Since the 48 CFR CMMC final rule was published in September 2025, we’ve seen supplier notices from Lockheed, RTX, BAE, HII, and many others. Most recently, Northrop Grumman published a supplier announcement titled “CMMC 2.0 is Final – Are You Ready?”.
The big takeaway: don’t expect CMMC waivers from your prime customers because they can’t grant them to you.
Key Takeaways:
- If your prime needs CMMC, you need CMMC. Subcontractors must match the prime’s CMMC level when handling CUI.
- Primes and contracting officers cannot waive CMMC requirements. Waivers only come from the DoD and are extremely rare.
- Waivers apply to entire contracts, not individual companies, and must be decided before the solicitation is released.
- Even if a waiver were granted, DFARS 7012 and other cybersecurity requirements still apply.
- Once CMMC appears in a solicitation, it is too late to seek exceptions. You must already be compliant.
- CMMC Phase 1 rollout has begun, and primes are sending notices because solicitations can now include immediate CMMC compliance requirements.
Resources:
- Pathfinder 101: https://www.summit7.us/pathfinder
- Pathfinder Demo: CMMC Pathfinder Tool 101
- DFARS 7012: What is DFARS 7012?
- 32 CFR Final rule: https://www.federalregister.gov/docum…
- 48 CFR Final rule: https://www.federalregister.gov/docum…
- January Memo (PDF): https://dodprocurementtoolbox.com/upl…
Outline
- (0:00 – 1:54): Intro
- (1:55 – 3:36): Prime CMMC = your CMMC
- (3:37 – 7:07): Primes can’t waive CMMC
- (7:08 – 14:45): Waivers are for entire contracts
- (14:46 – 17:12): Waivers occur pre-solicitation
- (17:13 – 20:00): Outro
Transcript
All right, folks — it’s December 2025. We’re somehow already at the end of the year, which is wild because it feels like just yesterday, back in January, we were all talking about memos, FedRAMP equivalency, and every other bit of chaos swirling around. But here we are, closing out the year, and the show goes on. Since the 48 CFR CMMC final rule dropped in September 2025, supplier notices have been everywhere — letters and webinars from Lockheed, RTX, BAE, HII, ABCD, EFG, you name it. Every prime is telling suppliers the same thing: CMMC is here, and it is officially a real problem. Most recently, Northrop Grumman published a supplier announcement titled “CMMC 2.0 Is Final. Are You Ready?” The bottom line: nobody is getting a waiver for CMMC. And this week, we’re talking about why.
It’s encouraging to finally see leadership from the people responsible for the contracts. The primes are stepping up and saying, “Hey, are you aware of this?” But I’m not convinced the companies they’re leading are prepared for what’s coming. Anecdotally, most of the DIB still isn’t ready, though inquiries have spiked thanks to these prime letters — more so than any rulemaking milestone. That’s how it always goes: the final rule lands and nothing happens; Lockheed sends a letter and everyone scrambles. So let’s get into the letter. As they say, when big alphabet gets involved, everyone pays attention. First things first: Prime CMMC equals your CMMC. If your prime needs CMMC, you need CMMC. Directly from the 32 CFR program rule — 32 CFR 170, which went into effect in December 2024 — section 170.23(a)(3) states that if a subcontractor processes, stores, or transmits CUI on a subcontract tied to a prime contract requiring CMMC Level 2 C3PAO, then the subcontractor must also meet that same Level 2 C3PAO requirement. So the easiest way to know whether you’ll need a third-party Level 2 assessment is to look at your prime. If your customer is Lockheed, BAE, HII, Northrop, ABCD, EFG — the answer is yes. They’re all going to require it because they all handle CUI that demands that level of assurance. That’s really the end of the story.
There’s no dodging this. Even if one rare contract looks like you might avoid a C3PAO assessment, every other contract you touch will almost certainly require it. Moving on: your prime cannot waive your CMMC requirement. If they require it, you require it. If you require it, they cannot waive it. Northrop’s letter quotes directly from the rule: neither contracting officers nor prime contractors may waive or deviate from CMMC cybersecurity control or assessment requirements. In very limited circumstances, a DoD service acquisition executive may waive the inclusion of CMMC requirements for an entire contract — but even then, contractors are still obligated to comply with FAR 52.204-21 and DFARS 252.204-7012 and -7020. We just wrapped up our Back to Basics series walking through those clauses, and even if CMMC were waived, those requirements still stand. Don’t make the mistake of conflating the CMMC assessment program with the cybersecurity requirements already in your contract.
There’s really nothing mysterious here — primes are simply carrying out what the rules require. The DoD doesn’t directly police supply chains, so primes are making it clear they’re enforcing the letter of the law. And remember, there are two rules: the 32 CFR rule, which sets the program, and the 48 CFR rule, which implements it in contracts. Waivers occur before the contracting officer is even involved, which is why Northrop says they don’t control waivers. They’re not the ones granting exceptions; that happens way before it reaches them.
Waivers also apply to entire contracts — not to individual companies. People often misunderstand this. When asked how many organizations might receive waivers, the answer is: zero. Organizations don’t get waivers. Contracts get waivers. A January 2025 memo explained that program managers may request a waiver from the service acquisition executive, but all requests must go through the component CIO first, who reports to the DoD CIO — the same office running the CMMC program. They are not itching to waive anything. If a waiver clears that hurdle, it still must be approved at the service or component acquisition executive level. And approved waivers must expire; they can’t be permanent. Even then, solicitations must require alternate protection plans for securing FCI and CUI — which will be evaluated as part of source selection. It’s basically the POA&M conversation all over again: technically possible, practically unavailable. Waivers exist, but you’re not getting one.
Could a waiver ever happen after a solicitation? Maybe. If the requirement goes out and the DoD discovers that not enough qualified companies exist to compete, they may reissue the solicitation without the CMMC requirement. We haven’t seen that yet, but it may happen someday. But the DoD doesn’t need hundreds of bidders — they need a handful. So the chances of adjusting requirements for the sake of inclusion are slim. And risk appetite isn’t uniform; it varies widely across programs, services, and activities. The only reliable path is talking to your customer. Unless they’ve explicitly told you they have waivers, resources, and time lined up for you, you should assume none of that is coming.
Waivers are strictly a pre-solicitation process. Once CMMC is in a solicitation, it is too late. The DoD has already determined that enough companies exist to meet the requirement, and no waivers will be granted. Which means if you’re waiting to see CMMC in a solicitation before you begin preparing, you’ve already waited too long. And that’s not even addressing implementation timelines. Many companies who delay aren’t just putting off the C3PAO assessment — they’re putting off meeting DFARS 7012 requirements altogether. But those requirements apply regardless of any assessment. DOJ enforcement, dip sampling, incident reporting — those risks don’t disappear because CMMC isn’t in the contract yet.
Wrapping up: all of this is a condition of contract award. Contracting officers cannot award to non-compliant contractors, and primes cannot issue POs to non-compliant subs. Northrop ends their letter by “encouraging” suppliers to proactively prepare to comply — the understatement of the decade. When your parents say, “I strongly suggest you clean your room,” it doesn’t mean you have a choice.
So why are primes making these announcements now? Because on November 10, 2025, contracting officers gained the authority to include DFARS clauses with immediate compliance requirements. Phase 1 of the rollout is in effect. Primes work opportunities long before solicitations appear, so they know what’s coming — and they know they need suppliers who are ready. That’s why these letters are going out now, and why they’re urging everyone to prepare.
Immediate compliance requirements are here. The rollout is active. Solicitation activity is increasing. Supplier notices are everywhere. If you’ve been waiting, you’ve only burned time. So take Northrop’s advice and proactively prepare to comply. And take ours — like and subscribe — and we’ll see you next week.