On November 10, 2025, the 48 CFR CMMC Final Rule was published, marking a significant milestone in the history of CMMC. As of now, all new DoW contracts and solicitations will include CMMC level 1 requirements as phase 1 of implementation begins. Many contractors may also begin to see level 2 language appear in contracts, requiring organizations to pass a third-party C3PAO audit. The major push, however, comes from several large prime contractors. In an effort to secure their supply chains, many primes are now requiring their subcontractors to achieve level 2 compliance regardless of the current CMMC implementation status.
Several prime contractors have been outspoken in their commitment to CMMC compliance. Below are several statements from major primes regarding CMMC compliance and their subcontractors.
Lockheed Martin
Lockheed Martin has been ahead of many primes when it comes to communicating its CMMC expectations. Its Supplier Cybersecurity page makes it clear that it expects suppliers to align with all controls and objectives listed in NIST SP 800-171. It has also asked subcontractors to submit updated SPRS scores, expecting a perfect 110 score.
For suppliers unready for CMMC level 2 requirements, they stated:
"Suppliers without a green CCRA rating create significant risk for programs anticipating CMMC requirements and may evoke program mitigation actions to reduce or eliminate dependencies on suppliers who are under-prepared to achieve CMMC Level 2 compliance."
Boeing
Boeing has provided several links and resources for their suppliers regarding CMMC compliance. These include a CMMC preparedness document, their supply chain terms of use and cybersecurity supplement, as well as a link to NIST 800-171 Rev 3. It is important to note that, as of now, CMMC level 2 only requires organizations to implement the controls listed in Rev 2 of the NIST SP 800-171 document.
In a memo earlier this year, Boeing stated:
"Currently, Boeing is assessing supplier cybersecurity practices and identifying gaps that need to be addressed to be ready for CMMC. As a condition of winning a contract award, suppliers handling FCI and CUI will be required to have the specified CMMC level certification identified in the customer/Boeing solicitation."
Raytheon (RTX)
Raytheon has also provided several resources for its suppliers, with documents on CMMC FAQs, CMMC 101, and a SPRS overview. On its supplier cybersecurity page, Raytheon states:
"All RTX suppliers supporting DoW contracts and/or solicitations with DFARS 252.204-7021:
Prime contractors have an obligation to ensure that every one of their subcontractors at every tier meets the appropriate cybersecurity requirements to protect FCI or CUI. Through the process of flow down, subcontractors are required to achieve CMMC compliance at the same level as their prime to bid on, win, and maintain contracts.
It is specifically stated in the 32 CFR rule that "CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract." Prime contractors must "require subcontractors to comply with and to flow down CMMC requirements" alongside the accompanying certification processes.
CorpInfoTech is a CMMC L2 certified MSP that helps organizations achieve and maintain CMMC compliance. We specialize in helping small and medium-sized contractors achieve compliance through proven tools and technologies, pre-certified policies and controls, and continuous monitoring and maintenance. Through TAS for CMMC Compliance, organizations are able to inherit 200+ of the 320 objectives required by CMMC level 2. We help contractors through every step of their journey, beginning with comprehensive gap assessments, scoping, and evidence creation, and culminating with the implementation of the required controls and ongoing management. For organizations in need of CMMC level 1 compliance, we utilize the CIS Controls, an industry-standard framework that aligns nicely with the foundational requirements of level 1. As a CIS-accredited organization, we have externally validated our ability to protect and secure our clients' IT infrastructure.
To discuss how CorpInfoTech can help your organization meet its cybersecurity and compliance objectives, contact us today.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.