L3Harris Just Sent Its Suppliers a Deadline. Yours Will Too.

A letter is circulating in the defense supply chain right now that should be on the desk of every subcontractor doing business with a major prime. L3Harris Technologies, one of the largest defense contractors in the country, sent formal written notice to all suppliers on DoD programs demanding CMMC certification documentation by July 30, 2026. The letter was signed by the Vice President of Supply Chain for Missile Solutions and leaves no ambiguity about the consequences: suppliers who do not qualify for certification at the required level will be precluded from the program.

This is not a government mandate. It is a prime contractor enforcing the rules before the government must.

And it will not be the last letter like this that lands in a subcontractor’s inbox this year.

What the Letter Actually Says

The L3Harris notice, dated April 2026, does four things worth paying attention to.

First, it establishes that CMMC applies to all suppliers and subtier suppliers at all levels of DoD programs who process, store, or transmit Federal Contract Information or Controlled Unclassified Information. It does not leave room for the common assumption that CMMC is only a prime contractor problem.

Second, it distinguishes between what each level of supplier must produce. Suppliers handling FCI must show evidence of a completed CMMC Level 1 self-assessment and required affirmation. Suppliers handling CUI must provide a valid CMMC Level 2 certificate and confirmation of current certification status in SPRS.

Third, it sets a hard internal deadline: become certified no later than July 30, 2026. That is more than three months before the government’s own Phase 2 deadline of November 10, 2026. L3Harris is not waiting for the DoD to enforce this. They are enforcing it themselves, because their own customer contracts now require it.

Fourth, it places the obligation on suppliers to verify that their own subtier suppliers are compliant. The letter explicitly states that L3Harris expects suppliers to ensure their subtier suppliers at all levels are also in compliance. The flow-down obligation runs all the way through the supply chain.

Why Primes Are Moving Before the Government Does

This is not surprising to anyone who understands how DFARS 252.204-7021 works. The clause requires prime contractors to flow CMMC requirements down to subcontractors who process, store, or transmit FCI or CUI in the performance of the contract. When a prime signs a contract with that clause, they accept responsibility for ensuring their supply chain is compliant. A non-compliant subcontractor is not just that subcontractor’s problem; it is the prime’s problem with the DoD.

Under 32 CFR § 170.23, the flow-down requirement is formal and specific. If a subcontract will require processing, storing, or transmitting FCI or CUI, the CMMC requirement attaches. There is no exemption based on subcontract value, company size, or tier level. A third-tier machine shop cutting parts to a USML-adjacent specification has the same obligation as a first-tier systems integrator, if they are touching controlled information.

What L3Harris is doing is simply getting ahead of that exposure. They cannot afford to have a subcontractor’s non-compliance discovered by a contracting officer during proposal evaluation or, worse, during contract performance. So they are building their own documentation requirements and their own internal deadline that give them time to take corrective action, including finding a new supplier, before it becomes their problem with the government.

Every major prime in the defense industrial base is either doing this already or about to do it. The contractors who receive these letters and treat them as routine correspondence are the ones who will find themselves off the supplier list without having seen it coming.

July 30 Is Not as Far Away as It Sounds

There are roughly 90 days between today and L3Harris’s July 30 deadline. That number matters because of what achieving CMMC Level 2 certification actually requires in time and sequencing.

A contractor starting from scratch today needs to scope their CUI environment, conduct a gap assessment against all 110 NIST SP 800-171 controls, remediate gaps, build or update their System Security Plan, submit their SPRS score, engage a C3PAO, complete a pre-assessment readiness review, schedule the formal assessment, and wait for the C3PAO to have availability.

C3PAO wait times as of early 2026 are already running three to six months for new clients and climbing. Most practitioners estimate that the total timeline from gap assessment initiation to final certification runs 12 to 18 months for organizations starting from a moderate baseline. An organization beginning that process today is not going to be certified by July 30. That window has already closed.

What organizations can realistically do before July 30 is show credible, documented progress. Gap assessment complete. Remediation plan in place. C3PAO engaged and assessment scheduled. SPRS score submitted and defensible. In some cases, primes will accept a contractor that is actively in process over one that has done nothing. But that calculation belongs to L3Harris’s supply chain team, not to the subcontractor. The safer position, the only truly safe position, is certification in hand.

The False Claims Act Dimension

The L3Harris letter adds a legal dimension that goes beyond losing a supplier relationship. When a subcontractor certifies compliance to a prime, and that prime incorporates that representation into their own government submission, an inaccurate compliance claim becomes a potential False Claims Act exposure for the entire chain.

The Department of Justice’s Civil Cyber-Fraud Initiative has made this sequence its primary enforcement model. The DOJ recovered $52 million across nine cybersecurity-related False Claims Act settlements in fiscal year 2025. The cases that have resulted in the largest recoveries have not required evidence of a breach or a cyberattack. They have required evidence of a gap between what was represented and what was actually implemented.

Under 31 U.S.C. § 3729, the False Claims Act imposes liability on any person who knowingly presents a false claim to the government. A subcontractor who certifies CMMC compliance to a prime, knowing that their self-assessment is inflated, their POA&M is aspirational, or their controls are not actually implemented, is creating a False Claims Act exposure for themselves and potentially for the prime that relied on their representation.

The SPRS system makes this traceable. Every self-assessment submission carries a timestamp, a score, and the identity of the senior official who made the affirmation. When a C3PAO assessment later produces a materially different result, both records exist and both are visible to the government. That comparison is exactly what the DOJ’s initiative is designed to pursue.

What Subcontractors in the L3Harris Supply Chain Should Do Right Now

First, determine whether CMMC applies to your work. If your contract involves no FCI or CUI (you are producing a purely commercial item with no controlled information in the scope of work), CMMC may not apply. The letter itself says so. But do not assume the answer without reviewing your contract, your Statement of Work, and what data you receive or generate in performance.

Second, if CMMC applies, submit your current SPRS score. Your score, however low it is, must be in SPRS with a current affirmation. A missing or outdated SPRS entry is itself a compliance gap that a contracting officer or prime can act on immediately.

Third, engage a C3PAO now, not after remediation is complete. The queue is the constraint. Many C3PAOs will work with organizations earlier in the readiness process and help structure remediation to align with assessment requirements. Waiting until controls are fully implemented to make contact means waiting even longer for an assessment slot.

Fourth, document everything you are doing. Evidence of active, good-faith compliance effort matters in two ways: it improves first-pass assessment outcomes, and it is a meaningful mitigating factor if a compliance gap ever becomes a DOJ inquiry. The CMMC Assessment Guide for Level 2 outlines exactly what evidence a C3PAO will look for against each control. Build your documentation to that standard.

Fifth, verify your own subtier suppliers. L3Harris is requiring this of its suppliers. Your prime may soon require it of you. Know which of your own subcontractors handle FCI or CUI and where they stand on compliance before someone else asks you.

The Broader Signal

The L3Harris letter is significant not because of what it says about L3Harris specifically, but because of what it represents across the industry. Primes are translating the government’s compliance framework into their own supply chain management requirements, with deadlines, documentation standards, and enforcement consequences that operate independently of the DoD’s formal rollout schedule.

The contractors who read the L3Harris letter as a wake-up call and move immediately are the ones who will still have programs to work on when the second round of these letters arrives, because there will be a second round, from more primes, with less lead time than this one.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.

Download the CMMC Level 2 Audit Checklist to understand what assessors look for, what evidence is required, and where organizations most commonly fall short.

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.