October 23, 2024

Last Updated on October 23, 2024

The Cybersecurity Maturity Model Certification (CMMC) program aims to manage cyber risk not just for individual companies but across the entire US Department of Defense (DoD) supply chain, one of the world's largest supply networks. CMMC not only requires DoD contractors to demonstrate robust cybersecurity, but also requires them to ensure that their own suppliers meet the DoD's requirements.

What does CMMC's multi-tier "flowdown" process look like, and who has to do it? This article explains what you need to know about CMMC flowdown and how it could affect your business.


What is flowdown of CMMC compliance requirements?

CMMC's compliance framework is built on existing federal safeguarding standards. CMMC Level 2 is based on NIST SP 800-171 Rev. 2, which defines 110 security requirements specifically to protect controlled unclassified information (CUI) wherever it resides outside US government systems. CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for federal contract information (FCI). Contractors that handle CUI must meet CMMC Level 2, while contractors that handle only FCI need to achieve CMMC Level 1.

NIST SP 800-171 itself contains no explicit third-party risk management (TPRM) or vendor due-diligence requirements. Before CMMC, flowdown came from contract clauses: DFARS 252.204-7012, included in most DoD contracts, requires contractors to flow its safeguarding requirements down to subcontractors whose performance involves covered defense information (CUI), and FAR 52.204-21 does the same for FCI.

But with the CMMC proposed rule published in December 2023, CMMC itself now mandates flowdown of requirements based on the type of information shared with subcontractors and vendors.

The latest proposed rule from August 2024 states that CMMC requirements “apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in the performance of the contract or subcontract.”

This means that prime contractors must flow down CMMC requirements to each subcontractor that will handle FCI or CUI, based on the type of information the subcontractor will receive from the prime:

  • Subcontractors that handle only FCI need only meet CMMC Level 1 requirements.
  • Subcontractors that handle CUI must meet the more stringent CMMC Level 2 requirements, at the same assessment type the prime's contract requires: Level 2 self-assessment, or Level 2 third-party (C3PAO) certification assessment.
  • Subcontractors that handle CUI on a contract where the prime contractor must meet CMMC Level 3 must achieve at least CMMC Level 2 (C3PAO). The rule does not yet spell out when a subcontractor would itself need to achieve CMMC Level 3.

CMMC 2.0 also makes primes responsible for verifying that subcontractors hold a current CMMC certification or self-assessment at the required level before awarding subcontracts, and subcontracts must clearly state the applicable CMMC requirements.

These new requirements go a long way toward improving security across the US defense industrial base (DIB). But they add significant new responsibilities and complexities to a contractor’s cybersecurity compliance program.


Who must comply with CMMC flowdown requirements?

The flowdown requirements in the CMMC proposed rule will apply to all DoD contracts and subcontracts where the contractor will store, process, and/or transmit FCI and/or CUI on its own systems in performance of the contract or subcontract. The DoD estimates that CMMC will impact about 220,000 companies “throughout the supply chain at all tiers,” which is nearly the entire DIB.

If a contractor and its subcontractor handle the same type of information (FCI and/or CUI), the same CMMC level applies to both. When the contractor shares only less sensitive information with a subcontractor, a lower CMMC level may apply to that subcontractor.

For example, if your business receives both FCI and CUI but some of your vendors receive only FCI, you must flow down the CMMC Level 1 (self-assessment) requirement to those vendors. For the vendors you share CUI with, you must flow down the CMMC Level 2 requirement at the assessment type your own contract specifies, along with the applicable DFARS clauses (e.g., DFARS 252.204-7012 or DFARS 252.204-7020).

Suppliers of commercial off-the-shelf (COTS) items are the exception: a contract or subcontract solely for the acquisition of COTS items is exempt from CMMC requirements.


Why is a supply chain approach to safeguarding CUI so critical?

By charging DIB companies with ensuring that their vendors also meet CMMC requirements, the DoD has added significant compliance steps for thousands of organizations. Contractors that fail to achieve compliance risk losing contracts, being rendered ineligible for future contracts, and/or facing False Claims Act litigation.

Why is CMMC flowdown across the DIB so important to cybersecurity? Because failure to protect CUI can compromise national security, personal privacy, and the US economy.

The DoD’s worldwide supply chain is becoming increasingly complex, with more and more sensitive data flowing down to suppliers. Further, much of this data ends up in the cloud, which compounds cybersecurity risk.

Safeguarding CUI thus requires every organization that handles it to uphold an adequate cybersecurity posture. By taking a supply chain approach to cybersecurity, CMMC aims to ensure that CUI remains secure wherever it flows across the DIB.


What’s next?

The DoD's supply chain approach to cyber compliance makes it imperative for DIB leaders to read contracts carefully and make sure that all requirements are understood, agreed to, and reflected in their CUI protection program. Assessing vendors' cybersecurity posture against those requirements often takes significant resources and could tip the decision on whether to pursue a contract at all.

To connect with an expert about CMMC requirements flowdown and other defense cybersecurity issues, contact CBIZ Pivot Point Security.