If you’re a subcontractor in the defense supply chain, your prime has probably sent you something about CMMC in the past six months. A letter. Updated terms. A supplier questionnaire.
Most of those documents are probably sitting in a folder somewhere, waiting.
Meanwhile, your prime is already making decisions about who stays in their supply chain and who doesn’t. The CMMC Level 2 requirements in those documents aren’t a heads-up. They’re a filter. And the language tells you exactly where the bar is.
The DoD cybersecurity requirements rollout gives the impression of runway. Phase 1 started November 2025. Phase 2 starts November 2026. That schedule makes it feel like there’s time.
Your prime doesn’t agree.
Lockheed Martin is requiring suppliers to document their CMMC status in SPRS now. Boeing is telling subcontractors to start Level 2 preparation immediately. The compliance language showing up in subcontractor agreements goes beyond what DoD technically requires.
The government’s timeline is the floor. Your prime’s timeline is the ceiling. And the ceiling is lower than what many subcontractors expect.
Many subcontractors read their prime’s CMMC language and make reasonable assumptions. Reasonable assumptions are where most timelines fall apart.
Misreading 1: Assuming Level 1 is enough.
Level 1 is simpler. It covers basic safeguarding of Federal Contract Information. That’s why many subcontractors default to it. But if your prime’s language specifies Level 2, that’s the requirement. CMMC Level 2 requirements kick in when your work touches CUI. The data determines your level, not your preference.
Misreading 2: Thinking compliance is needed before performance, not before award.
This one catches people off guard. Many contractors assume compliance needs to be in place before the work starts. The requirement actually works the other way. Your CMMC status has to be current in SPRS before the contract is awarded. If it’s not there when your prime submits, your bid may not even be eligible.
Misreading 3: Planning to deal with it at renewal.
Your prime’s contract language doesn’t just apply to new awards. It often covers option periods and renewals too. If you have an option year approaching, CMMC Level 2 requirements could apply sooner than you think. Waiting for the next new contract to start preparing is a timing miscalculation that puts existing work at risk.
If you run a manufacturing operation, you already manage systems more complex than CMMC. Quality standards. Safety protocols. Customer specifications. Traceability requirements that would make most IT consultants’ heads spin.
Meeting CMMC Level 2 requirements is the same discipline applied to information security. Scope it like a quality system. Document it like a safety protocol. Train your people the way you train them on customer specs.
The organizations that treat it this way tend to scope it more accurately and sustain it more naturally. The ones that treat it as a separate IT project tend to over-scope, overspend, and lose momentum before the assessment even happens.
You’re not starting from zero. You’re extending what you already do well into a new domain.
Three things separate the organizations that get this right:
• Read your prime’s actual contract language. Not a summary. Not an industry article about what primes are doing. The specific terms that apply to your specific contracts.
• Compare those requirements against your SPRS status today. The gap between what’s required and what you’ve documented is your scope of work. Nothing more, nothing less.
• Build the capability inside your building. Outsourcing compliance as a checkbox gets you through one assessment. Building internal understanding gets you through every assessment after that.
The roadmap for meeting your CMMC Level 2 requirements is already in your building. It’s in the documents your prime sent you.
• Pull out the most recent letter, updated terms, or supplier questionnaire
• Read the CMMC language
• Identify which level is required and when
• Compare it against where your organization stands today
That’s the starting point. Not a report. Not a webinar. The documents you already have.
If you’d like help reading that language or understanding where your gaps are, Prescott works with mid-sized manufacturers across Michigan to navigate exactly this. Reach out for a conversation.