What Is Your Prime Contractor Saying About CMMC 2.0?
A centralized page collecting what prime contractors are sharing about CMMC. Information based on publicly available data and content.
PRIME-BY-PRIME BREAKDOWN
As the phased implementation of CMMC 2.0 contract requirements approaches its scheduled start on November 10, 2025, prime contractors retain the discretion to require certification compliance from their subcontractors in advance of this date.
This resource is designed to serve as a consolidated reference, highlighting current public communications from leading prime contractors regarding CMMC 2.0, as published on their supplier cybersecurity portals. Here is what we have seen so far:
BAE Systems
LATEST UPDATE: 09/17/2025
What’s Listed:
- DoD links on CUI, CDI, DFARS, and outdated NIST 800-171 Rev 1
- CMMC 2.0 resource document outlining the maturity levels and the activation of the CMMC 2.0 program, as well as contact information for supply chain points of contact
- Information on BAE's Cybersecurity Enhancement Initiative
What’s Missing:
- A link to the correct NIST 800-171 Rev 2 standards
- An update on the 48 CFR final rule going into effect on November 10, 2025, activating the government's phased rollout plan
What to Know:
- Rev 1 is outdated. You’re expected to implement Rev 2.
- No communication ≠ no responsibility. Stay proactive.
Boeing
LATEST UPDATE: 09/17/2025
Boeing has a section focused on both their Defense & Space suppliers and the CMMC 2.0 program. In addition to outsourced links, Boeing also provides their email announcements, a CMMC 2.0 preparedness document, and their Terms of Use and Cybersecurity Supplement document.
What’s Listed:
- Their supply chain monthly newsletter with additional information and resources
- A CMMC preparedness document
- Their supply chain Terms of Use and Cybersecurity Supplement
- Other resources pertaining to general and small business specific resources
- A link to NIST 800-171 Rev 3
What’s Missing:
- An update on the 48 CFR final rule being published into the Federal Register, activating the government's phased rollout on November 10, 2025
- Link to the correct version of NIST 800-171 required for Level 2 and Level 3 certification
What to Know:
- CMMC Level 2 (which is also a prerequisite for Level 3) requires adherence to NIST 800-171 Rev 2, not Rev 3
- The CMMC 48 CFR rule has been published and has an effective date of November 10, 2025, activating the government's phased rollout plan
General Dynamics
LATEST UPDATE: 09/17/2025
What’s Listed:
- Solid overview of CMMC, phased implementation, and flow-down clauses
- Annual supplier certification required
- Link to the final 32 CFR rule pertaining to the CMMC program and ecosystem
- Links to additional resources, both from the DoD and local Procurement Technical Assistance Centers (PTACs)
What’s Missing:
- Have not updated their website regarding the final 48 CFR rule, which kickstarts the government's phased rollout on November 10, 2025
What to Know:
- Per their guidance, subcontractors handling CUI/CDI are expected to achieve a Level 2 (C3PAO) certification to continue working within their supply chain
- Start aligning with all 110 controls / 320 objectives in NIST 800-171 Rev 2
Huntington Ingalls Industries (HII)
LATEST UPDATE: 09/17/2025
What’s Listed:
- Information on the CMMC 2.0 program
- Information on the government's phased rollout of CMMC certification requirements
- A supplier letter from September 2024
- A CMMC Timeline for their supply chain
What’s Missing:
N/A
What to Know:
- HII provides a clear picture for its supply chain
- Their internal timeline shows they plan to move 12 months ahead of the government's phased rollout schedule, shrinking compliance timelines for its subcontractors
L3 Harris
LATEST UPDATE: 09/17/2025
What’s Listed:
- Focuses on CDI/CUI clauses, references DFARS and NIST 800-171
What’s Missing:
- CMMC 2.0 is not mentioned
- Fails to mention that the CMMC 2.0 program is currently in effect
- Page has not been updated to reflect the 48 CFR final rule being published in the Federal Register, activating the government's phased rollout on November 10, 2025
What to Know:
- The CMMC 2.0 program is currently in effect
- CMMC certification requirements will begin appearing in contracts before the end of 2025
- Contractors handling CDI/CUI will need to fully align with NIST 800-171 Rev 2 and likely will need to go through a certified third-party assessment
Lockheed Martin
LATEST UPDATE: 09/17/2025
Lockheed Martin’s Supplier Cybersecurity Page offers recent supplier newswire updates regarding updates to the CMMC 2.0 rulemaking process. Additionally, it reinforces its expectations for its supply base to align with all controls and objectives listed in NIST 800-171 Rev 2.
What’s Listed:
- Recent newsletters with updates on CMMC rulemaking
- Clear alignment with NIST 800-171 Rev 2
- Requests for updated SPRS scores
- Supplier Cybersecurity FAQs
What’s Missing:
- No mention of the 48 CFR final rule being published into the Federal Register with an effective date of November 10, 2025
- With Lockheed Martin's guidance focusing on full alignment with NIST 800-171 Rev 2, subcontractors should be planning to achieve Level 2 (C3PAO) certification
What to Know:
- If your score is below 110, expect a follow-up.
- Lockheed’s communication is ahead of most — stay engaged.
- The government's phased rollout of CMMC requirements in contracts begins on November 10, 2025
Northrop Grumman
LATEST UPDATE: 09/17/2025
Northrop Grumman’s supplier cybersecurity page briefly mentions CMMC and DFARS 252.204-7012. There are no updates regarding the revised CMMC 2.0 program or timeline for the phased rollout of CMMC 2.0 certification requirements in contracts. However, there is a link to contact them if suppliers have any questions.
What’s Listed:
- Brief mention of CMMC and DFARS 252.204-7012
- Contact link for questions
- Links to Cyber Assist and Project Spectrum
What’s Missing:
- Does not reference the CMMC 2.0 program or that it has been the new standard since December 2024
- Fails to provide information on the 48 CFR final rule, which activates the government's phased rollout on November 10, 2025
- Does not list or mention NIST 800-171
- Does not provide information directly from the DoD about the CMMC 2.0 program or corresponding DFARS clauses
What to Know:
- You’ll need to ask. Use their contact form and request expectations in writing
- Review your contracts for current clauses that may provide insights into which CMMC maturity level will apply to you
- The government's phased rollout of CMMC contract requirements begins on November 10, 2025
Raytheon (RTX)
LATEST UPDATE: 09/17/2025
What’s Listed:
- DoD CIO CMMC FAQ sheet
- Information on DFARS 252.204-7012
- Information on DFARS 252.204-7020 (DoD Assessment Requirements)
- Top 10 Cybersecurity Practices
- FAQs from Raytheon's perspective
What’s Missing:
- Fails to mention the CMMC 2.0 program is currently in effect
- Does not provide an update on the 48 CFR final rule, which activates the government's phased rollout on November 10, 2025
What to Know:
- The government's phased rollout is scheduled to begin on November 10, 2025
- The focus on NIST 800-171 self-assessment and POA&M closeouts implies Level 2 (C3PAO) certification will likely be required
- Reach out to your point of contact at Raytheon for information on their timeline to include CMMC requirements in new solicitations and current contract option years
ISI Insights
What You Need to Know About the CMMC 2.0 Rollout
- CMMC Level 2 = NIST 800-171 Rev 2
- The original model required NIST 800-171 Rev 1, and a newer revision (Rev 3) is now available. Even so, CMMC Level 2 and DFARS 252.204-7012 require adherence to NIST 800-171 Rev 2 as of now.
- Clauses to look for in new contracts
- DFARS 252.204-7012 has been the gold standard since 2017. However, going forward, there will be two additional clauses contractors should be looking for in contracts:
  - DFARS 252.204-7021 lets you know that a valid CMMC certification at the level appropriate to the information being shared is required to accept award of the contract.
  - DFARS 252.204-7025 will provide contractors with the CMMC maturity level required to work on the contract.
- Phased rollout ≠ flow down requirements
- The government's rollout phase for CMMC Level 2 (C3PAO) certifications is slated to begin in November 2026. However, the CMMC 32 CFR rule gave contract officers the power to flow down requirements ahead of the phased rollout schedule, meaning Level 2 (C3PAO) certification requirements could appear in contracts before Phase II of the government's rollout.
- Applies to new contracts and option years
- The phased rollout applies to new contracts as well as option years on current contracts. If you are on a multi-year deal with option years, review the timeline of those renewal dates and plan your compliance journey accordingly.
What You Can Do Right Now
1. CHECK YOUR CURRENT POSTURE
Use NIST 800-171 Rev 2 as a benchmark. Make sure to measure against all 320 objectives, not just the controls.
2. CONFIRM REMEDIATION PROGRESS
3. BOOK YOUR C3PAO ASSESSMENT
There is currently a 6-7 month backlog, and our analysis predicts it will get worse in the early parts of 2026. Once your scope and remediation timelines are set, schedule your assessment.
4. TALK TO YOUR PRIME CONTRACTOR
If they haven't communicated timelines or expectations yet, ask them. If asked about your posture, provide an honest representation and remediation timeline.
NEED MORE INFO?
As a CMMC Level 2 certified Registered Provider Organization, we take pride in providing defense contractors with the industry knowledge and technical guidance needed to continue working in the Defense Industrial Base.
See the resources below for real-time insights from our subject matter experts.

The BIG PICTURE
With the rollout of CMMC certification requirements set to begin on November 10, 2025, contractors need to be actively taking steps towards compliance. Here are some next steps you can take today to help secure your competitive advantage:
- Ask your prime contractor for information about their CMMC timeline
- If you have identified your scope, schedule your C3PAO assessment
- Get an update on your team's remediation timeline
ISI Insight: The onus of maintaining a secure supply chain is on the prime contractor, but it is up to the subcontractor to achieve CMMC compliance or risk losing contract opportunities as early as this year.
1. Check your current posture.
Use NIST 800-171 Rev 2. Your SPRS score should reflect it.
2. Close POA&Ms fast.
They’ll be prohibited under CMMC Level 2 unless tied to very narrow exceptions.
3. Talk to your prime.
If they haven’t communicated timelines or expectations, ask.
4. Book your C3PAO.
There’s a 6–7 month backlog. Don’t get caught waiting.
Suggested Resources
- Learn More About the CMMC requirement rule: Learn what the 48 CFR rule says, its impact, and what you should expect to see in your contracts throughout the phased rollout period.
- Insights and Forecasts into the CMMC Rollout: See how the CMMC ecosystem is progressing towards its goal of full compliance, and what that means for your competitive positioning in the DIB.
- CMMC Compliance Insights, Resources, & Guidance: Our CMMC Compliance Command Center offers videos, blogs, and additional resources to help with your compliance journey.
The information above has been collected from publicly available prime contractor resources. It is intended to provide subcontractors with visibility into what has been published to date. This content is informational only and is not intended as compliance advice or recommendations.