went through the CMMC Program rule at 32 CFR Part 170 (specifically § 170.3 on the phased rollout and § 170.23 on subcontractors); the current contract-clause text of DFARS 252.204-7021 and the safeguarding clause DFARS 252.204-7012 on Acquisition.gov; the solicitation provision DFARS 252.204-7025; the FCI baseline clause FAR 52.204-21; the Defense Acquisition Regulations System (DARS) page for the Revolutionary FAR Overhaul class deviations, including Deviation 2026-O0025; the 2024 CMMC Program rule and 2025 DFARS rule in the Federal Register; and the final-rule preamble responses to public comments at 90 FR 43566.
Where the primary source is ambiguous or contested, we say so. Where the rule was changed, we tell you what changed and what didn’t. Where we express editorial judgment, we label it as such. See the verification log and primary sources sections at the bottom.
Does CMMC actually flow down to subcontractors?
Yes — but only when the subcontractor will handle FCI or CUI on contractor information systems. 32 CFR § 170.23(a) requires prime contractors to comply with, and to require their subcontractors to comply with and flow down, CMMC requirements “throughout the supply chain at all tiers.” The trigger is the data, not the relationship. A supplier that never touches FCI or CUI is not pulled into CMMC just because it sits in your supply chain.
That distinction is where a lot of primes overreach or fall short. “At all tiers” means the obligation cascades: your subcontractor must, in turn, flow the appropriate requirements to its subcontractors, and so on down the chain. But the same rule that makes it cascade also limits it — the requirement attaches only “in performance of the subcontract” and only for systems that process, store, or transmit the protected information. A janitorial vendor with no access to your controlled data is not in scope. A software developer who receives technical drawings marked CUI is.
DoD was blunt about the prime’s role. In the final rule’s response to public comments, the Department stated it expects prime contractors to flow down the requirements and to not share information with subcontractors that “have not indicated they meet the [requisite] CMMC level” (90 FR 43566). And per the Department, subcontractors comply the same way a prime does, “with the exception of sharing CMMC UID data with the contracting officer.” Translation: the burden of confirming a sub’s status sits with the prime, and the sub’s obligation to maintain and report flows upward.
What CMMC level does each subcontractor need?
It depends entirely on the data. FCI-only work requires Level 1 (Self). CUI work requires at least Level 2 (Self), and the assessment type escalates to Level 2 (C3PAO) when the prime contract requires a C3PAO or DIBCAC assessment. Here is each scenario in plain terms.
FCI-only subcontractors
If a subcontractor will handle FCI but never CUI, the minimum is Level 1 (Self), regardless of what the prime is required to hold. A Level 3 prime does not push Level 3 — or even Level 2 — onto an FCI-only sub. Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21, and it is verified by an annual self-assessment plus an affirmation posted in SPRS.
CUI subcontractors under a Level 2 (Self) prime contract
If the subcontractor will handle CUI and the prime contract calls for a Level 2 self-assessment, the sub’s minimum is Level 2 (Self). It performs the Level 2 self-assessment against the 110 requirements in NIST SP 800-171 Revision 2, posts the result in SPRS, and maintains the annual affirmation.
CUI subcontractors under a Level 2 (C3PAO) prime contract
Same data, higher bar on the assessment type. If the prime contract requires a Level 2 C3PAO certification, a CUI-handling sub needs Level 2 (C3PAO) — a certification from an accredited third-party assessor, not a self-attestation. Self-assessment is no longer sufficient for that subcontract.
CUI subcontractors under a Level 3 (DIBCAC) prime contract
This is the scenario people get wrong most often. If the prime contract requires Level 3 (DIBCAC) and the subcontractor will handle CUI, the sub’s minimum is Level 2 (C3PAO) — not Level 3 — unless DoD provides specific flowdown guidance (32 CFR § 170.23(a)(4) and (b)). Level 3 does not automatically cascade.
Subcontractors that handle neither FCI nor CUI
No CMMC status is triggered for that subcontractor by the flowdown rule. Document the “no FCI, no CUI” determination, keep the reasoning with the subcontract file, and re-check if the statement of work changes. The moment controlled data starts flowing to that vendor, it moves into one of the rows above.
Does CMMC Level 3 flow down to subcontractors?
Not automatically as Level 3. For a CUI-handling subcontractor under a Level 3 prime, 32 CFR § 170.23(a)(4) sets the minimum at Level 2 (C3PAO). DoD made a deliberate, risk-based choice here: it did not require Level 3 to cascade down the chain by default, though § 170.23(b) reserves the Department’s right to give specific flowdown guidance on a given contract.
Level 3 is rare to begin with. DoD’s own regulatory estimates tell the story: of the affected population, roughly 62% of contractors are expected to fall at Level 1, about 2% at Level 2 (Self), about 35% at Level 2 (C3PAO), and only about 1% at Level 3 (DoD’s estimates from the rulemaking; the total impacted population was estimated at 337,968 entities, primes and subcontractors combined). And a company can’t jump straight to Level 3 — under 32 CFR § 170.18, it must first achieve a Final Level 2 (C3PAO) status before DIBCAC will conduct the Level 3 assessment.
Two cautions. First, don’t overcorrect into “Level 3 never flows down.” The floor is Level 2 (C3PAO), and DoD can raise it with specific guidance, so on a Level 3 program you should read the solicitation, the contract, any security classification materials, and any DoD-specific instructions before assuming Level 2 (C3PAO) covers every subcontract. Second, “Level 2 minimum” is a floor, not a ceiling — nothing stops a prime from requiring more where the risk warrants it.
Which clauses do you flow down — and what changed on February 1, 2026?
Three clause families do the work — and on February 1, 2026, two of the surrounding clauses were renumbered while the two that matter most stayed exactly the same. The FCI baseline is FAR 52.204-21 (renumbered to FAR 52.240-93 in the deviation). The safeguarding-and-incident-reporting clause is DFARS 252.204-7012 (unchanged). The CMMC clause is DFARS 252.204-7021 (unchanged). Here’s the crosswalk — and a crucial nuance about what “changed” really means.
Table 3 — CMMC flowdown clause crosswalk: codified numbering vs. the Feb. 1, 2026 RFO deviation

| Role in the flowdown analysis | Codified / legacy clause number | RFO deviation treatment (solicitations issued under the Feb. 1, 2026 deviation) | Flows down to subcontracts? | What the clause requires |
|---|---|---|---|---|
| Safeguarding and cyber-incident reporting | DFARS 252.204-7012 | Unchanged | Yes — paragraph (m), for covered defense information or operationally critical support (except COTS-only) | Implement NIST SP 800-171 R2; report cyber incidents to DoD within 72 hours; flow the clause further down |
| Notice of NIST SP 800-171 assessment (basic self-assessment score to SPRS) | DFARS 252.204-7019 | Not carried forward in the Feb. 1, 2026 deviation; still visible in the codified DFARS during the transition | N/A — assessment now runs through CMMC under DFARS 252.204-7021 | Post assessment results and affirmations through the CMMC process |
| NIST SP 800-171 government assessment requirements (Medium/High) | DFARS 252.204-7020 | Replaced in the deviation by DFARS 252.240-7997; codified 252.204-7020 still appears during the transition; the “Basic” self-assessment concept is removed | | |
The February 2026 changes came from the Revolutionary FAR Overhaul (RFO), a government-wide effort launched by Executive Order 14275 (April 2025). DoD implemented its piece through interim class deviations that direct contracting officers to use a new FAR Part 40 and DFARS Part 240 in lieu of the codified text, effective February 1, 2026. The catch: the codified DFARS still shows the old numbers — DFARS 252.204-7019 and 252.204-7020 remain in the codified display, and DFARS Part 240 is still marked “Reserved.” So the renumbering is real for new solicitations issued under the deviation, while the published CFR text hasn’t caught up.
The practical rule: check the actual clause numbers in your specific solicitation rather than trusting a clause list from last year.
What did not change matters just as much: DFARS 252.204-7012 and DFARS 252.204-7021 are untouched. The underlying cybersecurity requirements — 110 NIST SP 800-171 Rev. 2 controls, a system security plan, 72-hour incident reporting, and CMMC certification when required — are all still in force.
How “current” does a subcontractor’s CMMC status have to be?
“Current” isn’t “we did this once.” DFARS 252.204-7021 defines it by status type, and the windows are strict. A conditional status is current only if it’s not older than 180 days. A final status runs one year for Level 1 and three years for Levels 2 and 3 — and in every case it depends on a maintained annual affirmation of continuous compliance.
Table 4 — When a CMMC status counts as “current” (DFARS 252.204-7021)

| CMMC status | “Current” if not older than | Affirmation required |
|---|---|---|
| Conditional Level 2 (Self) | 180 days | Affirmation of continuous compliance by an affirming official |
| Conditional Level 2 (C3PAO) | 180 days | Affirmation of continuous compliance by an affirming official |
| Conditional Level 3 (DIBCAC) | 180 days | Affirmation of continuous compliance by an affirming official |
| Final Level 1 (Self) | One year | Annual affirmation of continuous compliance by an affirming official |
| Final Level 2 (Self) | Three years | Annual affirmation of continuous compliance by an affirming official |
| Final Level 2 (C3PAO) | Three years | Annual affirmation of continuous compliance by an affirming official |
| Final Level 3 (DIBCAC) | Three years | Annual affirmation of continuous compliance by an affirming official |
Two things follow. First, a conditional status has a hard 180-day life, and the contractor must close out a valid POA&M to reach a final status. Second, the multi-year windows for final statuses are only as good as the annual affirmation behind them. A three-year-old Level 2 certification with a lapsed affirmation is not “current.” When you verify a subcontractor, check both the assessment date and the affirmation date.
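To show how the decision matrix (Table 1) and the “current” windows (Table 4) combine into a single pre-award gate, here is an added example that is not code from the publication or from DoD; the status records are constructed, the enum and function names are our own, and treating the required status as a floor that a higher status satisfies is an assumption.

```python
"""Pre-award subcontractor gate: flowdown matrix (32 CFR 170.23(a)) plus the
DFARS 252.204-7021 'current' windows. Added example; names and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional, Tuple


class Data(Enum):
    NONE = "neither FCI nor CUI"
    FCI = "FCI only"
    CUI = "CUI"


class Status(Enum):
    L1_SELF = "Level 1 (Self)"
    L2_SELF = "Level 2 (Self)"
    L2_C3PAO = "Level 2 (C3PAO)"
    L3_DIBCAC = "Level 3 (DIBCAC)"


# Assumption: the required status is a floor, so a higher status satisfies it.
RANK = {Status.L1_SELF: 1, Status.L2_SELF: 2, Status.L2_C3PAO: 3, Status.L3_DIBCAC: 4}
CONDITIONAL_DAYS = 180                       # conditional status: not older than 180 days
FINAL_YEARS = {Status.L1_SELF: 1, Status.L2_SELF: 3,
               Status.L2_C3PAO: 3, Status.L3_DIBCAC: 3}   # final-status windows (Table 4)


def required_status(data: Data, prime: Status) -> Optional[Status]:
    """Table 1: the minimum the sub must hold, driven by the data, not by the prime's level."""
    if data is Data.NONE:
        return None                          # 170.23(a): nothing triggered for this sub
    if data is Data.FCI:
        return Status.L1_SELF                # (a)(1): Level 1 even under a Level 3 prime
    if prime is Status.L2_SELF:
        return Status.L2_SELF                # (a)(2): self-assessment follows the prime contract
    if prime in (Status.L2_C3PAO, Status.L3_DIBCAC):
        return Status.L2_C3PAO               # (a)(3) and (a)(4): Level 3 does not cascade
    raise ValueError("CUI under a Level 1 prime contract is not a 170.23(a) scenario")


def _add_years(d: date, years: int) -> date:
    """Anniversary date; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class SubStatus:
    status: Status
    final: bool                              # False = conditional (POA&M still open)
    assessed_on: date                        # assessment / certification date
    affirmed_on: Optional[date]              # last affirmation of continuous compliance in SPRS


def is_current(s: SubStatus, today: date) -> Tuple[bool, str]:
    """DFARS 252.204-7021 'current': inside the age window AND a live annual affirmation."""
    if s.final:
        expires = _add_years(s.assessed_on, FINAL_YEARS[s.status])
    else:
        if s.status is Status.L1_SELF:       # Table 4 lists conditional statuses only for Levels 2 and 3
            return False, "Level 1 has no conditional status"
        expires = s.assessed_on + timedelta(days=CONDITIONAL_DAYS)
    if today > expires:
        return False, f"{s.status.value} assessed {s.assessed_on} lapsed on {expires}"
    if s.affirmed_on is None or today > _add_years(s.affirmed_on, 1):
        return False, "annual affirmation of continuous compliance missing or lapsed"
    return True, f"current until {expires}; affirmation good until {_add_years(s.affirmed_on, 1)}"


def gate(data: Data, prime: Status, sub: Optional[SubStatus], today: date) -> Tuple[bool, str]:
    """Pre-award / pre-data-release decision: (release allowed?, reason)."""
    need = required_status(data, prime)
    if need is None:
        return True, "no FCI or CUI in scope: no CMMC status triggered; document the determination"
    if sub is None:
        return False, f"no status on file; {need.value} required"
    if RANK[sub.status] < RANK[need]:
        return False, f"holds {sub.status.value}; {need.value} required"
    ok, why = is_current(sub, today)
    return ok, (why if ok else f"{need.value} required but {why}")


if __name__ == "__main__":
    # Constructed scenario: a Level 3 prime sharing CUI with a sub whose three-year
    # Level 2 (C3PAO) certificate is inside its window but whose affirmation has lapsed.
    sub = SubStatus(Status.L2_C3PAO, True, date(2023, 6, 1), date(2024, 5, 15))
    print(gate(Data.CUI, Status.L3_DIBCAC, sub, date(2026, 3, 1)))
```

The gate refuses the release in the scripted scenario even though the certificate itself is still inside its three-year window, which is exactly the lapsed-affirmation trap described above.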
What to verify before award — and what to ask for
Before you award a subcontract or share any FCI or CUI, DFARS 252.204-7021(f)(2) requires you to confirm the subcontractor has a current CMMC certificate or current CMMC status at the level appropriate for the information being flowed down. And here’s the operational wrinkle: you can’t just look it up. DoD does not give prime contractors automated visibility into a subcontractor’s SPRS record.
The Department stated in the final rule that while it has no automated tool giving upper-tier suppliers visibility into certification status, “subcontractors may voluntarily share their CMMC SPRS assessment scores or certificates in order to facilitate business teaming arrangements.” So verification is a direct, cooperative exchange between you and your sub — not a database query.
Table 5 — Pre-award CMMC evidence checklist for primes

| What to confirm | Why it matters | Re-check when | Primary-source basis |
|---|---|---|---|
| Data-flow classification: none / FCI / CUI | Drives the required CMMC level (Table 1). Everything else depends on this. | Award, SOW change, new CUI markings, engineering-data transfer, or option exercise | 32 CFR § 170.23(a) |
| Prime contract’s required CMMC status and assessment type | A CUI sub needs Level 2 (Self), Level 2 (C3PAO), or — under a Level 3 prime — at least Level 2 (C3PAO). | Any modification to the solicitation, contract, task order, or delivery order | 32 CFR § 170.23(a)(2)–(4) |
| Current CMMC status or certificate at the right level | Required before award and before sharing FCI/CUI; check the date against Table 4. | At award, before any data release, and at each option | DFARS 252.204-7021(f)(2) |
| Current annual affirmation of continuous compliance | A status without a current affirmation is not “current.” | Annually; sooner if the sub’s compliance changes | DFARS 252.204-7021(d)(4); 32 CFR § 170.22 |
| CMMC UID(s) for the sub’s in-scope systems | Ties the status to the specific systems that will handle your data. | Award, system-boundary change, or reassessment | DFARS 252.204-7021(a), (e) |
| Conditional-status age and POA&M closeout path | Conditional statuses expire at 180 days and must be closed out to final. | Before award, before data release, and before the conditional window expires | DFARS 252.204-7021 (def. of “current”); 32 CFR § 170.21 |
| The correct flowdown clause package in the subcontract | The obligation, and the flowdown paragraph itself, must be inserted. | | |
This is our editorial guidance, grounded in the clause. Put simply: ask for proof of status, not the keys to the kingdom. The clause obliges you to confirm the subcontractor has a current status or certificate — it does not ask you to collect the subcontractor’s full system security plan, its POA&M internals, vulnerability-scan output, or an assessor’s workpapers. Requesting those is usually more than the rule requires, creates new risk for both parties, and — where those artifacts contain sensitive detail — should never travel over an uncontrolled channel.
Table 6 — Evidence request boundary: what to ask for vs. what not to collect by default

| Ask for | Use when | Don’t collect by default | Why |
|---|---|---|---|
| Current CMMC status / certificate + assessment date | Every FCI or CUI subcontract | The full System Security Plan (SSP) | The clause requires status verification, not SSP collection; the SSP is sensitive. |
| CMMC UID(s) for in-scope systems | Every FCI or CUI subcontract | Raw vulnerability-scan output | Not required for verification; increases risk if mishandled. |
| Current affirmation date | Every level, checked at award and annually | Assessor workpapers / draft evidence | Working papers and drafts are not valid evidence and are the assessor’s, not yours to hold. |
| Level 2 self-assessment score | Only when the required status is Level 2 (Self) | Full POA&M internals | Confirm a conditional status is current and on track — you don’t need every line item. |
| POA&M closeout status (open/closed, within 180 days) | When the sub holds a conditional status | Network diagrams / control-by-control detail | Beyond what verification requires; sensitive if it leaks. |
Editorial guidance derived from DFARS 252.204-7021(f)(2) (status/certificate confirmation) and the DoD final-rule statement on voluntary sharing of scores/certificates (90 FR 43566). Verified .
Does DFARS 252.204-7021 flow down to commercial-item subcontracts?
Yes, when the subcontract will require handling FCI or CUI — including commercial products and services, but excluding commercially available off-the-shelf (COTS) items. DFARS 252.204-7021(f)(1) directs the contractor to insert the substance of the clause, “including this paragraph (f) and excluding paragraph (e)(1),” into subcontracts and other contractual instruments “if the subcontract or other contractual instrument will contain a requirement to process, store, or transmit FCI or CUI.”
Unpack that and there are three precise points most summaries miss. First, the flowdown includes the flowdown paragraph itself — your subcontractor is obligated to flow requirements to its subs the same way. Second, it excludes paragraph (e)(1), the piece where the prime reports its own CMMC UIDs to the contracting officer — that’s a prime-to-government reporting duty, not something a sub owes upstream. Third, it reaches commercial products and commercial services but carves out COTS items. A subcontract solely for off-the-shelf commercial goods doesn’t carry CMMC just because the vendor is in your chain (32 CFR § 170.3(c); COTS is defined at FAR 2.101).
The prime contractor’s CMMC flowdown checklist, step by step
Here’s the whole process in order, with the controlling authority for each step. Work it top to bottom for every subcontract that might touch controlled data.
Table 7 — The prime contractor’s CMMC flowdown checklist

| # | Step | What to do | Authority |
|---|---|---|---|
| 1 | Classify the data for each subcontract scope | Decide whether the sub will handle FCI, CUI, or covered defense information, and whether it provides operationally critical support. Map the data flow. | 32 CFR § 170.23(a); DFARS 252.204-7012 |
| 2 | Minimize what you share | Ask whether the sub can perform with FCI-only or CUI-free data. Less exposure means a lower required level and a smaller assessment. | 32 CFR § 170.23(a) (level tracks the data) |
| 3 | Set the sub’s required CMMC level | Apply the decision matrix (Table 1). Remember a CUI sub under a Level 3 prime needs Level 2 (C3PAO), not Level 3. | 32 CFR § 170.23(a)(1)–(4) |
| 4 | Insert the correct clauses | Include the flowdown clauses (Table 3), including the flowdown paragraph itself. Use current numbering for new subcontracts. Skip COTS-only subcontracts. | FAR 52.204-21(c) / 52.240-93; DFARS 252.204-7012(m); DFARS 252.204-7021(f) |
| 5 | Verify status before award and before sharing data | Request the sub’s current CMMC status/certificate, CMMC UID(s), affirmation, and (for Level 2 Self) the self-assessment score. You have no automatic SPRS access — the sub shares it. | DFARS 252.204-7021(f)(2); final rule (90 FR 43566) |
| 6 | Confirm the sub’s affirmation is posted | Ensure the sub’s affirming official has posted an affirmation of continuous compliance in SPRS before award, and require it annually. | DFARS 252.204-7021(d)(4); 32 CFR § 170.22 |
| 7 | Require further flowdown | The sub must pass the appropriate requirements to its own lower-tier vendors, at all tiers. | 32 CFR § 170.23(a); each clause’s flowdown paragraph |
| 8 | Gate the data release | Don’t release CUI until clauses, verification, and technical protections are in place. If a sub won’t accept DFARS 252.204-7012, keep covered defense information off its systems. | DFARS 252.204-7012; final rule (90 FR 43566) |
| 9 | Re-verify at option exercise and on change | Confirm the sub’s status is still current at each option or extension, and whenever its systems or scope change. Keep the records. | DFARS 252.204-7021 (“current”); DFARS 204.7504(c) |
| 10 | Watch the phase clock | The assessment type hardens over time: Level 2 (C3PAO) becomes the intended standard in Phase 2; Level 3 (DIBCAC) may appear at DoD’s discretion in Phase 2 and is intended for applicable solicitations in Phase 3; full application in Phase 4. | 32 CFR § 170.3(e) |
Sources as cited per row (eCFR 32 CFR Part 170; DFARS 252.204-7021; Federal Register). This checklist states regulatory minimums; your contract or DoD guidance may require more. Verified .
What changed in 2026 that affects this checklist
Two moving parts: the phased rollout advanced into Phase 1, and the RFO renumbered the surrounding clauses — but the flowdown rule at 32 CFR § 170.23 and the core clauses are unchanged.
The DFARS acquisition rule that put CMMC into contracts took effect , kicking off a four-phase rollout defined in 32 CFR § 170.3(e). We’re in Phase 1 today, and the calendar tightens fast:
Phase 1: Level 1 and Level 2 self-assessments appear in applicable solicitations as a condition of award. DoD may require Level 2 (C3PAO) for select high-priority acquisitions.
Phase 2: DoD intends to include Level 2 (C3PAO) certification as a condition of award for applicable contracts, and — at its discretion — may include Level 3 (DIBCAC). Self-attestation stops being enough for a wide range of CUI work.
Phase 3: DoD intends to include Level 2 (C3PAO) across the board and Level 3 (DIBCAC) for all applicable, highest-sensitivity solicitations and contracts.
Phase 4: Full application — every applicable solicitation and contract (except COTS-only) carries the appropriate CMMC level as a condition of award.
Why does that change your flowdown work now, before Phase 2? Because the required status must be current before award or option exercise (32 CFR § 170.17; DFARS 204.7504), and a Level 2 (C3PAO) certification is a third-party assessment that has to be scheduled and completed — it isn’t instant. If your Phase-2-affected subcontracts will require certified subs, the decisions you make today — which vendors handle CUI, and at what level — determine whether your supply chain is ready when the requirement hardens. The rule is phased; the preparation isn’t.
The second change is the RFO renumbering detailed in Table 3. The single most important takeaway: check the actual clause numbers in your specific solicitation. A subcontract clause list you built in 2025 may reference FAR 52.204-21 and DFARS 252.204-7019/7020; a 2026 solicitation issued under the deviation may reference FAR 52.240-93 and DFARS 252.240-7997, or omit 7019. The obligations are substantially the same, but the citations aren’t — and a subcontract that flows down a stale clause number invites confusion you don’t need.
What this checklist shows — and what it doesn’t
We’d rather tell you the edges than let you assume they aren’t there.
It states minimums. 32 CFR § 170.23 sets floors. DoD (§ 170.23(b)) or your specific contract can require more, and a Service or Component Acquisition Executive can waive CMMC in limited cases (§ 170.3).
It doesn’t classify your data. Whether a specific document is CUI, FCI, or covered defense information is set by the government or data owner and the applicable CUI program (Executive Order 13556; 32 CFR Part 2002; DoDI 5200.48; the National Archives CUI Registry) — not by this page.
The RFO numbers are interim. The February 2026 renumbering lives in class deviations, not yet codified in the CFR, and remains until rescinded or formally incorporated. Both schemes circulate today.
You can’t self-serve a subcontractor’s SPRS record. Verification depends on the subcontractor sharing its status, UID, and certificate.
It’s not legal advice. This is an educational reference. Confirm clause applicability and level determinations with your contracting officer and counsel for your contract. We’re a trade publication, not your law firm.
Frequently asked questions
Do CMMC requirements flow down to subcontractors?
Yes. Under 32 CFR § 170.23(a), CMMC requirements apply to prime contractors and subcontractors at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in performance of a DoD contract or subcontract. A supplier that never handles that data is not automatically covered. (Source: Table 1.)
Do all subcontractors need CMMC certification?
No. Flowdown is conditioned on the subcontractor handling FCI or CUI, and certification is not always required. FCI-only work and some CUI work are satisfied by a self-assessment; third-party (C3PAO) or government (DIBCAC) certification applies where the prime contract requires it. (Source: Table 1.)
What CMMC level does an FCI-only subcontractor need?
Level 1 (Self), regardless of the prime’s level, verified by an annual self-assessment and affirmation in SPRS. (Source: Table 1.)
What CMMC level does a CUI subcontractor need?
At least Level 2 (Self). If the prime contract requires Level 2 (C3PAO), the sub needs Level 2 (C3PAO). If the prime contract requires Level 3 (DIBCAC), the sub still needs at least Level 2 (C3PAO) — not Level 3 — unless DoD provides specific guidance. (Source: Table 1.)
Does CMMC Level 3 flow down?
Not automatically as Level 3. Under 32 CFR § 170.23(a)(4), a CUI-handling subcontractor under a Level 3 prime has a minimum of Level 2 (C3PAO), while § 170.23(b) lets DoD issue specific flowdown guidance. Level 3 is estimated to apply to only about 1% of affected contractors. (Source: Table 1.)
Did DFARS 252.204-7020 change in 2026?
Under the Revolutionary FAR Overhaul, effective February 1, 2026, solicitations issued under the deviation replace DFARS 252.204-7020 with DFARS 252.240-7997 (the “basic” self-assessment concept is removed), do not carry forward DFARS 252.204-7019, and use FAR 52.240-93 for basic safeguarding. DFARS 252.204-7012 and 252.204-7021 are unchanged. These are interim class deviations — the codified DFARS still displays 7019 and 7020 — so both numbering schemes appear during the transition. (Source: Table 3.)
Are COTS suppliers subject to CMMC flowdown?
No. Subcontracts solely for commercially available off-the-shelf items are excluded from the flowdown clauses and from CMMC program requirements under the cited applicability and prescription language (32 CFR § 170.3(c); FAR 2.101). (Source: Table 3.)
How do I verify a subcontractor’s CMMC status before award?
Request the sub’s current CMMC status and assessment date, CMMC UID(s), current affirmation, the Level 2 self-assessment score if the required status is Level 2 (Self), and certificate/status evidence for Level 2 (C3PAO) or Level 3 (DIBCAC). Primes have no automatic SPRS visibility into subs, so verification is a direct exchange (DFARS 252.204-7021(f)(2); final rule at 90 FR 43566). (Source: Tables 5 and 6.)
How current does a subcontractor’s status have to be?
A conditional status must be no older than 180 days; a final Level 1 status no older than one year; final Level 2 and Level 3 statuses no older than three years — each with a current annual affirmation (DFARS 252.204-7021, definition of “current”). (Source: Table 4.)
What happens if I flow down the wrong level or skip a clause?
You can trigger standard contractual remedies and become ineligible for additional awards until you restore the required status (32 CFR § 170.17), and — if cybersecurity compliance is knowingly misrepresented — create False Claims Act exposure under the Department of Justice’s Civil Cyber-Fraud Initiative. Bake clause flowdown and status verification into subcontractor onboarding, and gate any data release on confirmed status. (Source: Tables 3, 5, and 7.)
Verification log
— Checked against official sources: 32 CFR §§ 170.3, 170.17, 170.18, 170.22, and 170.23 (eCFR); DFARS 252.204-7021, 252.204-7025, and 252.204-7012 (Acquisition.gov); FAR 52.204-21 (Acquisition.gov); the DARS Revolutionary FAR Overhaul class deviations page and Deviation 2026-O0025; and the CMMC final-rule Federal Register notices (2024 program rule; 2025 DFARS rule). Next scheduled verification: October 2026, or sooner if 32 CFR Part 170, DFARS 252.204-7021/7025, SPRS, or the RFO Part 40 / DFARS Part 240 deviation changes.
How to cite this page
Publication:
The Defense Compliance Report
Title:
CMMC Flowdown Checklist for Prime Contractors (2026)
Example, APA-style: The Defense Compliance Report Editorial Team. (2026). CMMC flowdown checklist for prime contractors (2026). The Defense Compliance Report. https://thedefensecompliancereport.com/research/cmmc-flowdown-checklist/
Always confirm the regulatory requirements against the primary sources cited on this page for your specific contract.
The Defense Compliance Report is an independent trade publication. This is educational research, not legal, contractual, or compliance advice. Confirm all requirements against primary sources and with qualified counsel before acting.