Loading...
When primes share CUI with subcontractors via CRM, the sub's CRM must also meet CMMC requirements. This guide covers 32 CFR 170.23 flowdown rules, how CUI flows through CRM in prime-sub relationships, verification obligations, common failures, and why purpose-built CRM solves the 300,000-company supply chain compliance problem.
Cabrillo Club
Editorial Team · February 25, 2026 · 22 min read
When a prime contractor shares CUI with a subcontractor via CRM -- contact data for DoD program managers, technical requirements from a performance work statement, proposal details with controlled specifications, subcontract delivery schedules tied to classified program timelines -- the subcontractor's CRM must also meet CMMC requirements. Most primes do not verify this. Most subs do not realize it applies. And the CRM systems on both sides of the relationship are almost never architected to handle CUI transfers with the auditability and access controls that CMMC demands.
The flowdown problem in defense contracting is not new. FAR and DFARS have imposed supply chain compliance obligations for decades. But CMMC adds a dimension that changes the calculus for every CRM deployment across the Defense Industrial Base: before a prime can share CUI with a subcontractor, the sub must hold a verified CMMC certification at the appropriate level, and every system the sub uses to process that CUI -- including its CRM -- must be within its assessed boundary. That is not an aspiration. It is a regulatory requirement codified in 32 CFR Part 170 and enforced through DFARS 252.204-7021.
This guide breaks down the flowdown requirements from both sides of the prime-sub relationship, explains how CUI actually moves through CRM systems during teaming and subcontract performance, identifies the most common compliance failures, and provides a practical architecture for compliant CUI sharing. Whether you are a prime contractor managing a supply chain of 50 subcontractors or a 15-person sub trying to figure out which systems need to be in scope, this is the guide that connects the regulatory language to the CRM reality.
For the foundational framework on building a CUI-safe CRM environment, start with our CUI-safe CRM guide.
---
---
The regulatory foundation for CMMC flowdown sits in two documents: the CMMC program rule at 32 CFR Part 170 and the contract clause at DFARS 252.204-7021. Together, they create a cascading obligation that extends CMMC requirements from the prime contractor through every tier of the supply chain.
Section 170.23 is the core flowdown provision. It states that prime contractors "shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers." This is not discretionary language. The word "shall" makes it a binding obligation.
The section establishes a tiered framework for determining which CMMC level applies to each subcontractor:
| Scenario | Required CMMC Level for Sub |
|---|---|
| Sub processes only FCI (not CUI) | Level 1 (Self-Assessment) |
| Sub processes CUI | Level 2 (Self-Assessment), minimum |
| Sub processes CUI and prime contract requires Level 2 (C3PAO) | Level 2 (C3PAO Assessment) |
| Sub processes CUI and prime contract requires Level 3 (DIBCAC) | Level 2 (C3PAO Assessment), minimum |
The critical implication for CRM: the determination of which level applies depends on what information the sub will process, store, or transmit on its own systems. When a prime shares opportunity data, contact records for DoD personnel, technical requirements, or proposal information with a sub via CRM, and any of that data qualifies as CUI, the sub's CRM is an in-scope system that must meet the corresponding CMMC level.
The DFARS clause translates the CMMC program rule into enforceable contract language. It imposes three specific obligations on prime contractors with respect to subcontractors:
For contractors already navigating the broader regulatory landscape, our FAR and DFARS quick reference provides essential context on how these cybersecurity clauses fit within the larger acquisition framework.
The regulatory language refers to "information systems" -- any system that processes, stores, or transmits FCI or CUI. A CRM system that holds opportunity records with contract numbers, contact records for DoD program managers, teaming partner data, subcontract details, or any communications related to controlled programs is, by definition, an information system processing CUI.
This means:
---
Understanding where CUI enters and exits CRM systems across the prime-sub boundary is essential for both compliance scoping and architectural design. The data flows are more extensive than most organizations realize.
When a prime identifies a subcontracting opportunity and shares it with a potential sub, the opportunity record typically contains:
This data enters the sub's CRM the moment the prime shares the opportunity -- whether via email that gets logged to the CRM, a direct data export, or a shared CRM portal. The sub's sales team adds it to their pipeline, associates it with contacts, and begins tracking it alongside their commercial opportunities. The CUI is now in the sub's CRM, and every control in NIST SP 800-171 applies to how it is stored, accessed, and protected.
During the teaming and capture phase, primes and subs exchange significant controlled data through CRM and adjacent systems. Our teaming agreement guide covers the legal framework, but the CRM implications are equally important:
Each of these data points typically lives in a CRM record -- attached to an opportunity, linked to a contact, or stored as a document within the CRM's file system. The moment CUI enters these records, both the prime's and the sub's CRM instances are in scope.
When a prime shares technical requirements with a subcontractor to support proposal development or contract performance, the data often flows through or is referenced in CRM systems:
Technical data packages represent some of the most sensitive CUI categories. When this data is stored in a CRM that lacks encryption at rest, proper access controls, or audit logging, both the prime and sub are in violation of multiple NIST 800-171 control families simultaneously.
After contract award, ongoing subcontract management generates a continuous stream of CUI through CRM systems:
This is the phase where CUI exposure is most sustained and least monitored. The initial teaming phase gets compliance attention because it is associated with a discrete event -- the subcontract award. But the ongoing management phase generates CUI data flows for months or years, typically with no structured compliance review.
---
Prime contractors bear the primary regulatory burden for ensuring subcontractor CMMC compliance. This obligation is not passive -- it requires affirmative verification before CUI is shared.
Before awarding a subcontract that involves CUI, the prime must verify that the sub holds a current CMMC certificate or self-assessment at the required level. The verification process involves:
Here is where the process gets operationally difficult. DoD does not currently provide a mechanism for prime contractors to directly look up subcontractor CMMC status in SPRS. Primes can only access their own CMMC information. To verify a subcontractor's status, primes must request that the sub provide documentation -- typically a screenshot or printout of their SPRS entry showing their CMMC status.
This means the verification process is largely manual and trust-based. Primes must:
For primes managing dozens or hundreds of subcontractor relationships through CRM, this creates a significant data management challenge. Every subcontractor record in the CRM needs associated CMMC verification documentation, expiration tracking, and re-verification workflows.
The obligation does not end at subcontract award. Primes must ensure that subs maintain annual affirmations in SPRS confirming continuous compliance. This creates a recurring compliance cycle:
| Activity | Frequency | Prime Responsibility |
|---|---|---|
| Initial CMMC status verification | Pre-award | Confirm status, document evidence |
| SPRS affirmation check | Annual | Verify sub's annual affirmation is current |
| Re-assessment tracking | Every 3 years | Confirm sub's assessment has not expired |
| Scope change review | As needed | Re-evaluate CMMC level if sub's work scope changes |
| Incident notification | As occurs | Ensure sub reports cyber incidents per DFARS 7012 |
Without a CRM system designed to track these compliance milestones, primes rely on spreadsheets, calendar reminders, and institutional memory -- none of which will satisfy an assessor's evidence requirements.
---
For subcontractors -- especially small businesses that make up roughly 73% of the Defense Industrial Base -- the CRM compliance burden can feel overwhelming. But it is also more bounded than many assume, provided the sub takes a disciplined approach to scoping.
When a prime shares CUI with a subcontractor, every system the sub uses to process that information falls within the CMMC assessment boundary. For CRM specifically, this means:
If the sub stores opportunity data, contact records, proposal artifacts, or subcontract management data related to CUI programs in a CRM, that CRM must meet all 110 NIST 800-171 controls required for CMMC Level 2.
The practical requirements include:
Our CMMC compliant CRM checklist maps all 25 specific CRM requirements to their corresponding NIST 800-171 controls.
Small subcontractors receiving CUI from primes do not need to replicate the enterprise security infrastructure of a large prime. But they do need to make intentional architectural choices. The minimum viable approach for CRM compliance involves:
Small subcontractors face a specific cost calculus when it comes to CRM compliance:
Most defense contractors use commercial CRMs never built for controlled data. See how a CUI-safe CRM changes the equation.
Explore CUI-Safe CRM| Approach | Estimated Annual Cost | Risk Level |
|---|---|---|
| Retrofit commercial CRM (Salesforce/HubSpot) | $25,000-$75,000 | High — many gaps cannot be closed |
| Dedicated GovCon CRM with CMMC features | $5,000-$15,000 | Medium — depends on vendor's actual compliance |
| Purpose-built CUI-safe CRM platform | $3,000-$10,000 | Low — designed for compliance from day one |
| Use prime's systems only (no own CRM) | $0 (direct) | Variable — see decision matrix below |
The counterintuitive finding: purpose-built platforms are often cheaper than retrofitting commercial CRM because they eliminate consulting, configuration, and ongoing remediation costs.
---
The gap between regulatory requirements and operational reality is wide. These are the most frequent flowdown failures that auditors identify, nearly all of which involve CRM systems or the data that flows through them.
This is the most pervasive failure mode. A prime's program manager emails a subcontractor with opportunity details, technical requirements, or contract information containing CUI. The sub's email system automatically logs the message to their CRM via BCC logging, sidebar plugin, or API integration. The CUI is now in a CRM that:
The prime never verified the sub's CMMC status before sharing the data. The sub never classified the data as CUI before it entered the CRM. Neither party has an audit trail of the transfer. For a deeper examination of this vector, see our analysis of the email ingestion CUI compliance blind spot.
A disturbingly common approach among prime contractors is to include CMMC flowdown language in the subcontract -- satisfying the clause insertion requirement of DFARS 7021 -- without actually verifying the sub's compliance status or monitoring ongoing adherence. The prime's contracts team inserts the clause. The prime's supply chain team never follows up. The prime's CRM has no field tracking the sub's CMMC status, no workflow triggering annual re-verification, and no alert when a sub's assessment expires.
This creates a false sense of compliance. The clause is flowed down on paper, but the verification obligation is unmet. When the prime's own assessor asks for evidence of subcontractor CMMC verification, the prime has nothing but a contract clause -- which is necessary but not sufficient.
Even when both the prime and sub have reasonably compliant CRM systems, the transfer of CUI between those systems typically has no audit trail. Data moves via:
An assessor evaluating either party's CMMC compliance will ask: "How do you know what CUI was shared with this subcontractor, when it was shared, who authorized the sharing, and how it was transmitted?" Without a CRM architecture designed to answer those questions, neither party can produce compliant evidence.
Many primes track subcontractor CMMC status in spreadsheets -- a practice that fails on multiple levels:
This is not a compliant approach to managing the verification obligation. The data belongs in a CRM system with proper access controls, audit logging, and automated compliance workflows.
A sub is verified at CMMC Level 1 because the initial subcontract only involves FCI. Six months into performance, the prime's program manager starts sharing CUI with the sub via CRM -- technical data, personnel details, or program-specific information that exceeds FCI. The sub's CMMC level no longer matches the data it is receiving, but no one re-evaluates the scope because the initial verification is "done."
This failure is particularly dangerous because it looks compliant on paper. The initial verification was legitimate. The flowdown clause is in the subcontract. But the operational reality has drifted beyond the original compliance scope, and neither party's CRM has any mechanism to detect or flag the drift.
---
Solving the flowdown problem at the CRM level requires architectural thinking, not just policy. Both the prime's and sub's CRM environments need specific capabilities to support compliant CUI sharing across organizational boundaries.
The foundation is a CRM architecture that treats external data sharing as a first-class compliance function, not an afterthought bolted onto a commercial platform. The key architectural components:
Data classification at the point of entry. Every record entering the CRM must be evaluated for CUI status before it is stored. This means the CRM needs classification workflows -- either automated (based on rules like contract number patterns, program name matching, or source identification) or user-assisted (prompting the user to classify data as CUI or non-CUI before saving).
Controlled sharing boundaries. The CRM must enforce rules about what data can be shared externally, with whom, and through what channels. This is not just access control within the CRM -- it is boundary enforcement that prevents CUI from leaving the system via unauthorized channels (email export, CSV download, API extraction) without appropriate controls.
Access logging at the transfer point. Every instance of CUI being shared with an external party must generate an immutable audit record that captures: what data was shared, with whom, when, by whom, through what channel, and under what authorization. This is the evidence both primes and subs need for their respective assessments.
Recipient verification. Before CUI can be shared with a subcontractor through the CRM, the system should verify that the recipient organization has a current, valid CMMC status at the appropriate level. This can be implemented as a lookup against stored verification records, preventing CUI sharing with non-compliant entities.
A properly architected prime-sub CUI sharing workflow through CRM looks like this:
Prime CRM (CUI-Safe)
│
├─ Step 1: Data classified as CUI at entry
├─ Step 2: Sub's CMMC status verified (pre-award)
├─ Step 3: Sharing authorization recorded
├─ Step 4: CUI transmitted via encrypted channel
├─ Step 5: Transfer logged with immutable audit trail
│
▼
Sub CRM (CUI-Safe)
│
├─ Step 6: Data classified as CUI at ingestion
├─ Step 7: Stored within CMMC assessment boundary
├─ Step 8: Access restricted to authorized personnel
├─ Step 9: All access logged and auditable
└─ Step 10: Retention and disposal per policyEvery step generates evidence. Every step is auditable. Every step maps to specific NIST 800-171 controls. This is the standard that assessors expect, and it is achievable only with CRM architecture designed for this purpose.
The CRM does not exist in isolation. Compliant CUI sharing requires integration with:
For organizations evaluating how zero-trust CRM architecture addresses these integration requirements, the key insight is that zero trust eliminates the assumption that any user, device, or network segment is inherently trusted -- which is exactly the posture needed for cross-organizational CUI sharing.
---
The Defense Industrial Base encompasses between 220,000 and 300,000 contractors and subcontractors. Approximately 118,000 of those companies need CMMC Level 2 certification. Small businesses account for roughly 73% of the DIB. And here is the uncomfortable reality: the vast majority of these companies are running CRM systems that cannot meet CMMC requirements, and most do not have the budget, expertise, or time to retrofit them.
The defense supply chain's CRM compliance problem is not a knowledge gap that training can fix. It is a structural problem rooted in the economics of commercial CRM platforms:
Commercial CRM was not designed for CUI. Salesforce, HubSpot, Microsoft Dynamics, and their competitors were built to maximize sales productivity in unregulated environments. The features that make them powerful -- open APIs, broad integrations, cloud-based accessibility, minimal access friction -- are the same features that create CMMC compliance failures. Retrofitting these platforms for CUI handling is possible for large enterprises with dedicated compliance teams, but it is not viable for a 15-person machine shop that subcontracts to three primes.
The cost of retrofitting is prohibitive at scale. Configuring a commercial CRM for CMMC compliance typically costs $25,000-$75,000 in the first year -- consulting fees, add-on licensing, custom configuration, documentation, and assessment preparation. Multiply that across 118,000 companies, and the aggregate cost to the DIB is staggering. Most small businesses will not spend it. Industry projections suggest that between 33,000 and 44,000 companies -- 15-20% of the DIB -- will exit the defense market between 2025 and 2027 rather than bear the compliance cost.
Primes cannot enforce what subs cannot afford. Even when primes take their verification obligations seriously, they face a supply chain where the majority of small subs are not equipped to demonstrate CRM compliance. The prime's options are limited: restrict CUI sharing to only compliant subs (reducing the available supply base), accept the risk of sharing with non-compliant subs (violating DFARS 7021), or help subs achieve compliance (an unfunded mandate that few primes are willing to absorb).
The structural solution is not to make commercial CRM compliant -- it is to give the defense supply chain CRM that is compliant by design. Purpose-built CUI-safe CRM eliminates the retrofit problem by embedding CMMC requirements into the platform's architecture from the ground up:
Cabrillo Club was designed for exactly this problem. When both the prime and the sub operate on a CUI-safe CRM platform, compliant data sharing is a built-in capability -- not a compliance project that consumes months and tens of thousands of dollars.
---
Not every subcontractor needs to deploy a standalone CUI-safe CRM. The decision depends on the nature of the prime-sub relationship, the type of data being shared, and the sub's existing infrastructure. Use this matrix to evaluate your situation:
| Factor | Own CUI-Safe CRM Needed | Prime's Systems May Suffice |
|---|---|---|
| Number of prime relationships | Multiple primes sharing CUI | Single prime, exclusive relationship |
| CUI volume | Regular, ongoing CUI data flows | Occasional, limited CUI exposure |
| Data types | Contact records, pipeline, proposals, subcontract data | Only technical documents (not CRM data) |
| Sub's independent BD | Sub actively pursues own prime contracts | Sub only works as sub, no independent pipeline |
| Duration | Multi-year contracts with ongoing data flows | Short-term, project-specific engagements |
| Prime's system access | Prime does not provide compliant portal | Prime provides sub portal with CUI controls |
| Sub's team size | 5+ people needing CRM access | 1-2 people; manual tracking is feasible |
| Assessment approach | Sub pursuing own CMMC certification | Sub's work is scoped under prime's boundary |
If the sub works exclusively for one prime, the prime provides a compliant portal or shared CRM environment, and the sub's scope of CUI handling is limited to what the prime's systems facilitate, the sub may not need independent CUI-safe CRM. However, the sub should verify in writing that:
If the sub works with multiple primes, maintains its own business development pipeline, stores CUI-related data in its own systems, or plans to pursue prime contracts independently, a standalone CUI-safe CRM is not optional -- it is a regulatory requirement. The sub's CRM will be in its CMMC assessment boundary, and every control must be met.
For small subs evaluating their options, our CMMC for small business guide provides the broader compliance framework, including cost benchmarks and phased implementation strategies.
---
Whether you are a prime needing to verify and manage subcontractor compliance, or a sub needing to stand up CUI-safe CRM for the first time, the implementation follows a structured sequence.
Phase 1: Inventory and classification (Weeks 1-4)
Phase 2: Verification infrastructure (Weeks 5-8)
Phase 3: Controlled sharing implementation (Weeks 9-16)
Phase 4: Ongoing monitoring (Continuous)
Phase 1: Scoping (Weeks 1-2)
Phase 2: Platform decision (Weeks 3-4)
Phase 3: Implementation (Weeks 5-12)
Phase 4: Certification and maintenance (Weeks 13+)
---
Yes, but at a lower level. Under 32 CFR 170.23, subcontractors that process only FCI (not CUI) need CMMC Level 1, which requires a self-assessment against 17 basic practices from FAR 52.204-21. Level 1 is significantly less burdensome than Level 2, but it still means the sub's CRM (if it processes FCI) must meet those 17 controls. The key determination is whether the data flowing through the CRM qualifies as CUI or only as FCI -- a classification that depends on the program, the data type, and the CUI marking authority's determination.
No. As of February 2026, DoD does not provide a mechanism for prime contractors to look up subcontractor CMMC status directly in SPRS. Primes can only access their own records. To verify a sub's status, primes must request that the sub provide documentation -- typically a screenshot or printout of their SPRS entry. This manual process is a known limitation, and DoD has acknowledged the need for an improved verification mechanism. In the meantime, primes should formalize the documentation request in their subcontract administration procedures and store the evidence in their CRM.
This is a contract compliance violation under DFARS 252.204-7021 and potentially a False Claims Act issue if the prime has affirmed its own compliance, which includes the obligation to verify subcontractors. The prime could face contract termination, suspension, debarment, or civil liability. The sub, meanwhile, is processing CUI without adequate security -- a violation of DFARS 252.204-7012 that also triggers 72-hour cyber incident reporting obligations if the data is compromised. Both parties are exposed, which is why pre-award verification is not optional.
It depends on whether the sub retains CUI on its own systems. If the sub accesses the prime's CRM portal, performs work within that environment, and retains no CUI on its own infrastructure (no local files, no email copies, no CRM records on its own systems), then the CUI processing may be scoped under the prime's assessment boundary rather than the sub's. However, this requires careful documentation, and the sub's endpoint devices (laptops, phones) used to access the portal may still be in scope. Consult with your C3PAO or CMMC assessor to determine the correct boundary.
Phase 2 of the CMMC rollout, beginning November 2026, is when contracting officers will start requiring C3PAO-assessed Level 2 CMMC status in solicitations. For subcontractors, this means that primes bidding on Phase 2 contracts will need to verify that their subs hold C3PAO-assessed Level 2 status -- not just self-assessments. If a sub's CRM is in its assessment boundary (which it likely is, if CUI flows through it), that CRM must pass the C3PAO assessment. Subs should be working toward this standard now, not waiting until Phase 2 contracts start appearing. The C3PAO assessment backlog is growing, and small businesses that wait will face longer scheduling delays and higher costs.
---
CMMC flowdown is ultimately about one thing: ensuring that CUI is protected at every point in the supply chain where it is processed, stored, or transmitted. For the defense industrial base, CRM is one of the primary systems where this data lives. Opportunity records, contact data, proposal artifacts, subcontract management data, and communications all flow through CRM on both sides of the prime-sub relationship.
The regulatory framework is clear. 32 CFR 170.23 mandates flowdown. DFARS 252.204-7021 enforces verification. NIST SP 800-171 defines the controls. The only question is whether your CRM architecture can meet these requirements -- or whether you are building compliance on a foundation that was never designed to support it.
For primes, the mandate is to verify before you share, track what you share, and monitor your supply chain's compliance status continuously. For subs, the mandate is to know what CUI you receive, process it only in compliant systems, and maintain your CMMC status with annual affirmations.
For both sides, the most efficient path is a CRM platform built for this purpose -- one where compliance is the architecture, not an afterthought.
Start with our CUI-safe CRM guide for the foundational architecture. Use our CMMC compliant CRM checklist to evaluate your current platform. And if you are a small business navigating these requirements for the first time, our CMMC for small business guide provides the cost benchmarks and implementation strategies you need to get started without overspending.
The flowdown clock is running. Your CRM either meets the standard or it does not. And when your prime -- or your assessor -- asks for evidence, "we're working on it" is not a compliant answer.
Most defense contractors use commercial CRMs never built for controlled data. See how a CUI-safe CRM changes the equation.
Explore CUI-Safe CRM
Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
Most defense contractors use commercial CRMs never built for controlled data. See how a CUI-safe CRM changes the equation.
Explore CUI-Safe CRM
CUI spillage in CRM systems is one of the most common and underreported compliance failures in defense contracting. This guide covers spillage vectors, detection methods, the DFARS 7012 72-hour reporting requirement, a 6-phase incident response playbook, and how CUI-safe CRM architecture prevents spillage by design.
Many contractors secure enclaves but overlook where CUI travels in CRM workflows. Learn how one firm mapped CUI data flow and closed key gaps in 12 weeks.
The compliance blind spot most defense contractors miss: email ingestion into non-compliant CRMs. Covers how CUI enters email, what happens when it hits a non-compliant database, NIST 800-171 controls violated, and architecture for CUI-safe email capture.