SR-3(3): Sub-tier Flow Down
To meet the SR-3(3) Sub-tier Flow Down requirement, you must ensure that every security and supply chain control you place in a prime contractor’s contract is also included, unchanged and enforceable, in that prime’s subcontractor contracts for the applicable scope. Operationalize this by standardizing flow-down clauses, tying them to procurement gates, and retaining signed contract evidence and subcontractor compliance artifacts. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Key takeaways:
- Flow-down is a contracting control: if it is not in subcontracts, it is not flowed down. (NIST SP 800-53 Rev. 5 OSCAL JSON)
- Scope matters: flow down the controls that apply to the work, data, and system boundary the subcontractor touches. (NIST SP 800-53 Rev. 5)
- Audit readiness depends on traceability from prime contract controls → subcontract clauses → subcontractor evidence. (NIST SP 800-53 Rev. 5 OSCAL JSON)
SR-3(3) is a supply chain requirement disguised as a contracting detail. It forces discipline across procurement, legal, security, and program delivery by making your security controls “portable” across tiers. If your organization relies on prime contractors (or you are the prime) and those primes delegate work to subcontractors that touch your systems, environments, or federal data, you need a repeatable mechanism to flow the same control obligations down the chain.
For a CCO or GRC lead, the fast path is to treat SR-3(3) as a clause library plus a workflow problem. You define which controls are mandatory in prime contracts, define how they map to subcontract scope, and then enforce a procurement gate that blocks onboarding or payment until the subcontract includes the required language. The other half is evidence: examiners will ask you to prove that flow-down occurred and that subcontractors are actually bound to the same obligations.
This page gives requirement-level implementation guidance you can put into your third-party contracting process quickly, without turning it into a year-long rewrite of your supplier program. (NIST SP 800-53 Rev. 5)
SR-3(3) Sub-tier Flow Down requirement: what it is
Requirement statement: ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors. (NIST SP 800-53 Rev. 5 OSCAL JSON)
This is a “no gaps in the chain” rule. If your prime contractor is obligated to follow specific security, privacy, incident reporting, access control, or audit rights clauses, their subcontractors must accept those same obligations when they support the prime’s delivery of your scoped work.
Regulatory text
“Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.” (NIST SP 800-53 Rev. 5 OSCAL JSON)
What the operator must do:
- Identify which controls are contractually imposed on prime contractors for the relevant engagement.
- Require primes to include those controls in their subcontract agreements for any subcontractor performing in-scope work.
- Maintain evidence that flow-down language exists and is executed (signed), and that your organization can enforce the obligations through the prime-sub relationship if needed. (NIST SP 800-53 Rev. 5)
Plain-English interpretation
If you require a prime contractor to meet security requirements, you cannot allow them to push work to a subcontractor who is not bound to the same requirements. “Flow down” means the subcontract contains contract terms that carry forward the same control obligations, not a vague promise that “we’ll manage our subs.”
Practically, SR-3(3) is satisfied when you can show:
- the prime contract includes defined controls,
- the subcontract includes the corresponding controls (or equivalent language that preserves your intent and enforceability), and
- the subcontractor relationship is tracked so you know which subs are in scope. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Who it applies to
Entity types and context:
- Organizations operating federal information systems or contractor systems handling federal data. (NIST SP 800-53 Rev. 5)
- Any program where a prime contractor performs work and delegates any portion to subcontractors (including cloud hosting providers, MSPs, call centers, software developers, data processors, or specialized consultants).
- Common triggers: subcontractors with access to your networks, environments, code repositories, production support channels, sensitive datasets, or operational technology pathways. (NIST SP 800-53 Rev. 5)
Important scoping point: flow down applies to subcontractors supporting the prime’s in-scope obligations. You do not need to force irrelevant clauses onto out-of-scope subcontractors, but you must have a defensible way to determine “in scope.” (NIST SP 800-53 Rev. 5)
What you actually need to do (step-by-step)
1) Establish the “flow-down control set”
- Pull the control obligations that appear in your prime contract templates (security addendum, data handling exhibits, incident reporting, audit rights, breach notice, encryption, access, logging, etc.).
- Convert them into a “must-flow” list with plain titles and clause references so legal and procurement can apply them consistently.
- Assign an owner (often Procurement + Security + Legal) for maintaining the list. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Output: Flow-Down Control Matrix (prime clause → subcontract clause).
2) Define subcontractor scoping rules
Create a short decision rubric that determines when a subcontractor is in scope for flow-down, based on the subcontractor’s:
- data access (types of federal or sensitive data)
- system access (network, admin, remote support)
- operational criticality (ability to affect availability or integrity)
- physical access (facilities, hardware handling) (NIST SP 800-53 Rev. 5)
Output: “Subcontractor in-scope criteria” standard.
3) Standardize flow-down language (and ban “handshake flow-down”)
- Maintain pre-approved subcontract clause language that mirrors the prime contract obligations.
- Require primes to use your approved flow-down exhibit or to submit their subcontract templates for review.
- If primes insist on “equivalent” language, require a documented equivalency mapping approved by Legal/Security. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Output: Flow-down clause library + equivalency approval record.
4) Build procurement gates that force execution
Your control fails if it depends on someone remembering. Put SR-3(3) into your workflow:
- Before subcontract execution: require a subcontractor list and scope statement from the prime.
- Contract review gate: block signature until the flow-down exhibit is included (or equivalency approved).
- Onboarding gate: block access provisioning until the signed subcontract with required clauses is stored.
- Ongoing change gate: require review when the prime adds a new subcontractor or expands scope. (NIST SP 800-53 Rev. 5)
Output: procurement checklist items + system controls (e-sign + repository requirement).
5) Monitor and test that flow-down is real
SR-3(3) is easiest to audit if you run periodic checks:
- Sample prime engagements and request the executed subcontracts for in-scope subs.
- Validate the presence of required clauses (audit rights, incident notice, security requirements).
- Track exceptions and require remediation or formal risk acceptance. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Output: periodic subcontract flow-down test results + exception log.
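The five steps above reduce to one traceability check: in-scope subcontractor, required clause per the matrix, clause present verbatim or covered by an approved equivalency memo, executed copy on file. As an added example that is not part of this page or of NIST's catalog, the Python below runs that check over a constructed subcontractor list; the clause ids, the access-type triggers in the matrix, and the field names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Step 1, flow-down control matrix: prime clause id -> the access type from the step 2 rubric
# that makes it apply ("any" = every in-scope subcontractor). Ids are constructed for this example.
FLOW_DOWN_MATRIX = {
    "P-INC": "any",       # incident notification timeline
    "P-AUD": "any",       # audit / right-to-review
    "P-ENC": "data",      # encryption of federal data at rest and in transit
    "P-ACC": "system",    # access control / MFA for remote support
    "P-PHY": "physical",  # hardware and media handling
}

@dataclass
class Subcontract:
    sub: str
    access: set                # subset of {"data", "system", "operational", "physical"}
    executed: bool             # signed copy stored in the contract repository (step 4 gate)
    clauses: set               # prime clause ids present verbatim in the subcontract
    equivalents: dict = field(default_factory=dict)  # prime clause -> equivalency memo approved?

def required_clauses(s: Subcontract) -> set:
    return {c for c, trig in FLOW_DOWN_MATRIX.items() if trig == "any" or trig in s.access}

def check_flow_down(subs) -> list:
    """Step 5 sampling test: returns the exception log as (sub, clause, finding) tuples."""
    findings = []
    for s in subs:
        if not s.access:
            continue           # out of scope under the rubric: nothing to flow down
        if not s.executed:
            findings.append((s.sub, "*", "no executed subcontract on file"))
        for c in sorted(required_clauses(s)):
            if c in s.clauses:
                continue       # flowed down verbatim
            if c not in s.equivalents:
                findings.append((s.sub, c, "required clause missing"))
            elif not s.equivalents[c]:
                findings.append((s.sub, c, "equivalent language without approved equivalency memo"))
    return findings

# Constructed sample of one prime's subcontractor list
SAMPLE = [
    Subcontract("HostCo", {"data", "system"}, True, {"P-INC", "P-AUD", "P-ENC", "P-ACC"}),
    Subcontract("DevShop", {"system"}, True, {"P-INC", "P-ACC"}, {"P-AUD": False}),
    Subcontract("Courier", {"physical"}, False, set()),
    Subcontract("Caterer", set(), True, set()),
]

if __name__ == "__main__":
    for sub, clause, finding in check_flow_down(SAMPLE):
        print(f"{sub:8} {clause:6} {finding}")
```

Each tuple in the returned list is one row of the exception log from step 5; a subcontractor with no rows is fully traceable.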
6) Operationalize evidence collection (don’t make it a scramble)
You need repeatable evidence. Many teams solve this by integrating contract management with third-party risk workflows. Daydream is often used here to map SR-3(3) to a named control owner, define the procedure, and track recurring evidence artifacts so the contract trail is always assessment-ready. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Required evidence and artifacts to retain
Keep these in a contract repository with clear naming and retrieval:
- Executed prime contract (including security exhibits / addenda).
- List of in-scope subcontractors per prime engagement (with scope notes).
- Executed subcontracts (or subcontract flow-down exhibits) showing required clauses.
- Clause mapping: prime obligation → subcontract clause reference (or documented equivalency).
- Exception log and approvals for any non-standard flow-down, including compensating controls.
- Proof of workflow gates (screenshots, ticket records, procurement checklist sign-offs). (NIST SP 800-53 Rev. 5 OSCAL JSON)
Common exam/audit questions and hangups
Expect variations of:
- “Show me a prime contract control and where it appears in the subcontract.”
- “How do you know the prime didn’t add subcontractors later?”
- “What is your process for approving alternate language?”
- “Can you produce executed subcontracts quickly?”
- “Who owns this control and how is it tested?” (NIST SP 800-53 Rev. 5)
Hangups that slow teams down:
- Contracts stored in email or shared drives with inconsistent names.
- Primes claiming subcontract terms are “confidential” without a negotiated right to review or attest.
- No defined scoping logic, so you either over-flow (creates friction) or under-flow (creates risk). (NIST SP 800-53 Rev. 5 OSCAL JSON)
Frequent implementation mistakes (and how to avoid them)
- Relying on a prime’s policy instead of contract language. Fix: require the subcontract to contain the control obligations or an approved equivalent mapping. (NIST SP 800-53 Rev. 5 OSCAL JSON)
- Flowing down everything to everyone. Fix: create scoping criteria and apply them consistently; document why a subcontractor is out of scope. (NIST SP 800-53 Rev. 5)
- No mechanism to detect new subcontractors. Fix: add contract terms that require the prime to notify you and obtain approval before adding in-scope subcontractors, then tie it to your intake workflow. (NIST SP 800-53 Rev. 5)
- Weak evidence retrieval. Fix: require executed subcontracts (or exhibits) in a central repository as an onboarding condition. (NIST SP 800-53 Rev. 5 OSCAL JSON)
- Treating “equivalent language” as informal. Fix: require an equivalency memo with explicit mapping and approvals. (NIST SP 800-53 Rev. 5)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for SR-3(3), so you should treat this as an assessment and assurance requirement rather than a penalty-driven one. (NIST SP 800-53 Rev. 5)
Operational risk is still concrete:
- A subcontractor incident can become your incident if the subcontractor touches your data or systems and the prime cannot contractually compel response, cooperation, or evidence production.
- Audit rights and notification timelines often fail at the sub-tier unless they are expressly flowed down.
- You can lose visibility into where work is performed, which breaks incident response and system boundary assurance. (NIST SP 800-53 Rev. 5)
Practical 30/60/90-day execution plan
First 30 days (Immediate)
- Assign control ownership across Legal, Procurement, Security, and the program office. (NIST SP 800-53 Rev. 5 OSCAL JSON)
- Inventory current prime contracts that allow subcontracting and identify active subcontractors.
- Draft the flow-down control matrix and a standard exhibit with pre-approved language.
Days 31–60 (Near-term)
- Add procurement gates: no subcontractor onboarding without executed flow-down terms on file. (NIST SP 800-53 Rev. 5)
- Implement the scoping rubric and train contract managers and program leads on “in scope” determinations.
- Establish an equivalency review path with required documentation.
Days 61–90 (Operationalize)
- Run a sampling review across active prime engagements: collect subcontracts, confirm clause presence, log exceptions, and drive remediation. (NIST SP 800-53 Rev. 5 OSCAL JSON)
- Implement recurring testing and reporting (exception trends, missing artifacts, primes with frequent deviations).
- If you use Daydream, map SR-3(3) to the control owner, write the procedure, and schedule recurring evidence collection so audits become retrieval work, not forensic work. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Frequently Asked Questions
Do we need to flow down every clause from the prime contract?
No. Flow down the controls included in the prime contract that apply to the subcontractor’s scope of work and access. You need documented scoping criteria to show why certain controls did or did not apply. (NIST SP 800-53 Rev. 5)
What counts as proof that flow-down occurred?
The strongest proof is an executed subcontract (or flow-down exhibit) that contains the required control language and is traceable back to the prime contract obligations. Keep the mapping record so an auditor can follow the chain quickly. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Our prime says subcontracts are confidential. How do we handle that?
Negotiate rights up front: require the prime to provide executed flow-down exhibits, attestations with clause references, or redacted copies that still show the required control language. Put the requirement in the prime contract so it is enforceable. (NIST SP 800-53 Rev. 5)
Can we accept “equivalent” subcontract language?
Yes, if you document equivalency in a mapping and have Legal/Security approve it before execution. Treat equivalency as an exception workflow, not an informal agreement. (NIST SP 800-53 Rev. 5 OSCAL JSON)
What if a subcontractor is added mid-project without notice?
That is a control failure unless your prime contract requires notice and approval for in-scope subcontractors. Add a contractual change-control obligation and back it with operational monitoring through program governance. (NIST SP 800-53 Rev. 5)
How do we keep this from becoming manual busywork?
Standardize the flow-down exhibit, enforce procurement gates, and track artifacts in a single repository. Many teams use systems like Daydream to assign ownership, automate evidence requests, and maintain an audit-ready trail. (NIST SP 800-53 Rev. 5 OSCAL JSON)