Based on insights from Summit 7’s webinar: “What Do Prime Contractors Expect from Their Supply Chain?”
The tone in 2025 has shifted—permanently.
CMMC is no longer a distant obligation or a checkbox project buried in future planning. With the implementation of CFR 32 and the imminent arrival of CFR 48, the compliance landscape has evolved—and prime contractors are now fully in motion. These changes didn’t happen overnight, but the cumulative effect is clear: primes are facing contractual pressure to validate cybersecurity across their supply chains, and they are pushing that pressure downstream.
In a recent Summit 7 webinar, several industry leaders underscored this new reality. The days of “working toward compliance” are over. Prime contractors are now demanding evidence of assessment readiness—not just promises of progress.
“We’re hearing from the DoD that self-attestation is no longer sufficient,” said Matt Ramsey, CIO at BlueHalo. “Third-party assessments will be embedded in procurements. If you're not already in the pipeline for certification, you're at serious risk of being dropped.”
What used to be a future requirement is now shaping award decisions. In fact, many prime contractors are already requiring CMMC Level 2 compliance as a precondition for subcontractor selection—even in advance of formal CFR 48 enforcement. The shift is real, and it’s already impacting who gets included in RFIs and RFPs.
“The knowledge gap and the certification gap must be closed if you want to be part of our future programs,” said John Kronick of Tutor Perini. “If you can't isolate CUI or decouple it from those suppliers, you're forced to replace them—or vertically integrate.”
This isn’t about fear. It’s about operational reality. Prime contractors have a business imperative to demonstrate due diligence and reduce supply chain risk. That means they are:
Simply put, if you can't show that you're ready, you're a liability.
If you're part of the Defense Industrial Base, your readiness is no longer measured by intent—it’s measured by implementation. The clock started ticking with CFR 32. CFR 48 will make it contractual. Prime contractors are already acting like it’s in effect.
If you’re not ready for a C3PAO assessment, your position in the supply chain is at risk.
At Coalfire Federal, we’ve helped some of the nation’s most complex defense contractors achieve and maintain CMMC compliance. As an authorized C3PAO, we bring deep experience, technical rigor, and an efficient, objective approach to every assessment we perform.
Whether you need a mock assessment to pressure-test your environment or are ready to schedule your formal CMMC Level 2 assessment, we can help you move forward—confidently and compliantly.
Avoid costly delays and missed contract opportunities. Get on our schedule today.
Prime contractors must prove that their supply chains are secure and compliant under CFR 32 and soon CFR 48. As a result, they are requiring subcontractors to demonstrate CMMC Level 2 readiness with documented proof of implemented controls, not just plans to comply.
Being assessment-ready means having complete and current documentation, such as a System Security Plan (SSP), closed POA&Ms, and evidence for all NIST 800-171 practices. Organizations should also complete a gap analysis or CMMC readiness review to verify that controls are implemented and maintained.
Prime contractors are vetting subcontractors based on documented CMMC Level 2 status. They often request SSPs, evidence packages, and proof of implemented security practices. Many primes are already treating CMMC compliance as a precondition for inclusion in RFIs and RFPs.
Suppliers who cannot show readiness for CMMC Level 2 assessment risk being excluded from defense programs or replaced by compliant vendors. Prime contractors view noncompliant partners as supply chain risks that could jeopardize contract eligibility.
Suppliers should complete a formal mock assessment or readiness review, remediate open POA&Ms, and centralize documentation to prove continuous compliance.