Lockheed Martin just sent a clear message to defense contractors still in “wait and see” mode: your cybersecurity compliance status will now determine your place in their supply chain.

With CMMC expected to enter DoD contracts in mid-to-late 2025 once the 48 CFR rule is finalized, prime contractors aren’t waiting for the official rollout to make compliance a business requirement.

The Ultimatum

In their June 30, 2025 supplier announcement, Lockheed Martin made their position crystal clear:

“Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls).”

This isn’t a friendly check-in. When the world’s largest defense contractor starts “reaching out” to suppliers with compliance gaps, it’s a final warning before exclusion. Lockheed Martin’s supply chain includes thousands of contractors across all 50 states—and now they’re systematically identifying which ones don’t meet their cybersecurity standards.

The Reality Check

Lockheed Martin’s announcement includes a telling expectation: 

“By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”

The problem? Most contractors aren’t there yet. While many have submitted self-assessments claiming compliance, the reality is that full implementation of all 110 NIST 800-171 controls remains a challenge for the majority of defense contractors.

Lockheed Martin knows this. That’s why they’re requiring all suppliers to complete the Cybersecurity Compliance and Risk Assessment (CCRA): they’re moving beyond self-reported scores to verify actual compliance.

Competitive Advantage

This creates an immediate opportunity for contractors who can demonstrate real compliance. As we heard from CISOs at major primes like Leidos and BAE Systems during PreVeil’s 2024 CMMC Summit, early compliance is becoming a key differentiator in contract awards.

JR Williams, CISO at Leidos, put it bluntly: 

“We may have a really great supplier with a perfect solution, but if they’re not certified and won’t be for another 12-15 months, we just can’t use them.”

The contractors who meet all CMMC Level 2 controls and are assessment-ready, or who have passed an assessment, will have a significant competitive advantage as primes prioritize working with suppliers who won’t create compliance risk.

Action Plan

If you’re a DoD supplier (or want to be), here’s what you need to do immediately based on Lockheed’s announcement:

  1. Complete your CCRA assessment in the Exostar Supplier Management portal
  2. Verify full NIST 800-171 Rev 2 implementation—not just documentation, but actual controls as required by current DFARS clauses
  3. Submit your DoD NIST Assessment Methodology Score into the DoD Supplier Performance Risk System (SPRS)

The window for “wait and see” just closed. Lockheed Martin’s announcement makes it clear that compliance isn’t a future requirement—it’s a current business imperative.


Don’t wait for the call from your Prime. Get clarity on your compliance status now.

PreVeil’s proven solution has helped 25 customers achieve CMMC compliance while delivering 75% cost savings vs GCC High through our unrivaled security & assessment-ready documentation.