Subcontractor Flow-Down
Also known as: Flow-down, Flowdown
Subcontractor flow-down is the contractual mechanism by which a prime contractor passes federal cybersecurity requirements (FAR 52.204-21, DFARS 252.204-7012/7019/7020/7021) to its subcontractors. CMMC requirements flow down to any subcontractor that will process, store, or transmit FCI or CUI in performance of the contract.
Related terms
- Prime Contractor
A prime contractor is the entity that holds the direct contract with the federal government. The prime is responsible for flowing down applicable CMMC requirements to its subcontractors and for assessing whether each subcontractor's required CMMC level matches the type of information being shared.
- FAR 52.204-21
FAR 52.204-21 is the Federal Acquisition Regulation clause that requires federal contractors to apply 15 basic safeguarding requirements to systems that process, store, or transmit Federal Contract Information (FCI). It is the regulatory basis for CMMC Level 1 — the 15 Level 1 practices are drawn directly from paragraph (b)(1) of this clause.
- DFARS 252.204-7021
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025, as part of the 48 CFR final rule, and it triggers the annual senior-official affirmation requirement under 32 CFR 170.22.