If you supply parts, services, software, machining, manufacturing, or technical work to a defense prime contractor, your CMMC clock did not start on November 10, 2026. It started in late 2025 when Lockheed Martin, Boeing, Raytheon (RTX), Northrop Grumman, Elbit America, Parsons, HII, and General Dynamics began issuing supplier directives that made CMMC compliance a condition of continued business.
This is not theoretical. The directives are public. The deadlines are real. And subcontractors who are still waiting for their prime to “tell them what to do” are about to discover that the message has already been sent; they just were not reading it.
This blog walks through what each major prime is actually requiring, what 32 CFR § 170.23 mandates legally, and the four specific questions every subcontractor needs to answer before their next purchase order conversation.
The legal foundation is 32 CFR § 170.23, which establishes that CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that process, store, or transmit FCI or CUI.
The flow-down logic is straightforward, and every subcontractor needs to know which category applies to them:
If you only handle FCI (Federal Contract Information: not for public release, but less sensitive than CUI), the minimum requirement is Level 1 (Self): an annual self-assessment against the 15 FAR 52.204-21 controls, submitted to SPRS with affirmation.
If you handle CUI, the minimum requirement is Level 2 (Self) — full implementation of all 110 NIST SP 800-171 Rev 2 controls, self-assessed, scored in SPRS, with annual affirmation by an affirming official.
If you handle CUI and your prime contract requires Level 2 (C3PAO), your minimum requirement is also Level 2 (C3PAO) — third-party assessment by an authorized C3PAO. This is the category that hits hardest after November 10, 2026.
If you handle CUI and the prime contract requires Level 3 (DIBCAC), your minimum is Level 2 (C3PAO) — unless the government provides specific contractual guidance requiring higher.
Critical point most subcontractors miss: the CMMC level you need is determined by the data shared with you, not by your prime’s overall CMMC level. A prime certified at Level 2 (C3PAO) does not automatically require all its subcontractors to be Level 2 (C3PAO). It requires them to be at whatever level corresponds to the data being flowed down. This is governed entirely by what your prime is willing to share with you, and primes are increasingly making the data-sharing decision based on subcontractor readiness, not the other way around.
Under DFARS 252.204-7021, primes are required to verify subcontractor CMMC status in SPRS before subcontract award and ensure subcontractors maintain annual affirmations of continuous compliance. This is not a one-time check. It is an ongoing contractual obligation that primes are now treating as audit-grade.
This is where the abstract regulation becomes a concrete business problem. Every major prime has now issued public supplier directives. Here is what they say, with the language that matters.
Lockheed Martin maintains three active supplier-facing CMMC pages. Their Upcoming CMMC Requirements page states that 32 CFR § 170.23 requires compliance from all subcontractors at every tier handling FCI or CUI, and that the DoD may implement requirements ahead of the phased rollout schedule. Their explicit warning to suppliers: “Any lapse in required CMMC status will directly impact your organization’s ability to receive DoD subcontracts.” They use a proprietary CCRA questionnaire and require attestation of 31 identified NIST 800-171 requirements as the baseline for a “green” supplier rating. All suppliers must document CMMC status in SPRS.
Boeing’s supplier directive is equally direct: “As a condition of winning a contract award, suppliers handling FCI and CUI (excluding commercial-off-the-shelf procurements) will be required to have the specified CMMC level (1-3) certification identified in the customer/Boeing solicitation.” Boeing is strongly encouraging suppliers to begin preparing for Level 2 certification immediately rather than waiting for contract requirements to appear.
Raytheon (RTX) states on their supplier cybersecurity page: “All RTX suppliers supporting DoW contracts and/or solicitations with DFARS 252.204-7021 will be required to have an active CMMC certification at the appropriate level.” In March 2026, RTX released a notice requesting suppliers complete a CMMC status survey by March 17, 2026, with weekly follow-ups for non-responders. The notice specifically called out that C3PAO availability is extremely limited and that certification in 2026 may not be achievable for suppliers who have not yet scheduled an assessment. RTX will not issue a Purchase Order or Letter of Subcontract to suppliers handling CUI without the appropriate CMMC certification level confirmed.
Northrop Grumman issued a 2025 notice stating: “Neither contracting officers nor prime contractors may waive or deviate from the CMMC cybersecurity control and assessment requirements. All suppliers on DoD programs who receive CUI at all tiers must be certified if required by the DoD prime contract, including small businesses and foreign suppliers. Certification may be needed to submit a proposal and prior to the contract award. Suppliers who do not qualify for certification at Level 2 will be precluded from the program.” Northrop gave its subcontractors an 80-day window to provide proof of CMMC L2 certification.
Elbit America released memos in late 2025 and January 2026 stating that “our buyers will not issue purchase orders to suppliers who fail to meet contractual CMMC flow-down requirements.” No purchase order without certification.
Parsons Corporation released supplier notices in November 2025 and again in March 2026 reinforcing the same flow-down requirements.
HII (Huntington Ingalls Industries) is moving the fastest. Their published timeline indicates they plan to flow down Level 2 (C3PAO) requirements by Q4 2025 and Level 3 (DIBCAC) requirements by Q4 2026, 12 months ahead of the government’s phased rollout schedule. Subcontractors to HII are effectively operating on a compressed timeline.
General Dynamics operates multiple divisions (GDMS, GDLS, GDIT), each with its own supplier cybersecurity page and CMMC requirements. Across divisions, suppliers receiving, creating, processing, storing, or transmitting FCI or CUI must achieve a minimum SPRS score of 88, the threshold for Conditional Level 2 status. GDMS requires annual supplier certification of CMMC compliance as a condition of future purchase order or subcontract award. There are no waivers. POA&Ms must close within 180 days of assessment.
The pattern is unmistakable. Every major prime has converted the November 2026 deadline into a 2025–2026 procurement gate. They are not waiting for the DoD. They are protecting their own pipelines.
The reason is not goodwill, and it is not over-caution. It is structural risk management driven by two converging pressures.
Pressure 1: FCA exposure flows up the chain. If a prime knowingly awards work to a non-compliant subcontractor and misrepresents supply chain compliance in its own SPRS affirmation, the prime faces False Claims Act liability: treble damages plus penalties per claim. In FY2025, the DOJ recovered more than $52 million across nine cybersecurity-related FCA settlements, and December 2025 produced the first DOJ settlement specifically targeting the subcontractor tier (an Illinois precision machining supplier, ~$421,000, initiated by a qui tam action from a former quality control manager). Primes have no incentive to absorb that risk on behalf of a subcontractor that has not invested in certification.
Pressure 2: Bid eligibility depends on a fully certified supply chain. If a prime needs a certified supply chain to win a DoD contract and one supplier is not certified, the whole bid is at risk. Primes are not going to lose a multi-million-dollar award because a tier-3 subcontractor was late on its self-assessment. They will replace the subcontractor.
This is why the directives from Lockheed, Boeing, RTX, Northrop, and others are not advisory. They are operational. The primes have already mapped their supply chains, categorized suppliers by CMMC readiness, and identified replacement candidates for non-compliant vendors. Subcontractors who are still uncertified are now competing not against the deadline but against their own replacements.
Most subcontractor conversations stall because the supplier does not know the answer to one of these four questions. Before your next call with a prime’s procurement or cybersecurity team, you need clean answers.
This is the single most important question, because it determines your required level and your entire compliance budget. Many subcontractors assume they handle only FCI when they are actually handling CUI. Technical drawings, specifications, performance data, export-controlled information, and “for official use only” markings all commonly qualify as CUI under 32 CFR Part 2002. The December 2025 DOJ settlement involved a subcontractor that supplied technical drawings — the kind of artifact most precision machining and manufacturing subs handle without recognizing it as CUI.
If you do not know the answer with certainty, your first call is not to a tool vendor. It is to your prime’s cybersecurity contact, asking explicitly: “What is the CUI marking status of the data you are flowing down to us on contract X?” Get the answer in writing.
Each prime has a different timeline and a different threshold. Lockheed wants SPRS documentation now. Boeing wants the certification level identified in the solicitation. HII is operating 12 months ahead of the DoD schedule. RTX expects active certification at the prime contract’s specified level. Northrop gave 80-day windows. General Dynamics requires SPRS score ≥ 88 as the baseline.
Do not guess. Pull your prime’s supplier-facing CMMC page or contact their supplier cybersecurity team. Get the level, the deadline, and the verification mechanism (SPRS, Exostar, CCRA questionnaire, or proprietary portal) in writing.
If your SPRS score is over 12 months old, primes are treating it as stale. If your score is below 88, you are below the Conditional Level 2 threshold and below what General Dynamics and most other primes will accept as a baseline. If you have not submitted a score at all, you are not even in consideration for new purchase orders from primes that verify SPRS as part of source selection.
A current, defensible SPRS score backed by a documented gap assessment is now table stakes, not a competitive differentiator.
4. Do you have a documented remediation roadmap with a C3PAO conversation initiated?
The primes know full certification by November 10, 2026 is unrealistic for most subcontractors who have not started. What they will accept, and what RTX explicitly acknowledged in their March 2026 notice, is demonstrable progress. A documented gap assessment, a defined CUI enclave, an active remediation plan, and a scheduled or pending C3PAO conversation are the artifacts that keep you in the supplier pool.
A subcontractor with a credible 2027 certification roadmap is in a different category than a subcontractor with nothing. Primes will work with the former. They will replace the latter.
Pattern 1: Assuming “we will deal with it when our prime tells us to.” The prime has already told you. The directive is published. The deadline is set. The subcontractor who waits for an individual phone call from their prime is not going to receive a phone call; they are going to receive a non-renewal notice.
Pattern 2: Confusing FCI handling with CUI handling. Technical drawings, performance specifications, export-controlled data, and operational details routinely qualify as CUI even when they are not explicitly marked. Subcontractors who self-categorize as “Level 1 only” without verifying the CUI status of the data their prime shares with them are setting up an FCA exposure that mirrors the Illinois precision machining case.
Pattern 3: Treating SPRS score inflation as harmless. A subcontractor that submits an optimistic SPRS score without underlying implementation is creating a documented false statement to the federal government. The DOJ has now demonstrated, repeatedly, that this is exactly the failure pattern qui tam whistleblowers use to initiate FCA actions. The score in SPRS is a representation. It is enforceable.
If you supply to a defense prime and you have not started CMMC preparation, the next seven days matter more than the next seven months. Three concrete actions:
Action 1: Pull your prime’s supplier-facing CMMC page. Lockheed, Boeing, RTX, Northrop, General Dynamics, and HII all have public pages outlining their requirements. Read what they say. Note the deadlines, the verification mechanisms, and the specific language they use about non-compliant suppliers.
Action 2: Confirm the data classification flowing to you. Ask your prime’s cybersecurity contact in writing: Is the data you share with us on contract X classified as FCI, CUI, or both? If CUI, what category? Get a written answer. This single artifact will define your compliance scope and your exposure under any future FCA action.
Action 3: Get a current, defensible SPRS score. Whether your score is 32 or 95, what matters is that it is current, accurate, and supported by a documented gap assessment. A scored, dated, affirmed SPRS submission backed by a remediation roadmap is the artifact that keeps you in the supplier pool while you work toward certification.
The subcontractors who survive the next 18 months will not be the ones with the highest scores today. They will be the ones who started the conversation early, documented their progress honestly, and gave their primes a defensible reason to keep them in the pipeline.
Rudram Engineering’s Registered Practitioner specializes in subcontractor scoping: the specific challenge of mapping prime-flowed data to the correct CMMC level, defining your CUI enclave, and producing a defensible SPRS score and remediation roadmap that primes will accept as evidence of in-process compliance.
One 30-minute call. You will leave knowing exactly which prime directive applies to you, what your current SPRS position should be, and what artifacts to put in front of your prime’s procurement team this quarter.