On June 30, 2025, Lockheed Martin issued a supplier cybersecurity update that sent a clear message to the entire defense ecosystem. CMMC 2.0 is no longer a nice-to-have or an initiative that subcontractors can delay as the 48 CFR rulemaking progresses—it’s becoming a prerequisite for doing business in the defense supply chain.

Let’s take a closer look at this memo and what it means for subcontractors.

Lockheed Martin to suppliers: Get CMMC compliant now or get out of the supply chain

The latest update from Lockheed Martin to its suppliers emphasized that:

“By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”

This isn’t the first time Lockheed suppliers have seen this message. It was included in a memo from December 16, 2024, the same day that the final rule (32 CFR Part 170) for the CMMC 2.0 program went into effect.  

Six months later, Lockheed’s newest update builds on this expectation. It not only tells suppliers they should have already transitioned their self-assessments to its Cybersecurity Compliance and Risk Assessment (CCRA) portal—it warns that Lockheed Martin Supply Chain Cybersecurity is proactively contacting vendors whose self-assessments show unmet cyber requirements, including unimplemented CMMC controls.

For subcontractors and their subcontractors (“fourth parties”), the takeaway is simple: be ready to demonstrate CMMC Level 2 compliance if you manage CUI—or risk losing your place in Lockheed’s supply chain.

This is the same message that many other primes are sending to subcontractors as they gear up for CMMC enforcement to begin this fall or later this year. 

Why primes are pressuring subcontractors about CMMC 2.0 certification before the deadline

Lockheed is not alone in proactively requiring subcontractors to get CMMC 2.0 compliant before the phased rollout even begins. 

According to lead Certified CMMC Assessors (CCAs), General Dynamics has already started embedding CMMC requirements into contracts, and suppliers have lost work because they couldn’t prove compliance. The Defense Logistics Agency (DLA) is starting to require CMMC attestations even before contract awards. Even non-DoD agencies like the Department of Energy are starting to push CMMC as the easiest way to verify NIST 800-171 compliance if required instead of NIST 800-53.

This pressure from primes comes months before the final 48 CFR acquisition rule is expected to be finalized and take effect. This is expected to happen by the end of 2025, at which point DFARS clause 252.204-7021 will formally require CMMC certification for nearly all new DoD contracts, starting with Level 1 and 2 self-assessments. 

Why the rush? While other members of the DIB are still playing a wait and see game as the 48 CFR rule progresses to its final stage of the rulemaking process, prime contractors know they don’t have time to lose to delaying the inevitable. Primes build supply chain teams years in advance of big proposals, and they need subcontractors who can already demonstrate compliance to avoid delays in their own CMMC 2.0 certification and risk losing massive contracts. 

The risk of waiting—and the competitive advantage of acting now

While some members of the Defense Industrial Base are still hoping CMMC won’t be enforced, Lockheed’s June update and similar moves by other primes—combined with updates from CyberAB—prove that this is a losing gamble.

Primes are already starting to make compliance a condition of contract eligibility and award. That means subcontractors who wait until the CMMC deadline is finalized to begin their certification journey may already be locked out of future bids. Plus, those fourth parties may be subject to CMMC requirements so it’s critical they get compliant as well to protect the DIB’s supply chain.

On the other hand, proactive subcontractors have a golden opportunity. By demonstrating CMMC Level 2 compliance now, you can not only keep your seat in the supply chain—you may be able to get ahead of competitors still stuck in denial and win more complex, lucrative contracts. 

What subcontractors should do immediately

If you are—or aspire to be—a supplier for Lockheed, General Dynamics, or other primes, here’s what to do immediately:

• If you handle FCI only, implement CMMC Level 1 requirements. Ensure you meet the 15 security requirements set by FAR clause 52.204-21 in full—no exceptions or POA&Ms are allowed at this level. The DoD estimates that 63% of the DIB will need a Level 1 self-assessment. 
• If you handle CUI, implement NIST 800-171 Rev. 2 controls in full. Gaps at this stage are red flags since DFARS 252.204-7012 has mandated implementation of NIST SP 800-171 requirements for almost a decade. The DoD estimates that 37% of the DIB will need a Level 2 certification assessment, with the overwhelming majority (35%) requiring a third-party assessment.  
• Update your SPRS or CCRA score in supplier portals. Don’t wait for a call from the supply chain team—keep primes current on your current level of CMMC readiness by having the latest SPRS or CCRA scores available in whatever portal your prime is using to verify compliance.

Get CMMC 2.0 compliant now, stay part of the defense supply chain tomorrow

CMMC 2.0 is not theoretical anymore. Lockheed Martin’s June announcement is the sixth such supplier notice—and this time it came with a clear warning. If you want to stay in the game, you need to be CMMC compliant.

For subcontractors, that means certification isn’t just about cybersecurity. It’s now the make-or-break factor in whether you keep contracts with major primes, or you’re left behind as they build their next-generation supply chains.

A purpose-built solution like Secureframe can help streamline CMMC certification with automated evidence collection, policy templates, continuous monitoring, and direct partnerships with C3PAOs like Coalfire Federal—so subcontractors can demonstrate compliance quickly and confidently. Read how automation is a game-changer for organizations seeking certification or request a demo to learn more.