October 26, 2022

Last Updated on January 12, 2024

DIB Orgs: Here’s What’s Up with CMMC “Flowdown” and New Pressures from Primes

As the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v2 ramps up towards a mid-2023 “go-live,” orgs in the US defense industrial base (DIB) are feeling more compliance pressure from prime contractors. A top example is a mandate to “flow down” cybersecurity requirements (e.g., NIST 800-171 compliance) to your subcontractors and their subcontractors. Another is contract language mandating additional cybersecurity controls beyond NIST 800-171/CMMC, such as DISA STIG compliance or achieving an ISO 27001 certification.

To address these and other common concerns across the DIB, CMMC expert and Pivot Point Security NIST/CMMC practice lead George Perezdiaz joined a recent episode of The Virtual CISO Podcast. The show is hosted by John Verry, Pivot Point Security CISO and Managing Partner.


Are primes “allowed” to demand additional security controls?

If one of your primes is demanding that you implement security controls beyond NIST 800-171 (aka CMMC Level 2), you have three choices:

  1. Sign the contract and do what you just agreed to
  2. Decide it’s not worth it and don’t participate in the contract
  3. Negotiate for a different outcome, such as the prime paying for your security upgrades to meet their add-on requirements

Why would a prime request additional controls? Most likely their needs relate to the specific CUI you'll be handling and how it must be protected. If you can convince them that you're ready to safeguard their information without making some or all of those additional changes, great. Just make sure you're well informed and equipped before you have that conversation.


Will CMMC assessors be looking at flowdown of CMMC requirements to subcontractors and vendors?

While NIST 800-171 and CMMC v2 don’t include vendor due diligence guidance, the DFARS 7012 clause included in many DoD contracts does. The DoD has added specific guidance into the CMMC assessment process that directs third-party assessors (C3PAOs) to validate flowdown of cybersecurity requirements per the DFARS.

So, both as a contract requirement and to pass your CMMC assessment, you're obligated to mandate and validate that vendors handling CUI on your behalf are CMMC Level 2 compliant. Likewise, any cloud or SaaS provider whose service stores, processes or transmits CUI needs a FedRAMP Moderate authorization (or an equivalent, as DFARS 7012 allows).

“That’s why we always emphasize: Read the contract,” says George. “Read those clauses and provisions and make sure you understand and you agree, and that you’re going to implement your CUI program in accordance with all those different caveats.”


What’s next?

To catch the complete CMMC Q&A with George Perezdiaz, click here.

How come NIST 800-171 or CMMC don’t address “flowdown” and supply chain risk? This post tells all: Why Don’t NIST 800-171 or CMMC Cover Supply Chain Risk Management?