
A Prime Contractor Asked About Our Cybersecurity. What Do We Do Now?

An email lands from one of your biggest customers one morning, the one whose orders make up a meaningful chunk of your year. Somewhere in the body is a question that doesn’t quite fit the rest. Something about your CMMC status. Or your SPRS score. Or, more vaguely, a request for an update on your “current cybersecurity posture.” Sometimes there’s a questionnaire attached.

If you’re like most of the suppliers we talk to, the email gets forwarded to whoever handles IT with a one-line note: “Do we have any of this?”

The first reaction is usually a version of the same thought. We make the parts. We write the firmware. We run their payroll. We’re not a defense contractor. The question feels like it belongs to someone else or like a procurement formality that will go away if it’s left alone for a week.

But it won’t. According to Redspin’s 2025 Momentum but Slow Movement report, 47% of DIB contractors surveyed had already received a CMMC flow-down request from a prime – months before the formal enforcement timeline says they need one. The questions aren’t random, and they aren’t going away. They’re the front edge of a process the prime is already running, and the supplier on the other end of the email is part of it whether they planned to be or not.

The question itself isn’t the problem. Not having an answer is.

Why Primes are Asking, and Why Now

CMMC requirements are being phased into DoD contracts beginning in 2025, with enforcement widening through 2026 and beyond as new solicitations include certification requirements. Phase 1 took effect on November 10, 2025, and CMMC requirements have started appearing in new DoD solicitations. Phase 2, which adds C3PAO-assessed Level 2 certification for contracts handling Controlled Unclassified Information (CUI) that require it, arrives a year later on November 10, 2026. That’s the calendar primes are working backward from.

The legal mechanics matter too, because they explain why this is landing on suppliers who have never bid for a federal contract. Prime contractors are responsible for ensuring their subcontractors meet applicable CMMC requirements before awarding work involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). A non-compliant supplier is no longer just a procurement inconvenience. It’s a contractual liability the prime carries on its own books.

Which is why the questions are arriving early and not from one prime in isolation. Lockheed Martin, RTX, Boeing, Northrop Grumman, Elbit America, Parsons, and L3Harris have all issued supplier notices, questionnaires, or readiness surveys in the last twelve months. Several have stated, in writing, that suppliers who can’t demonstrate the right level of compliance won’t receive purchase orders. Boeing has gone further and started conducting gap assessments across its own supply base to identify which vendors are ready and which aren’t.

For a supplier two or three tiers down the defense supply chain, that activity reaches you indirectly but inevitably. Your customer’s customer is being graded. They’re now grading you.

What They’re Actually Asking For

When a prime asks about your cybersecurity, they’re not looking for reassurance. They’re looking for specifics they can put on file that will hold up if their own compliance is audited later.

In practice, that usually means four things:

  • A current SPRS score that reflects your present security posture, updated at least every three years (or more often if the contract requires it).
  • Evidence that your organization is implementing the 110 security requirements in NIST SP 800-171, with any gaps documented and tracked.
  • A System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that describe, in writing, how each requirement is met or how the gaps will be closed.
  • The right CMMC level for the data you handle. The contract sets the level, and it typically follows the type of information involved: Level 1 for Federal Contract Information (FCI) and Level 2 for Controlled Unclassified Information (CUI).

The honest answer might be that you have parts of this. A score from years ago that nobody has revisited. An SSP that exists in a folder somewhere but doesn’t reflect how the network actually looks today. Controls that are in place operationally but never documented in a way an assessor would accept. That’s a normal starting position, and it’s still workable. What isn’t workable is silence, vague reassurance, or a self-attestation that contradicts what’s on the ground.

Primes know the difference. The honest, partial answer keeps the conversation going. Silence ends it.

What No Answer Means for the Relationship

The risk most suppliers underestimate is the gap between feeling compliant and being able to prove it. CyberSheath’s 2025 State of the Defense Industrial Base report found that only 1% of contractors said they were fully ready for a CMMC assessment, even as most expressed high confidence in their security posture. Confidence and readiness aren’t the same thing, and primes are now in the business of telling them apart.

When a supplier can’t produce a credible answer, the consequences rarely arrive as a confrontation. They arrive in silence:

  • A bid that doesn’t progress.
  • A renewal conversation that stalls.
  • A purchase order held while procurement “reviews options.”

Primes are already mapping backup suppliers for the vendors who look unprepared, and the supplier usually finds out after the work has moved.

The two answers that decide which side of that line you land on:

  • “We’ve assessed where we are; here’s our score, and here’s the remediation timeline.” Keeps the relationship.
  • “We’ll get back to you.” Hands the prime a reason to start sourcing elsewhere.

A Credible Answer Starts with a Gap Analysis

A Security Gap Analysis is what turns “We’ll get back to you” into a defensible response. It maps your environment against the CMMC level that applies to your data, surfaces missing or undocumented controls, baselines an interim SPRS score, and produces a prioritized remediation roadmap: the set of artifacts a prime is looking for as proof you’re taking it seriously. Our team includes CMMC Registered Practitioners, so the output is something primes will recognize.

The suppliers who keep their place in the supply chain aren’t always the ones with perfect compliance. They’re the ones who can answer the question. Book your Security Gap Analysis with us today and find out where your business stands before your next contract is on the line.

Eric Watkins

Co-Founder and Director of Infinity Technologies, a Microsoft Certified IT solutions provider supporting businesses across Virginia and beyond.