
Boeing Joins Lockheed Martin and Other Primes in Urging Suppliers to Get CMMC Ready to Secure the Defense Supply Chain
Some organizations continue to speculate how “real” the November 10th CMMC deadline is. Previously, it was because the 48 CFR rule hadn’t been finalized. Now, it’s because of the government shutdown.
But amidst this speculation, Boeing and other primes continue to make their expectations clear: subcontractors need to be CMMC ready. And not by November—now.
Back in August, we highlighted how leading defense contractors like Lockheed and General Dynamics were already making CMMC readiness a condition of doing business.
Now, Boeing has joined the growing list of primes publicly announcing that they have already begun the process of assessing their suppliers’ cybersecurity practices for any unmet CMMC requirements so these gaps can be addressed as soon as possible.
Boeing’s message to suppliers is the latest signal that enforcement isn’t just coming in November or a later phase in the rollout. It’s already happening in the defense supply chain—and it’s being spearheaded by the industry, not the government.
Boeing to suppliers: Prepare for CMMC Level 2 certification now or risk losing future contracts
In a supplier communication last month, Boeing announced that it is taking all necessary steps to prepare for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework—starting with “assessing supplier cybersecurity practices and identifying gaps that need to be addressed to be ready for CMMC.”

Boeing reiterated that suppliers handling FCI or CUI will be required to hold the CMMC certification level (1–3) specified in the customer or Boeing solicitation as a condition of contract award.
But beyond being a prerequisite to participate in the company’s defense supply chain, it also emphasized that certification is meant to enhance both subcontractors’ and Boeing’s cybersecurity posture and their “collective ability to protect sensitive information from unauthorized access or compromise.” This is an important reminder that CMMC is not regulatory red tape—it’s essential to national security.
Back in May, Katie Arrington, who is performing the duties of the DoD CIO, said Boeing would have to rely on CMMC to keep the plans for the US Air Force’s highly classified F-47 fighter secure from hackers. She told Breaking Defense: “The CMMC certification will be proof — trust, verify that those companies have the cyber posture needed to secure the data that is critical to national security, like on programs like the F-47.”
To help secure the supply chain, the aerospace company is strongly encouraging suppliers to begin the process of obtaining a CMMC Level 2 certification from a Certified Third-Party Assessor Organization (C3PAO). This will be proactive for some subcontractors, but not all. While Phase 1 will primarily roll out Level 1 and 2 self-assessment requirements into new solicitations and contracts, DoD contracting officers will have the discretion to include Level 2 (C3PAO) requirements in select contracts involving sensitive unclassified information.
Acting early and engaging in a CMMC Level 2 certification assessment, Boeing stated, will net three important benefits. It will “enhance your cybersecurity posture, safeguard your eligibility for future contracts, and ensure your sub-tier suppliers are also engaged in the process.”
Why Boeing and other primes are urging CMMC compliance now
DoD enforcement of CMMC contractual requirements begins November 10, 2025—less than a couple of weeks away. After that date, the 48 CFR Rule takes effect and new contracts and renewals will begin including DFARS clause 252.204-7021, which requires CMMC certification at the appropriate level before award.
Prime contractors like Lockheed Martin, General Dynamics, and now Boeing are not waiting for this contract clause to take effect. They’re already assessing suppliers’ cybersecurity practices, identifying gaps, and demanding evidence of compliance with NIST SP 800-171 Rev. 2 and CMMC Level 2 requirements.
These efforts aren’t recent. Boeing has been keeping CMMC top-of-mind for its suppliers in its monthly newsletter, starting all the way back in January 2025 and continuing to date.

Image Source: Newsletter Boeing sent on September 23, 2025
This pressure reflects the growing urgency to address both widespread noncompliance and growing cyber threats across the Defense Industrial Base (DIB). Primes cannot risk delays in their own CMMC certification timelines or gaps in their defenses, and suppliers who aren’t compliant will jeopardize entire contract bids and continue to leave sensitive unclassified information vulnerable to adversaries.
That’s why primes are continuing to push forward with enforcing CMMC across their supply chains, even during the government shutdown. Michael Gruden, a cybersecurity attorney and former Pentagon branch chief, told GovCIO Media & Research, “The clock is already ticking. There’s no further activity required of the government [to implement DFARS] … contingent upon a shutdown or funding.”
In short: subcontractors must act now.
What Boeing subcontractors should do right now
If you’re part of Boeing’s supply chain—or plan to be—here are the key steps to take right now:
- Assess your cybersecurity posture: Identify gaps against CMMC and NIST 800-171 Rev. 2 controls and implement all required security practices.
- Start drafting your SSP: A System Security Plan (SSP) is required for all CMMC levels to document your implementation of CMMC requirements. For many organizations, it can be over 150 pages, so the sooner you start, the better.
- Start your certification journey: Engage a C3PAO early to conduct a readiness assessment and begin remediation.
- Submit your assessment and score in SPRS ASAP: Make sure your latest assessment results and score are submitted in the Supplier Performance Risk System (SPRS) as soon as possible so DoD contracting officers can verify you’re eligible for contract awards.
- Verify your sub-tier suppliers: Ensure your own subcontractors, partners, and “fourth parties” are aware of their CMMC obligations.
- Leverage available resources: Boeing has published guidance and training materials through its Cybersecurity webpage to help suppliers prepare for CMMC requirements.
- Use a GRC platform: A GRC solution can help automate a lot of this process, including the gap assessment, documentation, remediation, and more. This will drastically reduce the time and costs associated with certification.
Waiting until CMMC enforcement could cost you
For suppliers managing export-controlled information and other controlled unclassified information, playing a wait-and-see game and delaying CMMC certification is no longer an option.
Once CMMC requirements start rolling into contracts on November 10, you won’t be eligible to bid or renew work without the appropriate certification.
And as primes like Boeing continue to vet suppliers in advance, being unprepared could mean losing existing contracts and your place in the defense supply chain—even before the rule is in effect.
Conversely, proactive suppliers that achieve CMMC Level 2 certification now can demonstrate stronger security and trustworthiness, positioning themselves as preferred partners for defense work and unlocking new and often lucrative opportunities.
Simplify CMMC certification with automation
Preparing for CMMC certification doesn’t have to be overwhelming. Automation helps organizations fast-track CMMC Level 1 and 2 readiness by streamlining gap assessments, evidence collection, documentation, and remediation, which can reduce not only the time but also the cost it takes to get certified.
Talk to an expert to understand how you can get CMMC compliant now and stay in Boeing’s supply chain tomorrow.

