CMMC Flowdown Requirements and Your CRM: What Primes Owe Subcontractors (and Vice Versa)
When primes share CUI with subcontractors via CRM, the sub's CRM must also meet CMMC requirements. This guide covers 32 CFR 170.23 flowdown rules, how CUI flows through CRM in prime-sub relationships, verification obligations, common failures, and why purpose-built CRM solves the 300,000-company supply chain compliance problem.
Cabrillo Club
Editorial Team · February 25, 2026 · 22 min read

Key Takeaways
- Flowdown is mandatory and extends to CRM systems. Under 32 CFR 170.23, prime contractors must flow down CMMC requirements to every subcontractor that will process, store, or transmit CUI on its own information systems -- and CRM is almost always one of those systems. There is no exemption for "just contact data" or "just pipeline records."
- Primes must verify sub CMMC status before sharing CUI. DFARS 252.204-7021 requires prime contractors to confirm that subcontractors hold a current CMMC certificate or self-assessment at the appropriate level before awarding a subcontract. This is a pre-award gate, not a post-award aspiration.
- CUI flows through CRM in ways both parties underestimate. Opportunity records, teaming partner contact details, technical data packages, proposal artifacts, and subcontract management data all create CUI touchpoints in CRM systems on both sides of the relationship. See our CMMC compliant CRM checklist for the 25 specific controls your CRM must meet.
- The subcontractor's CRM compliance burden is real but right-sizeable. Small subs receiving CUI from primes need CMMC Level 2 compliance on their CRM, but the scope can be bounded by limiting which systems process CUI and implementing purpose-built architecture from the start.
- Most flowdown failures originate in CRM data transfers. CUI shared via unencrypted email, exported to spreadsheets, or pushed to non-compliant CRM instances is the single most common vector for supply chain compliance failures -- and neither party typically has an audit trail of what was shared, when, or with whom.
- Annual affirmation is now required for the entire supply chain. Both primes and subs must maintain annual affirmations in the Supplier Performance Risk System (SPRS) confirming continuous compliance -- a rolling obligation that makes CRM compliance a permanent operational requirement, not a one-time certification event.
- Purpose-built CRM eliminates the retrofit problem for both sides. When both prime and sub operate on CUI-safe CRM architecture, compliant data sharing becomes a platform feature rather than a compliance project.
When a prime contractor shares CUI with a subcontractor via CRM -- contact data for DoD program managers, technical requirements from a performance work statement, proposal details with controlled specifications, subcontract delivery schedules tied to classified program timelines -- the subcontractor's CRM must also meet CMMC requirements. Most primes do not verify this. Most subs do not realize it applies. And the CRM systems on both sides of the relationship are almost never architected to handle CUI transfers with the auditability and access controls that CMMC demands.
The flowdown problem in defense contracting is not new. FAR and DFARS have imposed supply chain compliance obligations for decades. But CMMC adds a dimension that changes the calculus for every CRM deployment across the Defense Industrial Base: before a prime can share CUI with a subcontractor, the sub must hold a verified CMMC certification at the appropriate level, and every system the sub uses to process that CUI -- including its CRM -- must be within its assessed boundary. That is not an aspiration. It is a regulatory requirement codified in 32 CFR Part 170 and enforced through DFARS 252.204-7021.
This guide breaks down the flowdown requirements from both sides of the prime-sub relationship, explains how CUI actually moves through CRM systems during teaming and subcontract performance, identifies the most common compliance failures, and provides a practical architecture for compliant CUI sharing. Whether you are a prime contractor managing a supply chain of 50 subcontractors or a 15-person sub trying to figure out which systems need to be in scope, this is the guide that connects the regulatory language to the CRM reality.
For the foundational framework on building a CUI-safe CRM environment, start with our CUI-safe CRM guide.
---
What CMMC Flowdown Actually Requires
The regulatory foundation for CMMC flowdown sits in two documents: the CMMC program rule at 32 CFR Part 170 and the contract clause at DFARS 252.204-7021. Together, they create a cascading obligation that extends CMMC requirements from the prime contractor through every tier of the supply chain.
32 CFR 170.23: Application to Subcontractors
Section 170.23 is the core flowdown provision. It states that prime contractors "shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers." This is not discretionary language. The word "shall" makes it a binding obligation.
The section establishes a tiered framework for determining which CMMC level applies to each subcontractor:
| Scenario | Required CMMC Level for Sub |
|---|---|
| Sub processes only FCI (not CUI) | Level 1 (Self-Assessment) |
| Sub processes CUI | Level 2 (Self-Assessment), minimum |
| Sub processes CUI and prime contract requires Level 2 (C3PAO) | Level 2 (C3PAO Assessment) |
| Sub processes CUI and prime contract requires Level 3 (DIBCAC) | Level 2 (C3PAO Assessment), minimum |
The critical implication for CRM: the determination of which level applies depends on what information the sub will process, store, or transmit on its own systems. When a prime shares opportunity data, contact records for DoD personnel, technical requirements, or proposal information with a sub via CRM, and any of that data qualifies as CUI, the sub's CRM is an in-scope system that must meet the corresponding CMMC level.
DFARS 252.204-7021: The Contract Clause
The DFARS clause translates the CMMC program rule into enforceable contract language. It imposes three specific obligations on prime contractors with respect to subcontractors:
- Pre-award verification. Prior to awarding a subcontract or other contractual instrument, the prime must ensure that the subcontractor has a current CMMC certificate or CMMC status at the appropriate level for the information being flowed down, per 32 CFR 170.23.
- Clause flowdown. The prime must insert the substance of the clause -- including the flowdown requirements themselves -- in all subcontracts and contractual instruments, including those for commercial products and commercial services. Only commercially available off-the-shelf (COTS) items are excluded.
- Affirmation requirement. The prime must ensure that all subcontractors and suppliers complete, prior to subcontract award, and maintain on an annual basis, an affirmation in SPRS confirming continuous compliance with CMMC requirements.
For contractors already navigating the broader regulatory landscape, our FAR and DFARS quick reference provides essential context on how these cybersecurity clauses fit within the larger acquisition framework.
What "Flowdown" Means for CRM, Specifically
The regulatory language refers to "information systems" -- any system that processes, stores, or transmits FCI or CUI. A CRM system that holds opportunity records with contract numbers, contact records for DoD program managers, teaming partner data, subcontract details, or any communications related to controlled programs is, by definition, an information system processing CUI.
This means:
- A sub's CRM is part of its CMMC assessment boundary
- Every NIST 800-171 control applies to that CRM
- The prime has an obligation to verify the sub's CRM is within an assessed boundary before sharing CUI through it
- Both parties need audit trails proving compliant handling at every transfer point
---
How CUI Flows Through CRM in Prime-Sub Relationships
Understanding where CUI enters and exits CRM systems across the prime-sub boundary is essential for both compliance scoping and architectural design. The data flows are more extensive than most organizations realize.
Opportunity and Pipeline Data
When a prime identifies a subcontracting opportunity and shares it with a potential sub, the opportunity record typically contains:
- Contract and solicitation numbers that may be tied to controlled programs
- Government point-of-contact information -- names, titles, organizations, and contact details of DoD personnel
- Program names and descriptions that reveal the nature of controlled work
- Period of performance, contract values, and NAICS codes associated with sensitive programs
- CAGE codes and DUNS/UEI numbers linking to the defense supply chain
This data enters the sub's CRM the moment the prime shares the opportunity -- whether via email that gets logged to the CRM, a direct data export, or a shared CRM portal. The sub's sales team adds it to their pipeline, associates it with contacts, and begins tracking it alongside their commercial opportunities. The CUI is now in the sub's CRM, and every control in NIST SP 800-171 applies to how it is stored, accessed, and protected.
Teaming Agreements and Partner Data
During the teaming and capture phase, primes and subs exchange significant controlled data through CRM and adjacent systems. Our teaming agreement guide covers the legal framework, but the CRM implications are equally important:
- Teaming partner profiles stored in CRM include company capabilities, facility clearance levels, key personnel with clearances, and past performance summaries -- all potentially CUI
- Work share allocations and technical responsibility matrices attached to opportunity records
- Competitive intelligence about incumbent contractors and government evaluation criteria
- Draft proposal sections circulated between partners for review and integration
Each of these data points typically lives in a CRM record -- attached to an opportunity, linked to a contact, or stored as a document within the CRM's file system. The moment CUI enters these records, both the prime's and the sub's CRM instances are in scope.
Technical Data Packages
When a prime shares technical requirements with a subcontractor to support proposal development or contract performance, the data often flows through or is referenced in CRM systems:
- Statements of Work (SOW) and Performance Work Statements (PWS) attached to opportunity records
- Technical specifications and drawings linked to subcontract records
- Export-controlled data (ITAR/EAR) shared as part of the technical evaluation
- Engineering change proposals and modification requests tracked in CRM
Technical data packages represent some of the most sensitive CUI categories. When this data is stored in a CRM that lacks encryption at rest, proper access controls, or audit logging, both the prime and sub are in violation of multiple NIST 800-171 control families simultaneously.
Subcontract Management
After contract award, ongoing subcontract management generates a continuous stream of CUI through CRM systems:
- Delivery schedules and milestones tied to controlled programs
- Invoice and payment data associated with defense contracts
- Performance metrics and quality reports referencing controlled deliverables
- Contract modifications and change orders that alter the scope of controlled work
- Correspondence between prime and sub program managers discussing controlled technical matters
This is the phase where CUI exposure is most sustained and least monitored. The initial teaming phase gets compliance attention because it is associated with a discrete event -- the subcontract award. But the ongoing management phase generates CUI data flows for months or years, typically with no structured compliance review.
---
The Prime's Verification Obligation
Prime contractors bear the primary regulatory burden for ensuring subcontractor CMMC compliance. This obligation is not passive -- it requires affirmative verification before CUI is shared.
Pre-Award CMMC Status Confirmation
Before awarding a subcontract that involves CUI, the prime must verify that the sub holds a current CMMC certificate or self-assessment at the required level. The verification process involves:
- Determine the required CMMC level based on the type of information to be shared and the prime contract's CMMC requirements (per the 32 CFR 170.23 matrix above)
- Request CMMC status documentation from the subcontractor -- either a CMMC certificate issued by a C3PAO or a self-assessment score
- Verify SPRS affirmation -- the sub must have a current affirmation by an authorized official confirming continuous compliance
The SPRS Verification Challenge
Here is where the process gets operationally difficult. DoD does not currently provide a mechanism for prime contractors to directly look up subcontractor CMMC status in SPRS. Primes can only access their own CMMC information. To verify a subcontractor's status, primes must request that the sub provide documentation -- typically a screenshot or printout of their SPRS entry showing their CMMC status.
This means the verification process is largely manual and trust-based. Primes must:
- Request SPRS documentation from the sub
- Validate that the documentation is current (not older than three years for self-assessments)
- Confirm the CMMC level matches or exceeds the requirement for the data being shared
- Document the verification in their own records as evidence for their assessment
For primes managing dozens or hundreds of subcontractor relationships through CRM, this creates a significant data management challenge. Every subcontractor record in the CRM needs associated CMMC verification documentation, expiration tracking, and re-verification workflows.
Annual Affirmation Monitoring
The obligation does not end at subcontract award. Primes must ensure that subs maintain annual affirmations in SPRS confirming continuous compliance. This creates a recurring compliance cycle:
| Activity | Frequency | Prime Responsibility |
|---|---|---|
| Initial CMMC status verification | Pre-award | Confirm status, document evidence |
| SPRS affirmation check | Annual | Verify sub's annual affirmation is current |
| Re-assessment tracking | Every 3 years | Confirm sub's assessment has not expired |
| Scope change review | As needed | Re-evaluate CMMC level if sub's work scope changes |
| Incident notification | As occurs | Ensure sub reports cyber incidents per DFARS 7012 |
Without a CRM system designed to track these compliance milestones, primes rely on spreadsheets, calendar reminders, and institutional memory -- none of which will satisfy an assessor's evidence requirements.
---
The Subcontractor's CRM Compliance Burden
For subcontractors -- especially small businesses that make up roughly 73% of the Defense Industrial Base -- the CRM compliance burden can feel overwhelming. But it is also more bounded than many assume, provided the sub takes a disciplined approach to scoping.
What Small Subs Need When They Receive CUI via CRM
When a prime shares CUI with a subcontractor, every system the sub uses to process that information falls within the CMMC assessment boundary. For CRM specifically, this means:
If the sub stores opportunity data, contact records, proposal artifacts, or subcontract management data related to CUI programs in a CRM, that CRM must meet all 110 NIST 800-171 controls required for CMMC Level 2.
The practical requirements include:
- Multi-factor authentication for all CRM users
- Role-based access control with least privilege enforcement
- Encryption at rest (AES-256 or equivalent) for all stored data
- TLS 1.2+ encryption for all data in transit
- Immutable audit logging of all create, read, update, and delete actions
- Network segmentation isolating the CRM from non-CUI systems
- Vulnerability scanning on CRM infrastructure
- Incident response procedures covering the CRM environment
- Media sanitization procedures for decommissioned CRM data
Our CMMC compliant CRM checklist maps all 25 specific CRM requirements to their corresponding NIST 800-171 controls.
Minimum Viable CRM Compliance for Small Subs
Small subcontractors receiving CUI from primes do not need to replicate the enterprise security infrastructure of a large prime. But they do need to make intentional architectural choices. The minimum viable approach for CRM compliance involves:
- Scope reduction. Keep CUI out of as many systems as possible. If the sub can process CUI-related data in a single, purpose-built CRM rather than across CRM, email, file shares, and spreadsheets, the assessment boundary shrinks dramatically.
- Platform selection. Choose a CRM that meets CMMC requirements by design, rather than one that requires extensive configuration and add-ons. A purpose-built platform eliminates the compliance retrofit that costs small businesses tens of thousands of dollars. For context on the broader small business compliance challenge, see our CMMC for small business guide.
- Boundary enforcement. Implement clear rules about what data enters the CRM and what stays outside it. If the sub only tracks CUI-related opportunities in their compliant CRM and keeps commercial pipeline in a separate, non-CUI system, the boundary is clean and defensible.
- Evidence automation. The ongoing cost of CMMC compliance is not the technology -- it is the evidence collection. A CRM that automatically generates audit logs, access reports, and configuration documentation reduces the annual compliance maintenance burden from weeks to hours.
The Cost Reality for Subs
Small subcontractors face a specific cost calculus when it comes to CRM compliance:
| Approach | Estimated Annual Cost | Risk Level |
|---|---|---|
| Retrofit commercial CRM (Salesforce/HubSpot) | $25,000-$75,000 | High — many gaps cannot be closed |
| Dedicated GovCon CRM with CMMC features | $5,000-$15,000 | Medium — depends on vendor's actual compliance |
| Purpose-built CUI-safe CRM platform | $3,000-$10,000 | Low — designed for compliance from day one |
| Use prime's systems only (no own CRM) | $0 (direct) | Variable — see decision matrix below |
The counterintuitive finding: purpose-built platforms are often cheaper than retrofitting commercial CRM because they eliminate consulting, configuration, and ongoing remediation costs.
---
Common Flowdown Failures
The gap between regulatory requirements and operational reality is wide. These are the most frequent flowdown failures that auditors identify, nearly all of which involve CRM systems or the data that flows through them.
CUI Shared via Unencrypted Email to Non-Compliant CRM
This is the most pervasive failure mode. A prime's program manager emails a subcontractor with opportunity details, technical requirements, or contract information containing CUI. The sub's email system automatically logs the message to their CRM via BCC logging, sidebar plugin, or API integration. The CUI is now in a CRM that:
- May not have encryption at rest
- May not enforce MFA
- Has no CUI classification or tagging
- Provides no audit trail of who accessed the data
- Is not within any CMMC assessment boundary
The prime never verified the sub's CMMC status before sharing the data. The sub never classified the data as CUI before it entered the CRM. Neither party has an audit trail of the transfer. For a deeper examination of this vector, see our analysis of the email ingestion CUI compliance blind spot.
Primes Assuming Subs "Handle It"
A disturbingly common approach among prime contractors is to include CMMC flowdown language in the subcontract -- satisfying the clause insertion requirement of DFARS 7021 -- without actually verifying the sub's compliance status or monitoring ongoing adherence. The prime's contracts team inserts the clause. The prime's supply chain team never follows up. The prime's CRM has no field tracking the sub's CMMC status, no workflow triggering annual re-verification, and no alert when a sub's assessment expires.
This creates a false sense of compliance. The clause is flowed down on paper, but the verification obligation is unmet. When the prime's own assessor asks for evidence of subcontractor CMMC verification, the prime has nothing but a contract clause -- which is necessary but not sufficient.
No Audit Trail of CUI Transfers
Even when both the prime and sub have reasonably compliant CRM systems, the transfer of CUI between those systems typically has no audit trail. Data moves via:
- Email attachments with no logging of what was sent or received
- File shares with no access tracking
- Portal downloads with no record of who downloaded what
- Manual data entry from one CRM to another with no link between records
An assessor evaluating either party's CMMC compliance will ask: "How do you know what CUI was shared with this subcontractor, when it was shared, who authorized the sharing, and how it was transmitted?" Without a CRM architecture designed to answer those questions, neither party can produce compliant evidence.
Spreadsheet-Based Subcontractor Tracking
Many primes track subcontractor CMMC status in spreadsheets -- a practice that fails on multiple levels:
- No access control. Anyone with access to the shared drive can view or modify the spreadsheet.
- No audit trail. There is no immutable record of when entries were created, modified, or deleted.
- No workflow automation. Expiration dates pass without notification. Annual re-verification is forgotten.
- No integration. The spreadsheet is disconnected from the CRM, so subcontractor records in the CRM have no linked compliance status.
This is not a compliant approach to managing the verification obligation. The data belongs in a CRM system with proper access controls, audit logging, and automated compliance workflows.
Scope Creep After Initial Verification
A sub is verified at CMMC Level 1 because the initial subcontract only involves FCI. Six months into performance, the prime's program manager starts sharing CUI with the sub via CRM -- technical data, personnel details, or program-specific information that exceeds FCI. The sub's CMMC level no longer matches the data it is receiving, but no one re-evaluates the scope because the initial verification is "done."
This failure is particularly dangerous because it looks compliant on paper. The initial verification was legitimate. The flowdown clause is in the subcontract. But the operational reality has drifted beyond the original compliance scope, and neither party's CRM has any mechanism to detect or flag the drift.
---
Architecture for Compliant CUI Sharing
Solving the flowdown problem at the CRM level requires architectural thinking, not just policy. Both the prime's and sub's CRM environments need specific capabilities to support compliant CUI sharing across organizational boundaries.
CUI-Safe CRM with Controlled External Sharing
The foundation is a CRM architecture that treats external data sharing as a first-class compliance function, not an afterthought bolted onto a commercial platform. The key architectural components:
Data classification at the point of entry. Every record entering the CRM must be evaluated for CUI status before it is stored. This means the CRM needs classification workflows -- either automated (based on rules like contract number patterns, program name matching, or source identification) or user-assisted (prompting the user to classify data as CUI or non-CUI before saving).
Controlled sharing boundaries. The CRM must enforce rules about what data can be shared externally, with whom, and through what channels. This is not just access control within the CRM -- it is boundary enforcement that prevents CUI from leaving the system via unauthorized channels (email export, CSV download, API extraction) without appropriate controls.
Access logging at the transfer point. Every instance of CUI being shared with an external party must generate an immutable audit record that captures: what data was shared, with whom, when, by whom, through what channel, and under what authorization. This is the evidence both primes and subs need for their respective assessments.
Recipient verification. Before CUI can be shared with a subcontractor through the CRM, the system should verify that the recipient organization has a current, valid CMMC status at the appropriate level. This can be implemented as a lookup against stored verification records, preventing CUI sharing with non-compliant entities.
The Compliant Data Flow Architecture
A properly architected prime-sub CUI sharing workflow through CRM looks like this:
```text
Prime CRM (CUI-Safe)
│
├─ Step 1: Data classified as CUI at entry
├─ Step 2: Sub's CMMC status verified (pre-award)
├─ Step 3: Sharing authorization recorded
├─ Step 4: CUI transmitted via encrypted channel
├─ Step 5: Transfer logged with immutable audit trail
│
▼
Sub CRM (CUI-Safe)
│
├─ Step 6: Data classified as CUI at ingestion
├─ Step 7: Stored within CMMC assessment boundary
├─ Step 8: Access restricted to authorized personnel
├─ Step 9: All access logged and auditable
└─ Step 10: Retention and disposal per policy
```
Every step generates evidence. Every step is auditable. Every step maps to specific NIST 800-171 controls. This is the standard that assessors expect, and it is achievable only with CRM architecture designed for this purpose.
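The recipient-verification and transfer-logging components above, together with the prime's verification rules from earlier in the guide (the 32 CFR 170.23 level matrix, three-year assessment validity, annual SPRS affirmation), as an added worked example. This is illustrative code written for this article, not Cabrillo Club's platform code; the record layouts, field names, the `encrypted_portal` channel name and the sample CAGE codes and contract numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Channels through which CUI may leave the CRM (assumption for this example).
# Plain email and CSV export are the failure modes the article describes.
CUI_CHANNELS = {"encrypted_portal"}
ASSESSMENT_RANK = {"self": 0, "c3pao": 1, "dibcac": 2}
ASSESSMENT_VALIDITY = timedelta(days=3 * 365)   # re-assessment every 3 years
AFFIRMATION_VALIDITY = timedelta(days=365)       # annual SPRS affirmation


@dataclass
class SubStatus:
    """Verification record the prime keeps per subcontractor (constructed layout)."""
    cage: str
    level: int
    assessment_type: str   # "self", "c3pao" or "dibcac"
    assessed_on: date
    affirmed_on: date      # date of the sub's most recent SPRS affirmation


@dataclass
class Record:
    record_id: str
    classification: str    # "FCI" or "CUI", assigned at point of entry
    contract: str


def required_level(classification, prime_level, prime_type):
    """Required (level, assessment type) for the sub, per the 32 CFR 170.23 matrix."""
    if classification == "FCI":
        return 1, "self"
    if classification != "CUI":
        raise ValueError(f"unclassified record: {classification!r}")
    if prime_level >= 3 or (prime_level == 2 and prime_type == "c3pao"):
        return 2, "c3pao"
    return 2, "self"


def verify_sub(sub, classification, prime_level, prime_type, today):
    """Return the reasons a share must be blocked; an empty list means allowed."""
    level, atype = required_level(classification, prime_level, prime_type)
    reasons = []
    if sub.level < level:
        reasons.append(f"sub level {sub.level} below required level {level}")
    if ASSESSMENT_RANK[sub.assessment_type] < ASSESSMENT_RANK[atype]:
        reasons.append(f"{sub.assessment_type} assessment; {atype} required")
    if today > sub.assessed_on + ASSESSMENT_VALIDITY:
        reasons.append("assessment older than three years")
    if today > sub.affirmed_on + AFFIRMATION_VALIDITY:
        reasons.append("annual SPRS affirmation not current")
    return reasons


class TransferLog:
    """Append-only, hash-chained audit trail of every sharing decision."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        data = json.dumps(body, sort_keys=True, default=str).encode()
        return hashlib.sha256(data).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(fields, prev=prev)
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """False if any entry was altered or removed after it was written."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def share_record(record, sub, prime_level, prime_type, channel,
                 authorized_by, log, today):
    """Gate a share: verify recipient and channel, then log the decision either way."""
    reasons = verify_sub(sub, record.classification, prime_level, prime_type, today)
    if record.classification == "CUI" and channel not in CUI_CHANNELS:
        reasons.append(f"channel {channel!r} not approved for CUI")
    log.append(record_id=record.record_id, classification=record.classification,
               contract=record.contract, recipient=sub.cage, channel=channel,
               authorized_by=authorized_by, on=today,
               outcome="blocked" if reasons else "released", reasons=reasons)
    return not reasons


def demo():
    """Constructed scenario: a Level 1 sub later receives CUI by email (scope creep)."""
    today = date(2026, 2, 25)
    log = TransferLog()
    sub = SubStatus("1ABC2", 1, "self", date(2025, 6, 1), date(2025, 6, 1))
    fci = Record("OPP-100", "FCI", "CONSTRUCTED-CONTRACT-1")
    cui = Record("OPP-101", "CUI", "CONSTRUCTED-CONTRACT-2")
    ok_fci = share_record(fci, sub, 2, "c3pao", "encrypted_portal", "pm@prime.example", log, today)
    ok_cui = share_record(cui, sub, 2, "c3pao", "email", "pm@prime.example", log, today)
    return ok_fci, ok_cui, log


if __name__ == "__main__":
    for entry in demo()[2].entries:
        print(entry["record_id"], entry["outcome"], entry["reasons"])
```

The second share is refused for three independent reasons (level, assessment type, channel) and the refusal itself is logged, which is the evidence an assessor asks for when checking how CUI was, or was not, released to a sub.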
Integration with Existing Security Infrastructure
The CRM does not exist in isolation. Compliant CUI sharing requires integration with:
- Identity and access management (IAM) systems that enforce MFA and role-based access
- Security information and event management (SIEM) platforms that aggregate CRM audit logs with broader security monitoring
- Data loss prevention (DLP) tools that prevent CUI from leaving the CRM through unauthorized channels
- Encryption infrastructure that manages keys for data at rest and in transit
- Incident response workflows that include CRM-specific playbooks for CUI exposure events
For organizations evaluating how zero-trust CRM architecture addresses these integration requirements, the key insight is that zero trust eliminates the assumption that any user, device, or network segment is inherently trusted -- which is exactly the posture needed for cross-organizational CUI sharing.
---
The 300,000-Company Supply Chain Problem
The Defense Industrial Base encompasses between 220,000 and 300,000 contractors and subcontractors. Approximately 118,000 of those companies need CMMC Level 2 certification. Small businesses account for roughly 73% of the DIB. And here is the uncomfortable reality: the vast majority of these companies are running CRM systems that cannot meet CMMC requirements, and most do not have the budget, expertise, or time to retrofit them.
Why the Problem Is Structural
The defense supply chain's CRM compliance problem is not a knowledge gap that training can fix. It is a structural problem rooted in the economics of commercial CRM platforms:
Commercial CRM was not designed for CUI. Salesforce, HubSpot, Microsoft Dynamics, and their competitors were built to maximize sales productivity in unregulated environments. The features that make them powerful -- open APIs, broad integrations, cloud-based accessibility, minimal access friction -- are the same features that create CMMC compliance failures. Retrofitting these platforms for CUI handling is possible for large enterprises with dedicated compliance teams, but it is not viable for a 15-person machine shop that subcontracts to three primes.
The cost of retrofitting is prohibitive at scale. Configuring a commercial CRM for CMMC compliance typically costs $25,000-$75,000 in the first year -- consulting fees, add-on licensing, custom configuration, documentation, and assessment preparation. Multiply that across 118,000 companies, and the aggregate cost to the DIB is staggering. Most small businesses will not spend it. Industry projections suggest that between 33,000 and 44,000 companies -- 15-20% of the DIB -- will exit the defense market between 2025 and 2027 rather than bear the compliance cost.
Primes cannot enforce what subs cannot afford. Even when primes take their verification obligations seriously, they face a supply chain where the majority of small subs are not equipped to demonstrate CRM compliance. The prime's options are limited: restrict CUI sharing to only compliant subs (reducing the available supply base), accept the risk of sharing with non-compliant subs (violating DFARS 7021), or help subs achieve compliance (an unfunded mandate that few primes are willing to absorb).
Why Purpose-Built CRM Is the Answer
The structural solution is not to make commercial CRM compliant -- it is to give the defense supply chain CRM that is compliant by design. Purpose-built CUI-safe CRM eliminates the retrofit problem by embedding CMMC requirements into the platform's architecture from the ground up:
- Encryption, access control, and audit logging are default, not add-ons. Every record is encrypted at rest. Every access event is logged. Every user authenticates through MFA. These are not configurations to be enabled -- they are foundational platform behaviors that cannot be disabled.
- CUI classification and boundary enforcement are native workflows. The platform understands what CUI is and enforces handling rules automatically. Data entering the system is classified. Sharing requires authorization. Export is controlled. Retention and disposal follow policy.
- Evidence generation is automatic. The platform continuously produces the documentation assessors require -- access logs, configuration baselines, change records, encryption status -- without manual collection or spreadsheet management.
- Cost is accessible to small businesses. Because the compliance infrastructure is built into the platform rather than layered on top of a commercial product, the total cost of ownership is a fraction of the retrofit approach.
Cabrillo Club was designed for exactly this problem. When both the prime and the sub operate on a CUI-safe CRM platform, compliant data sharing is a built-in capability -- not a compliance project that consumes months and tens of thousands of dollars.
---
Decision Matrix: When Subs Need Their Own CUI-Safe CRM
Not every subcontractor needs to deploy a standalone CUI-safe CRM. The decision depends on the nature of the prime-sub relationship, the type of data being shared, and the sub's existing infrastructure. Use this matrix to evaluate your situation:
| Factor | Own CUI-Safe CRM Needed | Prime's Systems May Suffice |
|---|---|---|
| Number of prime relationships | Multiple primes sharing CUI | Single prime, exclusive relationship |
| CUI volume | Regular, ongoing CUI data flows | Occasional, limited CUI exposure |
| Data types | Contact records, pipeline, proposals, subcontract data | Only technical documents (not CRM data) |
| Sub's independent BD | Sub actively pursues own prime contracts | Sub only works as sub, no independent pipeline |
| Duration | Multi-year contracts with ongoing data flows | Short-term, project-specific engagements |
| Prime's system access | Prime does not provide compliant portal | Prime provides sub portal with CUI controls |
| Sub's team size | 5+ people needing CRM access | 1-2 people; manual tracking is feasible |
| Assessment approach | Sub pursuing own CMMC certification | Sub's work is scoped under prime's boundary |
When to use the prime's systems
If the sub works exclusively for one prime, the prime provides a compliant portal or shared CRM environment, and the sub's scope of CUI handling is limited to what the prime's systems facilitate, the sub may not need independent CUI-safe CRM. However, the sub should verify in writing that:
- The prime's system is within the prime's CMMC assessment boundary
- The sub's access to the system is properly scoped and logged
- The sub retains no CUI data on its own systems (or, if it does, those systems are also in scope)
When the sub needs its own CRM
If the sub works with multiple primes, maintains its own business development pipeline, stores CUI-related data in its own systems, or plans to pursue prime contracts independently, a CUI-safe CRM of its own is not optional. Whatever system holds that data sits inside the sub's CMMC assessment boundary, and every applicable control must be met there.
For small subs evaluating their options, our CMMC for small business guide provides the broader compliance framework, including cost benchmarks and phased implementation strategies.
---
Implementation Roadmap: Getting Both Sides Compliant
Whether you are a prime needing to verify and manage subcontractor compliance, or a sub needing to stand up CUI-safe CRM for the first time, the implementation follows a structured sequence.
For Prime Contractors
Phase 1: Inventory and classification (Weeks 1-4)
- Identify all subcontractors who receive CUI through any channel
- Classify CUI data flows by type, volume, and sensitivity
- Map which CRM records contain subcontractor-related CUI
- Document current sharing mechanisms (email, portal, direct CRM access, file transfer)
Phase 2: Verification infrastructure (Weeks 5-8)
- Add CMMC status fields to subcontractor records in CRM
- Collect current CMMC certificates or self-assessment documentation from all subs
- Collect evidence of each sub's SPRS score and affirmation status (primes cannot look this up in SPRS themselves; see the FAQ below)
- Establish re-verification workflows with automated expiration alerts
Phase 3: Controlled sharing implementation (Weeks 9-16)
- Implement CUI classification at point of entry for subcontractor-related data
- Deploy controlled sharing mechanisms with audit logging
- Establish data boundary enforcement preventing CUI sharing with non-verified subs
- Create evidence packages documenting the verification process
Phase 4: Ongoing monitoring (Continuous)
- Track annual affirmation renewals for all subs
- Monitor assessment expiration dates (3-year cycle)
- Conduct periodic audits of CUI sharing logs
- Re-evaluate CMMC level requirements when subcontract scope changes
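The Phase 2 through Phase 4 steps above (status fields on the subcontractor record, verification before sharing, data-boundary enforcement, audit logging and expiration alerts) can be expressed as a single pre-share gate. The following is an added example written for this page; it is not Cabrillo Club's code and not the API of any CRM. The record schema, the field names, the sample CAGE codes, dates and evidence paths, and the rule that CUI calls for Level 2 while FCI calls for Level 1 are all assumptions chosen to illustrate the checks.

```python
# Added example for this page (not Cabrillo Club code): a pre-share gate that checks a
# sub's CMMC status fields before a CUI/FCI record leaves the prime's CRM. Schema, field
# names, sample CAGE codes and dates are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CERT_VALIDITY_DAYS = 3 * 365        # Level 2 certification runs on a 3-year cycle
AFFIRMATION_VALIDITY_DAYS = 365     # affirmations are renewed annually

@dataclass
class SubStatus:
    """CMMC status fields kept on the subcontractor record (assumed schema)."""
    cage: str
    level: int                      # 1 or 2
    assessment_type: str            # "self" or "c3pao"
    assessment_date: date
    last_affirmation: date
    evidence_ref: str | None = None # where the certificate or SPRS printout is stored

@dataclass
class ShareRequest:
    """One request to share a CRM record with a subcontractor."""
    record_id: str
    data_category: str              # "CUI" or "FCI"
    sub_cage: str
    requested_by: str
    requires_c3pao: bool = False    # True when the contract calls for C3PAO-assessed Level 2

@dataclass
class ShareGate:
    subs: dict[str, SubStatus]      # CAGE -> status record
    audit_log: list[dict] = field(default_factory=list)

    def evaluate(self, req: ShareRequest, today: date) -> tuple[bool, list[str]]:
        """Return (allowed, reasons). A missing or stale record is a denial, never an exception."""
        reasons: list[str] = []
        sub = self.subs.get(req.sub_cage)
        if sub is None:
            reasons.append("no CMMC status record for subcontractor")
        else:
            required = 2 if req.data_category == "CUI" else 1   # assumed rule: CUI -> L2, FCI -> L1
            if sub.level < required:
                reasons.append(f"level {sub.level} below required level {required}")
            if req.data_category == "CUI" and req.requires_c3pao and sub.assessment_type != "c3pao":
                reasons.append("C3PAO assessment required but only self-assessment on file")
            if today > sub.assessment_date + timedelta(days=CERT_VALIDITY_DAYS):
                reasons.append("assessment older than 3-year cycle")
            if today > sub.last_affirmation + timedelta(days=AFFIRMATION_VALIDITY_DAYS):
                reasons.append("annual affirmation lapsed")
            if not sub.evidence_ref:
                reasons.append("no verification evidence on file")
        allowed = not reasons
        # Log every decision, allowed or denied: the failure mode is a share with no record.
        self.audit_log.append({
            "date": today.isoformat(), "record_id": req.record_id, "category": req.data_category,
            "sub_cage": req.sub_cage, "requested_by": req.requested_by,
            "decision": "ALLOW" if allowed else "DENY", "reasons": reasons,
        })
        return allowed, reasons

    def upcoming_renewals(self, today: date, within_days: int = 60) -> list[tuple[str, str, date]]:
        """Phase 4 helper: (cage, item, due_date) for affirmations and assessments due soon."""
        due = []
        for sub in self.subs.values():
            deadlines = {
                "affirmation": sub.last_affirmation + timedelta(days=AFFIRMATION_VALIDITY_DAYS),
                "assessment": sub.assessment_date + timedelta(days=CERT_VALIDITY_DAYS),
            }
            for item, deadline in deadlines.items():
                if today <= deadline <= today + timedelta(days=within_days):
                    due.append((sub.cage, item, deadline))
        return sorted(due, key=lambda d: d[2])

# Constructed sample data: fictitious CAGE codes, dates and evidence paths.
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_SUBS = {
    "1AAA1": SubStatus("1AAA1", 2, "c3pao", date(2025, 4, 20), date(2025, 4, 20), "evidence/1AAA1-cert.pdf"),
    "2BBB2": SubStatus("2BBB2", 2, "self", date(2025, 9, 15), date(2025, 9, 15), "evidence/2BBB2-sprs.png"),
    "3CCC3": SubStatus("3CCC3", 1, "self", date(2024, 1, 10), date(2024, 1, 10), "evidence/3CCC3-sprs.png"),
}
SAMPLE_REQUESTS = [
    ShareRequest("OPP-1001", "CUI", "1AAA1", "bd.lead", requires_c3pao=True),  # current C3PAO Level 2
    ShareRequest("OPP-1001", "CUI", "2BBB2", "bd.lead", requires_c3pao=True),  # self-assessment only
    ShareRequest("OPP-1002", "FCI", "3CCC3", "bd.lead"),                       # Level 1, affirmation lapsed
    ShareRequest("OPP-1003", "CUI", "9ZZZ9", "bd.lead"),                       # no status record at all
]

def run_sample(today: date = SAMPLE_TODAY) -> ShareGate:
    """Push the constructed requests through a fresh gate and return it with its audit log."""
    gate = ShareGate(dict(SAMPLE_SUBS))
    for req in SAMPLE_REQUESTS:
        gate.evaluate(req, today)
    return gate

if __name__ == "__main__":
    for e in run_sample().audit_log:
        print(e["record_id"], e["sub_cage"], e["decision"], e["reasons"])
    print("due within 60 days:", run_sample().upcoming_renewals(SAMPLE_TODAY))
```

Two design points matter more than the field names. First, the gate fails closed: an unknown CAGE, a missing evidence reference or a lapsed affirmation all produce a denial with a stated reason, so a sub that was never verified cannot be shared with by accident. Second, the audit entry is written on every call, not only on denials, which is what gives the prime the "what was shared, when, and with whom" record that the page identifies as the most common gap.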
For Subcontractors
Phase 1: Scoping (Weeks 1-2)
- Identify all prime relationships that involve CUI
- Catalog CUI data types received from each prime
- Map which internal systems (especially CRM) process this data
- Determine the required CMMC level from what each prime flows down under 32 CFR 170.23 (Level 2 where CUI is processed, Level 1 where only FCI is)
Phase 2: Platform decision (Weeks 3-4)
- Evaluate current CRM against CMMC requirements (use our checklist)
- Decide whether to retrofit, replace, or adopt purpose-built CUI-safe CRM
- If replacing, select platform and plan migration
Phase 3: Implementation (Weeks 5-12)
- Deploy CUI-safe CRM with all required controls enabled
- Migrate relevant data from legacy systems
- Configure access controls, MFA, encryption, and audit logging
- Train users on CUI handling procedures within the CRM
Phase 4: Certification and maintenance (Weeks 13+)
- Conduct self-assessment or prepare for C3PAO assessment
- Submit SPRS score and complete affirmation
- Share CMMC status documentation with prime contractors
- Establish annual re-affirmation workflow
---
Frequently Asked Questions
Does CMMC flowdown apply if my sub only receives FCI, not CUI?
Yes, but at a lower level. Under 32 CFR 170.23, a subcontractor that processes only FCI (not CUI) needs CMMC Level 1, which requires an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21. Level 1 is significantly less burdensome than Level 2, but it still means the sub's CRM (if it processes FCI) must meet those 15 requirements. The key determination is whether the data flowing through the CRM qualifies as CUI or only as FCI -- a classification that depends on the program, the data type, and the marking determination of the CUI authority.
Can a prime contractor access a sub's SPRS score directly?
No. As of February 2026, DoD does not provide a mechanism for prime contractors to look up subcontractor CMMC status directly in SPRS. Primes can only access their own records. To verify a sub's status, primes must request that the sub provide documentation -- typically a screenshot or printout of their SPRS entry. This manual process is a known limitation, and DoD has acknowledged the need for an improved verification mechanism. In the meantime, primes should formalize the documentation request in their subcontract administration procedures and store the evidence in their CRM.
What happens if a prime shares CUI with a sub that does not have the required CMMC level?
This is a contract compliance violation under DFARS 252.204-7021 and potentially a False Claims Act issue if the prime has affirmed its own compliance, which includes the obligation to verify subcontractors. The prime could face contract termination, suspension, debarment, or civil liability. The sub, meanwhile, is processing CUI without adequate security -- a violation of DFARS 252.204-7012 that also triggers 72-hour cyber incident reporting obligations if the data is compromised. Both parties are exposed, which is why pre-award verification is not optional.
If my sub uses my CRM portal, does the sub still need its own CMMC certification?
It depends on whether the sub retains CUI on its own systems. If the sub accesses the prime's CRM portal, performs work within that environment, and retains no CUI on its own infrastructure (no local files, no email copies, no CRM records on its own systems), then the CUI processing may be scoped under the prime's assessment boundary rather than the sub's. However, this requires careful documentation, and the sub's endpoint devices (laptops, phones) used to access the portal may still be in scope. Consult with your C3PAO or CMMC assessor to determine the correct boundary.
How does the Phase 2 timeline (November 2026) affect subcontractor CRM compliance?
Phase 2 of the CMMC rollout, beginning November 2026, is when contracting officers will start requiring C3PAO-assessed Level 2 CMMC status in solicitations. For subcontractors, this means that primes bidding on Phase 2 contracts will need to verify that their subs hold C3PAO-assessed Level 2 status -- not just self-assessments. If a sub's CRM is in its assessment boundary (which it likely is, if CUI flows through it), that CRM must pass the C3PAO assessment. Subs should be working toward this standard now, not waiting until Phase 2 contracts start appearing. The C3PAO assessment backlog is growing, and small businesses that wait will face longer scheduling delays and higher costs.
---
Moving Forward: The Flowdown Problem Is a CRM Problem
CMMC flowdown is ultimately about one thing: ensuring that CUI is protected at every point in the supply chain where it is processed, stored, or transmitted. For the defense industrial base, CRM is one of the primary systems where this data lives. Opportunity records, contact data, proposal artifacts, subcontract management data, and communications all flow through CRM on both sides of the prime-sub relationship.
The regulatory framework is clear. 32 CFR 170.23 mandates flowdown. DFARS 252.204-7021 enforces verification. NIST SP 800-171 defines the controls. The only question is whether your CRM architecture can meet these requirements -- or whether you are building compliance on a foundation that was never designed to support it.
For primes, the mandate is to verify before you share, track what you share, and monitor your supply chain's compliance status continuously. For subs, the mandate is to know what CUI you receive, process it only in compliant systems, and maintain your CMMC status with annual affirmations.
For both sides, the most efficient path is a CRM platform built for this purpose -- one where compliance is the architecture, not an afterthought.
Start with our CUI-safe CRM guide for the foundational architecture. Use our CMMC compliant CRM checklist to evaluate your current platform. And if you are a small business navigating these requirements for the first time, our CMMC for small business guide provides the cost benchmarks and implementation strategies you need to get started without overspending.
The flowdown clock is running. Your CRM either meets the standard or it does not. And when your prime -- or your assessor -- asks for evidence, "we're working on it" is not a compliant answer.

Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.