
How Are Primes Tracking CMMC Across Their Own Supply Chains? A Deep Dive into Boeing’s ESLC
Anna Fitzgerald
Senior Content Marketing Manager
Emily Bonnie
Senior Content Marketing Manager
Most organizations in the Defense Industrial Base (DIB) know that contractual enforcement of CMMC, including third-party assessment requirements, is already underway. What some may not realize is that the pressure isn't primarily coming from the Department of Defense. It's coming from primes themselves.
Boeing, Lockheed Martin, Raytheon, Northrop Grumman, and other major prime contractors are actively assessing, tracking, and in some cases gatekeeping their supply chains based on CMMC compliance status.
This post explains how and why prime contractors are taking CMMC enforcement into their own hands ahead of the DoD rollout, and then walks through a specific example of how Boeing is assessing its suppliers through the Enterprise Supplier Lifecycle (ESLC) portal.
Why primes are now the primary enforcement arm of CMMC
Under DFARS 7012 and other regulations, cybersecurity compliance followed a “trust but verify later” model, in which defense contractors would self-attest their compliance. While the DoD had the discretion to assess and validate that compliance, it simply cannot assess hundreds of thousands of suppliers across the DIB on its own.
As a result, DoD-mandated cybersecurity requirements were implemented inconsistently and sensitive government information remained at risk due to critical vulnerabilities and gaps across the defense supply chain.
CMMC sought to address this issue. Under the 48 CFR rule, effective November 10, 2025, prime contractors are now legally required to flow CMMC requirements down to every subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on their behalf.
That means primes must:
- Include CMMC requirements as a non-negotiable condition in subcontracts
- Verify that subcontractors have a current CMMC status at the required level before award
- Match the CMMC level to the type of data being shared (Level 1 for FCI, Level 2 for CUI)
- Ensure subcontractors affirm continuous compliance at least annually
- Stop sharing FCI/CUI with any subcontractor that can't demonstrate the required CMMC level
The consequences for primes who fail to enforce these flowdown requirements are serious and include False Claims Act exposure, contract termination, audits, and reputational damage as a defense partner.
The challenge primes face in enforcing CMMC and meeting flowdown requirements
To verify that contractors have a current CMMC status at the required level, DoD contracting officers can look in the Supplier Performance Risk System (SPRS), the DoD’s database for all supplier risk assessments, performance data, and cyber reports.
However, SPRS only allows the DoD and the organization itself to see its own CMMC certificate or CMMC self-assessment information. Prime contractors don’t have that access.
That means primes have to put their own process and/or database in place to monitor and verify CMMC compliance among their subcontractors.
Here’s exactly what the DoD said in response to public feedback during the 48 CFR rulemaking about this:
“DoD does not have a tool that would allow sharing of subcontractor information with prime contractors electronically. Prime contractors are expected to work with their suppliers to conduct verifications as they would for any other clause requirement that flows down to subcontractors.”
That verification process could involve subcontractors printing or taking a screenshot of their own CMMC status and affirmation information in SPRS and sharing it with their primes. As an example, here's what Secureframe's report in SPRS looks like, which shows details of our latest assessment and current CMMC status:

However, most primes have a more streamlined process involving a tool similar to the DoD’s SPRS, rather than asking suppliers to submit screenshots or PDF printouts on an ad-hoc, manual basis through disparate channels (email, Teams, etc.).
To better understand how subcontractors may be expected to demonstrate CMMC compliance, we’ll quickly cover subcontractor requirements for some of the largest primes then deep dive into the process and tool that Boeing uses.
How major primes have already started enforcing CMMC
Supplier notices and questionnaires asking about CMMC certification or readiness began rolling out months ahead of the DoD rollout.
Here's an overview of how the biggest primes in the industry have approached it:
- Raytheon (RTX) moved first, updating their Annual Supplier Registration form in February 2025 to require disclosure of current and intended CMMC status. Their message was clear: self-attestation under the old DFARS 7012 model is no longer sufficient. Suppliers are now expected to fill out or update this registration form with their current CMMC status.
- Lockheed Martin began reaching out in June 2025 to suppliers whose SPRS scores indicated unmet cybersecurity controls. They required suppliers to complete a Cybersecurity Compliance and Risk Assessment (CCRA) through the Exostar platform and began pushing hard for Level 2 (C3PAO) readiness, not just self-assessments.
- Elbit Systems issued a notice in November 2025 calling for "urgent action," requiring all non-COTS suppliers to immediately complete a CMMC Level 1 self-assessment and affirmation in SPRS and document it in Exostar as the minimum bar to continue doing business with Elbit.
- Boeing issued a supplier notice in September 2025 announcing that their team was actively assessing supplier cybersecurity practices for CMMC gaps and encouraging suppliers to begin proactive preparation for Level 2 (C3PAO) certification. They’ve since updated their supplier resources with directions for using a dedicated portal infrastructure to collect, organize, and track compliance evidence from suppliers. That portal is called ESLC, and it's what we're going to walk through in detail below.
How is Boeing tracking supplier CMMC compliance? A Guide to the ESLC Portal
Boeing implemented the Enterprise Supplier Lifecycle (ESLC) tool to serve as an intake hub for supplier profile data. Once existing and prospective suppliers register and fill out a supplier profile and supplier capability assessment within the portal, Boeing can then search in ESLC for suppliers whose qualifications match potential bid opportunities.
Developed by CERTA, this tool is designed to replace manual PDF forms and other workflows to improve delivery predictability, accelerate delivery, strengthen collaboration, and ensure consistent quality, cybersecurity, and risk management across their supply base.
Is ESLC a replacement for CMMC?
ESLC does not replace CMMC, nor can the two acronyms be used interchangeably. Here's the key distinction to understand before you register or log in:
- CMMC defines the requirements. The Cybersecurity Maturity Model Certification framework defines the cybersecurity practices and maturity levels required to protect sensitive government information called CUI and FCI.
- ESLC is where you prove compliance. ESLC is the secure portal Boeing uses to collect, organize, and review supplier compliance evidence, similar to how the DoD uses SPRS.
What CMMC proof is Boeing actually looking for?
Boeing requires suppliers to complete a CMMC questionnaire as part of ESLC registration and provide a copy of their certification if they have completed an assessment. But what certification are they looking for exactly?
The baseline answer is straightforward: it depends on the level specified in the solicitation. Level 1 for contracts involving Federal Contract Information (FCI), and Level 2 or higher for contracts involving Controlled Unclassified Information (CUI). Meaning, if a solicitation specifies Level 1, you need to demonstrate Level 1 compliance at the minimum for Boeing to award you the work.
But Boeing's September 2025 supplier notice made clear that meeting the minimum isn't the same as being well-positioned. Even before Phase 1 of DoD enforcement had begun, Boeing was already pushing suppliers handling CUI to proactively pursue Level 2 (C3PAO) certification, rather than relying on self-assessments alone.

Image source: Boeing's supplier letter urging CMMC Level 2 readiness sent in September 2025
Boeing framed this not just as a contract requirement but as a national security imperative, stating that achieving it is "critical for our collective ability to protect sensitive information from unauthorized access or compromise."
Under CMMC requirements on their Supplier website, Boeing specifically says suppliers are expected to “submit progress and evidence of their CMMC level” in ESLC. In practice, that means Boeing is likely looking for one of three things when they review your CMMC section in ESLC:
- A completed C3PAO assessment with your certificate uploaded and the Assessment date
- A screenshot or printout of a CMMC Level 2 (C3PAO) Conditional Assessment status in SPRS, likely with gaps documented in a POA&M and a clear remediation timeline (or proof of an active engagement with a C3PAO)
- A completed Level 1 self-assessment affirmed in SPRS and the Assessment date
What Boeing does not want to see is nothing. Suppliers who have not started the certification or readiness process are the ones at risk of being cut from programs, bids, or the supply chain entirely as Boeing continues to tighten its requirements in step with the DoD's phased rollout.
The flip side is that suppliers who have already achieved Level 2 (C3PAO) certification have a meaningful competitive advantage heading into Phase 2. Boeing searches ESLC for suppliers whose qualifications match bid opportunities, and cybersecurity posture is part of that picture. A supplier with a final Level 2 certification on file is a lower-risk, lower-friction partner for any contract that touches CUI. As more solicitations begin specifying Level 2 (C3PAO) as a condition of award, that distinction will only matter more.
How to access the ESLC portal
If you are an existing supplier, you can access ESLC through the Supplier Portal.
If you are a prospective supplier, you must:
- Send an email request to boeingassessment@boeing.com. This is the Globalization Supplier Development (GSD) group mailbox. A GSD representative will then initiate a request in the ESLC Portal.
- Wait for an invitation email with a link to the ESLC portal. Boeing recommends checking your spam/junk email if you don’t see it in your inbox. Also, ensure the Boeing requestor is copied on the email.
- Click on that link to complete a Supplier Capability Assessment in the portal

Image source: Boeing Enterprise Supplier Lifecycle (ESLC) Portal User Guide For Suppliers
Walkthrough: How to fill out supplier information in ESLC
Once you access the ESLC Portal through your invitation email, a series of guided workflow sections will walk you through your profile setup in order. Below is a step-by-step breakdown of what to expect in each section.
One important note before you start: work through required fields in order. The portal uses conditional logic throughout, so selecting a country, for example, will cause a state/province field to appear, and answering certain yes/no questions will unlock additional fields. If you skip around, you may miss required inputs.
Step 1: Company Identification
1. Enter your company's Primary/DBA (Doing Business As) Name. Indicate whether your legal name is different from your DBA name. If it is, enter both.
2. Search the Dun & Bradstreet (DUNS) database to verify your company details. You can enter either your DUNS number (if you have one) or company name and address, then click “D-U-N-S Search.”

3. Review search results.
- If your company appears and the details are correct, click "Select" to pull that information into your profile.
- If your company appears but the details are wrong, do not select it. Contact Dun & Bradstreet directly to correct the record first. Once this section is submitted, it cannot be edited.
- If your company doesn't appear, double-check what you entered for errors and try again.
- If it still doesn't show, contact Dun & Bradstreet to get a DUNS number.
4. Here’s how to proceed if search results aren’t correct or don’t appear.
- Answer "Yes" to the prompt asking whether you'd like to proceed without a match if your company doesn’t appear correctly or at all in the Dun & Bradstreet results and you’d still like to continue filling out your profile in ESLC.
- Answer “Yes” to the prompt asking whether you want to pre-populate your Primary/Manufacturing Address with the information you used for the DUNS search only if you entered it correctly. Otherwise, you can wait to enter the information manually in the next section. This section will be locked for editing once submitted.
- Answer "No" to the prompt asking whether you'd like to proceed without a match if you prefer to wait until Dun & Bradstreet corrects your company’s information or registers your company in their database. You must also inform the Boeing procurement agent that you would not like to proceed at this time.
Step 2: Supplier Profile Business Information
5. Enter your Primary/Manufacturing Address if you didn't pre-populate from the DUNS search. For manufacturing companies, this is the facility where your end item deliverable is fabricated, assembled, and accepted. For service companies, this is your primary place of business.
6. Fill out Company Representative with the contact info for the person completing the profile. This auto-populates based on the Boeing requestor's information but can be edited. After submission, this person is automatically assigned to multiple contact types and gains access to complete subsequent sections.
7. Enter your CAGE code, UEI, and DUNS number if you have them. Not all are required. A DUNS is a nine-digit unique identifier for your business that is helpful, but not required, to do business with Boeing. A CAGE code is your five-character Federal Government identifier. A UEI is your Unique Entity Identifier from SAM.gov. If you know it, you can also fill out the Congressional District field with the unique 2-digit code that identifies the electoral district within the United States where the business partner is located.
8. Enter your Company Web Address and answer these Yes/No questions:
- Incorporated to do Business in the U.S.? This is required for US entities. Mark “Yes” if your business is organized under US law.
- Foreign-Owned Located and Operating in U.S.? If yes, you'll need to indicate whether you're a small or large business.
- Would you like to provide Banking Information at this time? If Boeing will be making payments to you, answer "Yes" here to activate the banking table. If you're not ready to provide banking details yet, you can answer "No" and add it later through an Update Profile request.

9. Review the Global Ultimate Parent. This section auto-populates from your Dun & Bradstreet profile if that information is filled out and you selected a match during the DUNS search step earlier. If this information is not listed as part of your profile or you did not select a match earlier, then this section will be automatically marked as “Yes” for Same as Business Profile Information.
If your company does have a parent entity that isn't showing up in this section, contact Dun & Bradstreet to update your profile there. Boeing cannot add or edit this section manually.
10. Confirm whether you meet Quality Standards required by Boeing. Indicate whether your company holds AS9100, AS9110, or AS9120 certifications. If yes, you'll be asked for your certification number. Note: existing suppliers will see these questions defaulted to "No" even if certifications are on file elsewhere in Boeing's systems. In that case, you can disregard this default setting.
Step 3: Additional Contacts
11. Add additional contacts to provide certain individuals access to profile sections that align with their role at the company. For example, you may add a Cyber POC to ensure they have access and receive automated requests annually to update the CMMC section of the Supplier Profile.
12. Update any additional contacts if their name or email address has changed, or they no longer work at the company.
13. Click “Submit” at the bottom of the main page once you’ve made all updates. A green check mark will populate on the left menu to show the section has been submitted successfully.
Step 4: Tax and Banking Information
14. Enter Tax Information if you expect Boeing to make payments to your company (otherwise, skip this section). This includes your company name, Tax ID Number, Tax Reporting Country (auto-populated), Tax Type, and Business Entity Type. Tax information must be completed before bank accounts can be added.
15. Click "Add" and fill in the following to add a bank account.
- Business Unit: Defaults to "Boeing" unless you're working with a specific Boeing business unit with distinct banking requirements (like Boeing Defense United Kingdom).
- Bank name, address, and country: Currency auto-fills based on bank country.
- Payment method: Also dependent on the bank country.
- Account Beneficiary Name, Account Number, and ABA/Transit/Sort/IFS Code: Required regardless of country. Some countries will also require SWIFT code and/or IBAN. Account numbers are masked after submission; only the last four digits remain visible.
- Default: If you have multiple accounts, you must designate one as the default per currency type.
16. Click “Submit” once information is complete and accurate. If your Tax Representative and Banking Contact are different people, do not hit Submit until both have completed their respective portions. Submitting prematurely will require an admin unlock and will delay processing.
Step 5: Additional Address Information
17. Click on the hyperlinked name in the Additional Address table. If Boeing awards you contracts across multiple business units, you'll see multiple entries/rows in the table. Each needs to be completed separately following the steps below.
18. Review Details and click “Next.”
19. Review Ordering Address to confirm whether this additional address (like a ship-from location, for example) is the same as your Primary/Manufacturing Address. If it is, select "Yes" and submit. If it's different, select "No" and enter the Purchase Contract Name and Address to perform another DUNS search. Select the correct result or enter the information manually if the search result isn’t correct or doesn’t appear, then click “Submit.”

20. Complete Invoicing Address following the same steps as Ordering Address.
21. Complete Goods Supplier Address following the same steps as Ordering Address. Select “N/A” if the company does not have a goods supplier.
22. Click your company name in the upper-left corner to return to the main workflow once all address sub-sections show a lock icon and this section is complete. You will still see the Additional Address Information section but the status of the Additional Address table should now say Complete.
23. Enter an Alternate Payee only if a third-party entity (not your invoicing address) will be receiving check payments on your behalf, then click “Submit.”
Step 6: Business Courtesies Questionnaire
24. Add this questionnaire, answer all required fields, and click "Submit." For anti-corruption compliance purposes, you must complete this form, which covers what types of courtesies (meals, gifts, entertainment, lodging, etc.) your company permits its representatives to accept from Boeing, and renew it every two years.
Step 7: Representations & Certifications (SP1)
25. Fill out the Representations and Certifications (SP1) questionnaire. This questionnaire will auto-populate if Boeing's procurement agent (the one who initiated the New Supplier Profile Request) has identified you as doing government work. This includes the Business Size, Ownership & NAICS questionnaire that auto-populates for commercial suppliers. It must be renewed annually.
26. Click “Add” to review sections A&B in the Special Provisions (SP1) form, then click “Submit” to proceed with the Business Size, Ownership & NAICS questionnaire.

27. Answer Yes/No if you are a non-US supplier.
28. Select the size of your company from the drop-down menu and answer additional questions that appear based on your selection. If you answer “Yes” to these questions, then supporting documentation will likely be required. For example, if you select “Yes” that you are an SBA Certified HUBZone Small Business, then you must enter the date and upload a printout of your HUBZone certification. A similar process applies if you select that you’re a Service-Disabled Veteran Owned Small Business or Women-Owned. Without documentation, Boeing cannot apply those designations to your profile.

29. Click "Add NAICS" if you have a North American Industry Classification System (NAICS) code. Select whether it's primary or secondary, choose the correct six-digit code and description, and run "Get Duplicates" to check for conflicts before submitting.
30. Fill out your name, title, email, and phone number to certify this section, then click “Submit.” The person who fills out and certifies this section will be automatically added as your SP1 Contact and will receive future annual recertification reminders by email.
Step 8: Supplier Code of Conduct
31. Click "Add" to review and acknowledge Boeing’s Supplier Code of Conduct (SCoC).
32. Click the hyperlinked “HERE” in the first question to open the SCoC, then answer “Yes” to confirm you’ve reviewed it and select one of four acknowledgment options. If you answer “No,” then you have to select one of only two of those acknowledgements: either declining to review the SCoC because your company has its own policies in place, or refusing to acknowledge the expectations set forth in the SCoC.

32. Answer Yes/No/Don’t Know if your company has its own employee code of conduct and supplier code of conduct in place. If either answer is “No,” then additional questions will appear asking if you intend to create an employee or supplier code of conduct in the future.
33. Fill out the date, your name, title, email, and phone number to certify this section, then click “Submit.” The person who completes and certifies this section becomes the Supplier Code of Conduct Contact and will receive annual renewal reminders.
34. Click “Submit” at the bottom of the main Supplier Code of Conduct section screen to complete this section.
Step 9: Cyber Maturity Model Certification (CMMC)
35. Fill out the CMMC questionnaire. The section header notes that it requires input from your Cyber/IT Team or Cyber POC. If you're not that designated contact, go back to the Additional Contacts step and make sure the right person is assigned before this section is completed.
36. Answer Yes/No if your work for Boeing involves a U.S. Department of Defense contract or other work requiring CMMC compliance.
37. Answer Yes/No whether your organization has completed a successful self-assessment, a DCMA/DIBCAC assessment, or a C3PAO assessment. If “Yes,” select the option that specifies whether that applies to your entire organization (Enterprise) or just a specific enclave where the work for Boeing will be performed.

38. Provide a copy of your CMMC certificate and relevant dates if you select “YES Enterprise” or “YES Enclave” that an assessment has been completed.
39. Fill out your name, title, email, phone number, and date to certify this section, then click “Submit.” The person submitting this section represents and warrants that the information is accurate and legally binding. Boeing will rely on it when making contracting decisions.
Step 10: Supplier Submittal and Certification
40. Click "Add," fill in your name, title, email address, and phone number, then click “Submit.” This is your digital signature step. By completing this step, you're legally attesting that all information submitted through the ESLC Portal is true, accurate, and binding.
Once submitted, Boeing's requestor and their manager will review your profile. When all reviews are complete and data has been entered into Boeing's internal system, your profile status will update to Onboarded.
Other profile statuses you may see are:
- Onboarding: One or more sections have not yet been submitted by the supplier
- Pending Requestor Review: Supplier has submitted and profile is under review with Boeing's requestor
- Pending Manager Review: Requestor has reviewed and profile is now under review with Boeing management
- Onboarded / Onboarded – Reviews Complete: Profile is fully completed and all Boeing-side reviews are done
Step 11: Supplier Capability Assessment (Optional)
41. Complete a Supplier Capability Assessment. This is technically optional since your profile will be submitted and processed regardless. But companies that wish to become Boeing suppliers should fill it out. This will register them in the Boeing Supplier Capability Assessment Database, a separate tool Boeing uses to match suppliers to bid opportunities based on manufacturing capabilities, equipment, certifications, and more. If you're interested in being considered for new work, it's worth completing.

42. Provide as much detail as possible in all assessment sections, then click “Submit.” These sections may ask about your company history, financial performance, business tools and processes, certifications and accounts, capabilities and core competencies, and internal support capabilities.
Note that some suppliers will be asked to register their capabilities only, not to submit information for a new profile. In that case, they’ll only have to complete the Company Identification and Supplier Business Profile Information sections of the step-by-step process above before filling out the Supplier Capability Assessment.
Once submitted, you may be contacted by a Boeing representative if a bid opportunity arises and your products or services match the requirements, you
Boeing official sources:

The bottom line for subcontractors
If you're waiting for a DoD assessor to knock on your door, you've misread the situation. The enforcement pressure is coming from your primes and it's already happening. Boeing, Lockheed, Raytheon, Northrop, and Elbit have all issued formal notices. They've built compliance portals, updated supplier questionnaires, and tied CMMC status directly to contract award eligibility.
The question isn't whether you'll need to demonstrate CMMC compliance to your primes. You will. The real question is whether you'll be ready when they ask, or whether a competitor will be.
If you're unsure where you stand or need help preparing for a CMMC assessment, contact our team to talk through your options or visit secureframe.com/cmmc to learn how you can get assessment-ready in as little as 4 weeks.

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.