FCA exposure alert: Removing CUI markings from a data package does not eliminate CMMC obligations — it eliminates documentation and creates unauthorized disclosure. Prime contractors attempting this approach are compounding their liability, not reducing it.

Pacific CMMC Intelligence | Issue 004 | June 2026

YOU CANNOT STRIP YOUR WAY OUT OF CMMC.

Some prime contractors believe they can remove CUI markings from data packages — or pass work to subcontractors as "FCI only" — to avoid flowing CMMC Level 2 requirements downstream. The regulations say otherwise. Primes are not data owners. They are authorized holders. Only the originating government agency can decontrol the information. Attempting to sanitize data creates unauthorized disclosure, derivative CUI violations, and the exact FCA exposure primes were trying to avoid.

🔴 FCA Exposure · CUI Flow-Down · DFARS 252.204-7021 · Prime Liability · Supply Chain

Executive Summary

CMMC compliance obligations in the defense supply chain are driven by contractual flow-down clauses, not by what data format a subcontractor receives on a given day. A prime contractor cannot eliminate a sub's compliance requirements by stripping markings, editing documents, or extracting components from a larger data package. The government — specifically the originating program office or command — is the only entity legally authorized to decontrol CUI. When a prime strips markings on their own authority, they are not reducing the sub's exposure. They are distributing unmarked CUI in violation of DFARS 252.204-7012 and creating a false representation in their supply chain compliance record.

This brief explains why the "data stripping" workaround fails under the regulatory framework, what primes are actually responsible for when a sub is not in compliance, and what a sound supply chain program looks like when the goal is contract protection rather than liability transfer.

THE WORKAROUND THAT ISN'T: WHY DATA STRIPPING FAILS

The appeal of the data-stripping approach is logical on its surface: if the sub never receives CUI, then CUI-level requirements don't apply, and the prime avoids the friction of flowing down a Level 2 obligation. The problem is that this reasoning misunderstands two foundational points — what generates the compliance obligation, and who has authority over the data.

The obligation comes from the contract clause, not the data format. CMMC requirements are embedded in the prime contract through DFARS 252.204-7021. That clause requires the prime to flow down the appropriate CMMC level to subcontractors based on the nature of the work, not based on what documents were included in a particular task order package. The prime's contractual obligation to manage sub compliance exists independent of any individual data exchange.

FCI cannot be stripped out. Even when a prime successfully removes CUI — classified technical drawings, engineering specifications, program-sensitive data — the subcontract relationship itself generates Federal Contract Information. The purchase order is FCI. The project schedule is FCI. The email chain about delivery requirements is FCI. Under 48 CFR 52.204-21, any non-public information provided by or generated for the government under a contract to develop or deliver a product or service is FCI. A sub performing work under a defense subcontract is, by definition, handling FCI. That triggers Level 1 at minimum — with no workaround available.

⚠ What is FCI — and why it always flows down

Federal Contract Information (FCI) is defined under 48 CFR 52.204-21 as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Every subcontractor performing on a defense contract generates FCI — through the subcontract itself, through project communications, through scheduling and delivery coordination. The only exception is a subcontractor supplying strictly Commercial Off-the-Shelf (COTS) items with no custom modification or contract-specific configuration. If the sub is custom-manufacturing, modifying specifications, or coordinating project performance, they are not COTS and Level 1 applies.

15 | FAR 52.204-21 practices every FCI-handling sub must implement, with no exceptions
0 | Decontrol authority held by a prime contractor; only the originating government agency can decontrol CUI
Treble | Damages under the FCA for each false certification of supply chain compliance

PRIMES ARE AUTHORIZED HOLDERS — NOT DATA OWNERS

This is the legal distinction that makes the data-stripping approach not just ineffective, but a compliance violation in its own right. Under 32 CFR Part 2002 and DoDI 5200.48, defense contractors who receive CUI are designated as authorized holders. The designation is precise in what it allows and what it prohibits.

An authorized holder is legally permitted to safeguard the information according to the contract's parameters and to disseminate it to further the government mission — for example, sharing it with a sub whose work requires it. What an authorized holder cannot do is decontrol the information. They do not own it. They did not create the sensitivity designation. They cannot determine that it no longer requires protection. That authority belongs exclusively to the originating government agency — the DoD program office, command, or federal agency that first designated the information as sensitive and would be listed in the applicable Security Classification Guide or program designation record.

The risk to the prime is not abstract. When a contracting officer audit or DoJ investigation traces a compliance failure back through the supply chain, the question they are asking is not whether the prime removed the CUI header from a PDF. The question is whether the prime fulfilled their contractual obligation to manage their sub's access to sensitive information responsibly. A prime who stripped markings and passed data to a non-compliant sub, while affirming in SPRS that their supply chain compliance program is current, has created a documented false certification on their government contract.

The chain of decontrol authority

Decontrolling CUI requires a documented decision by the government — typically referencing a Security Classification Guide (SCG), a formal program office instruction, or an authorized decontrol determination. This process is deliberate: the DoD marks information CUI because of its sensitivity in context, including compilation risk, where individual pieces of data may appear harmless but together reveal a critical capability or vulnerability. A prime contractor cannot replicate this analysis. Attempting to do so bypasses the government's risk assessment and breaks the legal chain of custody that the compliance framework is designed to maintain.


WHAT LEVEL APPLIES — AND WHAT TRIGGERS EACH SCENARIO

The compliance level required for a subcontractor is determined by the nature of the information they access and the work they perform — not by what the prime chose to include in a particular package. The following scenarios cover the full range of sub relationships on a defense contract.

| Sub receives / performs | Information type | Required level | Prime obligation |
|---|---|---|---|
| Standard catalog items — no customization, no contract-specific configuration | None — purely commercial transaction | COTS Exempt | Confirm sub qualifies as COTS. No flow-down required. Document the determination. |
| Subcontract work on a DoD project — receives POs, schedules, project communications, attends job site meetings | FCI — Federal Contract Information generated by the subcontract relationship itself | Level 1 Required | Flow down FAR 52.204-21. Verify SPRS score. Collect documentation. Re-verify annually. |
| Receives technical data packages, engineering drawings, specifications, program-sensitive design data | CUI — Controlled Unclassified Information | Level 2 Required | Flow down DFARS 252.204-7021. Verify C3PAO assessment or valid self-assessment. Prime cannot reduce this obligation by modifying data packages. |
| Receives "stripped" data — markings removed by prime, instructions derived from CUI source material | Derivative CUI — inherits sensitivity from source regardless of marking | Level 2 Required | Prime has distributed unmarked CUI — DFARS 252.204-7012 violation. Compliance obligation unchanged. Prime has added a separate exposure. |

The matrix clarifies the only genuine path to reducing a sub's compliance level: confirming that the sub's work qualifies as COTS and documenting that determination in the contract file. Everything else — custom work, project performance, contract-specific coordination — triggers at minimum a Level 1 obligation, with Level 2 required wherever the work involves CUI access regardless of what the prime does to the documents before transmittal.


WHEN A SUB ISN'T COMPLIANT, IT IS THE PRIME'S PROBLEM

The government does not have a direct contractual relationship with subcontractors. It has a contract with the prime. This means that the prime — not the sub — is the entity responsible for supply chain compliance posture in the government's view. A non-compliant sub is not the sub's problem to solve after the fact. It is the prime's documented gap at the moment of award.

The flow-down mechanism reflects this. DFARS 252.204-7021 does not create a parallel obligation for subs to self-police — it creates an obligation for primes to verify. When a prime awards work to a sub without confirming a current SPRS score, they have violated their own prime contract before the sub has performed a single task. The subsequent work may generate invoices. Those invoices may carry implicit certifications that the supply chain compliance posture is current. If the posture was never established, those certifications are false.

⚠ Three-tier liability cascade

Operational consequences: A non-compliant sub discovered during performance can trigger stop-work orders on the affected portion of the contract. If the sub is a critical path vendor, the disruption extends across the entire program. Progress payments may be withheld until the compliance gap is remediated. In severe cases, the government can terminate the prime contract for default — which carries both immediate financial loss and a past-performance record that follows the prime into future competitions.

FCA consequences: If the prime's authorized company official signed an annual executive affirmation in SPRS certifying that the company is properly managing and flowing down CMMC requirements — while knowing or recklessly disregarding that a sub is non-compliant — that affirmation is a false statement. Every invoice submitted while the sub was performing non-compliantly becomes a potentially false claim. Under the FCA, the exposure is treble damages plus per-claim penalties for each invoice in the period.

Breach liability: If a non-compliant sub experiences a cyber incident and defense data is exfiltrated, the government traces the chain of custody. A prime who failed to verify the sub's compliance posture, or who stripped CUI and transmitted it to a sub without appropriate controls, bears joint liability for the breach — absorbing investigative costs, remediation expenses, and potential debarment proceedings in addition to the FCA exposure.

The pattern that creates the most exposure is not deliberate fraud. It is a prime who assumed that because they have not been asked about sub compliance, the requirement is not being enforced — and who subsequently affirms compliance annually based on that assumption. The Civil Cyber-Fraud Initiative's enforcement record makes clear that this posture is no longer defensible. The question is not whether enforcement is active. It is whether the prime's documentation would hold up if it were.


WHAT A SOUND PRIME COMPLIANCE PROGRAM ACTUALLY REQUIRES

The prime's obligation is not to audit every sub or guarantee that every sub's self-assessment is perfect. It is to operate a documented, good-faith compliance program that establishes the sub's obligation, verifies their posture at award, collects supporting documentation, and re-verifies annually. A prime who does this has a credible FCA defense if a sub's compliance turns out to be imperfect. A prime who does not has no equivalent defense.

The Pacific trade sub context

The typical Level 1 sub on a NAVFAC Pacific or MILCON project — electrical, HVAC, mechanical, welding, roofing, fencing — is a 10-to-15-person operation with no dedicated IT staff and no prior experience with federal compliance documentation. They are not trying to circumvent the standard. They have never been given a plain-English explanation of what the standard requires or a structured tool for meeting it. The quality of what comes back to the prime depends entirely on what the prime sends out. A structured intake packet — self-assessment workbook, plain-English guide, confirmation form, and submission instructions — produces a documentable compliance record. An email asking the sub if they are "CMMC compliant" produces a yes or no with no underlying basis.


FIVE STEPS TO A DEFENSIBLE SUPPLY CHAIN — IN ORDER

PCC BUILDS THIS PROGRAM FOR YOU

Pacific Cyber Compliance gives prime contractors a ready-to-run sub compliance documentation program — structured intake packet, self-assessment workbook, confirmation form, sub compliance tracker, and annual re-verification workflow. Flat fee. Unlimited subs. Pacific-based. The file that constitutes your FCA defense, ready to distribute.