RADICL Blog

Your CMMC Deadline Isn't November 2026, It's Whenever Your Prime Says It Is

Written by Corey Garretson | 2026 | 04

 

By now, most people in the Defense Industrial Base (DIB) have circled November 10, 2026 on their calendars. That's the day CMMC Phase 2 officially begins, meaning it’s the date when certification by third-party assessors (C3PAOs) becomes the default requirement for contracts involving Controlled Unclassified Information (CUI), replacing the self-attestation model that defined Phase 1.

Here’s the problem with focusing too much on that date: It’s the official deadline on paper and the stated start of CMMC Phase 2, but in many cases it’s up to the prime contractor to determine when compliance is actually required.

The "Big Five" major DIB prime contractors (Lockheed Martin, RTX, Boeing, Northrop Grumman, and General Dynamics) are not waiting for the DoD to force the issue. Because they choose subs for their contracts, they are the enforcement mechanism, and they've been pulling that lever for months.

Why the primes are ahead of the government

Under 32 CFR §170.23, prime contractors are legally required to verify subcontractor compliance before sharing covered information. If a sub gets breached and didn't have its controls in place, the prime bears program risk, reputational damage, and potential False Claims Act exposure.

That liability calculus (not altruism, and not early adoption enthusiasm) is why primes aren't waiting for Phase 2 to officially begin. They're already triaging their supply chains, and they’re using real tools to do so: SPRS score reviews, the standardized Cybersecurity Compliance and Risk Assessment (CCRA) questionnaire delivered through Exostar, and, in some cases, outright contract conditions requiring active certification now.

Three statistics put this in context:

  1. 99% of DIB orgs still need C3PAO certification (per the February 2026 Cyber AB Town Hall)
  2. 103 authorized C3PAOs serving 80,000+ contractors needing Level 2 (per Cyber AB’s Marketplace)
  3. 4–12 months typical readiness timeline before a C3PAO assessment, based on our customers

That last figure is what makes the primes' posture so consequential. If the typical path to certification takes 4 to 12 months, and your prime is already assessing your readiness today, the window isn't just narrowing — for many subs, it has already closed.

But all is not lost! RADICL can get you up to speed quickly. Let’s talk.

Where each major prime stands

Here are The Big Five, by FY2023 DoD contract volume, and where they currently stand on CMMC compliance.

Lockheed Martin - Enforcing now

Lockheed has been the most aggressive and publicly explicit prime in the industry. On June 30, 2025, it notified suppliers that CMMC Level 2 compliance is a non-negotiable expectation, not just a future goal. The company stated it was "reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements," making clear that continued business depends on full implementation of all NIST SP 800-171 controls.

That June notice built on an earlier December 2024 memo sent the same day that the 32 CFR rule took effect. Lockheed is now requiring suppliers to submit CMMC Level 2 self-assessment scores directly into Exostar. Some FY2026 contracts already include C3PAO certification requirements, meaning a third-party assessment isn't just a Phase 2 concept for Lockheed's supply chain. It's already in contract language.

Effective posture: Compliance is a condition of continued business, not just future awards. Non-compliant suppliers are already being contacted.

Boeing - Enforcing now

Boeing made CMMC certification a condition of contract award for all suppliers handling FCI or CUI. Its Terms of Use and Cybersecurity Supplement (SP5), updated in August 2025, sets binding minimum security requirements for all suppliers under contract. Suppliers must also complete Boeing's cybersecurity questionnaire through Exostar's Partner Information Manager portal.

Boeing's warning to non-compliant suppliers is blunt: those without a green CCRA rating "create significant risk for programs anticipating CMMC requirements and may evoke program mitigation actions to reduce or eliminate dependencies on suppliers who are under-prepared." That's procurement language for: we’d really rather work with compliant suppliers, and we will replace you if you’re not.

Boeing has also stated it strongly encourages Level 2 C3PAO certification now, not waiting until Phase 2, noting it will "enhance your cybersecurity posture, safeguard your eligibility for future contracts, and ensure your sub-tier suppliers are also engaged in the process."

Effective posture: C3PAO certification actively encouraged for all subs now. Contract award conditions are already in place for FCI/CUI handlers.

RTX (Raytheon / Collins Aerospace / Pratt & Whitney) - Active — notable context

RTX operates all three of its defense divisions (Raytheon, Collins Aerospace, and Pratt & Whitney) under a single consolidated Supplier Cybersecurity policy. For any contract containing DFARS 252.204-7021, suppliers must hold an active CMMC certification at the specified level before RTX will issue a Purchase Order or Letter of Subcontract.

RTX moved earlier than most: in February 2025, it updated its Annual Supplier Registration form to require suppliers to disclose their current and intended CMMC status. That data is now being used to triage the supply chain.

Worth noting for your compliance conversations: in April 2025, RTX and affiliated entities settled with the DOJ for $8.4 million over allegations of falsely certifying cybersecurity compliance under DFARS and FAR. The settlement, covering Raytheon, RTX Corporation, and successor Nightwing Group LLC, is a stark reminder that CMMC isn't just a procurement hurdle. Misrepresentation carries False Claims Act exposure and the primes know this from direct experience.

Effective posture: POs contingent on active certification where DFARS 7021 applies. Supplier status being actively tracked via annual registration data.

Northrop Grumman - Active — less prescriptive

Northrop Grumman has been less explicit in its public supplier communications than Lockheed or Boeing, but it has issued supplier directives requiring compliance documentation and maintains a dedicated Cybersecurity Resources page. An October 2025 notice on its main supplier page addresses CMMC 2.0 expectations and updates.

Perhaps more importantly, Northrop was a founding member of the DIB Sector Coordinating Council working group that developed the CCRA, which is the standardized cybersecurity questionnaire now used across the entire defense supply chain. Northrop helped design the assessment tool being used to evaluate its own suppliers. They understand the framework better than almost anyone, even if requirements in their public communications are quieter.

All five primes — including Northrop — accept CCRA results on a reciprocal basis through Exostar. If your CCRA result is poor, every prime who uses the platform can see it.

Effective posture: Compliance documentation is required. Lower public urgency than Lockheed/Boeing, but they’re using the same assessment infrastructure.

General Dynamics - Quiet — but consequential

General Dynamics is the most understated of the Big Five in public communications about CMMC. It operates multiple defense divisions, each with its own supplier cybersecurity page, and has not issued the same high-profile supplier letters as Lockheed or Boeing.

But according to certified CMMC assessors working in the industry, GD has already started embedding CMMC requirements directly into contracts, and suppliers have already lost work because they couldn't demonstrate compliance. The absence of loud public messaging does not mean a lack of enforcement. In fact, it may mean the opposite.

Like all five primes, GD participates in the CCRA through Exostar. Suppliers complete the questionnaire once and share results with every prime that accepts it. A low score affects GD relationships alongside all others.

Effective posture: CMMC requirements are already embedded in some contracts and subs have reportedly already lost work. Do not interpret silence as inactivity.

Beyond the Big Five

The Big Five dominate by contract volume, but two other primes deserve attention for how clearly they've telegraphed their timelines to the supply chain.

L3Harris - Hard deadline: July 30, 2026

L3Harris issued a supplier letter on April 6, 2026 stating explicitly that it expects its suppliers to be certified by July 30, 2026, more than three months before the DoD's Phase 2 date. L3Harris focuses specifically on clauses covering Covered Defense Information (CDI) and CUI, and has made clear it will flow those requirements to all applicable subcontractors.

Effective posture: The most concrete, date-specific deadline issued by any major prime. If you're an L3Harris sub, July 30 is your real deadline.

HII (Huntington Ingalls Industries) - Running 12 months ahead of DoD

HII has been one of the most methodical primes in publishing a concrete internal timeline. The company flowed down Level 2 C3PAO requirements in Q4 2025, a full year ahead of the government's Phase 2 date, and has signaled Level 3 DIBCAC requirements will follow in Q4 2026. HII's posture effectively means its supply chain is already operating under Phase 2 conditions.

Effective posture: Level 2 C3PAO requirements have already flowed down. If you work with HII, you are already in Phase 2.

The capacity problem no one is talking about enough

Even if every subcontractor reading this started their CMMC journey today, there's a structural problem: there aren't enough assessors.

As of this writing, there are 103 C3PAOs registered to serve an estimated 80,000-plus defense contractors needing Level 2 certification. Many are already booked through mid-2026. Industry analysts project that Level 2 assessment fees could range from $75,000 to $150,000 or more by late 2026, as demand increasingly outstrips supply.

That math is brutal and can be pretty demoralizing. And it means the contractors who treated November 2026 as a "start preparing" date (rather than a "be done by" date) are already in trouble.

"A typical readiness journey runs 12 to 14 months: gap analysis, remediation, documentation, pre-assessment review, then the C3PAO engagement itself. Add another 180 days if you receive a Conditional status. If you start gap analysis today, you're realistically looking at certification in mid-to-late 2027." — Grey Pike, CMMC advisory firm, April 2026

 

What this means for subcontractors

If there's a single takeaway from where the major primes stand today, it's this: enforcement of CMMC Level 2 is not a future event. It’s a present one. The mechanism isn't a government contracting officer; it's the prime writing your next purchase order.

A few concrete implications:

  • Your real deadline is your prime's deadline, not the DoD's. L3Harris subs have until July 30. HII subs are already living under Phase 2 conditions. Lockheed subs are being contacted right now if their SPRS scores are low. The DoD November 10, 2026 date only matters if your prime hasn't already moved faster than the Phase 2 rollout.

  • CCRA scores are visible to all primes simultaneously. The cybersecurity questionnaire is completed once and shared across every prime using Exostar. This includes all Big Five primes, so a weak CCRA rating doesn't just affect one relationship.

  • Self-attestation is no longer sufficient cover. The Raytheon FCA settlement in April 2025 demonstrated that falsely certifying compliance with cybersecurity requirements is not just a technicality; it’s also potential fraud. With primes now actively verifying claims through SPRS, CCRA, and direct outreach, gaps between stated and actual compliance are increasingly discoverable.

  • Book your C3PAO now, even if you're not ready. Assessment slots are filling into late 2026. Getting into the queue, even with remediation still underway, is better than discovering in September that no assessor is available until Q1 2027.

The bottom line

The DoD's Phase 2 rollout date is a defined regulatory milestone. But for the subcontractors who make up the backbone of the defense industrial base, the real deadline is set by whoever is writing your purchase orders. Several of them have already set their own deadline, named it, and have even started acting on it.

November 2026 was never the deadline. It was always the floor.