Prime Contractor CMMC Requirements in 2026
What Lockheed Martin, Boeing, Raytheon, and Others Expect from Suppliers
A centralized page collecting what prime contractors are sharing about CMMC. Information based on publicly available data and content.
What Major Prime Contractors Are Telling Subcontractors About CMMC
As of July 13, 2026, the Department of War (DoW) has suspended all pending and future implementation milestones for the CMMC 2.0 program.
During this interim period, CMMC Level 1 (Self) and Level 2 (Self) will be the only applicable CMMC requirements. However, several large prime contractors have set their own CMMC deadlines ahead of the original phased rollout schedule.
Primes reserve the right to include additional requirements and operate on different timelines than what was provided in the CMMC programmatic rule (32 CFR Part 170).
This page will be closely monitoring what guidance the largest defense contractors are sending to their supply chains after the DoW announcement.
| Prime | Last Updated | Stated Flow-Down Requirement | Supplier Deadline / Action Date | Source |
|---|---|---|---|---|
| BAE Systems | 1/22/2026 | Not Yet Communicated | None set — follows federal rollout | BAE Systems CMMC 2.0 Resources |
| Boeing | 1/22/2026 | Not Yet Communicated | None set — follows federal rollout | Boeing Supplier Cybersecurity Page |
| General Dynamics | 1/22/2026 | Level 2 (C3PAO) for CUI/CDI; annual self-certification | Annual recertification (recurring) | General Dynamics Cybersecurity for Suppliers Page |
| Huntington Ingalls Industry (HII) | 1/22/2026 | Level 2 (C3PAO) by Q4 2025; Level 3 (DIBCAC) by Q4 2026 | Q4 2025 (L2) / Q4 2026 (L3) — 12 months ahead of the government phased rollout | HII Supplier Cybersecurity Page |
| L3 Harris | 4/15/2026 | Flow down CDI/CUI clauses → NIST 800-171 Rev 2 | July 30, 2026 (certification) | L3 Harris Supplier Cybersecurity Page |
| Lockheed Martin | 1/22/2026 | Full Rev 2 alignment; L2 self-assessment scores required | Ongoing — score submission via Exostar | Lockheed Martin Supplier Cybersecurity FAQ |
| Northrop Grumman | 1/22/2026 | Not explicitly stated — directs suppliers to ask | None set — follows federal rollout | Northrop Grumman Supplier Cybersecurity Page |
| Raytheon (RTX) | 3/12/2026 | Active CMMC cert at contract-appropriate level (DFARS 7021) | March 17, 2026 (status survey) | Raytheon Supplier Cybersecurity Page |
BAE Systems
LASTEST UPDATE: 01/22/2026
Published Supplier Guidance
- DoD links on CUI, CDI, DFARS, and outdated NIST 800-171 Rev 1
- CMMC 2.0 resource document
outlining the maturity levels and the activation of the CMMC 2.0 program, as well as contact information for supply chain point of contacts - Information on BAE's Cybersecurity Enhancement Initiative
CMMC Guidance Gaps
- A link to the correct NIST 800-171 Rev 2 standards
- An update on the 48 CFR final rule going into effect on November 10, 2025, activating the government's phased rollout plan
- Prime contractor flow down requirements to subcontractors handling FCI and CUI
What Suppliers Need To Do
- Rev 1 is outdated. You’re expected to implement Rev 2.
- No communication ≠ no responsibility. Stay proactive.
Boeing
LASTEST UPDATE: 01/22/2026
Boeing has a section focused on both their Defense & Space suppliers and the CMMC 2.0 program. In addition to outsourced links, Boeing also provides their email announcements, a CMMC 2.0 preparedness document, and their Terms of Use and Cybersecurity Supplement document.
Published Supplier Guidance
- Their supply chain monthly newsletter with additional information and resources
- A CMMC preparedness document
- Their supply chain Terms of Use and Cybersecurity Supplement
- Other resources pertaining to general and small business specific resources
- A link to NIST 800-171 Rev 3
CMMC Guidance Gaps
- An update on the 48 CFR final rule published into the Federal Register, which activated the government's phased rollout on November 10, 2025
- Link to the correct version of NIST 800-171 required for Level 2 and Level 3 certification
- Information on prime contractor flow down requirements to subcontractors
What Suppliers Need To Do
- CMMC Level 2 (which is also a prerequisite for Level 3) requires adherence to NIST 800-171 Rev 2, not Rev 3
- The CMMC 48 CFR rule has been published and went into effect on November 10, 2025, activating the government's phased rollout plan
General Dynamics
LASTEST UPDATE: 01/22/2026
Published Supplier Guidance
- Solid overview of CMMC, phased implementation, and flow-down clauses
- Annual supplier certification required
- Link to the final 32 CFR rule pertaining to the CMMC program and ecosystem
- Links to additional resources, both from the DoD and local Procurement Technical Assistance Centers (PTACs)
CMMC Guidance Gaps
- Updates on the final 48 CFR rule, which started the government's phased rollout on November 10, 2025
- Information on prime contractor flow down requirements, which will likely require Level 2 (C3PAO) requirements
What Suppliers Need To Do
- Per their guidance, subcontractors handling CUI/CDI are expected to achieve a Level 2 (C3PAO) certification to continue working within their supply chain
- Start aligning with all 110 controls / 320 objectives in NIST 800-171 Rev 2
Huntington Ingalls Industries (HII)
LASTEST UPDATE: 01/22/2026
Published Supplier Guidance
- Information on the CMMC 2.0 program
- Information on the government's phased rollout of CMMC certification requirements
- A supplier letter from September 2024
- A CMMC Timeline for their supply chain
CMMC Guidance Gaps
N/A
What Suppliers Need To Do
- HII provides a clear picture for its supply chain
- Their internal timeline shows they plan to move 12 months ahead of the government's phased rollout schedule, shrinking compliance timelines for their subcontractors
L3 Harris
LASTEST UPDATE: 04/15/2026
Published Supplier Guidance
- Focuses on CDI/CUI clauses, references DFARS and NIST 800-171
CMMC Guidance Gaps
- CMMC 2.0 framework is currently in effect
- Information on the 48 CFR final rule published in the Federal Register which activated the government's phased rollout on November 10, 2025
-
A supplier letter from April 6, 2026 states L3 is expecting their suppliers to be certified by July 30, 2026
What Suppliers Need To Do
- The CMMC 2.0 program is currently in effect
- CMMC certification requirements began appearing in contracts at the end of 2025
- Contractors handling CDI/CUI will need to fully align with NIST 800-171 Rev 2 and likely will need to go through a certified third-party assessment
Lockheed Martin
LASTEST UPDATE: 01/22/2026
Lockheed Martin’s Supplier Cybersecurity Page offers recent supplier newswire updates regarding updates to the CMMC 2.0 rulemaking process. Additionally, it reinforces its expectations for its supply base to align with all controls and objectives listed in NIST 800-171 Rev 2.
The latest update requires their suppliers to submit their CMMC Level 2 self-assessment scores to their supplier management system, Exostar.
"Proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with Lockheed Martin. Please allocate the necessary resources promptly to ensure your company is prepared."
Published Supplier Guidance
- Recent newsletters with updates on CMMC rulemaking and expectations
- Clear alignment with NIST 800-171 Rev 2
- Requests for updated SPRS scores
- Supplier Cybersecurity FAQs
CMMC Guidance Gaps
- No mention of the 48 CFR final rule that went into effect on November 10, 2025
- With Lockheed Martin's guidance focusing on full alignment with NIST 800-171 Rev 2, subcontractors should be planning to achieve Level 2 (C3PAO) certification
What Suppliers Need To Do
- If your score is below 110, expect a follow-up.
- Lockheed’s communication is ahead of most — stay engaged.
- Phase 2 of the government's rollout of CMMC requirements in contracts begins on November 10, 2026.
Northrop Grumman
LASTEST UPDATE: 01/22/2026
Northrop Grumman’s supplier cybersecurity page briefly mentions CMMC and DFARS 252.204-7012. Their cybersecurity page does not provide updates regarding the revised CMMC 2.0 program or timeline for the phased rollout of CMMC 2.0 certification requirements in contracts. However, on their main supplier page, a notice from October 2025 discusses CMMC 2.0 updates and expectations.
Published Supplier Guidance
- Brief mention of CMMC, FAR 52.204-21, and DFARS 252.204-7012
- Contact link for questions
- Links to Cyber Assist and Project Spectrum
- Link to CMMC supplier notice from October 2025
CMMC Guidance Gaps
- Information on the government's phased rollout schedule
- Guidance on prime contractor flow down requirements
- Insights into what information would require a third-party assessment
What Suppliers Need To Do
- You’ll need to ask. Use their contact form and request expectations in writing
- Review your contracts for current clauses that may provide insights into which CMMC maturity level will apply to you
- The government's phased rollout of CMMC contract requirements began on November 10, 2025. Phase 2, which requires C3PAO assessments for Level 2 organizations, launches on November 10, 2026
- Phase 1 will focus on Level 1 and Level 2 self-assessments
- If you handle CUI within the Defense Organizational Index Grouping or if your prime is required to achieve Level 2 (C3PAO) certification, a Level 2 (C3PAO) certification will be required as a subcontractor
Raytheon (RTX)
LASTEST UPDATE: 03/12/2026
Raytheon has information on the CMMC 2.0 program featured on their supplier cybersecurity page. The page prominently features information on two DFARS clauses pertinent to the CMMC 2.0 framework (DFARS 252.204-7021 and 7025). The page also informs suppliers of prime contractor flow down requirements and encourages suppliers to work towards certification as soon as possible. See below:
"All RTX suppliers supporting DoW contracts and/or solicitations with DFARS 252.204-7021:
- Will be required to have an active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation
- Must immediately take steps to ensure their Annual Supplier Registration Data, Representations and Certifications remains current on CMMC status"
Published Supplier Guidance
- Clear information and guidelines around the rollout and the government's ability to include Level 2 (C3PAO) and Level 3 (DIBCAC) ahead of schedule
- Information on DFARS 252.204-7021 (requiring contractors to have a valid NIST assessment/CMMC certification at time of award)
- Top 10 Cybersecurity Practices
- FAQs from Raytheon's perspective
CMMC Guidance Gaps
- A link to the Cyber AB marketplace for C3PAOs and MSPs
- Primes handling CUI within the Defense Organizational Index Group will be required to flow down Level 2 (C3PAO) requirements to subcontractors receiving CUI
What Suppliers Need To Do
- In March 2026, RTX released a notice requesting suppliers to fill out this survey for an update on their CMMC status by March 17, 2026
- If suppliers fail to submit their update by the deadline, RTX will be following up on a weekly basis
- The notice calls out that C3PAO availability is extremely limited and if an assessment has not been scheduled yet, certification in 2026 may not be achievable
ISI Insights
What You Need to Know About the CMMC 2.0 Rollout
- CMMC Level 2 = NIST 800-171 Rev 2
- The original model required NIST 800-171 Rev 1. Not to mention there is a newer revision (Rev 3) available. But all that said, CMMC Level 2 and DFARS 252.204-7012 require adherence to NIST 800-171 Rev 2 as of now.
- Clauses to look for in new contracts
-
DFARS 252.204-7012 has been the gold standard since 2017. However, going forward, there will be two additional clauses contractors should be looking for in contracts:
DFARS 252.204-7021 lets you know that a valid CMMC certification at the level appropriate to the information being shared is required to accept award of the contract.
DFARS 252.204-7025 will provide contractors with the CMMC maturity level required to work on the contract.
- Phased rollout ≠ flow down requirements
- The government's rollout phase for CMMC Level 2 (C3PAO) certifications is slated to begin in November 2026. However, the CMMC 32 CFR rule gave contract officers the power to flow down requirements ahead of the phased rollout schedule. Meaning Level 2 (C3PAO) certification requirements could appear in contracts before Phase II of the government's rollout.
- Applies to new contracts and option years
-
The phased rollout applies to new contracts as well as option years on current contracts. If you are on a multi-year deal with option years, review the timeline of those renewal dates and plan your compliance journey accordingly.
What You Can Do Right Now
1. CHECK YOUR CURRENT POSTURE
Use NIST 800-171 Rev 2 as a benchmark. Make sure to measure against all 320 objectives, not just the controls.
2. CONFIRM REMEDIATION PROGRESS
3. BOOK YOUR C3PAO ASSESSMENT
There is currently a 6-7 month backlog to schedule a C3PAO, and many are already booked through the end of 2026. Once your scope and remediation timelines are set, schedule your assessment so you won’t be stuck waiting.
4. TALK TO YOUR PRIME CONTRACTOR
If they haven't communicated timelines or expectations yet, ask them. If asked about your posture, provide an honest representation and remediation timeline.
NEED MORE INFO?
As a CMMC Level 2 certified Registered Provider Organization, we take pride in providing defense contractors with the industry knowledge and technical guidance needed to continue working in the Defense Industrial Base.
See the resources below for real-time insights from our subject matter experts.
Stay Ahead of the CMMC Rollout as Phase 2 Approaches
The guidance on this page tells you what major prime contractors expect. What it can't tell you is where your program stands against those expectations: your scope, your current SPRS score, your gap status, and how much runway you realistically have before a new contract requirement or a prime's follow-up forces the question.
Getting that picture now, while you still have time to act on it, is the right next step.
1. Check your current posture.
Use NIST 800-171 Rev 2. Your SPRS score should reflect it.
2. Close POA&Ms fast.
They’ll be prohibited under CMMC Level 2 unless tied to very narrow exceptions.
3. TALK to YOUR PRIME.
If they haven’t communicated timelines or expectations, ask.
4. Book your C3PAO.
There’s a 6–7 month backlog. Don’t get caught waiting.
Request A Discovery CallSuggested Resources
-
Learn More About the CMMC requirement rule
Learn what the 48 CFR rule says, its impact, and what you should expect to see in your contracts throughout the phased rollout period.
-
Insights and Forecasts into the CMMC Rollout
See how the CMMC ecosystem is progressing towards its goal of full compliance, and what that means for your competitive positioning in the DIB.
-
CMMC Compliance Insights, Resources, & Guidance
Our CMMC Compliance Command Center offers videos, blogs, and additional resources to help with your compliance journey.
The information above has been collected from publicly available prime contractor resources. It is intended to provide subcontractors with visibility into what has been published to date. This content is informational only and is not intended as compliance advice or recommendations.