CMMC Flowdown


In the CMMC world, when your organization is entrusted with CUI or FCI, you must exercise care in who you pass it on to. It makes no sense to have you jump through all the hoops of CMMC, but then to allow you to hand your CUI over to organizations without proper controls. So, part of your certification is to ensure that your sub-contractors have their appropriate certification before you can provide them with any controlled data.

This could prove to be a major CMMC stumbling block for many organizations.

In 32 CFR 170.23 (Final Version 2024), the CMMC rule describes how the CMMC requirements apply to “prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in the performance of the contract or subcontract.” The various circumstances resulting in which certification processes are outlined in the standard’s Table 2:
While the newest version of the standard does not burden the organization with assessing their subcontractors, there is a clear flowdown mandate. The standard says that the CMMC organization “shall require subcontractors to comply with and to flow down CMMC requirements.” Before providing any controlled data (FCI or CUI) to a subcontractor, that subcontractor must provide documentation of their appropriate certification.

This will be a huge bottleneck for many CMMC implementations. They will go through the effort and expense required to earn their certification only to find key subcontractors do not have their certification. When moving down the supply chain, it is common for the organizations to be smaller and have fewer technical resources, making CMMC even more difficult. Your subcontractors’ difficulty in achieving certification becomes your barrier to conducting business in compliance with the CMMC legal requirements.

How can this challenge be reduced?
  1. Identify all of your existing subcontractors likely to be provided with FCI or CUI in the future.
  2. Contact the subcontractor to inform them of the CMMC requirement and explain how future business with your organization will depend on their certification. Keep in mind that they may not even know what CMMC is, so provide resources so they can understand what is required.
  3. Ask them if they intend to seek the required certification. If they are going to seek certification, determine a CMMC POC and an understanding of their CMMC timeline.
  4. If the existing subcontractors are not going to seek certification, then new subcontractors will have to be found.
  5. Plan on frequent communication with the CMMC POC at each organization.
  6. Provide the subcontractor with helpful information to assist their CMMC journey. Be an advocate, willing to provide guidance and answer questions.
To help your subcontractors achieve certification, you can see if they would be interested in some assistance from you. If so, you might assume a high-level project management role, to help nudge them along. CMMC is probably not the main business of your subcontractors, so your involvement can help elevate CMMC to a priority. Consider scheduling a monthly call or meeting to learn what they have accomplished and see if your experience can help with any of their challenges. While you do not have a responsibility or right to participate in their CMMC process, making yourself available could be mutually beneficial. This form of partnering on their CMMC process requires both parties to agree to it. Because you are the customer, most subcontractors will agree to your involvement, even if they secretly view it as meddling.

CMMC is hard. It is generally harder in small organizations. The more useful tools and information you can provide your subcontractors, the easier their road to certification.

One such useful tool is DIY CMMC For Small Business by Richard McInteer, CCP. This is a book that guides a small business along their CMMC journey. This book shows businesses how to create an effective CMMC implementation, with a deep understanding of the challenges of small business. Bulk pricing of the book is available.
Bulk pricing of DIY CMMC for Small Business
10 Pack of Books
$799.90 ($79.99/copy)
cards
Powered by paypal
See our partner site https://cmmcgear.com for CMMC promotional goods to motivate and celebrate CMMC!
Copyright 2024, Crossways Concepts, LLC