
Chapter 13 of 14

Module 13: Supply Chain, Flow-Down, and Working with Service Providers

Address how CMMC requirements flow down to subcontractors and managed service providers, and how to manage shared responsibility and contractual risk.


1. Why Supply Chain and Service Providers Matter for CMMC

CMMC compliance is not just about your own organization. If Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) touches a subcontractor, cloud provider, MSP/MSSP, or any external service, their security posture becomes part of your CMMC scope and risk.

Key current references (as of late 2025):

  • DFARS 252.204-7012 – Safeguarding CUI & cyber incident reporting (still the core clause).
  • DFARS 252.204-7019 / -7020 – NIST SP 800-171 DoD Assessment Methodology & DoD access to assessment results.
  • DFARS 252.204-7021 – CMMC 2.0 requirement (phased into solicitations and contracts after the final rule in 2024–2025).
  • CMMC 2.0 – Focused on NIST SP 800-171 for Level 2; primes must ensure flow-down of appropriate requirements.

Core idea:

> If your contract requires safeguarding CUI/FCI, you must ensure that anyone you share that data with (subcontractors, MSPs, MSSPs, cloud providers, SaaS vendors, etc.) is bound by equivalent or appropriate requirements, and that roles and responsibilities are clearly documented.

In this module you will:

  • Trace how CMMC/DFARS obligations flow down from primes to subs and service providers.
  • Analyze shared responsibility with MSPs/MSSPs and cloud providers.
  • Draft contract language that allocates risk, evidence obligations, and monitoring rights.

2. Flow-Down Basics: From DoD to Prime to Subcontractors

2.1 The contractual chain

  1. DoD → Prime contractor
     • DoD includes DFARS cyber clauses (e.g., 252.204-7012, -7019, -7020, -7021) in prime contracts.
     • The prime makes representations (e.g., SPRS score, CMMC level) and accepts obligations (e.g., incident reporting, forensic preservation, medium assurance identity).
  2. Prime → Subcontractors
     • When subs will process, store, or transmit CUI or FCI, the prime must flow down relevant clauses.
     • Flow-down is not optional; failure can be a material breach and trigger False Claims Act exposure.
  3. Subcontractors → Lower-tier subs / service providers
     • The same logic applies: any lower-tier entity handling CUI/FCI must receive appropriate clauses.

2.2 What must be flowed down?

Not every DFARS clause must be flowed down to every sub. The general rule:

  • If the subcontractor will handle CUI:
    • Flow down DFARS 252.204-7012 at a minimum.
    • Flow down 252.204-7021 when the prime contract requires a given CMMC level and the sub must meet that level.
    • Ensure NIST SP 800-171 implementation (for CUI) and the corresponding CMMC level.
  • If the subcontractor will handle only FCI (no CUI):
    • Ensure they meet CMMC Level 1 equivalent safeguards (FAR 52.204-21 baseline), plus any additional requirements in the prime contract.

2.3 Edge case: No direct CUI access

A sub may claim: “We never see CUI, we just provide tooling or infrastructure.”

You must still analyze:

  • Do they have logical access (e.g., admin rights, hypervisor access, backups)?
  • Could they indirectly access CUI in logs, memory, or support sessions?

If yes, they are in scope for at least some CMMC/DFARS obligations, even if they never read CUI in a business sense.

3. Flow-Down Thought Exercise: Who Needs What?

Consider a prime contract that clearly involves CUI and requires CMMC Level 2.

You work for the prime. Identify which entities clearly need flowed-down cyber clauses and which might be arguable edge cases.

Entities in your ecosystem:

  1. A machining subcontractor that manufactures a component using CUI-labeled technical drawings you send them.
  2. A translation subcontractor that only sees redacted versions of documents (no CUI labels; sensitive details removed).
  3. A cloud-based ticketing system (SaaS) your internal IT team uses to track user support requests. Users sometimes paste screenshots of CUI documents into tickets.
  4. A janitorial service that cleans your offices at night with no logical access to systems.
  5. An MSSP that manages your SIEM and EDR tools and has admin access to your security stack.

Your task:

For each entity, write down (on paper or mentally):

  • Whether they are in scope for CMMC/DFARS flow-down.
  • A short reason why.

Then compare to this reasoning:

  • (1) Machining sub – Definitely in scope: direct CUI access → must receive 7012 + CMMC Level 2 requirements.
  • (2) Translation sub – Depends: if truly no CUI (verified via data classification and redaction process), may be out of scope for CUI requirements but might still need basic FCI protections.
  • (3) Ticketing SaaS – In scope: screenshots containing CUI → data residency, FedRAMP/FedRAMP-equivalent, and CUI handling must be addressed.
  • (4) Janitorial – Normally out of cyber scope: physical access risk is handled via physical security controls, but CMMC/DFARS cyber clauses are not typically flowed down.
  • (5) MSSP – In scope: powerful logical access to CUI systems; must be contractually bound and assessed for CMMC alignment.

Reflect: Which ones were less obvious to you, and why?

4. Working with MSPs/MSSPs: Shared Responsibility Models

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are force multipliers but also risk multipliers.

4.1 Key questions under CMMC 2.0

When you outsource IT or security functions, you must answer:

  1. Who owns which controls?
     Map each relevant NIST SP 800-171 control (and CMMC practice) to:
     • You (the OSC) – e.g., policy ownership, user training, physical security.
     • The MSP/MSSP – e.g., patching, log collection, EDR management.
     • Shared – e.g., incident response (you own business continuity, they own tooling and triage).
  2. Can the MSP/MSSP demonstrate compliance?
     • Have they undergone a CMMC assessment or at least a NIST SP 800-171 self-assessment?
     • Do they have FedRAMP Moderate/High or equivalent for relevant cloud services (if they host or process CUI)?
     • Do they maintain independent audits (e.g., SOC 2 Type II) relevant to your scope?
  3. How is evidence produced?
     • Can they provide logs, configuration baselines, and reports on demand for your CMMC assessment?
     • Are they willing to allow your C3PAO or DoD assessors view-only access to necessary evidence?

4.2 Edge case: MSP not CMMC-certified

As of late 2025, many MSPs/MSSPs still do not hold formal CMMC certification, but may:

  • Implement NIST SP 800-171 controls internally.
  • Support multiple defense industrial base (DIB) clients.

You must then:

  • Perform due diligence (detailed security questionnaire, technical review).
  • Use contract language to bind them to NIST SP 800-171-equivalent safeguards.
  • Be prepared to justify to an assessor why this arrangement is acceptable and how you monitor it.

5. Example: Shared Responsibility Matrix for an MSP

Below is a text-based shared responsibility matrix for a small manufacturer (OSC) using an MSP for CMMC Level 2.

| Control Area (NIST 800-171) | Example Control | OSC (You) | MSP | Notes |
|-----------------------------|-----------------|-----------|-----|-------|
| Access Control | AC.1.001 – Limit system access to authorized users | Joint | Joint | You approve users and roles; MSP configures AD, MFA, and access policies. |
| Identification & Authentication | IA.2.078 – Enforce MFA for network access | MSP | MSP | MSP manages IdP and MFA enforcement; you ensure all users are enrolled and use MFA. |
| Audit & Accountability | AU.2.041 – Ensure audit records are reviewed | Joint | MSP | MSP runs SIEM and alerts; you review escalations and take management action. |
| Configuration Management | CM.2.061 – Establish baseline configurations | Joint | MSP | MSP maintains baselines in tooling; you approve standards and exceptions. |
| Incident Response | IR.2.093 – Detect and report events | MSP | MSP | MSP provides 24/7 monitoring and triage; you handle business impact and reporting to DoD. |
| Media Protection | MP.1.118 – Sanitize media before disposal | OSC | – | You own physical media handling and destruction processes. |
| Personnel Security | PS.2.128 – Screen individuals prior to access | OSC | – | You handle HR screening and onboarding. |

Takeaway:

  • A matrix like this becomes evidence for CMMC assessors.
  • It also drives contract clauses: each line implies obligations, SLAs, and reporting requirements.

6. Cloud & FedRAMP: When and How It Matters

6.1 FedRAMP and CUI

For DoD workloads involving CUI:

  • DoD and other federal guidance strongly favor using FedRAMP Moderate or High authorized cloud services for storing/processing CUI.
  • Some DoD components explicitly require DoD IL4/IL5 capabilities for certain data types (beyond classic CUI).

In practice for CMMC Level 2:

  • If your cloud provider is FedRAMP Moderate (or equivalent) and your system boundary is well-defined, this is a strong positive during assessment.
  • If the provider is not FedRAMP authorized, you must show that:
    • The provider implements controls substantially equivalent to NIST SP 800-171.
    • You have contractual and technical assurance (e.g., U.S. data residency, U.S.-citizen-only support staff, encryption with customer-managed keys, etc.).

6.2 Shared responsibility in the cloud

Cloud providers often publish Shared Responsibility Models:

  • They secure the cloud infrastructure (hypervisors, physical data centers, core networking).
  • You (and your MSP/MSSP) secure what is in the cloud (OS hardening, IAM, logging, app security).

For CMMC:

  • You must map each relevant NIST SP 800-171 control to:
    • Cloud provider (backed by FedRAMP package / security documentation).
    • You/your MSP.
  • You must maintain documentation showing how you rely on the provider’s controls (e.g., FedRAMP System Security Plan, customer responsibility matrix).

6.3 Edge case: SaaS with mixed data

If you use a general-purpose SaaS (e.g., collaboration tools) and some CUI might end up there:

  • Either formally include it in your CUI environment and treat it accordingly (including FedRAMP-equivalent expectation),
  • Or implement technical and procedural controls to prevent CUI from entering (DLP rules, user training, labeling) and be prepared to prove that to assessors.

7. Drafting Contract Expectations: Mini-Workshop

You are negotiating with a new MSSP that will monitor your CUI environment and support your CMMC Level 2 obligations.

Task: Draft 3–5 bullet points you would insist on including in the MSSP’s contract, focusing on:

  • CMMC/NIST 800-171 alignment
  • Evidence and audit support
  • Incident reporting and cooperation
  • Subcontracting restrictions

Write your bullets first, then compare to the sample below.

---

Sample bullets (for comparison):

  • MSSP shall implement and maintain security controls equivalent to NIST SP 800-171 for all systems used to provide services related to the Client’s CUI environment.
  • MSSP shall provide timely access to logs, configurations, and security reports necessary for the Client’s CMMC assessments, including cooperation with DoD-authorized assessors and C3PAOs.
  • MSSP shall notify the Client of any suspected or confirmed cyber incident affecting the Client’s environment within X hours and shall support the Client’s DFARS 252.204-7012 incident reporting and forensic preservation obligations.
  • MSSP may not subcontract any portion of the services involving access to CUI without the Client’s prior written consent and must flow down equivalent security and reporting requirements to any approved subcontractors.
  • Upon termination of the agreement, MSSP shall securely delete or return all Client data (including logs and backups) and certify completion of this process in writing.

Reflect: Which of your bullets covered similar ground? Which areas did you miss (if any)?

8. Sample Flow-Down Clause Language (for Study Only)

Below is illustrative pseudo-contract language you can study and adapt in a legal drafting exercise (in practice, always involve a contracts attorney).

9. Check Understanding: Flow-Down and Service Providers

Answer this question to test your understanding of flow-down and shared responsibility.

Which of the following statements is MOST accurate under current CMMC 2.0 and DFARS practice?

  1. If a subcontractor never directly reads CUI for business purposes, they are automatically out of scope for CMMC and DFARS cyber clauses.
  2. Using a FedRAMP Moderate cloud service automatically makes the OSC compliant with all NIST SP 800-171 controls for CUI stored in that cloud.
  3. Primes must ensure that any subcontractor or service provider with logical access to CUI systems is bound by appropriate DFARS/CMMC requirements, and shared responsibilities must be clearly documented.
  4. MSSPs are exempt from CMMC-related obligations because they are security specialists and not part of the defense industrial base.

Answer: C) Primes must ensure that any subcontractor or service provider with logical access to CUI systems is bound by appropriate DFARS/CMMC requirements, and shared responsibilities must be clearly documented.

Option 3 is correct: primes (and higher-tier subs) must flow down appropriate DFARS/CMMC requirements to any entity with logical access to CUI systems and document shared responsibilities. Option 1 is wrong because indirect or administrative access still creates scope. Option 2 is wrong because FedRAMP helps but does not cover all customer responsibilities. Option 4 is wrong because MSSPs with access to CUI environments are part of the supply chain and must meet equivalent safeguards.

10. Review Terms

Flip the cards (mentally) to review key terms from this module.

Flow-down
The contractual process by which a prime contractor passes applicable clauses and requirements (e.g., DFARS 252.204-7012, CMMC level obligations) to subcontractors and lower-tier suppliers that handle FCI or CUI.
Managed Service Provider (MSP)
A third-party company that remotely manages a customer’s IT infrastructure and end-user systems, often responsible for day-to-day operations such as patching, backups, and user support.
Managed Security Service Provider (MSSP)
A specialized service provider that delivers outsourced monitoring and management of security devices and systems (e.g., SIEM, EDR, IDS/IPS), often with 24/7 threat detection and incident response capabilities.
Shared Responsibility Model
A documented allocation of which security controls are implemented and operated by the customer, by the service provider (MSP/MSSP/cloud), or jointly, often used for cloud and managed services.
FedRAMP
The Federal Risk and Authorization Management Program, a U.S. government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP Moderate/High authorizations are often used as evidence of strong controls for CUI-relevant services.
Lower-tier subcontractor
A subcontractor hired by another subcontractor (not the prime) that may still handle FCI or CUI and therefore may require flow-down of DFARS and CMMC-related clauses.

Key Terms

CUI
Controlled Unclassified Information – information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified.
FCI
Federal Contract Information – information provided by or generated for the government under a contract to develop or deliver a product or service to the government, not intended for public release.
MSP
Managed Service Provider – a company that manages a customer’s IT infrastructure and services under a subscription or contract model.
MSSP
Managed Security Service Provider – a company that provides outsourced security services, such as monitoring, detection, and response.
SPRS
Supplier Performance Risk System – the DoD system where contractors submit and maintain their NIST SP 800-171 assessment scores and related information.
FedRAMP
Federal Risk and Authorization Management Program – a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by U.S. federal agencies.
CMMC 2.0
The current version of the Cybersecurity Maturity Model Certification program, aligning closely with NIST SP 800-171 for Level 2 and focusing on verifying implementation of cybersecurity practices in the defense industrial base.
Flow-down
The process of incorporating prime contract clauses and requirements into subcontracts for entities that will handle FCI or CUI or otherwise fall within the security scope.
DFARS 252.204-7012
A Defense Federal Acquisition Regulation Supplement clause requiring adequate security for covered defense information and reporting of cyber incidents, central to safeguarding CUI in DoD contracts.
Shared Responsibility Model
A framework that defines which security controls are the responsibility of the cloud/service provider, which are the customer's, and which are shared.