2025 Reality Check: What Prime Contractors Now Expect from Their Suppliers

July 01, 2025

What to Expect

  • Why the compliance landscape shifted under CFR 32 and upcoming CFR 48
  • How prime contractors are enforcing CMMC Level 2 readiness across their supply chains
  • What subcontractors must show to stay competitive in defense procurements
  • Key documentation and evidence primes now expect, including SSPs and POA&Ms

Based on insights from Summit 7’s webinar: “What Do Prime Contractors Expect from Their Supply Chain?”

The tone in 2025 has shifted—permanently.

CMMC is no longer a distant obligation or a checkbox project buried in future planning. With the implementation of CFR 32 and the imminent arrival of CFR 48, the compliance landscape has evolved—and prime contractors are now fully in motion. These changes didn’t happen overnight, but the cumulative effect is clear: primes are facing contractual pressure to validate cybersecurity across their supply chains, and they are pushing that pressure downstream.

In a recent Summit 7 webinar, several industry leaders underscored this new reality. The days of “working toward compliance” are over. Prime contractors are now demanding evidence of assessment readiness—not just promises of progress.

“We’re hearing from the DoD that self-attestation is no longer sufficient,” said Matt Ramsey, CIO at BlueHalo. “Third-party assessments will be embedded in procurements. If you're not already in the pipeline for certification, you're at serious risk of being dropped.”

What used to be a future requirement is now shaping award decisions. In fact, many prime contractors are already requiring CMMC Level 2 compliance as a precondition for subcontractor selection—even in advance of formal CFR 48 enforcement. The shift is real, and it’s already impacting who gets included in RFIs and RFPs.

“The knowledge gap and the certification gap must be closed if you want to be part of our future programs,” said John Kronick of Tutor Perini. “If you can't isolate CUI or decouple it from those suppliers, you're forced to replace them—or vertically integrate.”

This isn’t about fear. It’s about operational reality. Prime contractors have a business imperative to demonstrate due diligence and reduce supply chain risk. That means they are:

  • Vetting subcontractors for CMMC Level 2 assessment status
  • Asking for documentation on System Security Plans (SSPs), evidence packages, and closed POA&Ms
  • Requiring clear scoping of CUI boundaries and proof that all 110 NIST 800-171 practices are implemented

Simply put, if you can't show that you're ready, you're a liability.

What This Means for Suppliers

  • CMMC Level 2 is the new threshold. It’s no longer a goal to work toward—it’s becoming a gate you must pass through to compete.
  • Assessment-ready documentation is the new currency. If you haven’t completed a gap analysis, readiness review, or mock assessment, expect to be left behind.
  • "Good enough" is no longer good enough. Prime contractors need partners who are proactive, not reactive.

The Bottom Line

If you're part of the Defense Industrial Base, your readiness is no longer measured by intent—it’s measured by implementation. The clock started ticking with CFR 32. CFR 48 will make it contractual. Prime contractors are already acting like it’s in effect.

If you’re not ready for a C3PAO assessment, your position in the supply chain is at risk.

Ready Means Ready. Is Your Organization Prepared?

At Coalfire Federal, we’ve helped some of the nation’s most complex defense contractors achieve and maintain CMMC compliance. As an authorized C3PAO, we bring deep experience, technical rigor, and an efficient, objective approach to every assessment we perform.

Whether you need a mock assessment to pressure-test your environment or are ready to schedule your formal CMMC Level 2 assessment, we can help you move forward—confidently and compliantly.

TL;DR FAQs

Prime contractors must prove that their supply chains are secure and compliant under CFR 32 and soon CFR 48. As a result, they are requiring subcontractors to demonstrate CMMC Level 2 readiness with documented proof of implemented controls, not just plans to comply.

Being assessment-ready means having complete and current documentation, such as a System Security Plan (SSP), closed POA&Ms, and evidence for all NIST 800-171 practices. Organizations should also complete a gap analysis or CMMC readiness review to verify that controls are implemented and maintained.

Prime contractors are vetting subcontractors based on documented CMMC Level 2 status. They often request SSPs, evidence packages, and proof of implemented security practices. Many primes are already treating CMMC compliance as a precondition for inclusion in RFIs and RFPs.

Suppliers who cannot show readiness for CMMC Level 2 assessment risk being excluded from defense programs or replaced by compliant vendors. Prime contractors view noncompliant partners as supply chain risks that could jeopardize contract eligibility.

Suppliers should complete a formal mock assessment or readiness review, remediate open POA&Ms, and centralize documentation to prove continuous compliance.