CMMC certifications prescribed by prime contractors ahead of phased rollout
Prime contractors are no longer waiting for the Department of Defense’s phased CMMC rollout to begin before tightening expectations across their supply chains. As CMMC 2.0 moves from policy to contract language under DFARS 252.204‑7021, primes are exercising their obligation to flow requirements down to every subcontractor that handles FCI or CUI, regardless of when a given phase officially starts. This shift reflects the reality codified in 32 CFR §170.23: primes are responsible for ensuring cybersecurity compliance at all tiers, and failure by a subcontractor can directly jeopardize contract eligibility for the entire program. As a result, many defense suppliers are discovering that “waiting for Phase 2” is no longer a viable strategy.
Lockheed Martin and Boeing have been especially explicit, using supplier communications and portal updates to make early readiness a condition of continued business. Lockheed has repeatedly told suppliers that organizations handling CUI should already be fully implementing NIST SP 800‑171 and be prepared to demonstrate CMMC Level 2 compliance—well ahead of the government’s later phases—while proactively contacting vendors with gaps in their self‑assessments. Boeing has echoed that posture, formally assessing supplier cybersecurity practices and strongly encouraging Level 2 certification as a prerequisite for future awards, even before the bulk of contracts require third‑party assessments under the phased rollout. In both cases, CMMC readiness has become a competitive gate rather than a distant compliance milestone.
Other primes are following suit, with L3Harris and RTX (formerly Raytheon Technologies) illustrating how quickly expectations are hardening. In April 2026, L3Harris Missile Solutions issued a supply‑chain notice giving subcontractors roughly 80 working days to provide proof of CMMC Level 2 certification or risk exclusion from DoD programs—an unmistakable signal that third‑party validation is replacing self‑attestation in real time. RTX has likewise been identified among major primes communicating early CMMC expectations through supplier cybersecurity portals, reinforcing that certification may be required in advance of formal phase triggers to protect high‑value programs and limit supply‑chain risk. Together, these actions make one point clear: for subcontractors, CMMC is no longer about compliance “eventually,” but about proving eligibility today, before the phased rollout ever reaches full stride.