top of page

CMMC Flow Down Requirements Are About to Reshape the Defense Supply Chain

  • Jul 7
  • 6 min read

For years, much of the discussion surrounding Cybersecurity Maturity Model Certification (CMMC) has focused on assessment preparation, documentation, and implementing the technical safeguards required by NIST SP 800-171. Those remain essential components of compliance, but another challenge is quickly emerging that could have an even greater impact on the Defense Industrial Base. As CMMC requirements begin appearing in contracts, organizations will not only need to demonstrate their own compliance, they will also need to ensure the companies they do business with are equally prepared.


That was one of the central themes of a recent Bytes & Brew podcast hosted by Cape Endeavors CEO Terry McGraw featuring Steve Hicks, Senior Director of Government Accounts at Johnson Controls. Drawing from his experience overseeing one of the world's largest government contracting organizations, Hicks offered practical insight into how CMMC flow down requirements are likely to change federal procurement, why many contractors are underestimating the challenge, and what organizations should be doing now to prepare.


CMMC Flow Down Extends Beyond Prime Contractors


Many organizations still associate CMMC exclusively with Department of Defense prime contractors. In reality, the compliance obligations extend much further throughout the supply chain. Every organization that stores, processes, or transmits Controlled Unclassified Information (CUI) must meet the appropriate certification requirements, regardless of whether they are the prime contractor or a subcontractor.

Johnson Controls provides an interesting example of why this matters. Although it is one of the largest companies serving the federal government, the company often finds itself operating as a subcontractor because of federal small business set-aside programs. Hicks referred to this dynamic as "flow up," highlighting that compliance responsibilities move in both directions throughout the supply chain.


"We're a prime contractor in a lot of situations where we have to be concerned about our subs," Hicks explained. "But we're also a subcontractor to small businesses because of the way federal procurement works. We have to make sure they're qualified to pass that information to us, just as we have to make sure our subcontractors are qualified to receive it."


This distinction is significant because many contractors continue to view CMMC as a problem that belongs exclusively to large defense companies. In reality, organizations of every size may soon find themselves responsible for validating the cybersecurity posture of both upstream and downstream partners before CUI can be exchanged.


Enterprise Scale Does Not Eliminate the Challenge


Johnson Controls operates more than 140 offices and employs thousands of professionals supporting federal agencies through building automation, HVAC systems, physical security, fire protection, and other critical infrastructure solutions. Implementing CMMC across an organization of that scale presented an enormous challenge, particularly when determining where CUI actually existed throughout the enterprise. "We needed to reverse engineer the business basically to back into this thing in regards to where the CUI could live within the organization," Hicks said.


Rather than attempting to bring its entire global enterprise into CMMC scope, Johnson Controls adopted a secure enclave strategy. Hicks described the approach as both the least disruptive and the most cost-effective option available. By isolating the systems responsible for handling CUI, the company significantly reduced the complexity of implementation while limiting operational disruption to the broader business. The approach also reduced licensing costs, minimized changes to existing workflows, and allowed employees who never handled CUI to continue operating outside the assessment boundary.


For organizations evaluating their own CMMC strategy, Johnson Controls' experience reinforces an important lesson. Proper scoping is often the single most effective way to reduce both implementation costs and long-term compliance burden.


Accurate CUI Discovery Prevents Scope Creep


One of the most valuable lessons shared during the discussion centered on CUI discovery. Like many organizations beginning their CMMC journey, Johnson Controls initially believed it had substantially more CUI scattered throughout its environment than it actually did. Early discovery tools generated enormous numbers of false positives, creating the impression that millions of files required manual review.


"We'd have millions of documents," Hicks recalled. "What are we going to do with those millions of documents to verify? That's going to take a huge labor force."


The company ultimately adopted Teramis to improve the accuracy of its CUI discovery process. According to Hicks, increasing discovery accuracy to more than 99 percent transformed what had appeared to be an overwhelming challenge into a manageable process. More importantly, it fundamentally changed the organization's understanding of its assessment scope.


"I was pleasantly surprised that we didn't have as much as initially was estimated," Hicks said. "It's really a needle in the haystack compared to how many files this organization has."


That experience mirrors what many contractors discover after conducting a thorough CUI assessment. Organizations frequently assume CUI exists everywhere, causing them to overestimate the size of their assessment boundary and dramatically increase compliance costs. Accurate CUI discovery allows organizations to protect the information that actually requires safeguarding while avoiding unnecessary controls across systems that never belonged in scope.


Why CMMC Flow Down Could Delay Contract Awards


Perhaps the most important takeaway from the discussion involved the practical impact of CMMC flow down requirements on federal procurement. Hicks believes many contractors underestimate how agencies are likely to verify compliance once CMMC becomes part of the acquisition process.

Historically, agencies complete much of their due diligence after selecting an apparent awardee. Financial standing, tax compliance, and other eligibility requirements are verified before the contract is finalized. Hicks expects CMMC certification to become another critical checkpoint during that process.


"They're going to check that CMMC component," Hicks explained. "If the small business cannot deliver it, or the large business can't deliver it on their subs, now those awards are going to be canceled and reprocured."


If that prediction proves accurate, the consequences will extend far beyond individual contractors. Agencies may face delayed procurements, primes could lose contract awards because of unprepared subcontractors, and projects involving dozens of suppliers could experience significant schedule disruptions while replacement vendors are identified.


The challenge becomes even more apparent on large federal construction projects where dozens of subcontractors may participate. A single organization lacking the appropriate certification could delay an entire project if it cannot legally receive or handle CUI associated with designs, specifications, or construction documentation.


Small Businesses May Be the Most Vulnerable


Throughout the conversation, Hicks emphasized that many small businesses still believe CMMC either does not apply to them or will be delayed long enough that preparation can wait. Unfortunately, that assumption may leave many organizations unprepared once flow-down requirements begin appearing consistently in contracts.


"Usually they're not aware," Hicks said. "Or they've heard of it, but they don't think it applies to them."


Many of these businesses support agencies outside the Department of Defense and mistakenly assume they fall outside CMMC's reach. However, Hicks noted that he is already seeing broader adoption of CUI marking practices across multiple federal agencies. As more organizations begin handling CUI, flow-down obligations will naturally extend beyond traditional defense contractors and into much larger portions of the federal contracting ecosystem.


Organizations that prepare early are likely to gain a competitive advantage while others scramble to meet certification requirements. As Hicks observed, certification has the potential to become a meaningful differentiator when contractors evaluate prospective teaming partners and subcontractors.


The Growing Cost of Over-Marking CUI


Another issue receiving increasing attention is the tendency for government agencies to broadly mark documents and emails as CUI, even when the information itself may not warrant that designation. Hicks described situations where routine email correspondence, including signature blocks, arrived marked as CUI.


While contractors have little choice but to treat marked information accordingly, widespread over-marking creates significant operational consequences. Every document designated as CUI must be stored, transmitted, and processed within compliant environments, increasing storage requirements, administrative overhead, and licensing costs. Those expenses may represent only a modest operational cost for very large organizations, but they can become a substantial financial burden for small businesses with limited resources.


As Terry McGraw observed during the discussion, if everything becomes CUI, the distinction between sensitive information and routine business communications begins to lose its value. Addressing over-marking will require greater consistency across federal agencies so contractors can focus compliance efforts where they provide the greatest security benefit.


Preparing for CMMC Flow Down Starts Today


As organizations continue preparing for CMMC Level 2, it is becoming increasingly clear that compliance is no longer solely an internal cybersecurity initiative. It is rapidly becoming a supply chain management issue that will influence vendor selection, contract awards, project scheduling, and long-term business relationships throughout the Defense Industrial Base.


Hicks closed the discussion with advice that applies equally to organizations of every size.

"Start early and get this handled."


Even companies that complete implementation must still schedule assessments with authorized C3PAOs, and assessor availability will become increasingly constrained as demand grows. Waiting until CMMC appears in a solicitation may leave organizations competing for limited assessment resources while simultaneously trying to implement technical controls and complete required documentation.


The companies that succeed under CMMC flow-down requirements will not necessarily be the largest organizations or those with the biggest cybersecurity budgets. They will be the organizations that understand where their CUI resides, accurately define their assessment scope, prepare their supply chains, and begin the certification process before compliance becomes a condition of contract award.


Contact Us to learn how Cape Endeavors can help you comply with CMMC Flow-Down Requirements.

Recent Posts

See All
bottom of page