Skip to content

Prime Contractor CMMC Requirements in 2026

What Lockheed Martin, Boeing, Raytheon, and Others Expect from Suppliers

A centralized page collecting what prime contractors are sharing about CMMC. Information based on publicly available data and content.

Last updated: July 14, 2026

What Major Prime Contractors Are Telling Subcontractors About CMMC

As of July 13, 2026, the Department of War (DoW) has suspended all pending and future implementation milestones for the CMMC 2.0 program. 

During this interim period, CMMC Level 1 (Self) and Level 2 (Self) will be the only applicable CMMC requirements. However, several large prime contractors have set their own CMMC deadlines ahead of the original phased rollout schedule. 

Primes reserve the right to include additional requirements and operate on different timelines than what was provided in the CMMC programmatic rule (32 CFR Part 170). 

This page will be closely monitoring what guidance the largest defense contractors are sending to their supply chains after the DoW announcement.

 

 

Prime Last Updated Stated Flow-Down Requirement Supplier Deadline / Action Date Source
BAE Systems 1/22/2026 Not Yet Communicated None set — follows federal rollout BAE Systems CMMC 2.0 Resources
Boeing 1/22/2026 Not Yet Communicated None set — follows federal rollout Boeing Supplier Cybersecurity Page
General Dynamics 1/22/2026 Level 2 (C3PAO) for CUI/CDI; annual self-certification Annual recertification (recurring) General Dynamics Cybersecurity for Suppliers Page
Huntington Ingalls Industry (HII) 1/22/2026 Level 2 (C3PAO) by Q4 2025; Level 3 (DIBCAC) by Q4 2026 Q4 2025 (L2) / Q4 2026 (L3) — 12 months ahead of the government phased rollout HII Supplier Cybersecurity Page
L3 Harris 4/15/2026 Flow down CDI/CUI clauses → NIST 800-171 Rev 2 July 30, 2026 (certification) L3 Harris Supplier Cybersecurity Page
Lockheed Martin 1/22/2026 Full Rev 2 alignment; L2 self-assessment scores required Ongoing — score submission via Exostar Lockheed Martin Supplier Cybersecurity FAQ
Northrop Grumman 1/22/2026 Not explicitly stated — directs suppliers to ask None set — follows federal rollout Northrop Grumman Supplier Cybersecurity Page
Raytheon (RTX) 3/12/2026 Active CMMC cert at contract-appropriate level (DFARS 7021) March 17, 2026 (status survey) Raytheon Supplier Cybersecurity Page

BAE Systems

LASTEST UPDATE: 01/22/2026

BAE Systems provides links for resources on or adjacent to the CMMC 2.0 program, including a CMMC resource document and a message from their Supply Chain Cybersecurity Risk Manager regarding BAE's plans to support their supply chain.

Published Supplier Guidance

CMMC Guidance Gaps

  • A link to the correct NIST 800-171 Rev 2 standards
  • An update on the 48 CFR final rule going into effect on November 10, 2025, activating the government's phased rollout plan
  • Prime contractor flow down requirements to subcontractors handling FCI and CUI

What Suppliers Need To Do

  • Rev 1 is outdated. You’re expected to implement Rev 2.
  • No communication ≠ no responsibility. Stay proactive.

Boeing

LASTEST UPDATE: 01/22/2026

Boeing has a section focused on both their Defense & Space suppliers and the CMMC 2.0 program. In addition to outsourced links, Boeing also provides their email announcements, a CMMC 2.0 preparedness document, and their Terms of Use and Cybersecurity Supplement document. 

Published Supplier Guidance

CMMC Guidance Gaps

  • An update on the 48 CFR final rule published into the Federal Register, which activated the government's phased rollout on November 10, 2025
  • Link to the correct version of NIST 800-171 required for Level 2 and Level 3 certification
  • Information on prime contractor flow down requirements to subcontractors

What Suppliers Need To Do

  • CMMC Level 2 (which is also a prerequisite for Level 3) requires adherence to NIST 800-171 Rev 2, not Rev 3
  • The CMMC 48 CFR rule has been published and went into effect on November 10, 2025, activating the government's phased rollout plan

General Dynamics

LASTEST UPDATE: 01/22/2026

General Dynamics provides a thorough overview of the CMMC program and certification process. On their page, they reference that phased implementation began in mid-2025. It also mentions GDMS is responsible for ensuring their supply chain is compliant with FAR 52.204-21 and DFARS 252.204-7012 clauses. To do so, GDMS will require suppliers to certify annually that they’re compliant with CMMC requirements.

Published Supplier Guidance

  • Solid overview of CMMC, phased implementation, and flow-down clauses
  • Annual supplier certification required
  • Link to the final 32 CFR rule pertaining to the CMMC program and ecosystem
  • Links to additional resources, both from the DoD and local Procurement Technical Assistance Centers (PTACs)

CMMC Guidance Gaps

  • Updates on the final 48 CFR rule, which started the government's phased rollout on November 10, 2025
  • Information on prime contractor flow down requirements, which will likely require Level 2 (C3PAO) requirements

What Suppliers Need To Do

  • Per their guidance, subcontractors handling CUI/CDI are expected to achieve a Level 2 (C3PAO) certification to continue working within their supply chain
  • Start aligning with all 110 controls / 320 objectives in NIST 800-171 Rev 2

Huntington Ingalls Industries (HII)

LASTEST UPDATE: 01/22/2026

HII has provided clear, tangible guidance for their supply chain regarding the CMMC 2.0 program. HII began to flow down Level 2 (C3PAO) requirements in Q4 2025 and plan to flow down Level 3 (DIBCAC) requirements by Q4 2026, effectively working 12 months ahead of the official phased rollout timeline.

Published Supplier Guidance

CMMC Guidance Gaps

N/A

What Suppliers Need To Do

  • HII provides a clear picture for its supply chain
  • Their internal timeline shows they plan to move 12 months ahead of the government's phased rollout schedule, shrinking compliance timelines for their subcontractors

L3 Harris

LASTEST UPDATE: 04/15/2026

L3 Harris focuses specifically on clauses that cover Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). They make clear on their website that they will flow down these clauses to all applicable subcontractors which will require adherence to NIST 800-171 Rev 2 security controls.

Published Supplier Guidance

  • Focuses on CDI/CUI clauses, references DFARS and NIST 800-171

CMMC Guidance Gaps

  • CMMC 2.0 framework is currently in effect
  • Information on the 48 CFR final rule published in the Federal Register which activated the government's phased rollout on November 10, 2025
  • A supplier letter from April 6, 2026 states L3 is expecting their suppliers to be certified by July 30, 2026



What Suppliers Need To Do

  • The CMMC 2.0 program is currently in effect
  • CMMC certification requirements began appearing in contracts at the end of 2025
  • Contractors handling CDI/CUI will need to fully align with NIST 800-171 Rev 2 and likely will need to go through a certified third-party assessment

Lockheed Martin

LASTEST UPDATE: 01/22/2026

Lockheed Martin’s Supplier Cybersecurity Page offers recent supplier newswire updates regarding updates to the CMMC 2.0 rulemaking process. Additionally, it reinforces its expectations for its supply base to align with all controls and objectives listed in NIST 800-171 Rev 2.

The latest update requires their suppliers to submit their CMMC Level 2 self-assessment scores to their supplier management system, Exostar. 

"Proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with Lockheed Martin. Please allocate the necessary resources promptly to ensure your company is prepared."

Published Supplier Guidance

  • Recent newsletters with updates on CMMC rulemaking and expectations
  • Clear alignment with NIST 800-171 Rev 2
  • Requests for updated SPRS scores
  • Supplier Cybersecurity FAQs

CMMC Guidance Gaps

  • No mention of the 48 CFR final rule that went into effect on November 10, 2025
  • With Lockheed Martin's guidance focusing on full alignment with NIST 800-171 Rev 2, subcontractors should be planning to achieve Level 2 (C3PAO) certification

What Suppliers Need To Do

  • If your score is below 110, expect a follow-up.
  • Lockheed’s communication is ahead of most — stay engaged.
  • Phase 2 of the government's rollout of CMMC requirements in contracts begins on November 10, 2026.

Northrop Grumman

LASTEST UPDATE: 01/22/2026

Northrop Grumman’s supplier cybersecurity page briefly mentions CMMC and DFARS 252.204-7012. Their cybersecurity page does not provide updates regarding the revised CMMC 2.0 program or timeline for the phased rollout of CMMC 2.0 certification requirements in contracts. However, on their main supplier page, a notice from October 2025 discusses CMMC 2.0 updates and expectations.

Published Supplier Guidance

  • Brief mention of CMMC, FAR 52.204-21, and DFARS 252.204-7012
  • Contact link for questions
  • Links to Cyber Assist and Project Spectrum
  • Link to CMMC supplier notice from October 2025

CMMC Guidance Gaps

  • Information on the government's phased rollout schedule
  • Guidance on prime contractor flow down requirements
  • Insights into what information would require a third-party assessment

What Suppliers Need To Do

  • You’ll need to ask. Use their contact form and request expectations in writing
  • Review your contracts for current clauses that may provide insights into which CMMC maturity level will apply to you
  • The government's phased rollout of CMMC contract requirements began on November 10, 2025. Phase 2, which requires C3PAO assessments for Level 2 organizations, launches on November 10, 2026
  • Phase 1 will focus on Level 1 and Level 2 self-assessments
  • If you handle CUI within the Defense Organizational Index Grouping or if your prime is required to achieve Level 2 (C3PAO) certification, a Level 2 (C3PAO) certification will be required as a subcontractor

Raytheon (RTX)

LASTEST UPDATE: 03/12/2026

Raytheon has information on the CMMC 2.0 program featured on their supplier cybersecurity page. The page prominently features information on two DFARS clauses pertinent to the CMMC 2.0 framework (DFARS 252.204-7021 and 7025). The page also informs suppliers of prime contractor flow down requirements and encourages suppliers to work towards certification as soon as possible. See below:

"All RTX suppliers supporting DoW contracts and/or solicitations with DFARS 252.204-7021:

  • Will be required to have an active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation
  • Must immediately take steps to ensure their Annual Supplier Registration Data, Representations and Certifications remains current on CMMC status"

Published Supplier Guidance

  • Clear information and guidelines around the rollout and the government's ability to include Level 2 (C3PAO) and Level 3 (DIBCAC) ahead of schedule
  • Information on DFARS 252.204-7021 (requiring contractors to have a valid NIST assessment/CMMC certification at time of award)
  • Top 10 Cybersecurity Practices
  • FAQs from Raytheon's perspective

CMMC Guidance Gaps

  • A link to the Cyber AB marketplace for C3PAOs and MSPs
  • Primes handling CUI within the Defense Organizational Index Group will be required to flow down Level 2 (C3PAO) requirements to subcontractors receiving CUI

What Suppliers Need To Do

  • In March 2026, RTX released a notice requesting suppliers to fill out this survey for an update on their CMMC status by March 17, 2026
  • If suppliers fail to submit their update by the deadline, RTX will be following up on a weekly basis
  • The notice calls out that C3PAO availability is extremely limited and if an assessment has not been scheduled yet, certification in 2026 may not be achievable

ISI Insights

What You Need to Know About the CMMC 2.0 Rollout

CMMC Level 2 = NIST 800-171 Rev 2
The original model required NIST 800-171 Rev 1. Not to mention there is a newer revision (Rev 3) available. But all that said, CMMC Level 2 and DFARS 252.204-7012 require adherence to NIST 800-171 Rev 2 as of now.
Clauses to look for in new contracts

DFARS 252.204-7012 has been the gold standard since 2017. However, going forward, there will be two additional clauses contractors should be looking for in contracts:

DFARS 252.204-7021 lets you know that a valid CMMC certification at the level appropriate to the information being shared is required to accept award of the contract.

DFARS 252.204-7025 will provide contractors with the CMMC maturity level required to work on the contract.

Phased rollout ≠ flow down requirements
The government's rollout phase for CMMC Level 2 (C3PAO) certifications is slated to begin in November 2026. However, the CMMC 32 CFR rule gave contract officers the power to flow down requirements ahead of the phased rollout schedule. Meaning Level 2 (C3PAO) certification requirements could appear in contracts before Phase II of the government's rollout.
Applies to new contracts and option years

The phased rollout applies to new contracts as well as option years on current contracts. If you are on a multi-year deal with option years, review the timeline of those renewal dates and plan your compliance journey accordingly. 

What You Can Do Right Now

1. CHECK YOUR CURRENT POSTURE

Use NIST 800-171 Rev 2 as a benchmark. Make sure to measure against all 320 objectives, not just the controls.







2. CONFIRM REMEDIATION PROGRESS

While certain controls are allowed on a POA&M, you'll want to get as close to a perfect score as possible ahead of your assessment.

3. BOOK YOUR C3PAO ASSESSMENT

There is currently a 6-7 month backlog to schedule a C3PAO, and many are already booked through the end of 2026. Once your scope and remediation timelines are set, schedule your assessment so you won’t be stuck waiting.

4. TALK TO YOUR PRIME CONTRACTOR

If they haven't communicated timelines or expectations yet, ask them. If asked about your posture, provide an honest representation and remediation timeline.

NEED MORE INFO?

As a CMMC Level 2 certified Registered Provider Organization, we take pride in providing defense contractors with the industry knowledge and technical guidance needed to continue working in the Defense Industrial Base.

See the resources below for real-time insights from our subject matter experts.

 

shutterstock_2024994257

Stay Ahead of the CMMC Rollout as Phase 2 Approaches

The guidance on this page tells you what major prime contractors expect. What it can't tell you is where your program stands against those expectations: your scope, your current SPRS score, your gap status, and how much runway you realistically have before a new contract requirement or a prime's follow-up forces the question.

Getting that picture now, while you still have time to act on it, is the right next step.

Schedule A Discovery Call
man presenting a business chart

1. Check your current posture.

Use NIST 800-171 Rev 2. Your SPRS score should reflect it.

2. Close POA&Ms fast.

They’ll be prohibited under CMMC Level 2 unless tied to very narrow exceptions.

3. TALK to YOUR PRIME.

If they haven’t communicated timelines or expectations, ask.

4. Book your C3PAO.

There’s a 6–7 month backlog. Don’t get caught waiting.

Request A Discovery Call

The information above has been collected from publicly available prime contractor resources. It is intended to provide subcontractors with visibility into what has been published to date. This content is informational only and is not intended as compliance advice or recommendations.