A free, client-side wizard that generates a DFARS/CMMC flow-down notice letter in under five minutes, exported as a ready-to-send Word (.docx) file or PDF.
Try it live: https://flow-down-letter.aptsecuritymanagement.com/
Walk through a 5-step wizard that collects your role, prime contractor details, subcontractor details, and contract configuration. The tool then generates:
- A formal flow-down notice letter addressed to the subcontractor, with the correct DFARS and FAR clauses auto-selected based on whether the sub will handle CUI or FCI only
- Exported as a Word document (.docx) for editing and wet-signature workflows, or as a PDF for immediate delivery
The generated letter includes:
- Prime and subcontractor contact blocks and addresses
- Contract number(s) and applicable contract action type (new award, modification, renewal, or option period)
- Auto-selected clause citations: FAR 52.204-21 for all FCI work; DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020 for CUI/CDI work
- CMMC Level 1 or Level 2 requirement, with assessment path (self-assessment or C3PAO) at Level 2
- Subcontractor compliance deadline
- Optional sub-tier flow-down checklist reminding the subcontractor of their obligation to pass requirements further down their supply chain
- Optional custom paragraph for contract-specific language
Both prime contractors sending to a first-tier sub and mid-tier subs re-flowing to their own subs are supported.
- Not a legal opinion or contract instrument — have your contracts team review before sending
- Not a complete CMMC compliance program — the letter triggers an obligation, it does not satisfy one
- Not a gap assessment, SPRS score calculation, or C3PAO assessment
- No data is transmitted off your device; generation is 100% client-side
- No accounts, no logins, no telemetry
This tool generates a notice letter. Actual CMMC implementation, evidence collection, and assessment readiness must be handled by qualified personnel.
```bash
git clone https://github.com/Apt-Security-Management/apt-flow-down-letter.git
cd apt-flow-down-letter
npm install
npm run dev
```
Open http://localhost:5173.
```bash
npm run build
```
Serve the dist/ folder with any static file server. No internet required after build.
```bash
npm test
```
Unit tests cover:
- `dfars-clauses.json` data integrity (required fields, flow-down flags, clause IDs)
- Letter content generation (correct clauses selected per data type and CMMC level, party info rendered correctly)
- Zustand store behavior (setters, step navigation, reset)
- Export utilities (DOCX and PDF output structure)
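
The README states that generation is 100% client-side with no telemetry. One way a reviewer or fork maintainer could check that claim in a test run is sketched below as an added example; it is not code from this repository, and `installNetworkGuard` and its return shape are hypothetical names chosen for illustration.

```javascript
// Added example, not part of the project: replaces script-level network APIs
// with stubs that record the attempt and throw, so a test fails loudly if
// letter generation or export ever tries to reach the network.
const NETWORK_GLOBALS = ['fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource'];

function installNetworkGuard(scope = globalThis) {
  const attempts = []; // one entry per blocked call: { api, target }
  const undo = [];     // restore callbacks, run in reverse order

  const block = (owner, name) => {
    const had = name in owner;
    const original = owner[name];
    // A plain function serves both call styles: fetch(url) and new WebSocket(url).
    owner[name] = function blocked(target) {
      const url = target === undefined ? '' : String(target);
      attempts.push({ api: name, target: url });
      throw new Error(`network access blocked: ${name} ${url}`);
    };
    undo.push(() => {
      if (had) owner[name] = original;
      else delete owner[name]; // API was absent before (e.g. XMLHttpRequest in Node)
    });
  };

  for (const name of NETWORK_GLOBALS) block(scope, name);

  // sendBeacon lives on navigator and only exists in browsers.
  if (scope.navigator && typeof scope.navigator.sendBeacon === 'function') {
    block(scope.navigator, 'sendBeacon');
  }

  return {
    attempts,
    restore() {
      while (undo.length) undo.pop()();
    },
  };
}
```

In a Vitest suite, install the guard in `beforeEach`, await the export under test, assert that `attempts` is empty, and call `restore()` in `afterEach`. It covers script-initiated requests only; resource loads such as `<img src>` are outside its scope.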
| Layer | Library |
|---|---|
| Build | Vite 8 + @cloudflare/vite-plugin |
| UI | React 19 + TypeScript 6 |
| Styling | Tailwind CSS 4 (@tailwindcss/vite) |
| State | Zustand 5 (with persist to localStorage) |
| DOCX export | docx ^9 (client-side, no server) |
| PDF export | jsPDF 4 + jspdf-autotable |
| Tests | Vitest 3 |
| Deploy | Cloudflare Pages via Wrangler |
Source-available under FSL-1.1-Apache-2.0. Free to use, fork, modify, and run for any purpose other than offering this software as a competing hosted or embedded service. Converts to Apache 2.0 two years after release. See LICENSE.
A flow-down letter starts the clock — your subcontractors still need to implement CMMC controls and get assessed. APT Security Management provides CMMC gap assessments, SSP development, supply chain scoping, and C3PAO assessment prep for both primes and subs. Contact us at sales@aptsecuritymanagement.com or +1 844 554 2458.
