L3Harris Won a Big Contract, Now You Need CMMC By July

L3Harris Missile Solutions recently sent a letter informing their suppliers that they will need to achieve CMMC Level 2 (C3PAO) Status by July, 30th 2026. Two weeks later, L3Harris announced that they had been awarded a new contract for the Army Tactical Missile System. Coincidence? We think not. Not only do subcontractors need to provide their Level 2 certification, they also need to provide their Level 2 assessment report. This week we talk about whether this is an anomaly or a sign of things to come.

---

Transcript

Jason:
All right, folks. Great news for L3 Harris Missile Solutions suppliers.

On April 20th, L3 Harris announced they received a contract valued at more than $65 million to produce solid rocket motors for the Army Tactical Missile System.

L3 Harris and their suppliers will fabricate, test, and deliver M124 rocket motors, igniters, exit cones, and associated components and services, with deliveries scheduled from 2027 through 2028—so not very long from now.

That’s why L3 Harris Missile Solutions released a letter to their suppliers on April 6th letting everyone know that if they want a piece of that $65 million, you need CMMC Level 2 certification by July 30th, 2026.

That’s what we’re going to talk about today.

---

Reactions / Context

Jacob:
Jason, this one caused quite a stir on LinkedIn.

Jason:
Biggest post of the year for me so far—350 likes, 100 comments, 50 reposts, 70,000 impressions. Pretty good for LinkedIn these days.

And so much for November, am I right?

Jacob:
Right. We spent a whole episode explaining why November wasn’t a hard deadline.

Then L3 Harris basically said, “hold my beer”—here’s another supplier requirement letter.

Also, $65 million… Jacob, we’re in the wrong business.

Jason:
Yeah, missile business is good business right now.

---

The Bottom Line (Deadlines & Primes)

Jacob:
Bottom line—we’ve been saying this for years.

First, the CMMC phase rollout does not have a single universal deadline. Not everyone needs Level 2 by November 2026.

Some already had deadlines in July. Some in November. It depends on your contract and your customer.

Second, primes can absolutely set earlier deadlines than the DoD baseline.

In this case, L3 Harris is setting July 2026—about three months’ notice.

Jason:
And that’s because if you’ve been telling your prime you’re DFARS 7012 and NIST 800-171 compliant, then three to four months is enough time to get certified—assuming you’re actually implemented.

If you aren’t, you’re in trouble.

---

Letter Breakdown Intro

Jacob:
Let’s break the supplier letter into five parts.

Jason:
Our audience is going to say we’re losing our touch because it’s not seven parts this time.

Jacob:
You can’t be perfect every week.

---

Part 1 — Context of the Letter

Jason:
From L3 Harris Missile Solutions, April 6th. Subject: Cybersecurity Maturity Model Certification—Action Needed.

They say they’ve been monitoring CMMC development and want suppliers to be aware and preparing.

Jacob:
We’ve seen lots of these letters from primes over the years—Lockheed, others.

This isn’t unusual. These companies communicate constantly with their supply chains.

Also, Missile Solutions likely refers to a specific business unit inside L3 Harris, which has been shaped by acquisitions like Aerojet Rocketdyne.

---

Part 2 — Rulemaking Boilerplate

Jason:
The letter references the final rule (48 CFR) published in September 2025, effective November 2025, marking Phase 1.

Level 2 is the minimum for CUI. Certification is required to win contracts.

Jacob:
All accurate.

And just to clarify—CMMC isn’t “optional readiness.” It’s a contract requirement once it shows up in solicitations.

---

Part 3 — Who Must Be Certified

Jason:
All suppliers handling CUI must be certified if required by the prime.

Certification may be required even before award, and non-certified suppliers may be excluded.

COTS suppliers may be exempt.

Jacob:
Key point: primes can’t waive CMMC requirements downstream.

Once CUI flows to you, the requirement flows with it.

And yes—the DoD, not primes, defines the requirement. But primes enforce it.

---

Part 4 — Certification + Assessment Report Requirement

Jason:
Suppliers must provide:

• CMMC Level 2 certificate
• AND the full assessment report

Jacob:
This is the first time we’ve really seen “assessment report” explicitly requested like this.

The certificate is standard—but the report is new.

That report is basically the detailed breakdown of control implementation and assessor findings.

Not hard to produce—but more detailed than what most suppliers are used to sharing.

Jason:
This is the “show your work” version of CMMC.

Not just “we passed”—but “here’s exactly how we passed.”

---

Part 5 — Deadline Pressure & Business Continuity

Jason:
L3 Harris says suppliers must be certified by July 30th, 2026, and submit documentation early to avoid disruption to their business.

Jacob:
What stands out is the language—“our business operations” versus “your compliance.”

It’s clear: if you want into their supply chain, you follow their timeline.

And with a $65M missile contract, they’re not taking chances.

Jason:
And remember—deliveries don’t even start until 2027–2028. So they’re building supply chain readiness well in advance.

---

Closing

Jacob:
This isn’t really about November 2026 or federal rollout timing.

It’s about specific primes setting specific requirements for their suppliers.

Jason:
If you’re already implemented, you’re in a great position.

If you’re not, you’ve got a very tight timeline to go from zero to certified.

Jacob:
And if that’s you… give us a call. We know people.

This summer might end up being known as the summer of supply chain CMMC.

Jason:
Or “hot missile summer.”

Jacob:
Yeah… I think that might stick.