On November 10, 2025, the 48 CFR CMMC Final Rule was published, marking a significant milestone in the history of CMMC. As of now, all new DoW contracts and solicitations will include CMMC level 1 requirements as phase 1 of implementation begins. Many contractors may also begin to see level 2 language appear in contracts, requiring organizations to pass a third-party C3PAO audit. The major push, however, comes from several large prime contractors. In an effort to secure their supply chain, many primes are now requiring their subcontractors to achieve level 2 compliance regardless of the current CMMC implementation status.
What are the Primes Saying About Being CMMC Compliant?
Several prime contractors have been outspoken in their commitment to CMMC compliance. Below are several statements from major primes regarding CMMC compliance and their subcontractors.
Lockheed Martin
Lockheed Martin has been ahead of many primes when it comes to communicating its CMMC expectations. Its Supplier Cybersecurity page has made it clear that it expects suppliers to align with all controls and objectives listed in NIST SP 800-171. It has also asked subcontractors to submit updated SPRS scores, expecting a perfect 110 score.
For suppliers unready for CMMC level 2 requirements, they stated:
"Suppliers without a green CCRA rating create significant risk for programs anticipating CMMC requirements and may evoke program mitigation actions to reduce or eliminate dependencies on suppliers who are under-prepared to achieve CMMC Level 2 compliance."
Boeing
Boeing has provided several links and resources for their suppliers regarding CMMC compliance. These include a CMMC preparedness document, their supply chain terms of use and cybersecurity supplement, as well as a link to NIST 800-171 Rev 3. It is important to note that, as of now, CMMC level 2 only requires organizations to implement the controls listed in Rev 2 of the NIST SP 800-171 document.
In a memo earlier this year, Boeing stated:
"Currently, Boeing is assessing supplier cybersecurity practices and identifying gaps that need to be addressed to be ready for CMMC. As a condition of winning a contract award, suppliers handling FCI and CUI will be required to have the specified CMMC level certification identified in the customer/Boeing solicitation."
Raytheon (RTX)
Raytheon has also provided several resources for its suppliers, with documents covering CMMC FAQs, CMMC 101, and an SPRS overview. On its supplier cybersecurity page, Raytheon states:
"All RTX suppliers supporting DoW contracts and/or solicitations with DFARS 252.204-7021:
- Will be required to have an active CMMC certification at the appropriate level, as defined within the Prime Contractor Solicitation
- Must immediately take steps to ensure their Annual Supplier Registration Data, Representations and Certifications remains current on CMMC status
- Are asked to stay connected with the DoW Chief Information Officer Website for CMMC for available resources and information here"
CMMC Supplier Flow-Down Requirements
Prime contractors have an obligation to ensure that every one of their subcontractors at every tier meets the appropriate cybersecurity requirements to protect FCI or CUI. Through the process of flow-down, subcontractors are required to achieve CMMC compliance at the same level as their prime to bid on, win, and maintain contracts.
It is specifically stated in the 32 CFR rule that "CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract." Prime contractors must "require subcontractors to comply with and to flow down CMMC requirements" alongside the accompanying certification processes.
CorpInfoTech, a Trusted CMMC Partner
CorpInfoTech is a CMMC L2 certified MSP that helps organizations achieve and maintain CMMC compliance. We specialize in helping small and medium-sized contractors achieve compliance through proven tools and technologies, pre-certified policies and controls, and continuous monitoring and maintenance. Through TAS for CMMC Compliance, organizations are able to inherit 200+ of the 320 objectives required by CMMC level 2. We help contractors through every step of their journey, beginning with comprehensive gap assessments, scoping, and evidence creation, and culminating with the implementation of the required controls and ongoing management. For organizations in need of CMMC level 1 compliance, we utilize the CIS Controls, an industry-standard framework that aligns nicely with the foundational requirements of level 1. As a CIS-accredited organization, we have externally validated our ability to protect and secure our clients' IT infrastructure.
To discuss how CorpInfoTech can help your organization meet its cybersecurity and compliance objectives, contact us today.
Key Takeaways
- Prime contractors are driving enforcement ahead of the DoD timeline. Major primes such as Lockheed Martin, Boeing, and Raytheon are already requiring CMMC readiness or certification from subcontractors to reduce supply-chain risk.
- Flow-down requirements apply at every tier of the supply chain. Any organization that processes, stores, or transmits FCI or CUI must meet the appropriate CMMC level—regardless of company size or contract value.
- SPRS scores and evidence matter more than ever. Primes are increasingly scrutinizing NIST SP 800-171 implementation and expecting demonstrable compliance, not just plans of action.
- The right partner can significantly reduce complexity and cost. Leveraging a CMMC-experienced MSP like CorpInfoTech allows contractors to inherit controls, streamline audits, and focus on their core mission while maintaining compliance.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.
