How Defense Primes Are Evaluating Their Supply Chain for CMMC

Raytheon, Lockheed, and General Dynamics are already sending CMMC readiness questionnaires. Here is what they are asking and what your answers should be.

If you are a Tier 2 or Tier 3 supplier to a defense prime, you have likely received (or will soon receive) a supply chain security questionnaire. These questionnaires are the primes' way of assessing which suppliers will be CMMC-ready and which need to be replaced. Understanding what they are asking gives you a significant advantage.

What the Questionnaires Ask

The questionnaires vary by prime, but they converge on five categories:

1. Current SPRS Score: They want your self-assessed SPRS score from the SPRS portal (sprs.csd.disa.mil). If you have not submitted one, that is a red flag. If your score is below 70, they will ask for your Plan of Action and Milestones (POA&M).

2. C3PAO Assessment Timeline: When is your Level 2 assessment scheduled? If the answer is "we have not scheduled one," you are signaling unreadiness. Even booking a tentative date with a C3PAO shows intent.

3. CUI Handling Procedures: How do you identify, mark, store, transmit, and destroy Controlled Unclassified Information? If you cannot describe your CUI data flow, you likely have CUI handling gaps.

4. Incident Response Capability: Can you detect, report, and respond to a cybersecurity incident within 72 hours? DFARS clause 252.204-7012 requires cyber incidents to be reported to the DoD within 72 hours. If you do not have an incident response plan, you cannot meet this requirement.

5. Subcontractor Flow-Down: If you subcontract any work involving CUI, are your subcontractors also CMMC-compliant? Supply chain risk flows downward. Primes are liable for their entire chain.

What Good Answers Look Like

The suppliers who score well on these questionnaires share common traits: they have a documented System Security Plan (SSP), a current SPRS score above 80, a POA&M for remaining gaps, an incident response plan that has been tested, and a timeline for C3PAO assessment.

You do not need to be perfect. You need to demonstrate progress and intent. A supplier at SPRS 75 with a clear remediation plan and a booked assessment date is preferable to a supplier at SPRS 90 with no documentation.

The Timeline Pressure

Primes are building their certified supplier lists now, not in November 2026. The contracts being awarded in Q3 and Q4 of 2026 will include CMMC requirements. If you are not on the approved list by mid-2026, you will miss the award cycle entirely.

Start your gap assessment today at compliance.aegisos.ai.