DFARS 7012 Flow-Down Requirements Explained

What’s New (Updated DFARS & Flow-Down Enforcement)

This blog reflects current CMMC enforcement following publication of the DFARS acquisition rule in September 2025, effective November 10, 2025. DFARS 252.204-7012 flow-down obligations remain in force. The DoD is now phasing CMMC requirements into its solicitations. This post updates references to CMMC implementation. Enforcement is now active, with increased scrutiny of subcontractor compliance.

Understanding CMMC Requirements in Today’s Compliance Environment

Navigating the intricate landscape of government contracting means understanding its ever-evolving regulations. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 serves as the foundation for cybersecurity requirements in the Defense Industrial Base (DIB). Most organizations refer to it simply as DFARS 252.204-7012 or DFARS 7012.

In this blog, you will learn about the crucial flow-down requirements of that clause. We’ll show how these requirements bolster cybersecurity, enhance supply chain risk management, and help protect covered defense information across a prime contractor’s supplier network. To grasp the real-world DFARS 7012 compliance implications for your organization, we’ll unpack the DFARS 7012 requirements and their overarching goals.

What Is DFARS 7012?

DFARS 7012 provides a framework for protecting sensitive information known as Controlled Unclassified Information (CUI) within the DIB. As defined by the Defense Counterintelligence and Security Agency, “CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.” As the name implies, CUI does not refer to classified information or data maintained within government agencies. The clause also requires contractors to rapidly report (within 72 hours) cyber incidents to DoD via DIBNet.

In many respects, DFARS 7012 and the DFARS clause 252.204-7021 (DFARS 7021), which implements the Cybersecurity Maturity Model Certification (CMMC) framework in DoD solicitations, are similar in their overall goal of ensuring that DIB companies are DFARS compliant and adequately protect CUI from threat actors and cyber-attacks.

However, there are several key differences regarding the specificity of scope, contractual requirements, and, most notably, compliance attestation. Beginning November 10, 2025, DoD is phasing CMMC requirements into solicitations and contracts over a three-year period. Many organizations handling CUI will require a C3PAO-performed Level 2 certification; others may perform self-assessments as specified in 32 CFR Part 170.

DFARS 252.204-7012 requirements mandate that contractors complete a self-assessment and attest to implementation of the controls defined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). Following contract award, contractors must provide evidence showing that they and their subcontractors have implemented the NIST SP 800-171 controls or have documented a concrete remediation plan.

What Are DFARS 252.204-7012 Flow-Down Requirements and Who Is Subjected to Them?

The awarded (prime) contractor assumes the responsibility for ensuring that its multi-tiered supply chain of subcontractors, vendors, and partners understands and executes the various DFARS 7012 compliance requirements that apply to them. This includes placing relevant DFARS-compliant provisions in all subcontracts. Most importantly, DFARS CUI regulations require any company in the subcontractor supply chain that stores, handles, or transmits CUI to comply with NIST SP 800-171 in its entirety.

As a result, these DFARS cybersecurity requirements “flow down” from the prime contractor to its subcontractor supply chain, and the prime contractor remains responsible for enforcement. While it may seem redundant, flow-down requirements play a vital role in ensuring that CUI is protected wherever it travels and that DFARS cybersecurity requirements are consistently enforced among all relevant parties.

In a presentation in October 2018, the Department of Defense stated:

The contractor shall determine if the information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding. The contract requires primes to enforce flow-down obligations as part of their compliance responsibilities. If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system.

What Happens If DFARS CUI Flow-Down Requirements Are Not Fulfilled?

When a DIB company fails to meet government-mandated flow-down requirements, the government may impose strict penalties, including the following:

  • Termination of contract
  • Ineligibility for future contracts
  • Legal fees, fines, and penalties, including those identified within the Department of Justice’s False Claims Act
  • Reputational harm

Safeguarding CUI

To adequately safeguard CUI, NIST SP 800-171 defines 14 security requirement families, each containing a set of controls (110 in total) that must be implemented to fully protect CUI. The top-level breakdown of families and controls looks like this:

  • Access Control (22 controls)
  • Awareness and Training (3 controls)
  • Audit and Accountability (9 controls)
  • Configuration Management (9 controls)
  • Identification and Authentication (11 controls)
  • Incident Response (3 controls)
  • Maintenance (6 controls)
  • Media Protection (9 controls)
  • Personnel Security (2 controls)
  • Physical Protection (6 controls)
  • Risk Assessment (3 controls)
  • Security Assessment (4 controls)
  • System and Communications Protection (16 controls)
  • System and Information Integrity (7 controls)

The complexities of DFARS 7012 compliance go beyond prime contractors simply adhering to set standards; they must also ensure that their entire multi-tiered network of subcontractors complies with DFARS CUI requirements. Meeting DFARS 7012’s flow-down requirements also takes more than understanding the 110 controls found in NIST SP 800-171: prime contractors need clear visibility across their entire supply chain.

CMMC 2.0 and the Evolving Landscape of CUI Safeguarding

The landscape will continue to evolve with the inclusion of DFARS 252.204-7021 and its CMMC 2.0 framework in DoD contract solicitations. As of late 2025, the Department of Defense finalized the acquisition rule implementing CMMC and began phasing it into new solicitations on November 10, 2025.

While DFARS 7021 may ease some of the prime contractor’s burden by mandating third-party certification for many Defense Industrial Base (DIB) companies that store, handle, or transmit CUI, it also raises the bar for evaluation, enforcement, and accountability across the supply chain.

As this transition continues, DFARS 7012 requirements remain firmly in place, and DoD enforcement of flow-down clauses is likely to intensify as prime contractors demonstrate stronger oversight of subcontractor compliance.

Every stakeholder in the DIB supply chain must remain informed, vigilant, and proactively committed to maintaining and demonstrating compliance, not just to win new contracts, but to preserve existing relationships and reduce cybersecurity risk.

If your organization lacks clear visibility into subcontractor CUI handling or DFARS 7012 compliance, now is the time to reassess. Explore structured approaches that help defense contractors manage flow-down requirements, document supplier compliance, and prepare for CMMC-driven evaluations under active enforcement.

If you need help with your CMMC 2.0 journey, or with understanding what CUI is and how to handle it, reach out to us or visit our site to find out how our CMMC Ready Suite can help.

Next Steps

Prime contractors should review subcontractor agreements to confirm DFARS 7012 flow-down language is current, validate that suppliers handling CUI have implemented NIST SP 800-171 controls, and ensure SPRS scores and evidence are accurate. Identify which suppliers may now require CMMC Level 2 assessments under DFARS 7021 and establish a process for tracking compliance across tiers. Proactive flow-down management now reduces risk during contract award and audit review.

Frequently Asked Questions About DFARS 252.204-7012 Flow-Down Requirements

What is a flow-down requirement?

A flow-down requirement is a contractual obligation that a prime contractor must pass down to its subcontractors and suppliers. Under DFARS 252.204-7012, the flow-down clause requires any subcontractor that stores, handles, or transmits CUI to implement all NIST SP 800-171 security controls and report cyber incidents within 72 hours. The prime contractor must include these flow-down clauses in all relevant subcontract agreements and verify that subcontractors comply.

What is the difference between DFARS 7012 and CMMC?

DFARS 7012 requires contractors to self-assess their implementation of NIST SP 800-171 controls and attest to their compliance. CMMC, implemented through DFARS clause 252.204-7021, adds a verification layer: many contractors handling CUI must obtain a third-party certification (CMMC Level 2) from an authorized Certified Third-Party Assessment Organization (C3PAO) rather than self-attesting alone. Both frameworks use the same NIST SP 800-171 controls, but CMMC introduces independent evaluation to strengthen DFARS 7012 compliance across the defense industrial base.

Who does DFARS 7012 apply to?

DFARS 252.204-7012 requirements apply to any contractor or subcontractor that processes, stores, or transmits CUI on behalf of the Department of Defense. That includes prime contractors who receive CUI directly from the DoD and every tier of the supply chain that handles it downstream. Even small businesses operating as second- or third-tier subcontractors must meet the same DFARS cybersecurity requirements as the prime if they handle CUI.

What is an SPRS score, and how does it relate to DFARS 7012?

The Supplier Performance Risk System (SPRS) score represents a contractor’s self-assessed implementation of NIST SP 800-171 controls numerically, ranging from -203 (no controls implemented) to 110 (full implementation). Under DFARS 7012 and the companion clause DFARS 252.204-7019, contractors must submit their current SPRS score to the DoD before contract award. Prime contractors should verify that their subcontractors have submitted accurate, up-to-date SPRS scores as part of meeting their flow-down requirements.

Do cloud service providers need to comply with DFARS 7012?

Yes. DFARS 252.204-7012 explicitly states that contractors using cloud computing to store or process CUI must use services that meet FedRAMP Moderate baseline or equivalent security standards. The cloud service provider must also comply with cyber incident reporting obligations under the clause. Contractors should verify that any cloud platform used for CUI meets these standards, because a non-compliant provider can jeopardize DFARS 7012 compliance for the entire supply chain.