January 10, 2025

The Cybersecurity Maturity Model Certification (CMMC) program encompasses all tiers of contractors within the global US Department of Defense (DoD) supply chain—arguably the world’s largest supply network. The CMMC 2.0 final version requires DoD prime contractors and their subcontractors that handle controlled unclassified information (CUI) to comply with the same cybersecurity guidelines. The goal is to protect CUI regardless of where it resides outside US government systems.  

But the initial CMMC 1.0 version was not explicit on the subject of flowdown requirements—that is, under what circumstances must a defense industrial base (DIB) contractor’s third-party subcontractors and vendors also achieve CMMC certification at the same level or a lower level?  

This article explains what the CMMC final rule says about flowdown, who it applies to, and how it could impact your organization. 

What is CMMC flowdown? 

CMMC’s control framework is derived from the NIST 800-171 Rev. 2 cybersecurity standard, which specifies 110 controls to protect CUI and federal contract information (FCI). Suppliers that handle CUI must comply with CMMC Level 2, which is essentially identical to NIST 800-171. DIB firms that handle only FCI must comply with CMMC Level 1. 

However, NIST 800-171 does not cover flowdown of cybersecurity requirements. Previously, requirements flowdown was covered by the DFARS 7012 clause, which many DoD contracts have included.

The CMMC final rule mandates requirements flowdown based on whether subcontractors receive CUI and/or FCI. CMMC requirements will apply to all contractors and subcontractors across all supply chain tiers that process, store, and/or transmit FCI or CUI in the performance of the contract or subcontract.  

“For any DIB organization, flowdown is essential,” says Sanjeev Verma, Chairman and co-founder at PreVeil. “If you have a CMMC contract and you’ve got three sub suppliers that are part of that bid, the CMMC obligation does apply to them. You’ve got to pass that along to them and their suppliers—there’s no ambiguity about it. The rule is very clear.”  

Who is responsible for verifying subcontractors’ CMMC certification? 

Prime contractors are responsible for ensuring that their subcontractors achieve and maintain CMMC certifications at the appropriate level for the information they receive, as defined in the contract. Subcontractors, in turn, are responsible for verifying CMMC certifications for their vendors, and so on down the line until the flow of CUI or FCI stops. The DoD estimates that CMMC flowdown will impact about 220,000 businesses worldwide. 

If a subcontractor handles the same FCI or CUI as the contractor they are supplying, they are subject to the same CMMC requirements. If a subcontractor receives only less sensitive information (e.g., just FCI but not CUI), they are subject to a lower CMMC level (e.g., CMMC Level 1 versus CMMC Level 2). 

For example: 

  • DIB orgs that receive only FCI must achieve and maintain CMMC Level 1 certification. 
  • DIB orgs that receive CUI must achieve and maintain CMMC Level 2 certification.  
  • Subcontractors that handle highly sensitive CUI on contracts where CMMC Level 3 is required may also be responsible for achieving CMMC Level 3 certification. 

Does flowdown apply to subcontractors outside the US?

DIB companies that handle CUI or FCI are required to comply with CMMC regardless of what country they reside in. US and non-US entities are treated the same. CMMC requirements flow down from both US and international prime contractors to their subcontractors to the point where the CUI or FCI stops.  

In short, CMMC compliance requirements are based on whether a company has a type of information (CUI or FCI) that requires protection. This holds true regardless of where a business is headquartered or where its operations are located.  

What’s next? 

For more guidance on this topic, listen to Episode 145 of The Virtual CISO Podcast with guest Sanjeev Verma, Chairman and co-founder at PreVeil.