Flowing down CMMC requirements to your subcontractors
Author: Leonard Esere, Senior Cybersecurity Engineer, CISSP, CCSP
Date: April 2026
Organization: Aeolitech
Abstract
Prime contractors in 2026 are discovering that their own CMMC certification is a necessary but not sufficient condition for continued DoD business. Under DFARS 252.204-7012(m), 32 CFR § 170.23, and DFARS 252.204-7021, the responsibility for cybersecurity compliance does not stop at the prime's boundary — it flows through every tier of the supply chain that handles Covered Defense Information (CDI) or Federal Contract Information (FCI). A sub's CMMC lapse can delay a program, expose the prime to False Claims Act liability, and — as the major primes are now demonstrating publicly — result in termination of established supplier relationships. This whitepaper provides primes and large sub-tier contractors with a structured approach to supply chain CMMC readiness: how to inventory and scope subcontractors, determine required CMMC levels, collect and verify compliance attestations, structure tiered onboarding, draft protective contract clauses, and manage the ongoing risk of a sub's certification expiration.
Table of Contents
1. The Legal Framework: DFARS 7012 Flow-Down and 32 CFR § 170.23
2. Determining What Level Each Sub Needs
3. Subcontractor Inventory and Scoping
4. SPRS Verification and Self-Attestation Collection
5. Tiered Onboarding: Tier 1, 2, and 3 Subcontractors
6. Contract Clauses to Include in Subcontract Agreements
7. Tooling for Supply Chain Compliance Monitoring
8. Managing the Risk of a Sub's CMMC Lapse
9. How Major Primes Are Handling This in 2026
10. Building a Supplier Cybersecurity Program
11. About the Author
12. References
13. Next Steps
1. The Legal Framework: DFARS 7012 Flow-Down and 32 CFR § 170.23
DFARS 252.204-7012(m) — The Bedrock Obligation
DFARS 252.204-7012(m) requires prime contractors to include the 7012 clause without alteration in any subcontract or similar contractual instrument when:
1. Subcontract performance will involve Covered Defense Information (CDI), or
2. The subcontract is for operationally critical support.
This obligation is not discretionary. The phrase "without alteration, except to identify the parties" forecloses any attempt to dilute reporting timelines, preservation requirements, or CSP obligations when flowing the clause to subcontractors. Subcontractors receive the same regulatory burden as the prime.
The clause further requires that subcontractors:
- Notify the prime when submitting a request to the Contracting Officer for a variance from a NIST SP 800-171 security requirement.
- Provide the DoD-assigned incident report number to the prime (or next higher-tier sub) as soon as practicable after reporting a cyber incident.
32 CFR § 170.23 — CMMC Flow-Down
The CMMC Final Rule codifies flow-down requirements at 32 CFR § 170.23. This section establishes that prime contractors are responsible for including CMMC requirements in subcontracts based on the type of covered information the subcontractor will receive. The applicable DFARS clauses that carry CMMC requirements through the subcontracting chain are:
- FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems (FCI-only subs; CMMC Level 1)
- DFARS 252.204-7012 — Safeguarding CDI and Cyber Incident Reporting (CDI-handling subs; CMMC Level 2 minimum)
- DFARS 252.204-7021 — CMMC Requirements (establishes the specific CMMC level required based on the data type and contract requirements)
The Critical Rule: Data Type Drives Required Level
The CMMC level a subcontractor must achieve is determined by the type of covered information the prime shares with them, not the prime's own CMMC level:
| Data Shared with Sub | Minimum CMMC Level Required |
|---|---|
| No FCI or CUI | No CMMC requirement triggered |
| Federal Contract Information (FCI) only | CMMC Level 1 (Self-Assessment) |
| Controlled Unclassified Information (CUI) | CMMC Level 2 (minimum) |
| CUI under a Level 3 prime program | CMMC Level 2 C3PAO certification (minimum) |
Primes control what flows. If a prime chooses not to share CUI with a particular subcontractor (by using non-CUI work packages, reference data, or controlled delivery methods), the Level 2 obligation is not triggered for that sub. Thoughtful CUI scoping can simplify the supply chain compliance burden — but it requires deliberate program design.
2. Determining What Level Each Sub Needs
The determination process for each subcontractor relationship should follow a structured data-flow analysis:
Step 1: Characterize the Data
For each subcontract, identify:
- Will the sub receive, create, process, transmit, or store FCI?
- Will the sub receive, create, process, transmit, or store CUI?
- If CUI, what CUI categories are involved? (Technical data, export-controlled, sensitive acquisition, etc.)
Step 2: Classify the Sub's Required Level
Apply the data type matrix above. Document the determination in your subcontractor compliance register with the date of determination, the supporting data-flow analysis, and the contract numbers involved.
Step 3: Verify Level Availability
Check whether the subcontractor has achieved (or is credibly on track to achieve) the required level:
- Level 1: Completed self-assessment posted to SPRS; annual affirmation current.
- Level 2 (Self): Completed NIST 800-171 self-assessment with SPRS score ≥ 88 equivalent; annual affirmation current.
- Level 2 (C3PAO): Certificate of CMMC Level 2 from an accredited C3PAO; status verifiable in CMMC AB lookup or SPRS.
Step 4: Document and Store
Maintain a record of the SPRS score or certification status at the time of award for each subcontractor. The date, CAGE code, SPRS score or certificate number, and affirmation status should be stored in your supplier compliance database.
3. Subcontractor Inventory and Scoping
Building the Subcontractor Inventory
Many primes are surprised to discover, when they begin this exercise, how large and fragmented their supplier base is. Start with a complete inventory before any compliance determination:
1. Pull all active subcontracts and purchase orders under current DoD prime contracts.
2. Identify any teaming agreements or consulting relationships that involve access to DoD contract information.
3. Include cloud service providers, managed IT service providers (MSPs), and SaaS vendors that process, store, or transmit data on behalf of the prime. These are subcontractors for DFARS 7012 purposes if they touch CDI.
4. Segment by data access: Which suppliers receive CDI? Which receive only FCI? Which receive neither?
Scoping Guidance
Not every supplier relationship triggers DFARS 7012 or CMMC flow-down. The obligation is triggered by the contractor's actual handling of CDI in support of DoD contract performance. Suppliers of commercial off-the-shelf (COTS) items, commodity raw materials without program-specific technical data, and administrative services with no CUI exposure are generally outside scope.
Maintain a written scoping determination for each supplier, documenting the rationale for in-scope or out-of-scope classification. This documentation protects the prime in the event of a government audit or FCA inquiry.
Sub-Tier Inventory
Prime contractors bear responsibility not only for their Tier 1 subcontractors but for the compliance posture of the entire multi-tier chain. If a Tier 1 sub shares CUI with a Tier 2 sub, that Tier 2 sub needs the appropriate CMMC level. Require Tier 1 subs to:
- Flow down DFARS 7012 and 7021 clauses to any sub-tier suppliers they engage with CUI.
- Maintain their own subcontractor compliance inventory.
- Provide annual attestation that sub-tier flow-down obligations are being met.
4. SPRS Verification and Self-Attestation Collection
Verifying SPRS Scores
SPRS (Supplier Performance Risk System) is the DoD's authoritative platform for tracking contractor compliance assessments. Before sharing CDI with any subcontractor, primes should:
1. Request the sub's SPRS printout showing the current assessment score, assessment date, and affirmation status.
2. Verify the score is current: self-assessments must be refreshed at least annually; C3PAO certifications carry a three-year validity period with annual affirmations in between.
3. Assess score plausibility — an SPRS score that was submitted within days of a supplier onboarding request, showing a perfect 110, without supporting SSP documentation, is a red flag. SPRS scores are self-reported; primes should request supporting evidence for scores that appear implausibly high relative to the supplier's apparent security program maturity.
4. Log the verification — record the date of verification, the score observed, and the CAGE code in your compliance register.
Self-Attestation Package Contents
For Tier 1 subcontractors handling CUI, a reasonable self-attestation package includes:
| Document | Purpose |
|---|---|
| SPRS Score Printout | Evidence of current DoD assessment submission |
| System Security Plan (Executive Summary) | Overview of system boundary and control implementation |
| Scope Boundary Diagram | Illustrates the CUI enclave or processing environment |
| NIST 800-171 Assessment Results | Supporting evidence for SPRS score |
| POA&M (if applicable) | Open items and closure timelines |
| C3PAO Certificate (if Level 2 C3PAO) | Third-party verification of Level 2 compliance |
| Annual Affirmation Record | Confirmation of continued compliance |
Vendor Questionnaire Approach
For Tier 2 and Tier 3 suppliers, or lower-risk CUI handlers, a structured vendor questionnaire may be proportionate to the risk:
- Do you handle CUI in support of your performance on this subcontract?
- Have you posted a current NIST 800-171 self-assessment to SPRS?
- What is your current SPRS score? (Provide printout)
- Are all CUI-handling personnel covered by security awareness training?
- Do you have a documented incident response plan with DFARS 7012 reporting procedures?
- Have you experienced a cyber incident affecting CDI in the past 12 months? If yes, was it reported to DoD within 72 hours?
5. Tiered Onboarding: Tier 1, 2, and 3 Subcontractors
A tiered onboarding model calibrates compliance verification effort to risk. The higher the data sensitivity and the deeper the integration into the prime's CUI environment, the more rigorous the onboarding.
Tier 1: High-Value, High-Access Subcontractors
Profile: Design-responsible subcontractors; co-development partners; IT service providers with system-level access to CUI environments; managed security service providers.
Onboarding Requirements:
- Full self-attestation package (see above) or C3PAO certificate.
- Right-to-audit clause in subcontract agreement.
- Quarterly compliance status updates.
- Immediate notification obligation for any cyber incident, SPRS score change, or certification status change.
- Evidence of an ECA (External Certification Authority) certificate, which is needed to submit DFARS 7012 incident reports.
Tier 2: Standard CUI Handlers
Profile: Manufacturing sub-tier suppliers with access to technical data and drawings; specialized service providers; software component suppliers integrated into CDI systems.
Onboarding Requirements:
- SPRS score verification (printout) and annual affirmation.
- DFARS 7012 clause in subcontract.
- DFARS 7021 clause at the appropriate level.
- Vendor questionnaire on key security controls.
- Annual attestation of continued compliance.
- Notification requirement for cyber incidents and certification changes.
Tier 3: Lower-Risk, Limited Exposure Subcontractors
Profile: Raw material suppliers with no program-specific technical data; administrative service providers; COTS product vendors with incidental access to the facility only.
Onboarding Requirements:
- Scope determination (documented) confirming CUI exposure level.
- If FCI-only: FAR 52.204-21 clause; CMMC Level 1 self-assessment in SPRS.
- If out-of-scope: Document rationale; no CMMC clause required.
- Annual review of scope determination.
6. Contract Clauses to Include in Subcontract Agreements
Every subcontract involving CDI should include the following protective clauses, in addition to the mandated DFARS flow-downs:
Mandatory Government Flow-Down Clauses
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
Protective Clauses Recommended by Aeolitech
1. Right to Audit
"Prime reserves the right to audit Subcontractor's cybersecurity posture, including review of System Security Plan, SPRS assessment documentation, and POA&M status, with 30 days' notice, no more than once per year unless a material cybersecurity event occurs."
2. Notification of Material Security Events
"Subcontractor shall notify Prime within 24 hours of: (a) any cyber incident affecting CDI; (b) any change to CMMC certification status; (c) any downward revision to SPRS score exceeding 10 points; (d) any government assessment, audit, or inquiry related to cybersecurity compliance."
3. Flow-Down Obligation
"Subcontractor shall include DFARS clauses 252.204-7012 and 252.204-7021 in all lower-tier subcontracts involving CDI or FCI, and shall require such lower-tier subcontractors to maintain the CMMC level required based on the data type shared."
4. Annual Affirmation
"Subcontractor shall submit an annual written affirmation, no later than [date], confirming that the CMMC level required under this subcontract is maintained, that all SPRS submissions are current and accurate, and that all POA&M items from the most recent assessment have been closed or are on schedule for 180-day closure."
5. CMMC Lapse Remediation
"In the event Subcontractor's CMMC certification or SPRS score falls below the level required under this subcontract, Subcontractor shall provide Prime with a remediation plan within 10 business days. During the remediation period, Subcontractor shall not receive, create, process, or store CDI. Prime may suspend CDI sharing with Subcontractor until the required CMMC level is restored."
6. Incident Report Number Provision
"Subcontractor shall provide Prime with the DoD-assigned incident report number within 24 hours of submission of any cyber incident report required under DFARS 252.204-7012."
7. Tooling for Supply Chain Compliance Monitoring
Manual tracking of subcontractor CMMC compliance across a large supplier base is error-prone and resource-intensive. The following tooling categories support scalable supply chain compliance programs:
SPRS Monitoring
There is no automated API for SPRS score monitoring currently available to primes. Compliance teams must manually request printouts from subcontractors or require subs to notify primes of score changes. Some GRC platforms (e.g., Venminder, ProcessUnity, Exostar) allow primes to build supplier compliance dashboards that track submitted documentation, attestation dates, and renewal reminders.
Supplier Risk Platforms
| Platform Category | Examples | Key Function |
|---|---|---|
| Supplier Risk Management | Exostar, Aravo, Coupa | Centralized supplier onboarding, questionnaire management, document collection |
| GRC / Compliance Tracking | Drata, Vanta, RSAM | Control implementation tracking, evidence collection, audit trail |
| Continuous Monitoring | SecurityScorecard, BitSight | Passive external signal monitoring for supplier security posture degradation |
| SPRS/CMMC Tracking | CyberSheath, CMMC DIY, PreVeil | CMMC-specific assessment management and SPRS score tracking |
Questionnaire Automation
For large supplier bases, automated questionnaire tools reduce the cost of collecting attestation data. Tools that support the Standardized Information Gathering (SIG) questionnaire framework or CAIQ can be adapted for CMMC-relevant questions. Responses feed into the supplier compliance register automatically, flagging overdue attestations and inconsistencies.
Continuous External Monitoring
Passive monitoring tools (SecurityScorecard, BitSight, CyCognito) provide an outside-in view of a supplier's security posture based on observable signals: exposed services, known vulnerabilities, domain health, certificate management. While these tools cannot directly assess internal NIST 800-171 control implementation, they can surface signals of deteriorating posture between formal attestation cycles.
8. Managing the Risk of a Sub's CMMC Lapse
A subcontractor's CMMC certification lapse does not automatically terminate the subcontract — but it does create an immediate compliance problem for the prime if CDI continues to flow to the sub. Under DFARS 7021, the prime cannot legally share CDI with a subcontractor that has failed to maintain the required CMMC level.
Lapse Scenario Planning
Primes should maintain contingency plans for the following scenarios:
| Scenario | Prime's Immediate Obligation | Contingency |
|---|---|---|
| Sub's C3PAO certification expires, not renewed | Stop CDI sharing immediately | Identify backup supplier; assess feasibility of insourcing CDI-sensitive work package |
| Sub's SPRS score drops significantly after self-reassessment | Evaluate whether sub still meets minimum threshold; request remediation plan | Suspend CDI sharing until score is restored to required level |
| Sub reports a cyber incident | Receive incident report number; assess whether prime's CDI was exposed; notify DoD if prime's CDI was at risk | Evaluate whether continued CDI sharing is appropriate during sub's investigation |
| Government assessment of sub reveals compliance gaps | Cooperate with government; assess prime's exposure | Prepare FCA voluntary disclosure analysis with legal counsel |
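The level determination in Section 2, the SPRS currency and plausibility checks in Section 4, the notification trigger in clause 2(c), and the CDI-sharing gate described in this section can all be driven from one compliance register record. The following is an added example, not code from Aeolitech or any of the platforms named above; the record fields, the "block"/"notify" finding severities and the sample CAGE codes are assumptions.

```python
"""Subcontractor compliance register checks: required level, evidence currency,
and the CDI-sharing gate. Added example; record fields are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ANNUAL = timedelta(days=365)               # self-assessments and affirmations refresh yearly
C3PAO_VALIDITY = timedelta(days=3 * 365)   # C3PAO certificates carry a three-year validity
LEVEL2_SELF_MIN_SCORE = 88                 # Level 2 (Self) SPRS threshold quoted in Section 2
SCORE_DROP_TRIGGER = 10                    # clause 2(c): downward SPRS revision exceeding 10 points
PLAUSIBILITY_WINDOW = timedelta(days=7)    # Section 4 step 3: perfect score posted days after request


def required_level(shares_fci: bool, shares_cui: bool, level3_program: bool = False) -> str:
    """Data-type matrix from Section 1; the prime's own CMMC level plays no part."""
    if shares_cui:
        return "L2-C3PAO" if level3_program else "L2"
    return "L1" if shares_fci else "NONE"


@dataclass
class SubRecord:
    cage: str                                # CAGE code (constructed values in the sample)
    level_required: str                      # output of required_level()
    assessment_date: Optional[date] = None   # SPRS self-assessment submission date
    sprs_score: Optional[int] = None         # NIST 800-171 score on the 110-point scale
    prior_sprs_score: Optional[int] = None   # score logged at the previous verification
    affirmation_date: Optional[date] = None  # most recent annual affirmation
    c3pao_cert_date: Optional[date] = None   # Level 2 C3PAO certificate issue date
    ssp_on_file: bool = False                # SSP executive summary received?
    onboarding_request_date: Optional[date] = None


def _stale(d: Optional[date], today: date, validity: timedelta) -> bool:
    return d is None or today - d > validity


def evaluate(rec: SubRecord, today: date) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (may_share_cdi, findings). A 'block' finding stops CDI flow (Section 8);
    a 'notify' finding needs follow-up but does not by itself gate sharing."""
    findings: List[Tuple[str, str]] = []
    if rec.level_required == "NONE":
        return True, findings
    if _stale(rec.affirmation_date, today, ANNUAL):
        findings.append(("block", "annual affirmation missing or older than one year"))
    if rec.level_required == "L1":
        if _stale(rec.assessment_date, today, ANNUAL):
            findings.append(("block", "Level 1 self-assessment missing or stale in SPRS"))
    elif rec.level_required == "L2":
        if _stale(rec.assessment_date, today, ANNUAL):
            findings.append(("block", "NIST 800-171 self-assessment missing or stale in SPRS"))
        if rec.sprs_score is None or rec.sprs_score < LEVEL2_SELF_MIN_SCORE:
            findings.append(("block", f"SPRS score below Level 2 (Self) threshold of {LEVEL2_SELF_MIN_SCORE}"))
        # Red flag from Section 4: a perfect 110 posted within days of the request, with no SSP on file
        if (rec.sprs_score == 110 and not rec.ssp_on_file and rec.assessment_date
                and rec.onboarding_request_date
                and abs(rec.assessment_date - rec.onboarding_request_date) <= PLAUSIBILITY_WINDOW):
            findings.append(("notify", "implausible perfect score; request SSP and assessment evidence"))
    elif rec.level_required == "L2-C3PAO":
        if _stale(rec.c3pao_cert_date, today, C3PAO_VALIDITY):
            findings.append(("block", "C3PAO Level 2 certificate missing or expired"))
    # Clause 2(c): a downward SPRS revision of more than 10 points is a notification event
    if (rec.prior_sprs_score is not None and rec.sprs_score is not None
            and rec.prior_sprs_score - rec.sprs_score > SCORE_DROP_TRIGGER):
        findings.append(("notify", "SPRS score dropped more than 10 points; request remediation plan"))
    may_share = not any(sev == "block" for sev, _ in findings)
    return may_share, findings


if __name__ == "__main__":
    # Constructed sample: a Tier 2 CUI handler whose self-reassessment slipped from 105 to 92
    today = date(2026, 4, 15)
    sub = SubRecord("ZZZ99", required_level(True, True), date(2025, 11, 1), 92, 105,
                    date(2025, 11, 1), ssp_on_file=True)
    print(evaluate(sub, today))
```

Run it at each purchase-order issuance and at every attestation renewal; a "block" result is the point at which clause 5's suspension of CDI sharing applies.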
The "Kill a Contract" Risk
The most severe scenario is a sub whose CMMC lapse, if discovered by the contracting officer, could trigger a cure notice or termination of the prime contract. This risk is highest for:
- Single-source subcontractors with no approved alternates.
- Subcontractors with specialized technical knowledge that cannot be transferred quickly.
- Subcontractors holding the only qualified manufacturing process for a critical component.
For these suppliers, CMMC readiness support from the prime is a program risk mitigation strategy, not just a compliance formality. Some primes are providing technical assistance, cost-sharing for C3PAO assessments, or access to shared security services (e.g., the DoD's OSC² — On-Ramp to Small Business Cybersecurity) to ensure critical suppliers meet the required level before formal deadlines.
9. How Major Primes Are Handling This in 2026
The behavioral shift among major defense primes in 2025–2026 illustrates the urgency of supply chain CMMC readiness. The following table summarizes documented actions taken by five of the largest prime contractors:
| Prime | Action Taken | Minimum Requirement | Verification Method |
|---|---|---|---|
| Raytheon (RTX) | Annual supplier registration form requiring CMMC status disclosure (Feb 2025) | Active CMMC certification at level specified in prime contract/solicitation | Annual Supplier Registration update; SPRS printout |
| Lockheed Martin | Reached out directly to suppliers with unimplemented CMMC controls per SPRS scores (Jun 2025) | CMMC Level 2 (Self) now; Level 2 C3PAO anticipated | Exostar CCRA Module — submit NIST assessment and readiness level |
| Boeing | Assessed supplier cybersecurity practices for CMMC gaps across supply base (Sept 2025) | CMMC Level 1–3 as specified in solicitation; Level 2 C3PAO for CUI | Gap assessment conducted by Boeing; certification condition of award |
| Elbit Systems | Mandated Level 1 self-assessment for all non-COTS suppliers (Nov 2025) | Level 1 (Self) immediately; Level 2 C3PAO for CUI handlers encouraged | SPRS + Exostar submission |
| Northrop Grumman | Stated explicitly that primes cannot waive or deviate from CMMC requirements (Dec 2025) | Subcontractors must comply with CMMC requirements in solicitation/contract | Purchase orders will not be issued to noncompliant subs; no exceptions |
A survey conducted in August–September 2025 found that 47% of subcontractors had already received a CMMC flow-down request from a prime — before formal government enforcement began. By late 2025, the market had already made CMMC compliance a commercial prerequisite for being in the defense supply chain.
Northrop Grumman's public statement captures the current posture precisely: "Neither contracting officers nor prime contractors may waive or deviate from the CMMC cybersecurity control and assessment requirements." Long-standing supplier relationships and sole-source status do not provide protection from non-compliance consequences.
10. Building a Supplier Cybersecurity Program
Primes that handle this reactively — scrambling to verify sub compliance when a contracting officer asks — are taking unnecessary risk. A proactive Supplier Cybersecurity Program (SCP) institutionalizes supply chain CMMC readiness as an ongoing business process.
Core SCP Components
1. Governance Structure
Assign ownership: typically the Supply Chain Security Manager, reporting to the CISO or VP of Procurement. Define roles for each function in the SCP: SPRS verification, contract clause management, incident notification tracking, sub audit coordination.
2. Supplier Segmentation and Registry
Maintain a living registry of all suppliers, segmented by data access level (CUI, FCI, none), required CMMC level, current certification status, and next renewal/affirmation date.
3. Onboarding Process
Define the onboarding requirements for each supplier tier (as described in Section 5). No CDI is shared until the onboarding requirements for that tier are confirmed to have been met.
4. Continuous Monitoring
Define the ongoing monitoring cadence: annual attestation collection, SPRS check at each purchase order issuance, external monitoring signals reviewed quarterly.
5. Incident Response Integration
Ensure that the prime's DFARS 7012 IR plan includes procedures for receiving sub incident report numbers, assessing whether prime CDI was affected, and making the prime-level reporting decision.
6. Supplier Development Program
For critical suppliers at risk of non-compliance, provide guidance documents, referrals to qualified C3PAO resources, or cost-sharing arrangements for assessment preparation. A critical supplier that fails CMMC costs more to replace than to assist.
7. Annual Program Review
Review the SCP annually against current CMMC phase enforcement requirements, update flow-down clause language if DFARS clauses are revised, and brief executive leadership on supply chain compliance posture.
11. About the Author
Leonard Esere is a Senior Cybersecurity Engineer and compliance strategist at Aeolitech with deep expertise in DFARS/CMMC, NIST SP 800-171, supply chain risk management, and DoD Industrial Security. Holding CISSP and CCSP certifications, Leonard has designed Supplier Cybersecurity Programs for prime contractors, developed subcontract clause libraries for CMMC compliance, and assisted sub-tier suppliers in achieving Level 2 C3PAO certification readiness. He has advised organizations on the CUI scoping determinations that drive supply chain CMMC level requirements.
12. References
| Source | URL |
|---|---|
| DFARS 252.204-7012 (MAY 2024) — Subcontracts (m) | https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting |
| DFARS 252.204-7021 — CMMC Requirements | https://www.acquisition.gov/dfars/252.204-7021 |
| 32 CFR § 170.23 — CMMC Flow-Down | https://www.law.cornell.edu/cfr/text/32/170.23 |
| 32 CFR Part 170 — CMMC Program Rule | https://www.ecfr.gov/current/title-32/part-170 |
| FAR 52.204-21 — Basic Safeguarding | https://www.acquisition.gov/far/52.204-21 |
| SPRS (Supplier Performance Risk System) | https://www.sprs.csd.disa.mil/ |
| CMMC Accreditation Body — C3PAO Registry | https://cyberab.org/ |
| NR Labs — CMMC Flow-Down Checklist | https://www.nrlabs.com/blog-posts/cmmc-flow-down-for-prime-contractors-the-complete-checklist |
| Secureframe — Prime Contractor CMMC Enforcement | https://secureframe.com/blog/prime-contractor-cmmc-compliance |
| ISI Defense — Prime Contractor Screening 2026 | https://isidefense.com/blog/how-prime-contractors-are-screening-subcontractors-in-2026 |
| CUI Registry (NARA) | https://www.archives.gov/cui/registry/category-list.html |
| Mayer Brown FCA Enforcement Report (2026) | https://www.mayerbrown.com/en/insights/publications/2026/03/false-claims-act-enforcement-record-breaking-year-signals-continued-attention-to-cybersecurity |
13. Next Steps
The defense supply chain is not waiting for formal government enforcement to sort itself out. Primes are making CMMC compliance a condition of business today, and the subcontractors that are not ready are already losing purchase orders. Whether you are a prime building a supplier compliance program or a subcontractor trying to understand what your prime is going to demand, the time to act is now.
Schedule a CMMC Gap Assessment with Aeolitech →
Our supply chain readiness services include CUI data-flow analysis for scope determination, subcontractor compliance registry design, contract clause review and drafting, and CMMC readiness assessments for sub-tier suppliers — delivering the documentation and evidence packages that primes actually require in their onboarding processes.