
CMMC Flow Down Requirements 2026: What Major Defense Primes Are Requiring From Subcontractors

CMMC Flow Down Requirements 2026 for Major Primes
Whether you currently hold a subcontract with a major defense prime or are looking to win one, it is likely that CMMC applies to you. Primes are legally required to flow down CMMC requirements to every tier of their supply chain. A non-compliant subcontractor could represent a legal liability for the prime and can sink an entire contract bid. Primes are not waiting to find out which of their suppliers are unprepared. Boeing, Lockheed Martin, RTX, and more are already assessing their supply chains, identifying gaps, and making CMMC certification a condition of new contract awards. For some suppliers, that pressure is already affecting existing work. Learn about what the primes are saying about compliance with CMMC.

StratoKey provides data protection products that help organizations satisfy specific NIST SP 800-171 controls and store regulated data on-premises or in their FedRAMP-authorized environment. It is not a C3PAO and does not provide CMMC compliance advice. For advice, assessment and certification, consult an accredited C3PAO via the Cyber AB Marketplace.

The Law Behind the Pressure

The cybersecurity obligations underlying CMMC are not new. DFARS 252.204-7012 has required DoD contractors to implement NIST SP 800-171 and protect Covered Defense Information since 2017. What changed in 2024 and 2025 is verification.

32 CFR Part 170 established the CMMC framework, defined the three certification levels, and set out formal assessment and flow-down requirements. It took effect December 16, 2024. Then, DFARS 252.204-7021 inserted CMMC into DoD contracts as a condition of award and continued performance. It took effect on November 10, 2025.

Flow Down 

Under 32 CFR § 170.23, primes are required to identify which subcontractors handle FCI or CUI and flow the appropriate CMMC level down contractually. 

 
Rule | What It Does | Effective Date
32 CFR Part 170 | Establishes the CMMC program, defines the three certification levels, sets assessment requirements, and codifies flow-down obligations for subcontractors. | December 16, 2024
DFARS 252.204-7021 | Inserts CMMC requirements into DoD contracts as a condition of award and continued performance. Once in a contract, certification is mandatory. | November 10, 2025
32 CFR § 170.23 | Defines prime contractor flow-down responsibilities. Primes must determine the correct CMMC level for each subcontractor based on the data being shared and flow that requirement down contractually. | December 16, 2024
32 CFR § 170.3(e) | Sets the four-phase implementation schedule. Phases 1 through 4 run from November 2025 to November 2028, with requirements tightening at each stage. | December 16, 2024

Why Primes Are Enforcing Compliance for Their Subcontractors

Primes are legally responsible for ensuring their subcontractors comply. If a prime knowingly awards work to a non-compliant subcontractor and misrepresents supply chain compliance, it faces liability under the False Claims Act. Beyond legal exposure, a non-compliant subcontractor can kill an entire contract bid. If a prime needs a certified supply chain to win a DoD contract and one supplier is not certified, the whole bid is at risk.

There is also a national security dimension. The CMMC program rule preamble cites nation-state adversaries targeting smaller, less-defended suppliers as a primary motivation for the program. A breach at a subcontractor handling CUI is effectively a breach of the prime's program data. Primes cannot harden their own environments and leave the back door open through their supply chain.

So they are not waiting for the DoD to audit their subcontractors. They are doing it themselves.

What Some Primes Are Saying

The primes have moved beyond internal policy. They are publishing requirements, updating supplier registration forms, and looking at cutting non-compliant vendors from active programs. 

Not all primes have published requirements with equal specificity. Some have set formal thresholds and stated consequences; others have issued guidance communications without spelling out enforcement terms.

The direction, however, is clear: primes are de-risking their supply chains, and non-compliant suppliers are the risk they are managing.

How Primes Are Assessing Their Supply Chains Initially

Before getting into what each prime requires, it helps to understand the mechanisms they use to collect compliance information from suppliers. Two of the most widely used are the DoD's Supplier Performance Risk System (SPRS) and the Cybersecurity Compliance and Risk Assessment (CCRA).

SPRS Portal 

The DoD's Supplier Performance Risk System (SPRS) records each supplier's NIST SP 800-171 assessment score by CAGE code. A prime cannot look up a supplier's score or CMMC certification status in SPRS itself; both are visible only to the supplier and the DoD. This is why primes require suppliers to report their SPRS score and CMMC status through self-declarations, annual registration forms, and the CCRA, and why several of the prime requirements below ask for the SPRS score outright.

CCRA

Many major defense primes also assess suppliers through the CCRA, a standardized questionnaire developed by the Defense Industrial Base Sector Coordinating Council and delivered electronically through Exostar. The CCRA contains up to 60 questions drawn from NIST SP 800-171. Suppliers complete it once and share results with every prime that accepts it on a reciprocal basis, including Lockheed Martin, Boeing, RTX, Northrop Grumman and General Dynamics.

The CCRA does not replace CMMC certification. It gives primes structured, independently collected evidence of what controls are actually in place, flagging which suppliers are behind before contracts are awarded or renewed. A high SPRS score and a red CCRA rating are not mutually exclusive. Primes use both. 

Boeing CMMC Supplier Requirements 

Boeing has made CMMC certification a condition of contract award for all suppliers handling FCI or CUI. In its September 2025 supplier communication, Boeing confirmed it is already assessing supplier cybersecurity practices and identifying gaps ahead of formal contract requirements.

 "As a condition of winning a contract award, suppliers handling FCI and CUI (excluding commercial-off-the-shelf procurements) will be required to have the specified CMMC level (1-3) certification identified in the customer/Boeing solicitation." 

Source: Boeing's Supplier Letter

[Image: Boeing CMMC supplier notification, from Boeing's Supplier Letter]

Beyond CMMC, Boeing's Terms of Use and Cybersecurity Supplement (SP5), updated August 2025, sets out binding minimum security requirements for all suppliers under contract. Suppliers must also complete Boeing's cybersecurity questionnaire, delivered through Exostar's Partner Information Manager portal.

Suppliers should also be aware that Boeing strongly encourages Level 2 C3PAO certification now, noting it will "enhance your cybersecurity posture, safeguard your eligibility for future contracts, and ensure your sub-tier suppliers are also engaged in the process." 

RTX CMMC Supplier Requirements 

RTX operates through three defense businesses (Raytheon, Collins Aerospace, and Pratt & Whitney), all governed by the same Supplier Cybersecurity page and requirements.

For any contract or solicitation containing DFARS 252.204-7021, suppliers must hold an active CMMC certification at the level specified in the contract before RTX will issue a Purchase Order or Letter of Subcontract. Annual supplier registrations must reflect current CMMC status. RTX has also stated that new contract awards (including task orders and delivery orders under existing indefinite-delivery, indefinite-quantity (IDIQ) contracts) issued after the DFARS rule took effect may include a CMMC requirement, even if the solicitation or IDIQ contract award predates November 10, 2025.

RTX has also embedded CMMC compliance directly into its Annual Supplier Registration form (CR-003). The form requires every supplier to declare their CMMC certification status and confirm their ability to handle Covered Defense Information in compliance with DFARS 252.204-7012.


[Image: RTX CMMC supplier questions, from the RTX Supplier Reps and Certs form updated February 2025]


RTX will not issue a Purchase Order or Letter of Subcontract to suppliers handling CUI without the appropriate CMMC certification level confirmed in this form.

Lockheed Martin CMMC Supplier Requirements

Lockheed Martin maintains three active supplier-facing CMMC pages, making it the most detailed and consistent prime on flow-down requirements.

Their Upcoming CMMC Requirements page states that 32 CFR § 170.23 requires compliance from all subcontractors at every tier handling FCI or CUI, and that the DoD may implement requirements ahead of the phased rollout schedule. Their message to suppliers is direct:

"Your proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with Lockheed Martin."

Their CMMC Readiness page sets the compliance floor. Lockheed uses the CCRA questionnaire. A green rating requires attestation of all 31 identified NIST 800-171 requirements. "Suppliers without a green CCRA rating create significant risk for programs anticipating CMMC requirements, and may evoke program mitigation actions to reduce or eliminate dependencies on suppliers who are under-prepared."


[Image: Lockheed Martin CMMC supplier notification, from Lockheed Martin's CMMC Readiness page]

Northrop Grumman CMMC Supplier Requirements

Northrop Grumman maintains a Cybersecurity Resources page for suppliers and has issued supplier directives to its supply chain requiring compliance documentation ahead of the phased rollout. Suppliers are required to provide their SPRS score and answer additional cybersecurity questions when onboarding or renewing their vendor status.

Northrop Grumman was a founding member of the DIB Sector Coordinating Council working group that developed the Cybersecurity Compliance and Risk Assessment (CCRA), the standardized questionnaire now used across the defense supply chain via Exostar.

[Image: Northrop Grumman CMMC supplier notification, from the Northrop Grumman Supplier Announcement]

General Dynamics CMMC Supplier Requirements

General Dynamics operates multiple defense divisions, each with its own supplier cybersecurity page and CMMC requirements. If you supply to General Dynamics, the division matters; requirements differ across GDMS, GDLS, and GDIT.

General Dynamics Mission Systems

Suppliers receiving, creating, processing, storing, or transmitting FCI or CUI must achieve a minimum SPRS score of 88, the threshold for Conditional Level 2 status under 32 CFR § 170.21. There are no waivers. POA&Ms must close within 180 days of assessment. GDMS requires annual supplier certification of CMMC compliance as a condition of future purchase order or subcontract award, and confirms it is responsible for verifying that its supply chain complies with FAR 52.204-21 and DFARS 252.204-7012.

General Dynamics Land Systems

GDLS sets the baseline clearly but with less granularity than GDMS. Level 1 is the minimum requirement for all suppliers. Suppliers processing, storing, or transmitting CUI must hold at least Level 2 certification. For all solicitations containing a DFARS CMMC clause, certification must be in place at time of award. The responsibility for sourcing, conducting, and reporting third-party assessments falls entirely on the supplier. GDLS does not publish specific score thresholds or POA&M timelines; suppliers should confirm contract-specific requirements directly with their GDLS procurement contact.

General Dynamics Information Technology

GDIT embeds CMMC flow-down clauses directly into all supplier terms and conditions. Suppliers are required to report any suspected cyber incident within 72 hours of discovery to the DC3 DCISE portal. GDIT's published guidance covers the phased rollout structure but does not publish specific score thresholds or audit timelines beyond the regulatory baseline.

BAE Systems CMMC Supplier Requirements 

BAE Systems has published CMMC materials through its US supplier portal, including a CMMC 2.0 resource document and direct communication from its Supply Chain Cybersecurity Risk Manager (seen below).

BAE like many of the other primes also operates a Supplier Cybersecurity Questionnaire through Exostar.

BAE has not published explicit flow-down thresholds or stated consequences in the way Lockheed Martin or General Dynamics Mission Systems have. US-based BAE subcontractors should contact the Supply Chain Cybersecurity team directly; contact details are included in the CMMC resource document available through the US supplier portal.

[Image: BAE Systems CMMC supplier notification, from the Cybersecurity Enhancement Initiative communication]

Quick Reference of Prime CMMC Requirements

Prime | Official Resources | Key Requirements
Boeing | Supplier Cybersecurity Page · Supplier Letter · CMMC Preparedness Document | CMMC certification is a condition of award for all FCI/CUI suppliers. Boeing is actively assessing supplier practices now. Level 2 C3PAO engagement strongly encouraged immediately. SP5 supplement sets binding minimum security controls for all suppliers under contract.
RTX / Raytheon | Supplier Cybersecurity Page · Annual Supplier Registration Form CR-003 | Active CMMC certification required at time of award for contracts with DFARS 252.204-7021. No POA&Ms at Level 1. POA&Ms at Levels 2 and 3 must close within 180 days. Evidence retained for 6 years. Annual registration must reflect current CMMC status.
Lockheed Martin | Upcoming CMMC Requirements · CMMC Readiness · Exostar CMMC Status | Full NIST SP 800-171 Rev 2 implementation required. Green CCRA rating in Exostar required as a condition of continued work. Non-green suppliers face program mitigation actions, including reduction or elimination from active programs. C3PAO certification required for CUI contracts.
Northrop Grumman | Cybersecurity Resources · Supplier Announcement | CMMC and DFARS 252.204-7012 requirements referenced. Supplier notice issued October 2025 with CMMC 2.0 updates and expectations.
General Dynamics Mission Systems | Cybersecurity for Suppliers | Minimum SPRS score of 88 required. No waivers. POA&Ms must close within 180 days. Annual supplier certification of CMMC compliance required.
General Dynamics Information Technology | Cybersecurity for Suppliers | CMMC flow-down clauses embedded in all supplier terms and conditions. Cyber incidents must be reported within 72 hours to DC3 DCISE.
General Dynamics Land Systems | Supplier Cybersecurity | CMMC certification required at time of award for all DFARS-clause contracts. Third-party assessment responsibility falls entirely on the supplier.
HII (Huntington Ingalls) | Supplier Cybersecurity Page · Supplier Letter Sept 2025 · CMMC Basics Training | CMMC Level 2 C3PAO requirements flowed down for CUI. Level 3 DIBCAC requirements being enforced ahead of the phased rollout schedule. 72-hour cyber incident reporting required.
Leidos | Cybersecurity and Doing Business with Leidos | All applicable DFARS clauses flowed down. Suppliers handling CUI advised to proactively address NIST 800-171 requirements and engage a C3PAO. SPRS scores required prior to award.
L3Harris | Supplier Cybersecurity Page | CDI/CUI DFARS clauses flowed to all applicable subs. Full NIST 800-171 Rev 2 adherence required. No dedicated CMMC supplier guidance published to date.
BAE Systems | US Supplier Page · CMMC 2.0 Resources · Cybersecurity Enhancement Initiative | CMMC 2.0 resources published. Supplier cybersecurity questionnaire via Exostar across 22 control families. Contact Supply Chain Cybersecurity team for flow-down specifics.
Elbit Systems of America | Formal supplier letters issued | Early mover. Sent formal CMMC notices to supply chain ahead of the Phase 1 deadline.

*Prime contractor requirements are subject to change. Always verify current expectations directly with your prime contractor and consult official sources before making compliance decisions. 

The Stakes for Subcontractors 

There are two forces that can end a subcontractor's access to DoD work. Both are already active.

The first is regulatory. Since November 10, 2025, CMMC requirements have been appearing in new DoD solicitations. Without the appropriate certification, subcontractors cannot bid on new work.

The pressure increases at every phase of the CMMC rollout. From November 2026, DoD can require Level 2 C3PAO certification as a condition of award on CUI contracts. Level 2 C3PAO certification typically takes 6 to 12 months to achieve, so suppliers who wait until November 2026 to start may not be ready in time.

From November 2027, C3PAO assessments will be mandatory for all applicable new awards and required at option exercise on contracts awarded after November 10, 2025. By November 2028, there are no exceptions. Every applicable contract is covered, including option periods on contracts awarded before the program existed.

The second force is prime enforcement, which is not waiting for the DoD schedule. Primes face False Claims Act liability if their supply chain is non-compliant and risk their own DoD contract eligibility. Lockheed Martin has warned suppliers that "any lapse in required CMMC status will directly impact your organization's ability to receive DoD subcontracts." Boeing states that "adhering to DFARS requirements currently in place will ensure your continued participation in DoD contracts."

Suppliers who delay are not just risking future bids. They may be risking the contracts they already hold.

Understanding CMMC Impact for Current and Future Contracts

Phase | New contracts | Existing contracts (option periods) | Prime enforcement
Phase 1 (Nov 10, 2025 – Nov 9, 2026), active now | Level 1 or Level 2 self-assessment required as a condition of award. DoD may require Level 2 C3PAO at its discretion. | No blanket requirement. DoD may insert a Level 1 or Level 2 self-assessment requirement at option exercise on any contract, at its discretion. | Active now. Primes are issuing CCRA questionnaires and assessing supply chains independently of the DoD schedule.
Phase 2 (Nov 10, 2026 – Nov 9, 2027) | Level 2 C3PAO begins appearing as a condition of award for CUI contracts. Self-assessment no longer sufficient for all Level 2 work. | DoD may require Level 2 C3PAO at option exercise on any contract. First phase in which a C3PAO requirement can be formally inserted into an existing contract. | Regulatory and prime pressure align. Suppliers without C3PAO progress risk failing both option exercises and prime questionnaires.
Phase 3 (Nov 10, 2027 – Nov 9, 2028) | Level 2 C3PAO mandatory for all applicable awards. Level 3 DIBCAC required for the highest-sensitivity programs. | Level 2 C3PAO required at option exercise for contracts awarded after Nov 10, 2025. Pre-2025 contracts not fully captured until Phase 4. | Full alignment for post-2025 contracts. Pre-2025 contracts primarily governed by prime enforcement until Phase 4.
Phase 4 (from Nov 10, 2028) | CMMC mandatory across all applicable solicitations and contracts. No exceptions. | All contracts covered, including option periods on contracts awarded before Phase 4. No legacy exemptions. | Full regulatory and prime enforcement alignment. No path to continued DoD work without the appropriate CMMC certification.

How StratoKey's Cloud Data Protection Platform Reduces CMMC Scope for Primes and Subcontractors

CMMC scope drives CMMC cost and risk exposure. The more systems that touch CUI, the more systems need to be assessed. Every additional system in scope means more controls to document, more evidence to collect, and more time in a C3PAO audit.

StratoKey's Cloud Data Protection Platform uses tokenization to shrink that scope. The platform also enforces access controls and authentication, ensuring only authorized users can reach CUI. Real-time monitoring, policy enforcement, and comprehensive audit logs provide the audit evidence and visibility needed to support SPRS submission and C3PAO assessment.

How it Works

CUI is intercepted and replaced with a non-sensitive token before it enters your cloud or SaaS platforms. The real data is stored in a controlled environment of your choice, such as a FedRAMP-authorized environment. The SaaS platforms never see the original data.
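To make the scoping argument concrete, here is an added example of the vault-tokenization pattern the paragraph describes. It is illustrative code written for this page, not StratoKey's implementation and not code from the original article. CUI fields are swapped for tokens before a record reaches the SaaS platform, the token-to-plaintext mapping lives only in the vault, detokenization is gated by an allow-list, and every attempt is logged. It goes one step beyond the text with a keyed deterministic mode for fields the SaaS side must search or join on. The in-process vault dictionary (standing in for the controlled environment), the principal allow-list, the HMAC key and the sample record are all assumptions constructed for the example.

```python
# Illustrative vault tokenization (added example, not StratoKey's code).
# Assumptions not taken from the page: an in-process dict stands in for the
# vault in the controlled environment, a static allow-list stands in for the
# identity provider, and the sample record below is constructed.
import hmac
import hashlib
import secrets


class TokenVault:
    """Holds the CUI-to-token mapping. Only this object ever sees plaintext."""

    def __init__(self, allowed_principals, hmac_key=None):
        self._store = {}                      # token -> original value (vault side only)
        self._allowed = frozenset(allowed_principals)
        self._hmac_key = hmac_key or secrets.token_bytes(32)
        self.audit_log = []                   # evidence trail for SPRS / C3PAO review

    def tokenize(self, value, deterministic=False):
        """Return a token that carries no information about `value`.

        Random mode: a fresh random token per call, so tokens are not linkable.
        Deterministic mode: keyed HMAC-SHA256, so the same value maps to the same
        token and the SaaS side can search or join on the field without holding
        plaintext. The key never leaves the vault, so the SaaS cannot recompute it.
        """
        if deterministic:
            digest = hmac.new(self._hmac_key, value.encode(), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:32]
        else:
            token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        self.audit_log.append(("tokenize", token))
        return token

    def detokenize(self, token, principal):
        """Release plaintext only to an allow-listed principal; log every attempt."""
        if principal not in self._allowed:
            self.audit_log.append(("deny", principal, token))
            raise PermissionError(f"{principal} is not authorised to detokenize")
        if token not in self._store:
            self.audit_log.append(("miss", principal, token))
            raise KeyError(token)
        self.audit_log.append(("detokenize", principal, token))
        return self._store[token]


def tokenize_record(vault, record, cui_fields, deterministic_fields=()):
    """Tokenize the CUI fields of a record before it is handed to a SaaS platform.

    Non-CUI fields pass through unchanged. The returned dict is what the SaaS
    platform stores, so it contains tokens only.
    """
    out = dict(record)
    for name in cui_fields:
        if name in out and out[name] is not None:
            out[name] = vault.tokenize(str(out[name]),
                                       deterministic=name in deterministic_fields)
    return out


def leaks_plaintext(saas_record, plaintext_values):
    """True if any original CUI value appears anywhere in the SaaS-side record."""
    blob = " ".join(str(v) for v in saas_record.values())
    return any(p in blob for p in plaintext_values)


def demo():
    """Walk one constructed record through tokenize -> SaaS copy -> detokenize."""
    vault = TokenVault(allowed_principals={"cleared-engineer"})
    record = {                                # constructed sample, not real CUI
        "ticket_id": "T-1001",
        "part_number": "XJ-7741-B",           # treated as CUI in this example
        "drawing_notes": "tolerance +/-0.05mm on bore",  # treated as CUI
        "status": "open",
    }
    cui_fields = ("part_number", "drawing_notes")
    saas_copy = tokenize_record(vault, record, cui_fields,
                                deterministic_fields=("part_number",))
    leaked = leaks_plaintext(saas_copy, [record[f] for f in cui_fields])
    restored = vault.detokenize(saas_copy["part_number"], "cleared-engineer")
    try:                                      # a SaaS integration identity must be refused
        vault.detokenize(saas_copy["part_number"], "saas-integration")
        denied = False
    except PermissionError:
        denied = True
    return saas_copy, leaked, restored, denied


if __name__ == "__main__":
    saas_copy, leaked, restored, denied = demo()
    print(saas_copy)
    print("plaintext leaked to SaaS:", leaked, "| restored:", restored, "| denied:", denied)
```

Running it shows that the record handed to the SaaS side holds only tok_ values while the original part number comes back only to the allow-listed principal, with both the grant and the refusal recorded in the audit log. In a real deployment the vault would be a separate service inside the controlled environment, the allow-list would come from the identity provider, and the audit log would feed the evidence set for SPRS submission and the C3PAO assessment; those pieces are deliberately left out here.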

Learn more: CMMC Compliance with StratoKey

Benefit For Prime Contractors 

Primes operate across ERPs, CRMs, supplier portals, and collaboration tools. Most were not built to hold CUI. When CUI flows into them, those systems enter the assessment boundary and every one must be hardened, documented, and assessed. Tokenizing CUI before it reaches those systems keeps them out of scope entirely. It also gives primes precise control over what data enters their environment and who can access it, including offshore teams, third-party integrators, and subcontractors.

Benefit For Subcontractors

For subcontractors, the challenge is getting through a C3PAO audit efficiently. Every system that touches CUI is a system that must be assessed. Tokenizing CUI before it enters a commercial SaaS product removes those tools from the assessment boundary entirely. Fewer systems in scope means fewer controls to document, a shorter audit, and a lower cost to certify, which matters when timelines are tight and prime pressure is immediate. 

So, What Should Subcontractors Do?

If you handle FCI or CUI under a DoD subcontract, there are a few items worth looking at now as a first step.

  • Audit your contracts and pipeline. Identify which contracts involve FCI and which involve CUI. This determines your CMMC level. Option periods in 2026 or 2027 are your nearest hard deadlines.
  • Determine your CMMC level. FCI handling requires Level 1. CUI handling almost certainly requires Level 2. C3PAO certification takes 6 to 12 months and assessor slots are filling up.
  • Check your prime's requirements. Review their supplier portal and any direct communications. Requirements differ by prime and division. If nothing is published, contact their cybersecurity team directly.

Your Prime Is Already Asking About CMMC Compliance. Are You Ready?

Boeing, Lockheed, RTX and others are assessing their supply chains now. If you handle FCI or CUI, your compliance window is already open. StratoKey helps defense contractors reduce audit scope and protect CUI across both new and existing cloud and SaaS applications. 

Sian Parany | March 27, 2026