DFARS Flow Down Requirements Video

DFARS Flow Down Requirements Explained

This 2m video features Kyle Lai explaining DFARS flow down requirements for DoD Prime and Subcontractors

DFARS Flow Down Requirements Video (Continued)

Recent questions about Flow Down Requirements

Let’s discuss a couple of questions related to the flow-down requirements for DFARS 252.204-7012, 7020, and 7021.  Or cybersecurity maturity model certification, or CMMC.  First question: 

Flow down our DFARS 252.204-7012 requirements

If we are a contractor with a DFARS 7012 clause, do we flow down these requirements to the subcontractors within our contract?

It depends.  DFARS 7012 clause flows down to wherever your CUI goes.  You need to flow down DFARS 7012 to subcontractors that receive your CUI.  If you do not pass your CUI to a subcontractor there are no DFARS requirements for that subcontractor.  Here’s another question: 

Flow down of CMMC / DFARS 252.204-7021

CMMC or DFARS 7021 states that a prime contractor can determine the level of CMMC certification required for their subcontractor based on the information flow down.  How do we address the flow-down requirements in combination with DFARS 7012 and 7020? 

If your subcontractor only needs Federal Contract Information or FCI, and only receives your FCI, you will flow down the CMMC level 1 requirement to them.  For your subcontractors that receive the  CUI, you will need to flow down the CMMC level 2 or level 3 requirements as well as the DFARS 7012 and 7020 requirements to them.

Commercial off the shelf COTS exception

There’s an exception:  If your subcontractor is a commercial off the shelf or COTS vendor, then they are exempt from the CMMC. 

Thank you for watching!

This is Kyle Lai, President, and Chief Information Security Officer at KLC Consulting.  If you have any additional questions, please contact us at cmmc@klcconsulting.net.  Thank you.

DFARS Flow Down Requirements.  KLC Consulting CMMC YouTube
DFARS Flow Down Requirements.  KLC Consulting CMMC LInkedIn

Check out our YouTube channel and LinkedIn pages for the latest information and education resources for Cybersecurity Maturity Model Certification.

Please visit our main page for more information about our NIST 800-171 and CMMC compliance services

Let’s Talk About NIST 800-171 and CMMC

We meet you where you’re at and bring you to ‘CMMC Assessment Ready’
with as much or as little help as you need

Scroll to Top