Boeing has issued a new memo outlining expectations for the Department of War’s Cybersecurity Maturity Model Certification (CMMC) rollout. Beginning November 10, 2025, all new contracts — apart from commercial off-the-shelf (COTS) items — will require CMMC.

Because NIST SP 800-171 requirements flow down through the supply chain, this shift directly impacts a large number of companies with active Boeing contracts.

For most suppliers, this will mean meeting CMMC Level 2. The Department of War projects that nearly 94% of Level 2 companies will require a third-party CMMC audit. Boeing stresses that suppliers at this level must be prepared for assessment — a process that requires full compliance with CMMC practices and can be both complex and time-intensive.

CMMC Level 2 Certification Requirements

Suppliers required to obtain CMMC Level 2 certification must undergo an assessment performed by a certified Third-Party Assessment Organization (C3PAO). Boeing strongly encourages suppliers to begin preparations immediately, as certification efforts can take months and demand for C3PAOs is expected to rise significantly.