Expert Insights, January 7, 2026

The 5 Prime Contractors Leading CMMC Enforcement Ahead of the Phased Rollout

For many subcontractors, enforcement of CMMC requirements did not start on November 10, 2025 with a DoD contracting officer; it started long before that with their prime.

Over the past 12 months, major defense prime contractors have begun proactively assessing and enforcing CMMC readiness across their supply chains. Supplier questionnaires, portal updates, and direct notices are already being used to assess CMMC compliance, restrict data flowdown, and determine contract eligibility.

That means the DoD’s phased rollout is not the primary driver of CMMC readiness timelines for most organizations. In other words, if you’re waiting for Phase 2 to kick off in November 2026 to get Level 2 (C3PAO) certification, your subcontracts and DoD information are already at risk.

The new reality: Primes are now the main enforcers of cybersecurity compliance

Under previous regulations (FAR 52.204-21 and DFARS 252.204-7012), the DoD had a "trust but verify later" model of security that permitted defense contractors and subcontractors to self-attest their compliance with information protection requirements like NIST 800-171 R2.

The government did have enforcement mechanisms to verify that organizations were actually implementing these requirements—like the False Claims Act—but often these were triggered only after a major security incident had put national security data at risk. Furthermore, the DoD could only use these mechanisms to verify the cybersecurity compliance of a handful of organizations across the defense ecosystem, leaving hundreds of thousands without oversight.

Under the 48 CFR CMMC Acquisition Rule, which introduced new DFARS clauses, the DoD has effectively deputized prime contractors to act as the front-line enforcement arm for the Defense Industrial Base (DIB).

Primes are now legally required to "flow down" CMMC requirements to every tier of their supply chain handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and ensure their subcontractors have the appropriate CMMC status prior to awarding a contract. By doing so, primes help ensure that CMMC requirements are applied uniformly to all organizations that process, store, or transmit sensitive unclassified information on the DoD’s behalf and ultimately enhance the protection of this information against evolving threats.

This is not merely a box-checking exercise. Failure to verify a subcontractor’s CMMC status can result in severe consequences for the prime, including:

  • False Claims Act (FCA) settlements with hefty monetary penalties
  • Immediate ineligibility for new contract awards or renewals
  • Contract termination for non-compliance

How & when prime contractors began enforcing CMMC

Enforcement actions from early 2025 through the end of the year show a clear escalation in how primes assess and validate their suppliers’ current compliance status.

1. Raytheon (RTX) - February 2025

  • Enforcement action: Updated its Annual Supplier Registration Data, Representations and Certifications form so that all suppliers wishing to support USG contracts had to disclose their current or intended CMMC status.
  • Immediate next step: Update supplier registration form with current CMMC status.
  • Minimum requirement: Active CMMC certification at level specified in contract or solicitation

Image source: RTX Supplier Reps and Certs form updated in February 2025

2. Lockheed Martin - June 2025

  • Enforcement action: Began direct outreach to suppliers with low SPRS scores that indicated unmet CMMC requirements.
  • Immediate next step: Submit NIST self-assessments in SPRS and Cybersecurity Compliance and Risk Assessment (CCRA) assertions in the Supplier Management Module, and validate preparedness for a CMMC Level 2 third-party assessment.
  • Minimum requirement: Full implementation of NIST 800-171 R2 requirements and readiness for CMMC Level 2 (C3PAO) certification

Image source: Lockheed's supplier update on CMMC Rulemaking Progress, sent in June 2025

3. Boeing - September 2025

  • Enforcement action: Began assessing supplier cybersecurity practices and identifying gaps that need to be filled to be CMMC ready.
  • Immediate next step: Begin to proactively prepare for and obtain CMMC Level 2 (C3PAO) certification.
  • Minimum requirement: CMMC certification at level specified in the customer/Boeing solicitation

Image source: Boeing's supplier letter urging CMMC Level 2 readiness, sent in September 2025

4. Elbit Systems - November 2025

  • Enforcement action: Issued a notice to suppliers that CMMC Level 1 certification was the minimum requirement to continue to do business with Elbit.
  • Immediate next step: Conduct a Level 1 self-assessment and affirmation within the SPRS and proactively achieve Level 2 (C3PAO) if Elbit flows down CUI.
  • Minimum requirement: Level 1 (Self)

Image source: Elbit's open letter to suppliers about CMMC Program Phase I, sent in November 2025

5. Northrop Grumman - December 2025

  • Enforcement action: Sent a supplier letter explicitly stating that they cannot waive or deviate from CMMC requirements or award purchase orders to noncompliant subcontractors.
  • Immediate next step: Begin to prepare for CMMC contractual requirements.
  • Minimum requirement: CMMC cybersecurity control and assessment requirements flowed down from Northrop

Image source: Northrop's supplier letter, sent in December 2025, asking whether suppliers are CMMC ready now that the rule is final

Why primes began CMMC enforcement ahead of the rollout

The transition from theoretical compliance to contractual enforcement has revealed three significant friction points:

1. Missing verification process

Because SPRS scores are viewable only by the DoD and the organization itself, primes are forced to rely on manual questionnaires or other documentation requests (such as screenshots or copies of SPRS scores and reports) to verify the CMMC status of their suppliers. This creates a massive administrative burden for both sides, so many primes kicked off the outreach and verification process early.

2. Fear of supply chain attrition

Small subcontractors, especially specialized manufacturers, are the lifeblood of the DIB. But they are also the most vulnerable to the high costs and technical complexity of CMMC, particularly at the higher levels. 

Many primes are concerned that key suppliers will be forced to exit the supply chain if they cannot achieve the specified CMMC level requirement in time, which spurred much of the proactive outreach and enforcement. 

3. The wait-and-see game

Many organizations across the DIB have been playing a wait-and-see game when it comes to CMMC because of its lengthy rulemaking timeline. Many continue to delay readiness, particularly for CMMC Level 2 (C3PAO), thinking they have until Phase 2 kicks off on November 10, 2026. However, with third-party requirements appearing during Phase 1 and C3PAO wait times already stretching into mid- to late 2026, these subcontractors are likely already behind.

Starting long before Phase 1, primes have already been looking for Level 2 (C3PAO) certified or ready partners to de-risk their own bids for late 2026 contracts.

The path forward for defense subcontractor compliance

The "warning letters" of 2025 have already been replaced by mandatory questionnaires, assessments, and attestations of 2026. That means most subcontractors can no longer rely on self-attestations of cybersecurity compliance to win new work or keep existing contracts.

The bottom line: If you handle CUI and haven't yet secured your certification or path to Level 2 (C3PAO), your position in the defense supply chain is actively being reassessed by your primes.

Here’s what you can do to maintain eligibility now and in the future:

  • Automate documentation: Manual System Security Plans (SSPs) and other documentation are often outdated the moment they are printed. Use platforms that make it easy to generate this documentation and maintain a "living" compliance posture with AI and automation.
  • Implement compliant enclaves: Rather than overhauling an entire corporate network, many successful DIB organizations are moving CUI into pre-configured, CMMC-compliant enclaves to isolate risk and reduce assessment scope.
  • Provide evidence of your latest CMMC status: Be ready to provide primes with more than just a point-in-time assessment and affirmation of compliance. Look for a tool that offers continuous monitoring and live SPRS score tracking so you can prove your compliance status in real time, any time.

To learn how DIB organizations are using Secureframe to get CMMC ready fast and stay mission-ready while keeping costs low, talk to an expert