DFARS 252.204-7012 · CMMC 2.0 · Sub-tier flowdown

Supply-chain cyber compliance — built for primes who own the sub-tier risk

Your most exposed CUI no longer lives at the prime. It lives at the sub two tiers down, on a flat network, behind a shared admin password. MacTech gives primes a defensible way to flow down DFARS, monitor sub-tier CMMC posture, and prove the supply chain is actually compliant — not just attested.

Three uncomfortable facts about supply-chain cyber today

  • Most DIB primes cannot produce a current SPRS score for every critical sub within 24 hours. The IG knows this.
  • CMMC 2.0 moves the bar from "they self-attested at award" to "you actively monitor them" — a posture upgrade most primes have not made.
  • Static-PDF attestation programs cost more, signal less, and survive fewer audits than the platform-led alternatives now available.

01 — Obligations

What a prime contractor actually owes — and what auditors look for

01 — Flow DFARS 252.204-7012 to every CUI-handling sub

The clause must be in the subcontract — at every tier — wherever CUI flows. Missing flowdowns are the #1 finding in DCMA reviews of supply-chain cyber posture.

02 — Maintain a current sub-tier register

The register records which subs handle CUI, what each sub's current SPRS score is, when its CMMC certificate was issued, and when the next renewal is due. This register is what an IG asks for first.

03 — Notify DoD of CUI-impacting cyber incidents within 72 hours

The clock starts when the incident is discovered — at the prime, sub-tier, or any layer where CUI may have been touched. The prime owns the notification regardless of where the breach happened.

04 — Demonstrate continuous monitoring, not point-in-time attestation

The CMMC 2.0 rule moves the bar from "they had a certificate when they signed" to "you actively monitor their posture." Static binders no longer satisfy the obligation.

02 — The MacTech model

The platform-led supply-chain compliance model

Sub-tier registry as a live system

Every sub that touches CUI is in the registry. SPRS scores, CMMC certificate status, next-renewal dates, and the flowdown clauses they signed are all tracked in one place. No more reconciling across procurement, legal, and security spreadsheets.

Continuous posture monitoring

Sub posture changes are surfaced as events, not annual binders. A C3PAO certificate expiring in 60 days, a SPRS score that dropped, a missed POAM milestone — all visible to the prime's compliance team without an email chain.

Shared CUI enclave for critical subs

For the suppliers you cannot afford to lose to compliance cost, MacTech's shared enclave gives the prime a defined CUI boundary that the sub inherits. Each side keeps its own assessment, but the technical controls and the evidence library are platform-provided.

Incident-response coordination built in

The 72-hour DFARS notification clock runs at the prime regardless of where the breach happened. MacTech's IR tabletop kit and notification workflow keep the prime in control of the clock and the messaging.

04 — Questions

Supply-chain cyber compliance — frequently asked

Why is the supply chain the new attack surface?

Adversaries do not target the prime contractor with the SOC and the 24/7 incident response team. They target the small machine-shop sub two tiers down with a flat network and a shared admin password. Every major DIB breach in the last five years has touched the supply chain, and every prime contract clause now treats sub-tier security as the prime's problem.

What does DFARS 252.204-7012 require primes to flow down?

The clause requires primes to flow DFARS 252.204-7012 (and therefore NIST SP 800-171 implementation) down to all subcontractors that handle CUI. The clause survives the entire subcontract chain — Tier 1 to Tier 2 to Tier 3 — wherever CUI flows. The prime is responsible for ensuring the flowdown is in every subcontract.

How does a prime verify a sub is actually compliant?

Three signals matter: (1) the sub's current SPRS score posted to the DoD, (2) a current CMMC Level 2 certificate from a C3PAO when the contract requires one, and (3) a signed attestation that the sub continues to meet 800-171. The challenge is freshness: a static PDF attestation from 18 months ago tells you nothing about today. MacTech's sub-tier dashboard tracks all three signals continuously.

What happens when a sub fails to meet flowdown requirements?

The prime is exposed. Contractually, the prime is on the hook for sub-tier compliance — DoD does not chase the sub. Practically, that exposure becomes real during a breach investigation, an IG audit, or a DCMA review. The defensible move is to monitor sub posture continuously and act on slipping scores before they become incidents.

How do small subs respond to flowdown demands?

Three patterns: (1) the sub already runs a compliant program and shares evidence on request, (2) the sub asks the prime for technology or process help to get there, or (3) the sub disengages because the cost is too high. The third pattern is the most dangerous to the prime — it shrinks the supplier pool and pushes work to less-prepared suppliers downstream. Primes that pair flowdown with platform support keep more of their supplier base.

Can primes share a compliance platform with their subs?

Yes — and the math is compelling. A prime that gives selected critical subs access to a shared CUI enclave gets a documented, inheritable control set across the relationships that matter most. Each sub still owns its own SSP and assessment, but the boundary, the technical controls, and the evidence library are shared infrastructure. This is exactly what MacTech's prime-sub deployment model supports.

How do I prove supply-chain compliance to the contracting officer?

Three artifacts: a sub-tier attestation register (who flows down what, to whom), a continuous monitoring dashboard (current SPRS / CMMC status for each critical sub), and an incident-response runbook that includes sub-tier notification SLAs. MacTech generates the first two automatically from the sub-tier registry; the third is built into the IR tabletop kit.

How does the new CMMC rule change primes' obligations?

The CMMC 2.0 final rule makes flowdown verifiable and auditable. Where DFARS 252.204-7012 was a self-attested promise, CMMC is a third-party certificate the prime can demand and DoD can validate via eMASS. Primes that built sub-tier compliance programs on the old DFARS-only model need to upgrade to evidence-based monitoring under CMMC.

Show me a defensible sub-tier program

A 30-minute working session with MacTech: walk your current sub-tier register, identify the gaps an IG would find, and leave with a sequenced plan to close them.