The Wave of CMMC Flow-Down Notices Has Arrived

Ensphere Advisory Team

April 16, 2026

The notices are landing in inboxes across the defense industrial base, and most subcontractors receiving them have no compliance program in place with which to respond.

In the past six months, the largest prime contractors in the defense sector have moved from informal CMMC conversations to formal written demands with hard deadlines. This is not a preview of enforcement. It is enforcement. If you do business in the defense supply chain and handle Federal Contract Information or Controlled Unclassified Information, the question is no longer whether you will receive one of these notices. It is how ready you will be when you do.

The Primes Are Moving Ahead of the Government Timeline

The DoD's phased CMMC rollout gives contracting officers authority to require CMMC compliance in solicitations starting November 10, 2025 for Phase 1, with Phase 2 (requiring third-party C3PAO certification) opening November 2026. Prime contractors are not waiting for Phase 2.

The pattern that has emerged is consistent: primes are requiring compliance from their supply chains on their own schedules, often six to twelve months ahead of the government's mandated timeline. This is not generosity. Primes bear legal risk for sharing CUI with non-compliant subcontractors. They have every incentive to front-run the government's enforcement schedule.

Here is what the specific notifications have said.

Huntington Ingalls Industries sent a formal supplier letter in September 2024 communicating its CMMC plans. HII has since committed to flowing down Level 2 C3PAO requirements by Q4 2025 and Level 3 DIBCAC requirements by Q4 2026. That puts their supply chain on a twelve-month-early clock relative to the federal phased rollout.

Raytheon (RTX) distributed a survey to its supplier base in March 2026 requesting CMMC status updates with a hard deadline of March 17, 2026. The language in RTX's notice was pointed: C3PAO availability is extremely limited, and if an assessment has not been scheduled, certification in 2026 may not be achievable. RTX made clear that suppliers missing the deadline would face weekly follow-up.

L3Harris issued a supplier letter dated April 6, 2026, stating that suppliers must be CMMC certified by July 30, 2026. That is a three-and-a-half-month window from the letter date to a certification deadline. C3PAO assessments alone typically require three to six months of preparation followed by several weeks for the assessment itself.

Lockheed Martin has required suppliers to submit CMMC Level 2 self-assessment scores through its Exostar supply chain management system. Scores below 110 trigger follow-up. Lockheed's messaging frames compliance as a condition of the relationship: "Proactive cooperation is essential to maintaining the security of the Defense Industrial Base."

Northrop Grumman formalized its position in December 2025 with a clear statement of enforcement intent: non-compliant suppliers receive no purchase orders. Northrop's notice did not mince words on the regulatory reality: neither contracting officers nor prime contractors have authority to waive or deviate from CMMC requirements.

Elbit Systems of America issued a notice on November 5, 2025, directing suppliers to immediately conduct Level 1 self-assessments in SPRS as a minimum baseline. The message was direct: it is now time for suppliers to take urgent action.

Boeing followed in September 2025 with communications framing CMMC certification as a hard condition of contract award for suppliers handling FCI or CUI at any level.

A survey conducted in August and September 2025 found that 47 percent of defense subcontractors had already received a CMMC flow-down request from a prime. That number is higher now.

What the Flow-Down Actually Requires of You

The legal foundation for prime-to-subcontractor flow-down sits in 32 CFR § 170.23. The mechanism is straightforward: primes must pass the appropriate CMMC requirements into subcontract agreements for every tier of the supply chain that handles covered information. The CMMC level you need depends entirely on what kind of information you receive.

If you only process Federal Contract Information, Level 1 self-assessment is the floor. If you handle Controlled Unclassified Information, Level 2 is required. If the prime itself is required to hold C3PAO-assessed Level 2 or DIBCAC-assessed Level 3 status, the CUI-touching tiers below them need C3PAO Level 2 at minimum.

Three clauses govern this in practice: FAR 52.204-21, DFARS 252.204-7012, and DFARS 252.204-7021. These must appear in subcontracts covering FCI and CUI work. If your subcontract agreement does not contain these clauses, that is a compliance gap regardless of your technical security posture.

The verification obligation runs in both directions. Before a prime shares any covered data with you, they are required to confirm your CMMC status. This means your CAGE code needs to be current in SAM.gov, your SPRS submission needs to be current with an active senior official affirmation, and for Level 2 C3PAO requirements, your certification needs to be verifiable with valid dates covering the facility where the work actually happens.

This last point catches organizations with multiple business units or locations. CMMC certification is specific to the facility and scope that was assessed. A certification your parent company holds at a different site does not automatically cover the subcontract work you are doing at your facility.

[Figure: CMMC prime contractor notification wave timeline]

What Happens to Subcontractors Who Are Not Ready

Prime contractors are not waiting indefinitely. The consequences for non-compliant subcontractors are already playing out in concrete ways.

The most immediate impact is contract award. Primes like Northrop Grumman have stated explicitly that purchase orders will not go to non-compliant suppliers. For companies where defense contracts represent a meaningful share of revenue, this is existential, not inconvenient.

Beyond individual awards, your SPRS score is visible to every prime contractor and contracting officer in the defense acquisition ecosystem. A low or absent SPRS submission signals unmanaged risk. Primes screening suppliers in 2026 are doing structured, evidence-based evaluations, not just checking a box. A score that has not been updated or shows a significant gap from 110 invites scrutiny that can knock you out of competitions before the subcontract language is even drafted.

The False Claims Act adds a layer that many subcontractors underestimate. Prime contractors that share CUI with non-compliant suppliers, while continuing to collect on government contracts, face FCA liability. That risk transfers. If you misrepresent your compliance status to a prime, you expose yourself to the same FCA framework. Courts have interpreted "knowingly" broadly in this context, and documented ignorance of your own compliance posture is not a defense.

The Practical Reality of Getting Ready

The timeline math is unforgiving. C3PAO-assessed Level 2 certification requires a formal third-party assessment by an accredited organization. Those organizations are heavily booked. RTX's March 2026 notice explicitly warned that scheduling an assessment may not even be possible in time for a 2026 certification. L3Harris's July 30, 2026 deadline, issued in April, gives suppliers fewer than four months from notification to certification. Organizations starting a compliance program from scratch in response to one of these notices face a genuinely difficult path.

The preparation work that needs to happen before you can schedule a C3PAO assessment includes completing a gap assessment against all 110 NIST SP 800-171 controls, defining your system boundary and documenting where CUI lives and flows, developing or updating your System Security Plan, building a Plan of Action and Milestones for any gaps, implementing technical and procedural remediation, and completing a readiness review before the formal assessment begins.

That sequence, done properly, takes three to six months for most organizations. It takes longer if scope is undefined, if the SSP does not exist or is inaccurate, or if the remediation backlog is significant. Organizations still in the "we need to figure out what this means for us" phase have already lost whatever comfortable margin they might have had.

What This Means for Your Organization

If you have not received a prime notification yet, that does not mean compliance is not already required. Phase 1 enforcement under the DoD's phased rollout began November 10, 2025. If your contracts include DFARS 252.204-7012, the underlying obligation to protect CUI at NIST SP 800-171 standards has been in place since that clause appeared in your agreements. The prime notifications are accelerating enforcement and formalizing accountability, but the legal requirement predates them.

The organizations that will weather this period without contract disruption are the ones that have done the structural work: accurate SSPs, verifiable control implementations, maintained SPRS submissions, and compliance documentation that survives external scrutiny. They are not the organizations that assembled a compliance narrative in a hurry when a notice arrived.

If you are a subcontractor in the defense industrial base and you are not certain of your current CMMC posture, the right move is a structured gap assessment now. Not because a prime has sent you a letter yet. Because the time to find and close gaps is before you are working against someone else's deadline.

Ensphere helps defense contractors and DIB suppliers across Southern California and the Inland Empire work through CMMC readiness from initial gap assessment through SSP development, remediation planning, and C3PAO pre-assessment preparation. If the prime notifications have reached you, or if you want to be prepared before they do, start with a direct conversation about where you actually stand.

Ready to talk about your security program?

Whether you are just starting or need a second opinion on where you stand, we are here to help. No pressure, no sales pitch — just a clear conversation about your situation.


Ensphere is a cybersecurity and compliance advisory firm serving defense contractors, federal-adjacent businesses, and growth-stage SMBs across Southern California. Our founder holds CCP, CCA, and Lead CCA credentials backed by over a decade of direct experience in defense and intelligence community cybersecurity programs.

Ready to Build Security That Actually Works?

Whether you are facing compliance pressure, preparing for a larger contract, or simply ready to get serious about cybersecurity — Ensphere is built to help you move forward with clarity and confidence.
