
Do Subcontractors Need CMMC? How Flow-Down Actually Works

By Glenn Ballard·CMMC Registered Practitioner·June 19, 2026·8 min read

One of the most common — and most expensive — misconceptions in the defense supply chain is this: “We're just a subcontractor. We don't deal with the government directly, so CMMC isn't our problem.” It is. CMMC obligations flow down from primes to subs through the contract, and a subcontractor that handles protected information has to meet the applicable level — or it doesn't get the work. Here is exactly how flow-down works and what it means for you.

How Flow-Down Works

When a prime contractor wins a DoW contract involving protected information, it is required to pass the relevant cybersecurity clauses down to its subcontractors. The key clauses:

  • DFARS 252.204-7012 — safeguarding covered defense information and reporting incidents; flows down when CUI is involved.
  • DFARS 252.204-7021 — the CMMC clause; requires the subcontractor to hold the appropriate CMMC level before protected information is shared.

The prime is responsible for ensuring its subs meet the required level. In practice, that means primes are increasingly unwilling to share CUI — or award the subcontract at all — to a supplier that can't demonstrate compliance. Flow-down isn't just a legal formality; it's a gate on whether you win the business.

Which Level Does a Subcontractor Need?

Here is the part that surprises people: a subcontractor does not automatically need the same level as the prime. The required level depends on the sensitivity of the information that actually flows down to you:

  • Only FCI flows down → you need CMMC Level 1.
  • CUI flows down → you need CMMC Level 2.

So a prime certified at Level 2 might pass only FCI to a particular sub — meaning that sub needs only Level 1. The flip side is just as true: if CUI reaches you, you need Level 2 regardless of how small your piece of the work is. (Not sure which kind of information you handle? Start with what CUI is and how to tell.)

Don't let a prime over- or under-state your obligation by guesswork. The level is driven by what information genuinely flows to you. Getting it wrong in either direction is costly — an unnecessary Level 2 build-out, or a compliance failure that loses the contract and can carry False Claims Act exposure.

The COTS Exception

There is a meaningful carve-out. Suppliers that provide only commercial off-the-shelf (COTS) products — and never receive or generate FCI or CUI — are generally not subject to CMMC flow-down, because no protected information changes hands. If you sell a standard catalog product and no controlled information touches your systems, CMMC likely doesn't reach you. The moment that changes — a drawing, a spec, a controlled data file — so does your obligation.

What to Ask Your Prime

If you're a subcontractor, get clarity in writing before you accept the work:

  • Will any FCI or CUI flow down to us under this subcontract?
  • What CMMC level does the prime require of us, and by when?
  • Which DFARS clauses are being flowed down?
  • How will controlled information be transmitted and marked, so we can scope our environment correctly?

The answers tell you precisely what you need to build — and let you start early, while competitors are still asking the question.

Find Out Where You Stand

Whether CMMC reaches you as a prime or a sub, the first move is the same: measure your posture against the requirements that apply to you. The Dragonfli Group CMMC Accelerator helps you scope what flows down, assess against the relevant NIST SP 800-171 requirements, and produce a draft SSP, POA&M, and gap plan — reviewed by a CMMC Registered Practitioner — so you can give your prime a confident, accurate answer.


Know your obligation before your prime asks.

The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.
