To remain eligible for defense contracts, prime contractors must do more than just meet the CMMC requirements in their own contracts. Under the final 48 CFR rule implementing CMMC, CMMC compliance now legally requires prime contractors to "flow down" requirements to every subcontractor handling FCI and/or CUI on their behalf.
For most of the Defense Industrial Base (DIB), this means the enforcement pressure is coming from primes, not the government itself. And the stakes have escalated significantly since Phase 1 of enforcement began. With Phase 2 starting on November 10, 2026, primes are no longer issuing supplier notices that say "prepare for CMMC." They now say "submit your Level 2 certification or we will not issue purchase orders."
This post covers why primes are enforcing ahead of the DoD rollout, how that enforcement is accelerating, and what subcontractors need to understand to stay competitive, according to the Director of Supply Chain Business Excellence at one of the largest primes actively enforcing CMMC today.
Why are primes enforcing Level 2 (C3PAO) ahead of the government rollout?
The short answer: because they can't afford not to.
Phase 2, which will expand the contractual implementation of Level 2 (C3PAO) requirements, doesn’t begin until November 10, 2026. But prime contractors including Elbit, Lockheed Martin, Boeing, and Northrop Grumman are already demanding compliance documentation from suppliers, with some FY2026 contracts requiring C3PAO certification immediately.
That's not impatience with the rollout schedule. It's economics.
Primes can't deliver without a compliant supply chain.
Bo Birdwell, Director of Supply Chain Business Excellence at Elbit Systems of America, put it plainly at the Secureframe National Cybersecurity Summit 2026: “You cannot build a product without having a supply chain, and you can't build a supply chain once you've won the contract.”
In other words: you cannot build a CMMC-compliant product without having a CMMC-compliant supply chain.
“One of the things that I think the primes understand better than the rest of the Defense Industrial Base is that your supply chain is just as important to you being able to win a contract as you are. You can bust your butt and spend money and get yourself Level 2 certified, and if you don't address your supply chain, you're not going to be able to build the product you need to deliver at cost, on schedule, and be able to perform to meet your contractual obligations.”
His biggest point was that subcontractors must understand CMMC is a business-critical capability, not a checkbox, for primes evaluating bids.
Primes can't price contracts they can't staff.
Birdwell also explained a logistical driver that enforcement notices don't often explicitly state: primes competing for firm fixed price contracts worth hundreds of millions or billions of dollars have to know their costs before they bid. A non-compliant supply chain makes that impossible.
"Project Management 101 is you do not base your price until you know your costs. And right now, it's really hard to do that [without] certified suppliers. Because if you don't have a supply chain that can build the parts you need, you're having to estimate your costs.”
As a result, the C-suite’s decision to bid on a program now depends in part on CMMC: “Whether or not you can actually meet the contractual requirements could be a life-changing contract for your company, and CMMC is going to be part of that conversation. That is the reality we are now in."
Non-compliance also carries serious legal risk.
Beyond the operational pressure, the regulatory stakes for primes who fail to flow down these requirements are significant:
- Sanctions and penalties: Including potential False Claims Act settlements or contract termination.
- Award/eligibility impacts: Failure to validate subcontractor status can affect eligibility, evaluations, and award decisions under the DFARS CMMC clause.
- Audits and investigations: Increased scrutiny from contracting officers, including additional assessments.
- Reputational damage: Loss of standing as a reliable defense partner.
How has prime enforcement accelerated ahead of the DoD rollout?
While DoD enforcement for Phase 1 (focusing largely on CMMC self-assessments) officially began on November 10, 2025, the industry did not wait for this deadline to begin putting pressure on subcontractors to get CMMC ready.
Primes with sprawling supply chains, like Lockheed Martin and Raytheon, were among the first in the industry to take early steps to de-risk their programs. Many others followed suit, issuing supplier notices and questionnaires asking for proof of CMMC compliance or readiness months before the final rule was even published.
According to Redspin’s second annual report on the state of DIB readiness released in November, the same month that Phase 1 enforcement began, almost half (47%) of the surveyed subcontractors said they had already received a CMMC flow-down request from a prime.
By early 2026, primes went from issuing awareness notices to following up with harder requirements:
- mandatory CMMC status documentation in supplier portals,
- Level 2 (C3PAO) certification as a condition of new purchase orders, and
- in at least one case, a hard deadline for suppliers to submit proof of certification or be removed from program work.
Some FY2026 contracts already include C3PAO requirements as a condition of award, independent of the Phase 2 deadline.
Let’s take a look at two examples.
Example 1: Elbit
In November 2025, Elbit issued a notice saying that CMMC Level 1 was the “minimum” requirement to continue to do business with Elbit. By January 2026, Elbit notified suppliers that they’d already received a solicitation requiring Level 2 (C3PAO) certification and that suppliers who failed to meet contractual CMMC flow-down requirements would not receive purchase orders. They told suppliers: Engage a C3PAO now and schedule your CMMC Level 2 assessment.
In February 2026, Elbit America followed up with another memo stating that they are actively building a network of suppliers who have successfully completed their CMMC Level 2 assessment and that any certified supplier should email them right away.
During his Summit session, Birdwell echoed what this memo and Elbit's supplier page already made clear: Elbit will not issue purchase orders to suppliers who do not meet contractual CMMC flow-down requirements.
While this does not mean that suppliers who aren’t Level 2 certified are being kicked out of Elbit’s supply chain, it does mean that subcontractors who are compliant are in a “very attractive” position, Birdwell said. This will be a major competitive advantage, especially for the next 12-18 months, as Elbit remains focused on “growing a robust supply chain that we can build a relationship with to build amazing CMMC-compliant products for our customers,” he explained.
Why it matters:
This is one of the clearest examples of how prime enforcement has accelerated in a short period of time: what was "urgent action recommended" in November became "no PO without certification" within two months. This reflects an industry shift in primes moving past the enforcement question and now focusing on supply chain quality: who's certified, who can actually build compliant products, and who's worth competing for.
Example 2: L3Harris
On April 6, 2026, L3Harris Missile Solutions sent a notice to subcontractors stating that all suppliers on DoD programs who receive CUI at all tiers must be certified if required by the DoD prime contract, including small businesses and foreign suppliers, and that certification may be needed to submit a proposal and prior to contract award. Suppliers who do not qualify for certification at Level 2 will be precluded from the program.
L3Harris has requested that applicable suppliers submit proof of certification by July 30, 2026.
Why it matters:
L3Harris is the first major prime to attach a specific certification deadline to supplier status: not just a requirement, but a date. At the time of the memo, the deadline was less than 4 months away. That’s not much runway for suppliers who haven't started, while those that are already certified are in an ideal position. This is the position that subcontractors want to be in as more primes start putting hard deadlines on suppliers.
The prime's checklist for subcontractors
Reading supplier notices is one thing. Understanding what's actually happening inside a prime and how they’re making supplier decisions is another.
At the Summit, Birdwell offered a rare first-person account of CMMC enforcement from the prime's perspective.
While capability, readiness, and predictability used to be the three pillars of supplier selection, CMMC has changed that math entirely.
“When I started trying to implement it in our supply chain, I realized it isn't another pillar. It is a gateway,” he explained, through which capability, readiness, and predictability even get considered.
To help understand this, Birdwell outlined what he called a “silent checklist”: the unwritten criteria primes use to assess supplier contract eligibility. Here are the four things that “good” suppliers have in common:
- Correct CMMC status for the information they process. Level 2 (C3PAO) or Level 1 self-attestation is the starting point, not the finish line.
- A scope they can explain without hesitation. What's in, what's out, why. Clear data flows. If a supplier can't articulate their scope, a prime can't confidently evaluate the risk.
- Documentation that matches implementation. The self-assessment document should be a living record that’s continuously updated, not authored once and shelved.
- Internal ownership and a governance rhythm. At least one certified internal lead. Processes that behave consistently. Ambiguity resolved quickly. These are signs that an organization has eliminated unknowns and made themselves easy to place.
5 lessons learned from a prime actively enforcing CMMC
Birdwell went beyond describing what primes want and shared what he's learned from working through CMMC compliance with over a thousand suppliers. These lessons explain why some suppliers are thriving while others are in crisis mode.
Lesson 1: This is not an IT problem.
"The first thing that has to be understood is that this is not an IT program. IT is not going to be the ones that fix your supply chain, make sure contract language flows down to the right companies, ensure that engineering is properly marking their documents, make sure program managers clearly understand the risks they are managing, or engage legal in the right places."
Companies that treat it as an IT project typically fail their assessments or hit serious friction during program execution. That’s because CMMC touches contracts, engineering, legal, program management, business development, and more. The first concrete action Birdwell recommends: put names to who's responsible for each cross-functional piece.
Lesson 2: Revision history is your friend.
Good documentation isn't just about having an SSP. It's about showing a process that has evolved over time. Assessors and primes both look for evidence that your security posture isn't static.
Two failure modes to avoid: outsourcing documentation without having implementers validate it, and having strong implementation but weak documentation. Either one is enough to fail or significantly underperform in an assessment.
"You will fail just as hard if your implementation is fantastic but your documentation isn't, and vice versa," Birdwell said.
Lesson 3: Sequence matters: mark, scope, protect, then place.
Birdwell offered a simple sequencing rule: marking drives scope, scope drives protection, and protection determines where things get placed. Companies that invert this order—by standing up infrastructure before they know what they're protecting, for example—waste time and often have to redo the work.
"You can't protect what you haven't scoped. You can't scope what you haven't marked. And the timeline does not shrink by waiting."
Getting this order right starts with reading CMMC clauses in contracts carefully at the proposal stage, Birdwell said. Missing a CMMC requirement in a solicitation turns into “crisis management” once you've been awarded the work.
Lesson 4: Flow down early and triage your supply base strategically.
When it comes to flowing down requirements to your own suppliers, Birdwell recommended filtering by program revenue contribution first, then by criticality to your programs. Sole-source suppliers float to the top.
"Re-qualifying a supplier is a multi-month process; it is not free and it is not fast. When a critical supplier hasn't started, your options are: replace, partner, or hope. Hope isn't a strategy."
Lesson 5: Get out of firefighting mode. Governance is the goal.
The currency primes are looking for from subcontractors right now isn't perfection. It's predictability. Primes can and do work with suppliers who are still on the journey, but only when there's evidence of a real process and a realistic timeline.
"What matters is showing the trajectory, that you have a working operating model that improves over time. Transparency is your friend. A documented journey, with the artifacts to back it up, gets you credibility."
3 Biggest challenges primes are facing with CMMC flow down
While the notices above are clear, enforcing them is a massive logistical endeavor. Prime contractor CMMC compliance requires managing data flow and security validation across a supply chain of tens to thousands of subcontractors.
Primes currently face three significant hurdles in meeting these flowdown requirements:
1. Continuous supply chain management
Meeting these flowdown requirements is not a simple or one-time activity. Primes must actively:
- Contractualize compliance: Include specific CMMC requirements in subcontract language, making compliance a non-negotiable condition of doing business.
- Verify status: Ensure subcontractors have a current CMMC status at the required level (e.g., via SPRS status/printout for self-assessments or proof of certification status where applicable).
- Match the CMMC level to the data: Primes cannot simply blanket flow down their own CMMC level requirement. They must determine the appropriate level based on the type of data being shared with the subcontractor (e.g., Level 1 for FCI, Level 2 for CUI, Level 3 when required by the prime contract/solicitation).
- Annual affirmation: Ensure subcontractors affirm continuous compliance with the required level at least annually.
- Restrict data flowdown: Refrain from sharing FCI and/or CUI with any subcontractor that has not verified they meet the required CMMC level.
2. Lack of visibility
One of the major issues facing primes is the "black box" nature of their supply chains. SPRS results are not visible to primes, only to the organizations themselves and DoD contracting officials.
Without a centralized process or automated tool, it is nearly impossible for primes to track the real-time compliance posture of all their subcontractors. You cannot fix what you cannot see, and right now, most primes cannot see past their Tier 1 suppliers.
That’s why primes like Elbit are requesting that Level 2 certified subs simply email them right away.
3. Non-compliant supply chain
During the CMMC rulemaking, there was a lot of fear about primes losing key suppliers—often small, specialized manufacturers or other types of small businesses—who could not afford the high costs or manage the technical complexity of CMMC compliance.
But early data from the field suggests the feared mass exodus from the DIB hasn't materialized. Birdwell reported that out of more than a thousand supplier conversations at Elbit alone, “fewer than 1% have raised their hand and said they're walking away.” The majority are making business decisions, weighing risk, and finding a path forward.
That said, primes are anxious to build a compliant supply chain in order to deliver CMMC-compliant products to customers as soon as possible. That means most primes will continue to opt for early, proactive flowdown over reactive enforcement to keep their programs on track.
FAQs
Where are flowdown requirements in CMMC guidance?
The responsibilities for primes are legally codified in 32 CFR §170.23 and enforced by the final 48 CFR rule, which went into effect on November 10, 2025.
Why does CMMC include flowdown requirements?
The DoD recognizes that it cannot verify the security and compliance posture of the hundreds of thousands of organizations across the defense ecosystem itself. Instead, the Department is relying on prime contractors to take on the responsibility of their own supply chains to improve the security and resilience of the entire defense sector and nation. By forcing primes to enforce standards, the Department ensures that CMMC requirements are applied uniformly to all organizations that process, store, or transmit sensitive unclassified information on its behalf (including FCI, CUI, SPD, ECI, and ITAR)—regardless of company size.