Last week, L3Harris Technologies sent an updated letter to its supplier base with a clear message: get CMMC certified by July 30, 2026, or risk losing your place on DoD programs.
Three months is not enough time to start.
For contractors who haven’t begun the certification process, the timeline is already somewhere between tight and impossible.
What the Letter Says
L3Harris is requiring suppliers to prove CMMC compliance at the appropriate level. For most in their supply chain, that means a validated Level 2 certification, not a self-attestation.
The requirement doesn’t stop at your organization. L3Harris expects suppliers to ensure their subtier suppliers, at all levels, meet applicable CMMC requirements as well.
This isn’t theoretical. These requirements originate with the U.S. Department of Defense and are now being enforced through contracts. The CMMC Final Rule is in place, and prime contractors are acting on it.
Why This Matters Beyond L3Harris
L3Harris is one of the largest defense primes in the country. When a company of that scale sets a firm deadline tied to contract eligibility, it signals where the rest of the ecosystem is heading.
If you support any major prime, expect similar communication if you haven’t already received it.
One line from the notice stands out:
“suppliers who do not qualify for certification at the required level will be precluded from the program.”
That’s not guidance. That’s a condition of award.
The Timeline Problem
A typical path from gap assessment through remediation to a C3PAO assessment takes six to twelve months, depending on the complexity of your environment and the maturity of your controls.
If you’re starting now, a July 2026 deadline is already compressed.
If you haven’t defined your CUI boundary or properly categorized your assets (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), you’re behind.
Even organizations that have started often uncover issues late in the process, usually when they realize controlling CUI flow (AC.L2-3.1.3) doesn’t mean they’ve enforced the boundaries that contain it (SC.L2-3.13.1), and that passing one control doesn’t cover the other.
For most in their supply chain, that ultimately means a validated Level 2 certification, and sufficient evidence to demonstrate that controls are implemented, effective, and operating as intended over time.
What You Should Do Now
If you haven’t started
Begin with scoping. Define where CUI exists and categorize your assets using the CMMC Level 2 Scoping Guide. Everything depends on this step.
If you’re mid-preparation
Validate your timeline against C3PAO availability. Assessment scheduling is limited, and demand is increasing.
If you think CMMC doesn’t apply to you
Revisit your contracts. If you process, store, or transmit FCI or CUI on any DoD-related effort, requirements may already apply.
L3Harris notes that no action is required if you don’t handle FCI or CUI. That determination should be confirmed, not assumed.
The Bigger Picture
CMMC becomes real for most of the Defense Industrial Base through prime contractor flowdown.
The Final Rule established the program. DFARS will enforce it in contracts. Primes are operationalizing it across their supply chains.
The worst time to discover a scoping error or control gap is when a prime is asking for your certificate.
If you’re not confident in your current position, validate it now, before you’re working against someone else’s deadline. Talk to an expert at simplafi.us
Test your readiness with our free assessment tool app.simplafi.us