
Which Prime Contractors Have Begun Enforcing CMMC in Their Supply Chains? A List + The Actual Supplier Notices
Anna Fitzgerald
Senior Content Marketing Manager
Dylan Miller
Partner Manager, Audit and Technology
To remain eligible for defense contracts, prime contractors must do more than meet the Cybersecurity Maturity Model Certification (CMMC) requirements in their own contracts. Under the DFARS final rule implementing CMMC (the 48 CFR rule), primes are now legally required to "flow down" those requirements to every subcontractor that handles FCI and/or CUI on their behalf.
For most of the Defense Industrial Base (DIB), this means the pressure is coming from primes, not from the government itself. The Department of Defense (DoD or Department) isn't just requiring primes to be assessed; it is contractually deputizing primes to police their own supply chains.
If you are a subcontractor, you may be planning to wait for a later phase of the CMMC rollout before acting. That is a mistake that could cost you your contracts. Major aerospace and defense primes are already issuing notices and questionnaires, updating supplier portals, and setting hard deadlines for CMMC compliance.
Here is a breakdown of why primes are enforcing CMMC, what the requirements look like, and a list of the actual notices and questionnaires major primes have sent to their suppliers.
Why are primes required to flow down CMMC requirements?
The DoD recognizes that it cannot itself verify the security and compliance posture of the hundreds of thousands of organizations across the defense ecosystem. Instead, the Department is relying on prime contractors to take responsibility for their own supply chains, in order to improve the security and resilience of the entire defense sector and the nation.
By requiring primes to enforce the standards, the Department ensures that CMMC requirements are applied uniformly to every organization that processes, stores, or transmits sensitive unclassified information on its behalf (FCI and CUI, including CUI categories such as SPD, ECI, and ITAR-controlled technical data), regardless of company size.
What are CMMC flowdown requirements for primes?
The responsibilities for primes are legally codified in 32 CFR §170.23 and enforced by the final 48 CFR rule, which went into effect on November 10, 2025.

Meeting these flowdown requirements is not a simple or one-time activity. Primes must actively:
- Contractualize compliance: Include specific CMMC requirements in subcontract language, making compliance a non-negotiable condition of doing business.
- Verify status: Ensure subcontractors have a current CMMC status at the required level (e.g., via an SPRS status printout for self-assessments, or proof of certification status where applicable).
- Match the CMMC level to the data: Primes cannot simply blanket flow down their own CMMC level requirement. They must determine the appropriate level based on the type of data being shared with the subcontractor (e.g., Level 1 for FCI, Level 2 for CUI, Level 3 when required by the prime contract/solicitation).
- Annual affirmation: Ensure subcontractors affirm continuous compliance with the required level at least annually.
- Restrict data flowdown: Refrain from sharing FCI and/or CUI with any subcontractor that has not verified they meet the required CMMC level.
If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.
What happens if primes don’t comply with CMMC flowdown requirements?
The stakes for meeting these CMMC compliance requirements are high for prime contractors. Failure to flow down requirements or verify subcontractor status can lead to:
- Sanctions and penalties: Including potential False Claims Act liability or contract termination.
- Award/eligibility impacts: Failure to validate subcontractor status can affect eligibility, evaluations, and award decisions under the DFARS CMMC clause.
- Audits and investigations: Increased scrutiny from contracting officers, including additional assessments.
- Reputational damage: Loss of standing as a reliable defense partner.
When do primes need to comply with CMMC flowdown requirements?
The short answer: now.
While enforcement for Phase 1 (focusing largely on CMMC self-assessments) officially began on November 10, 2025, the industry did not wait for this deadline to begin putting pressure on subcontractors to get CMMC ready.
During the lead-up to the final rule, primes began demanding proof of CMMC compliance, or at least preparation, from subcontractors months in advance of the deadline. Primes with sprawling supply chains, like Lockheed Martin and Raytheon, were among the first in the industry to take steps to de-risk their programs, and many others have since followed suit.
Mariano Ospina, a CMMC Solutions Advisor at Secureframe, explained there’s been a shift in how prime contractors are enforcing CMMC over the last year:
“Early on, primes like Boeing, Lockheed Martin, Northrop Grumman, and Elbit Systems sent formal letters putting suppliers on notice that CMMC requirements were coming and expectations were changing. That warning phase has now moved into execution. Over the last two weeks in particular, enforcement has accelerated, with multiple primes sending formal cybersecurity questionnaires starting in the final week of November. Primes like Raytheon as well as smaller contractors are now using these supplier questionnaires to validate real CMMC readiness, not just stated intent, across their supply chain. If you are a subcontractor, your primes are actively assessing you and weighing future contract decisions against how long you delay compliance.”
Redspin’s second annual report on the state of DIB readiness confirms that CMMC enforcement is already happening “organically” because of primes. In a survey conducted in August and September 2025, almost half (47%) of the surveyed subcontractors said they had already received a CMMC flow-down request from a prime.
The bottom line for subcontractors: enforcement of CMMC contractual requirements is being spearheaded by industry. If you're still waiting for an explicit demand from the DoD or a later phase of the rollout before getting CMMC ready, your contracts and your place in the defense supply chain are already at risk.

A List of Prime Contractors that Have Begun Enforcing CMMC in Supply Chains + When
The following table tracks which major prime contractors issued supplier notices and questionnaires about CMMC requirements, starting back in February 2025 all the way to the end of the year.
| Prime contractor | Supplier notice | Date issued | Minimum CMMC requirement | Verification process |
|---|---|---|---|---|
| Raytheon (RTX) | Supplier questionnaire asked for current and intended CMMC status | Feb 2025 | Active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation | Annual Supplier Registration form: Suppliers must immediately update this registration form with current CMMC status. |
| Lockheed Martin | Supplier update that team was reaching out to suppliers with self-assessments showing unimplemented CMMC controls | June 2025 | Level 2 (Self) for now, but Level 2 (C3PAO) anticipated | Exostar Module: Submit Cybersecurity Compliance and Risk Assessment (CCRA) with current NIST assessment and level of CMMC readiness in Exostar. |
| Boeing | Supplier update that team was assessing supplier cybersecurity practices for CMMC gaps and encouraging proactive preparation for Level 2 (C3PAO) | Sept 2025 | CMMC Level (1-3) certification identified in the customer/Boeing solicitation, but Level 2 (C3PAO) encouraged | Gap Assessment: Boeing is assessing practices now; certification (Level 1-3) will be a condition of award. |
| Elbit Systems | Supplier update mandating Level 1 (Self) to continue doing business with Elbit | Nov 2025 | Level 1 (Self) for now, but Level 2 (C3PAO) encouraged for suppliers handling CUI | SPRS & Exostar: Level 1 self-assessment and affirmation must be conducted in SPRS and documented in Exostar. |
| Northrop Grumman | Supplier update urging preparation for CMMC since primes cannot waive or deviate from CMMC flowdown requirements | Dec 2025 | CMMC cybersecurity control and assessment requirements in solicitations and contracts | Verification process not specified in supplier update or website but explicitly states that purchase orders will not be awarded to noncompliant subcontractors. |
1. Raytheon (RTX)
- Date Issued: February 2025
- Update: All suppliers wishing to support USG contracts must disclose their current or intended CMMC status during annual registration.
- Minimum requirement: Active CMMC certification at the appropriate level required in defense contracts and solicitations
Verdict: The self-attestation model of security under DFARS 7012 will not be enough to stay in the supply chain
Closely following the publication of the 32 CFR rule, RTX (including Collins Aerospace, Pratt & Whitney, and Raytheon) released a significant update to its Annual Supplier Registration Data, Representations And Certifications form, adding a question about each supplier's current and intended CMMC status. This effectively closed the door on the previous self-attestation model of security under DFARS 7012, in which many subcontractors promised to comply but never actually did.
RTX also updated its Supplier Cybersecurity web page to specify that all suppliers supporting defense contracts must have "an active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation," and that suppliers must immediately take steps to ensure their Annual Supplier Registration Data, Representations and Certifications remain current on CMMC status.
Why it matters
RTX's early action in updating the supplier questionnaire and the language on its website ("We are steadfast in our commitment...") signals that it views non-compliant suppliers not just as a regulatory burden but as a direct threat to national and global security.

Image source: RTX Supplier Reps and Certs form updated in February 2025
2. Lockheed Martin
- Date Issued: June 30, 2025
- Update: Lockheed began reaching out to suppliers whose SPRS scores indicate unmet cyber requirements, including unimplemented CMMC controls.
- Minimum requirement: Full implementation of NIST 800-171 requirements (mandated by existing regulations) and CMMC Level 2 (C3PAO) readiness
Verdict: Level 2 (C3PAO) readiness is now a gatekeeper to its supply chain
Before the 48 CFR rule was even finalized, Lockheed Martin's Supply Chain Cybersecurity team began actively reaching out to suppliers whose latest self-assessments indicated unmet cyber requirements, "including unimplemented CMMC controls." The team reminded the supply chain that under DFARS 252.204-7012 and DFARS 252.204-7020, NIST 800-171 compliance is already mandatory, not optional, and required suppliers to complete the Cybersecurity Compliance and Risk Assessment (CCRA) via the Exostar Onboarding Module to validate their latest status.
At the same time, Lockheed began pushing heavily for Level 2 (C3PAO) assessment readiness, which requires a third party to attest to the organization's complete implementation of NIST 800-171 Revision 2 rather than relying on self-assessment alone.
Why it matters
Lockheed is effectively enforcing long-standing DIB cybersecurity requirements, like DFARS 7012, which have been in effect for years, to clean up its supply chain ahead of the CMMC rollout. By framing "unimplemented CMMC controls" as a current breach of existing contract requirements, it is pushing suppliers to engage third-party assessors (C3PAOs) immediately rather than waiting for a specific CMMC contract clause or a later phase of the CMMC rollout.

Image source: Lockheed's supplier update on CMMC Rulemaking Progress sent June 2025
3. Boeing
- Date Issued: September 2025
- Update: Boeing started gap assessments across its supply base to identify vendors who aren’t CMMC ready.
- Minimum requirement: Certified CMMC Level (1-3) as a condition of winning a contract award
Verdict: No CMMC Certification = No Contract to protect entire supply chain
The same month that the final 48 CFR rule was published in the Federal Register, Boeing sent out a notice saying they were currently assessing supplier practices to identify gaps that need to be addressed before CMMC enforcement officially began.
In their notice, they specified that "as a condition of winning a contract award, suppliers handling FCI and CUI will be required to have the specified CMMC level (1-3) certification identified in the solicitation." They also strongly encouraged suppliers to begin the process of preparing for and obtaining a CMMC Level 2 (C3PAO) certification.
Boeing stressed that achieving CMMC readiness was not only critical for maintaining contract eligibility—it was also critical for their “collective ability to protect sensitive information from unauthorized access or compromise.”
Why it matters
By reiterating that CMMC certification would be a "condition of winning a contract award," Boeing sent a clear signal to suppliers: if you aren't ready at the time of the bid, you cannot win the work. It also emphasized that CMMC isn't just about keeping your own contracts; it is about raising the cybersecurity of every company in Boeing's supply chain and across the defense supply chain as a whole.

Image source: Boeing's supplier letter urging CMMC Level 2 readiness sent in September 2025
4. Elbit Systems of America
- Date Issued: November 5, 2025
- Update: Suppliers must take urgent action to complete Level 1 self-assessment and submit in SPRS to stay in the supply chain.
- Minimum requirement: Level 1 self-assessment and affirmation in SPRS
Verdict: Level 1 self-assessment in SPRS mandatory for all non-COTS suppliers immediately
Timed to coincide with the official Phase 1 enforcement, Elbit issued a notice stating, "It's now time for Elbit America's suppliers to take urgent action” and “immediately conduct a Level 1 self-assessment and affirmation within the Supplier Performance Risk System,” citing 32 CFR § 170.15.
They emphasized that this was the minimum requirement to continue to do business with Elbit America—explaining that suppliers that handle CUI should also achieve a Level 2 (C3PAO) certification as defined within 32 CFR § 170.17.
Why it matters
Elbit explicitly defined Level 1 as the "minimum requirement to continue to do business" now, but also warned that suppliers handling CUI should proactively prepare for Level 2 (C3PAO) since that "certification process is detailed and will require time and commitment to complete." This directly links a subcontractor's SPRS submissions and CMMC status to its eligibility for future work and revenue.

Image source: Elbit's open letter to suppliers about CMMC Program Phase I sent in November 2025
5. Northrop Grumman
- Date Issued: December 2025
- Update: Prime contractors lack the legal authority to waive CMMC requirements and these may be immediately enforced in contracts now that the November 10 deadline has passed.
- Minimum requirement: Subcontractors must comply with CMMC cybersecurity control and assessment requirements flowed down from Northrop
Verdict: No waivers are coming and there will be no purchase orders for non-compliant subcontractors
Northrop Grumman's recent communications emphasize the rigid legal structure of the new CMMC program. They state plainly: "Neither contracting officers nor prime contractors may waive or deviate from the CMMC cybersecurity control and assessment requirements." They also emphasize that prime contractors cannot award purchase orders to noncompliant subcontractors, just as contracting officers cannot award contracts to noncompliant contractors.
Consequently, Northrop urged subcontractors to begin preparing for these contractual requirements, which may appear in future solicitations or immediately, now that the Phase 1 enforcement deadline (November 10, 2025) has passed.
Why it matters
Northrop Grumman's communications highlight the legal reality that primes have no choice but to enforce CMMC. Long-standing relationships or "sole source" status cannot protect non-compliant subs, because the prime simply lacks the legal authority to issue a contract to a supplier that hasn't met the CMMC flowdown requirements.

Image source: Northrop's supplier letter asking if they're CMMC ready now that the rule is final sent in December 2025

3 Key challenges of prime contractor compliance with CMMC flowdown requirements
While the notices above are clear, enforcing them is a massive logistical endeavor. Prime contractor CMMC compliance requires managing data flow and security validation across a supply chain of anywhere from dozens to thousands of subcontractors.
Primes currently face three significant hurdles in meeting these flowdown requirements:
1. Lack of visibility
One of the major issues facing primes is the "black box" nature of their supply chains. Without a centralized process or automated tool, it is nearly impossible for primes to track the real-time compliance posture of all their subcontractors. You cannot fix what you cannot see, and right now, most primes cannot see past their Tier 1 suppliers.
2. Verification burdens
SPRS results are not visible to primes, so subcontractors typically provide proof (e.g., an SPRS printout or certification information) for verification. If a prime relies on manual emails and spreadsheets to verify the SPRS scores and CMMC certificates of thousands of vendors, the process will be time-consuming, prone to human error, and impossible to scale.
3. Supply chain attrition
These flowdown requirements are not only a compliance risk; they are a mission risk. Primes are rightfully worried about losing key suppliers—often small, specialized manufacturers or other types of small businesses—who cannot afford the high costs or manage the technical complexity of CMMC compliance. Secureframe simplifies this process for both sides of the contract.
How Secureframe can solve the supply chain readiness gap at scale
The November 10th deadline may have been the starting gun for CMMC but as the notices from Raytheon, Lockheed, Boeing, and other primes over the past year demonstrate, the real enforcement pressure is not coming from the DoD. It is coming from the prime contractors who are aggressively enforcing flowdown requirements to de-risk their own contracts.
With Phase 1 underway, primes are not only asking for the current CMMC status of thousands of subcontractors to assess their adherence to Level 1 and 2 (Self) requirements—they’re also assessing their subs’ level of readiness for the next phase of Level 2 (C3PAO) requirements.
Most of these suppliers do not have the 12-18 months or the six-figure budget that CMMC Level 2 readiness requires with a manual approach, traditional federal tools, GRC platforms, or consultants. This threatens to break the supply chain, forcing primes either to drop valuable suppliers or to stall programs while waiting for verification of compliance.
Secureframe’s end-to-end CMMC solution is the only way forward for subcontractors to prepare for and complete CMMC assessments at speed and scale. Secureframe automates the hardest parts of CMMC, making Level 2 readiness possible in a fraction of the time.
- Cut readiness timelines to a third: Our solution automates every part of the process, from provisioning your cloud environment to scoping, implementing controls, documentation, and continuous monitoring, turning a 12-18 month slog into a 4-6 month sprint.
- Auto-provision your infrastructure: Suppliers can spin up a pre-configured, CMMC-compliant enclave for CUI in less than 30 minutes, rather than the average 8-10 weeks.
- Automate documentation: Instantly generate machine-readable SSPs, POA&Ms for remediation, and policies and procedures mapped to the 110 controls and 320 assessment objectives of CMMC Level 2 and based on data from your controls, vendors, policies, and other modules in the Secureframe Comply platform.
- Automate GRC tasks: Manage all CMMC requirements and tasks in one platform—from automated evidence collection to asset inventory, employee training, risk management, vendor due diligence, documentation updates, and continuous monitoring—to simplify your first assessment and every cycle after that.
- Get live SPRS score tracking: Track your SPRS score in real-time to monitor and share your level of CMMC readiness with primes ahead of award deadlines and during contract periods.
- Streamlined C3PAO assessments: Select from a trusted network of C3PAOs who use Secureframe’s built-in auditor module to access only the evidence and documentation they need to streamline assessments and offer the lowest price.
- Support from true federal experts: Both our customers and CMMC solution are supported by compliance experts with first-hand experience achieving CMMC Level 2 (C3PAO) certification as well as over 25 CMMC Registered Practitioners (RPs). We have been listed as a CMMC Registered Practitioner Organization (RPO) in the CyberAB Marketplace since March 2025.
Ready to secure your supply chain or subcontract? Talk to an expert to see how Secureframe streamlines compliance with CMMC flowdown and security requirements.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Dylan Miller
Partner Manager, Audit and Technology
Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.