Can I refuse the flow-down?

Not on an active subcontract that involves CUI. Refusing typically means losing the work or being held in default. You can, however, negotiate scope and timeline.

What if I don't actually handle CUI?

Reply in writing stating that your scope of work does not include CUI and ask the prime to confirm. Keep that exchange on file — it protects you in an audit.

Do I have to share my SSP with the prime?

DFARS 7012 does not require it. Most primes accept a summary attestation. Hand over the full SSP only under NDA and only if contractually required.

What if I get flow-downs from multiple primes with conflicting requirements?

Build to the strictest common denominator (typically CMMC Level 2 + FIPS-validated encryption + 72-hour reporting). One compliant environment serves all primes.

Responding to a Prime's CMMC Flow-Down Letter (Template Inside)

Short answer: A "flow-down letter" is a prime contractor's notice that they are obligating you, as a subcontractor, to comply with DFARS 252.204-7012 and (eventually) CMMC Level 2 because they've decided you handle CUI. You generally cannot refuse the flow-down on an active contract — but you can: (1) ask for the specific CUI you'll handle and how, (2) negotiate a realistic compliance timeline tied to contract milestones, (3) limit scope to a defined enclave, and (4) get the prime to fund or share security costs. Respond in writing within 10 business days with a posture statement and a plan.

What a flow-down letter is

Under DFARS 252.204-7012(m), primes must flow down the clause to any subcontractor whose work involves covered defense information. The letter is the prime's way of saying: "We've decided your scope of work touches CUI; here is what we expect." Common attached requirements: a posted SPRS score within 30 days, MFA enforcement, FIPS-validated encryption, 72-hour incident reporting to both DoD and the prime, and a path to CMMC Level 2 certification.

What is actually negotiable

Scope: Confirm exactly which deliverables involve CUI. If it's only a single drawing package, push for an enclave-scoped solution rather than enterprise-wide compliance.
Timeline: Full CMMC Level 2 in 60 days is unrealistic and primes know it. 6–12 months tied to milestones is reasonable.
Cost sharing: On larger awards, primes sometimes fund a portion of subcontractor security uplift via an ACO modification. Always ask.
SSP exchange: Push back if the prime demands your full SSP. A summary attestation plus shared control matrix usually suffices.

Not negotiable: the existence of the requirement, 72-hour reporting, FIPS-validated encryption for CUI, and the SPRS score itself.

Response template

[Date]

[Prime POC Name]
[Prime Company]
Re: DFARS 252.204-7012 Flow-Down — Subcontract #[XXXXX]

Dear [Name],

Thank you for the flow-down notice dated [date]. [Your Company] acknowledges the DFARS 252.204-7012 obligations associated with this subcontract and is committed to safeguarding any covered defense information we receive.

To align our compliance plan with the actual scope of work, please confirm:

The specific CUI categories and deliverables we will handle.
Whether CUI will reside in our environment, the prime's environment, or both.
Required transmission and storage standards beyond FIPS 140-3 validated cryptography.

Current posture: NIST 800-171 self-assessment is posted in SPRS (score [X], dated [date]). MFA, FIPS-validated encryption, and centralized audit logging are operational. Outstanding controls are tracked in our POA&M with target closure of [date].

Path to CMMC Level 2: we plan a C3PAO assessment in [Quarter, Year]. We propose interim risk acceptance via a defined enclave (described in attached scoping memo) until certification.

Please advise on cost-share or schedule accommodation available under this subcontract.

Regards,
[Name, Title]

What to do after you send it

Log the letter and your response in your compliance file — primes audit this.
Update your SPRS score within 30 days if it's older than 12 months.
Carve out the enclave you described in the response and document it in your SSP.
Set a quarterly check-in with the prime's security POC.

Mentioned in this guide

Frequently asked questions

Can I refuse the flow-down?: Not on an active subcontract that involves CUI. Refusing typically means losing the work or being held in default. You can, however, negotiate scope and timeline.
What if I don't actually handle CUI?: Reply in writing stating that your scope of work does not include CUI and ask the prime to confirm. Keep that exchange on file — it protects you in an audit.
Do I have to share my SSP with the prime?: DFARS 7012 does not require it. Most primes accept a summary attestation. Hand over the full SSP only under NDA and only if contractually required.
What if I get flow-downs from multiple primes with conflicting requirements?: Build to the strictest common denominator (typically CMMC Level 2 + FIPS-validated encryption + 72-hour reporting). One compliant environment serves all primes.

Related guides

DFARS 252.204-7012: A Plain-English Guide for Small Contractors
DFARS · 9 min read
CMMC Level 1 vs Level 2: Which Do You Actually Need?
CMMC Basics · 7 min read
CUI Marking Guide: Banners, Portion Marks, and What DoD Actually Checks
CUI · 9 min read
NIST 800-171: All 110 Controls in Plain English
Controls · 12 min read