DFARS Flow Down Requirements Video

This 2-minute video features Kyle Lai explaining DFARS flow down requirements for DoD Prime and Subcontractors.

Recent questions about Flow Down Requirements

Let’s discuss a couple of questions related to the flow-down requirements for DFARS 252.204-7012, 7020, and 7021, or Cybersecurity Maturity Model Certification, or CMMC. First question:

Flow down our DFARS 252.204-7012 requirements

If we are a contractor with a DFARS 7012 clause, do we flow down these requirements to the subcontractors within our contract?

It depends. The DFARS 7012 clause flows down to wherever your CUI goes. You need to flow down DFARS 7012 to subcontractors that receive your CUI. If you do not pass your CUI to a subcontractor, there are no DFARS requirements for that subcontractor. Here’s another question:

Flow down of CMMC / DFARS 252.204-7021

CMMC or DFARS 7021 states that a prime contractor can determine the level of CMMC certification required for their subcontractor based on the information flow down.  How do we address the flow-down requirements in combination with DFARS 7012 and 7020? 

If your subcontractor only needs Federal Contract Information, or FCI, and only receives your FCI, you will flow down the CMMC level 1 requirement to them. For your subcontractors that receive the CUI, you will need to flow down the CMMC level 2 or level 3 requirements as well as the DFARS 7012 and 7020 requirements to them.

Commercial off-the-shelf (COTS) exception

There’s an exception: If your subcontractor is a commercial off-the-shelf, or COTS, vendor, then they are exempt from the CMMC.

Thank you for watching!

This is Kyle Lai, President and Chief Information Security Officer at KLC Consulting. If you have any additional questions, please contact us at cmmc@klcconsulting.net. Thank you.


Check out our YouTube channel and LinkedIn pages for the latest information and education resources for Cybersecurity Maturity Model Certification.

Please visit our main page for more information about our NIST 800-171 and CMMC compliance services.
