Flowing Down CMMC And CRA Clauses To Vendors

CMMC 2.0 and the EU Cyber Resilience Act both require security obligations to flow down through your supply chain. Here is how to write the clauses and how to verify that the flow-down actually happened.

Shadab Khan
Security Engineer
7 min read

Two regulatory frameworks have permanently changed how security obligations move through supply chains. CMMC 2.0, the Department of Defense's Cybersecurity Maturity Model Certification, requires defense contractors and their subcontractors to meet specific cybersecurity practices. The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024; its vulnerability reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027. It requires manufacturers of products with digital elements to manage vulnerabilities throughout the product's support period and to exercise due diligence over the components they integrate. Both frameworks have flow-down requirements: the obligations do not stop with the prime contractor or the manufacturer. They flow down through every layer of the supply chain.

This is a significant operational change. Pre-CMMC and pre-CRA, security obligations were a contract negotiation between you and your vendor. The vendor's vendors were the vendor's problem. Post-CMMC and post-CRA, your contracts must require your vendors to flow down equivalent obligations to their vendors, and you have to be able to verify that the flow-down happened. Failure to flow down is failure to comply, regardless of whether the breach happened in your direct relationship or three tiers down.

What CMMC Actually Requires

CMMC 2.0 has three levels. Level 1 applies to contractors handling Federal Contract Information (FCI) and requires basic cyber hygiene: the 15 basic safeguarding requirements of FAR 52.204-21, which overlap with the basics of NIST SP 800-171. Level 2 applies to contractors handling Controlled Unclassified Information (CUI) and requires the full 110 requirements of NIST SP 800-171. Level 3 applies to high-priority programs and adds selected enhanced requirements from NIST SP 800-172 on top of Level 2.

The flow-down rule lives in two DFARS clauses. DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting) requires the contractor, in paragraph (m), to include the clause in any subcontract that involves covered defense information or operationally critical support. DFARS 252.204-7021, the CMMC clause, requires the contractor to flow its substance down to any subcontractor that will process, store, or transmit FCI or CUI, and to confirm that the subcontractor holds the CMMC status appropriate to that data before award. Both are recursive: the subcontractor's subcontractor's contract must also contain the clause if the data flows that far. The prime is responsible for ensuring the chain is intact.

In practice, the flow-down means three things in your vendor contracts. First, the vendor must agree to comply with NIST SP 800-171 (or the applicable CMMC level) for any system that processes, stores, or transmits CUI. Second, the vendor must flow the same requirement down to their own subcontractors. Third, the vendor must report cyber incidents to DoD within 72 hours of discovery through the DIBNet portal, which requires a DoD-approved medium assurance certificate that should be obtained before an incident, not during one. A subcontractor must also pass the DoD-assigned incident report number up to the prime (or next higher-tier subcontractor) as soon as practicable, so your clause should say so explicitly.

What The CRA Actually Requires

The CRA's flow-down model is structured differently. It is a manufacturer-centric regime. If you place a product with digital elements on the EU market, you are the manufacturer for CRA purposes, and you are responsible for the cybersecurity of the entire product, including components you did not write. Article 13 sets out the manufacturer's obligations: perform and document a cybersecurity risk assessment, meet the security-by-design requirements of Annex I Part I, exercise due diligence over components sourced from third parties (including open source), and run the vulnerability handling process of Annex I Part II throughout the support period. Annex I Part II also requires you to identify and document the vulnerabilities and components in the product, including an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies.

The component identification requirement is what makes the SBOM not optional. You cannot perform a cybersecurity risk assessment of components you have not enumerated, and you cannot maintain a vulnerability handling process for components whose existence you have not catalogued. The SBOM is the primary artifact that demonstrates compliance with the component-level obligations. Note that the regulation's minimum is top-level dependencies; if you want visibility into the rest of the chain, you have to ask your suppliers for more depth than the CRA strictly requires.

The flow-down to component suppliers is indirect but real. Article 13 requires you to exercise due diligence over third-party components so that they do not compromise the product's security, and to report vulnerabilities you find in a component to whoever maintains it. To meet those obligations you have to be able to receive vulnerability disclosures from your component suppliers in a timely manner, verify that components you ship are free of known exploitable vulnerabilities at ship time, and issue updates that address component vulnerabilities throughout the support period. Each of those requires a contractual relationship with the component supplier that obligates them to support your compliance.

The Clauses That Work

A flow-down clause has four pieces that have to be present to be useful.

The substantive obligation. The vendor must comply with the named framework (CMMC level X, CRA component manufacturer obligations, or equivalent). The clause should specify which scope: all systems, only systems handling specific data types, or only specific products.

The flow-down requirement. The vendor must include equivalent obligations in their contracts with their own vendors and subcontractors who would have access to the regulated data or whose components are part of the regulated product. The clause should be explicit that this is a binding requirement, not best effort.

The evidence and audit clause. The vendor must, on request, provide evidence of compliance (their own compliance and the flow-down to their vendors) within a specified timeframe (typically 30 to 60 days). Evidence may include attestations, certifications (CMMC certification, CRA conformity assessment), SBOMs, and audit reports. You should reserve a right to audit, exercised reasonably, with cost allocation specified.

The remediation and termination clause. This states what happens if the vendor fails to comply or fails to flow down. Typically there is a cure period (30 to 90 days) followed by termination rights and indemnification for losses caused by the failure. This is the clause that gives the obligation teeth.

Verifying The Flow-Down

A clause that requires flow-down does not produce flow-down automatically. Vendors will often sign the clause and then not implement it because nobody asks. Verification is what closes the loop.

The verification mechanisms that work in practice are tiered. For tier zero and tier one vendors, you should require annual attestations that include the names of the vendor's subcontractors who handle the regulated data or whose components are in the regulated product, with evidence that those subcontractors have been brought under equivalent obligations. For tier two and below, an annual self-attestation with spot audits is usually sufficient.

The verification work is heavy if it is manual. SBOM ingest changes the economics. When you have the vendor's SBOM, you can see their components directly. You can identify which components are third-party software, and whose, which means you can identify which fourth parties exist in the chain and whether the vendor's attestation names them. The SBOM does not by itself prove flow-down compliance, but it gives you the map of the chain that the flow-down is supposed to cover. Without the map, you are auditing in the dark.

How Safeguard's TPRM Module Supports This

Safeguard's TPRM module includes a regulatory mapping layer. When you onboard a vendor, you tag the relationship with applicable frameworks (CMMC level, CRA scope, NIS2, FedRAMP, or others). The module surfaces the flow-down evidence requirements for each framework and tracks them against the vendor's submitted artifacts.

The SBOM ingest feeds into this directly. For CRA scope vendors, the module compares the submitted SBOM against the vendor's last SBOM and flags new components, retired components, and version changes. New components trigger a flow-down audit prompt: who is the new component's supplier, are they covered by your flow-down clause, and has the vendor confirmed the equivalent obligations. This catches the most common failure mode of flow-down compliance, which is that the vendor adds a new component without updating their compliance posture or notifying you.
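The two SBOM-driven checks described above, the map of fourth parties in the chain and the diff that turns a newly added component into a flow-down audit prompt, can be reduced to a small amount of code. The following is an added example written for this article, not Safeguard's own implementation. The two SBOM documents are constructed minimal CycloneDX 1.5 JSON for a hypothetical vendor "Acme Devices", and the set of suppliers the vendor has attested as covered by its flow-down clause is likewise hypothetical.

```python
"""Diff two SBOM snapshots from the same vendor and raise flow-down audit prompts.

Added example, not Safeguard code. SBOMs below are constructed minimal
CycloneDX 1.5 JSON; the covered-supplier set is a hypothetical attestation.
"""
import json
from dataclasses import dataclass, field

UNKNOWN_SUPPLIER = "<unknown>"

# Constructed sample: last quarter's SBOM for the product "gateway-fw".
PREVIOUS_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "gateway-fw", "version": "2.3.0",
                               "supplier": {"name": "Acme Devices"}}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "1.3",
         "purl": "pkg:generic/zlib@1.3", "supplier": {"name": "zlib"}},
        {"type": "library", "name": "acme-crypto", "version": "1.4.2",
         "purl": "pkg:generic/acme-crypto@1.4.2", "supplier": {"name": "Acme Devices"}},
    ],
})

# Constructed sample: this quarter's SBOM. openssl bumped, zlib dropped,
# two new components, one of them with no supplier declared at all.
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "gateway-fw", "version": "2.4.0",
                               "supplier": {"name": "Acme Devices"}}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.15",
         "purl": "pkg:generic/openssl@3.0.15", "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "acme-crypto", "version": "1.4.2",
         "purl": "pkg:generic/acme-crypto@1.4.2", "supplier": {"name": "Acme Devices"}},
        {"type": "library", "name": "mqtt-lite", "version": "0.9.1",
         "purl": "pkg:generic/mqtt-lite@0.9.1", "supplier": {"name": "Northwind Embedded"}},
        {"type": "library", "name": "libcoap", "version": "4.3.4",
         "purl": "pkg:generic/libcoap@4.3.4"},
    ],
})

# Hypothetical: suppliers the vendor's last annual attestation named as
# bound by equivalent obligations.
ATTESTED_SUPPLIERS = {"OpenSSL Project", "zlib"}


def component_key(component: dict) -> str:
    """Stable identity across SBOM versions: purl without its version, else the name."""
    purl = component.get("purl")
    return purl.split("@", 1)[0] if purl else component["name"]


def supplier_of(component: dict) -> str:
    return (component.get("supplier") or {}).get("name") or UNKNOWN_SUPPLIER


def load_components(sbom_json: str) -> dict:
    comps = {}
    for c in json.loads(sbom_json).get("components", []):
        key = component_key(c)
        if key in comps:  # two entries for one package means the SBOM is not trustworthy
            raise ValueError(f"duplicate component in SBOM: {key}")
        comps[key] = c
    return comps


def vendor_name(sbom_json: str) -> str:
    return supplier_of(json.loads(sbom_json).get("metadata", {}).get("component", {}))


@dataclass
class SbomDiff:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: list = field(default_factory=list)  # (key, old_version, new_version)


def diff_sboms(prev_json: str, cur_json: str) -> SbomDiff:
    """New, retired and version-changed components between two snapshots."""
    prev, cur = load_components(prev_json), load_components(cur_json)
    d = SbomDiff()
    for key in sorted(set(prev) | set(cur)):
        if key not in prev:
            d.added.append(key)
        elif key not in cur:
            d.removed.append(key)
        elif prev[key].get("version") != cur[key].get("version"):
            d.changed.append((key, prev[key].get("version"), cur[key].get("version")))
    return d


def fourth_parties(sbom_json: str) -> set:
    """Every supplier other than the vendor itself: the tier the flow-down must reach."""
    return {supplier_of(c) for c in load_components(sbom_json).values()} - {vendor_name(sbom_json)}


def flow_down_prompts(prev_json: str, cur_json: str, attested: set) -> list:
    """One audit prompt per newly added third-party component whose supplier is
    not in the vendor's attestation (or is not declared at all)."""
    cur, vendor, prompts = load_components(cur_json), vendor_name(cur_json), []
    for key in diff_sboms(prev_json, cur_json).added:
        supplier = supplier_of(cur[key])
        if supplier == vendor:
            continue  # vendor's own code is covered by the direct clause
        if supplier == UNKNOWN_SUPPLIER:
            reason = "supplier not declared in SBOM"
        elif supplier not in attested:
            reason = "supplier not named in vendor's flow-down attestation"
        else:
            continue
        prompts.append({"component": key, "version": cur[key].get("version"),
                        "supplier": supplier, "reason": reason})
    return prompts


if __name__ == "__main__":
    print(diff_sboms(PREVIOUS_SBOM, CURRENT_SBOM))
    print("fourth parties:", sorted(fourth_parties(CURRENT_SBOM)))
    for p in flow_down_prompts(PREVIOUS_SBOM, CURRENT_SBOM, ATTESTED_SUPPLIERS):
        print("AUDIT:", p)
```

Run as-is, the diff reports openssl as changed, zlib as retired, and mqtt-lite and libcoap as new; only the two new components produce prompts, one because Northwind Embedded is absent from the attestation and one because libcoap carries no supplier at all. Matching on the purl with the version stripped rather than on the display name is deliberate: vendors rename components in SBOMs far more often than they change purls, and a name-based diff would report a rename as a retirement plus a new component and trigger a spurious audit.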

For CMMC scope vendors, the module tracks the C3PAO assessment status, the certification expiration date, and the scope of certified systems. A CMMC certification is valid for three years, but the contractor must also affirm continuing compliance annually, so both dates are worth tracking. When a certification is approaching expiration, the module alerts the responsible reviewer 90 days in advance, which is enough lead time to require renewal evidence before the gap opens.

The Practical Reality

Flow-down compliance is a long game. The clauses go into new contracts now and into existing contracts at renewal. Verification matures over years as the program gets better at running attestation cycles and SBOM comparisons. The vendors who are best at this will tell you their compliance story without prompting; they have invested in the program and want you to know it. The vendors who are worst at this will avoid the topic, miss attestation deadlines, and answer audit questions with attorneys.

Pay attention to which vendors fall into which category. The ones who avoid the topic are not just bad at compliance. They are signaling that their flow-down chain is not under control, which means the regulated data flowing through them is not protected at the levels your contract requires. The signal is reliable. Use it.
