A

All right, folks, great news for L3Harris Missile Solutions suppliers. On April 20, L3Harris announced that they have received a contract valued at more than $65 million to produce solid rocket motors for the army tactical missile system. L3Harris and their suppliers will fabricate, test and deliver M124 rocket motors, igniters, exit cones and associated components and services, with deliveries to schedule scheduled to run from 2027 through 2028, not very long from now. That's why L3Harris Missile Solutions released a letter to their suppliers on April 6th letting everyone know that if they want a piece of that $65 million, need CMC Level 2 certification, you need it by July 30, 2026. That's what we're going to talk about today. Jason, this one caused quite a stir on LinkedIn. Biggest post of the year for me so far. 350 likes, 100 comments, 50 reposts, 70,000 impressions. Pretty good for LinkedIn these days. So much for November and I.

B

Right, right. I mean, we spent a whole episode trying to explain to people, you know, why November wasn't the date that they had to adhere to. Right. Why this wasn't the hard deadline then. L3Harris, in a trend that has become basically common nowadays, is like, you know what, that last prime letter that went out, hold my beer, here's another one. I, I also want to say 65 million, Jacob. We got in the wrong business, buddy. Yeah, yeah.

A

The missile business is good business if you can get it these days, if you've been watching the news and current events. But either way, it's the point about November. Right. Bottom line comes down to this. We've been saying the same things for several years now. First, the phase rollout doesn't contain any deadlines. Everyone who needs a level 2 CMMC status doesn't need it by November of 2026. Some people have already had their deadlines come and go, but a lot of people found out they got a deadline in July. Some people have a deadline. November. All depends on your customer, all depends on the contract, all depends on your individual situation. November is definitely not a bright line if you're an L3Harris Missile Solutions supplier. Second, if your situation is downstream from a mega prime contractor, they can give you whatever deadline they want to ahead of their own deadline. In this case July, which is about three months from this conversation. And they can ask you for basically whatever they want to. In this case, your assessment report, in addition to your Level 2 certification certificate that you would get from a C3 PAO. But we'll talk about that when we get into the letter.

B

Yeah, I think this is the first time that we've asked for, they've asked for something that in depth. And I think the two points that we've kind of been making is that like, there's no way to tell exactly what your deadline is going to be. And the Department of War is not the people that are technically going to dictate your deadline. It's going to be the primes that are going to push this more than anything.

A

Yeah. Because if you've been telling your prime that you've been compliant with DFARS 7012, and you've implemented 800, 171, then three or four months of a heads up to go get a certification is plenty of time. Because all you need to do is just call up a C3PO and get your assessment. If you haven't started your implementation until you see one of these letters, then you're in pretty hot, deep, dark, whatever, you know, whatever, whatever metaphor of water you want to use. Anyways, let's talk about this supplier letter. We can break it down into basically five parts.

B

Our audience is going to say we're losing our touch because you didn't break it down into seven parts. Yeah, you can't be perfect every week.

A

We could do seven, but we'll just do five for now.

B

All right.

A

Anyways, part one, the top of the letter here. Right. So from L3Harris Missile Solutions on April 6th, subject cyber security Maturity Model certification. Action needed. Dear supplier team members, Missile Solutions has been closely monitoring the DoD's development of the new cybersecurity Maturity Model certification process. The purpose of this letter is to ensure all suppliers on DoD programs are aware of and preparing for CMMC. We've seen lots of letters to lots of suppliers from lots of prime contractors both before and after CMMC rulemaking. I really hope that this wasn't the first one from L3Harris. You Yolky was putting out a letter like every other month for a year before the rules were even done. But I don't know. I don't know if L3Harris sends out. Like I said, this was not a letter that was necessarily posted on their supplier portal right away. These companies send out different letters to different divisions and different supply chains all the time. I really hope this wasn't the first time.

B

I really hope that this was just a case of they saw that everybody else was sending out the warning shots and they were like, hey, you know, we have Those out there, too. But we've been communicating behind closed doors. The other thing that kind of stood out to me specifically about this one, Jacob, is that it's Missile Solutions. So it looks like that it's attached to a specific program. And I think that there's more details to add to that.

A

Yeah, I mean, these big primes are basically like what used to be individual prime contractors all stitched together with the same logo on the wall. Right. So, you know, like Northrop Grumman acquired trw. TRW was its own prime contractor for decades and decades. It's got Northrop Grumman on the building now. So they're all the same prime, but very different cultures, vibes, programs, ways of doing things. So, you know, Missile Solutions is. Might. Might have been a completely different prime contractor prior to being L3Harris. You know, L3Harris acquired Aerojet Rocketdyne not too long ago. And so Missile Solutions might just be the name that they put on the outside of the building. So it all. It all just depends. But anyways, part two of the letter here, CMMC 48 CFR is the final rulemaking CMMC enforceable, making CMMC enforceable. The final rulemaking. The final rule making CMMC enforceable in DoD contracts. I got it. I got it, I got it. Published in the Federal Register on September 10th of 2025 with an effective date of November 10th of 2025 almost six months ago. this point, this marks the official start of phase one of the CMMC rollout, meaning readiness is mandatory for all new DoD solicitations and contracts, which now include some level of CMMC requirement. There are three levels of certification from one to three, with level two being the minimum for processing controlled unclassified information. CMMC compliance is required in order to be awarded a contract. If you haven't started your CMMC certification process, the contacting a C3PAO should be a priority. Jason, this all checks out. No lies detected. Nice summary of what has happened since 48 CFR CMMC went into effect. I have no notes here.

B

Yeah, the only notes I have that if I could rename this section of the letter, it would be in case you're in our supply chain, have been living under a rock for the past seven years.

A

Yeah, good, good header for that section of the letter.

B

But. But I don't know if you can fit it all. You might have to condense it shorthand, I don't know. But, yeah, that's basically it. It's just. This is what it is. This is what's going to come. And this is the reason why this letter is coming out right here.

A

Absolutely. So like they said, they're ruling into effect in November of 2025. This letter came out in April of 2026. So quite a ways afterwards. But anyways, let's move further down here into the juicy stuff. So part three all suppliers on DoD programs who receive CUI at all tiers must be certified by the DoD prime contract, including small businesses and foreign suppliers. Certification may be needed to submit a proposal and prior to the contract award. Suppliers who do not qualify for certification at Level 2 will be precluded from the program. This requirement does not apply to suppliers who solely produce commercial off the shelf items as defined in FAR 2.101. Okay, these are also true. First, if the prime requires CMMC Level 2 certification and you handle the same CUI that they do, as in they flow that same CUI down to you, then you require CMMC Level 2 certification that is baked into the black and white of the 32 CFR CMMC program. Second, and we've talked about in the past, actually I think our most watched episode last year was our episode outlining the fact that prime contractors do not have the power to waive CMMC requirements for their suppliers. Waivers occur pre solicitation at the DoD level. So once that requirement is in the solicitation, there is no waiver process. Once the prime has it, they can't waive it for you downstream. The only way to get out of this obligation is if they don't, they don't send you the data at all. And if your business is built on necessarily needing to handle this data, then you're going to have the requirements and the requirement to certify that you have implemented them come come your way as the information flows down to you.

B

So this is three points here. You know, we often talk about like a lot of times people lay blame on the CMMC program for things that are not within the purview of the CMMC program. Feel like that this part of the letter is basically providing clarity as to why this is happening and to make sure that people aren't laying blame for the prime contractors for things that really are out of their control. We get the cui. In order to perform this contract, we have to flow this data down to you. This clause says that we have to do it. We have no power to waive this. If we do that, that already happened. We see it. This is not going to get waived. The program office has decided that this needs to have protections in it. And then the third thing is the pre proposal. That's not something that primes are putting in there anyway before you see it. This is things that we're seeing that are coming out in the the RFIs and things like that way before again decided way before the prime contractor. But the prime is going to get the, the blunt of the blame for all of this for people that aren't in the know.

A

Yeah, absolutely. And I mean it is not policy, it is not part of the CMC program rule that you need CMMC certification before contract award. It is clearly outlined condition of contract award. But things vary. The DoD is not a monolith. The primes are not a monolith. And so occasionally we've seen this pop up where they say you actually need to prove that you've implemented the requirements before we send you the data before award because you need to handle the data in order to produce the proposal. Makes total sense. That was a wrinkle and a gap in the CMMMC regulation. The DoD was basically willing to kind of look the other way on. Apparently L3Harris or their upstream government customer are not willing to look the other way in terms of giving people the data that they would otherwise have to protect after they win the award. So your mileage may vary. Let's just zoom out for a second. We're talking about putting parts on missiles, everybody. So it's probably pretty important that you should do the requirements regardless. And so it's not unreasonable that they're going to ask for that, even though that technically isn't.

B

And with the DoD DoW holding discretion based upon risk associated with the program, when you start talking about things like missiles and etc, more than likely a lot more risk is going to be, you know. Yeah, exercise and considered.

A

Yeah, absolutely. So, okay, moving on to part four here. To maintain compliance with the integrity of our supply chain, L3Harris requires all suppliers to provide documentation verifying their CMMC level 2 certification, including a copy of your CMMC level 2 assessment report and a copy of your CMMC level two certificate issued by a C3PAO. This is a spicy meatball because providing your CMC level two certificate that you got from your C3PAO proving that you have implemented the requirements in NIST SP 800171 has been standard fare. That's sort of been the expectation. You want to know if we have implemented these requirements and you're allowed to send us the data. I got a certificate here signed by a C3PAO that says I have implemented those requirements, L3Harris says, We want the assessment report in addition to the certificate. This is the first time that I've heard of an assessment report requirement, let alone being put out in a supplier letter. So just to switch gears really quickly, for those of you who haven't read it or haven't read it in a while, the CMMC assessment process. The CAP is the document that outlines the phases of a CMMC assessment. Not to be confused with the phased rollout of CMC requirements showing up in contracts. The actual assessment that you undergo itself, that CAP document, which we'll link below, it's on the DOD CIO website. It mentions something known as a final assessment report and an assessment results briefing interchangeably. Right. So not the most precise language used at the end of the CAP document. However, we reached out to a bunch of C3 PAOs after this letter came out and from the C3POs that we've spoken to, when they hear assessment report, like in this letter, they think about the outbrief document that's used in the third phase of the assessment. It outlines the control by control implementations, what was missed, if anything, all that sorts of stuff. It's outlined in the third phase of the CMMC assessment process documents. So read that if you're interested. Not something that I've heard anybody ask for before, but it's also not that hard to produce from the C3PAO and everybody gets a copy of it.

B

So I guess I'll be honest with you, when I read this and when I found out that this is what we were doing the episode on this week, I figured pretty much would have bet everything that I have in the bank that this is where we were going to spend the most time discussing. Because this is the one time in which we look at all the other letters that have come from suppliers and like, hey, CMMC's coming. Check. You know, normal par for the course. Hey, you need to be prepared. Check. Par for the course. Hey, these are the deadlines, but they're loose deadlines. Check. Par for the course. Hey, we can't waive things. We can't do this. Hey, check. Par for the course. And then the two places where the wrinkles come in is the deadline for it to get done. And what you have to provide at the deadline, which is the, basically the detailed summary of how your assessment went down. Not just the UID and the certificate that says, hey, we're good to go. As C3PO says, we, we passed taking the risk and the evaluation of the risk and the supply chain even deeper. L3Harris is saying, we want to see you do like the math teacher. We don't want to see the answer. We want to see you show your work. Right. Like. And that's exactly what it is.

A

Now you.

B

If you're in L3Harris's supply chain, you must show the work or you're not getting credit.

A

Yeah. And we reached out to L3Harris to see if they could let us know why they wanted to see the Assessment Report. They didn't get back to us. So if you're watch 3Harris, leave a comment below and let us know why you asked for the assessment report. But back to our first point at the top. Like we've been saying all along, if you work for a Prime, that prime can ask you for whatever they want. Even if CMMC doesn't necessarily say that the Assessment Report is like some big deliverable at the end that's going to be shipped around and advertised to people like your certificate of Level 2 status might be. L3Harris says, we want your report, they can ask for your report. And that's between you and L3Harris to negotiate. And this is a perfect example of the Prime's immense level of discretion about timelines, deliverables, what they want above and beyond what is outlined in the CMMC program. Okay, part five, wrapping up here. These documents, the certificate and the assessment report. These documents are essential for us to verify that our suppliers adhere to the necessary cybersecurity standards mandated by our contract awards. As we are starting to see contracts from our customers with these requirements, we are requesting that our suppliers become certified no later than July 30, 2026. We request that you submit the required documentation at your earliest convenience to ensure there are no disruptions to our business operations. I'll tell you what. This is what I post on LinkedIn. When I saw this is the first thing that jumped out to me besides the date, more so than the Security Assessment Report. It is very hard to miss how many times they use the word our versus you. And that line really cuts to the point. We request that you submit the documentation at your earliest convenience to ensure that there are no disruptions to our business operations. Right. It's just business, everybody.

B

So I'm surprised that that stuck out to you. That also stuck out to me as well. There's a line that you didn't read in that paragraph that really stuck out to me. Please send the requested documents to. I don't want to mess this up. Arrow, is it Aerojet rocket Dine supply chain@l3Harris.com.

A

That's right.

B

I don't know if I've heard that before, Eric. It. It. It's. I don't know. It's. It's spinning something up in my brain. Aerojet, Rocketdyne, wherever. Yeah.

A

You know, not that we want to bring up the old stuff or anything, but people who remember their history remember that the False Claims act lawsuit with Aerojet Rocketdyne was the thing that unloaded the False Claims act suits for cyber security against defense contractors for this stuff back in the day.

B

I'm. The only reason I'm pointing that out is because I think that this is clear exact. This is a clear example of, hey, we messed up, we got the slap on the wrist, we got in trouble, we got our butts handed to us. However you want to classify it, we're going to make sure we don't make this mistake again.

A

Right? Yeah. I mean, that's what they're asking for. And like we talked about the beginning,

B

you know, sometimes you're a little bit proactive or maybe you'd be a little overreaching in your deadlines. But hey, we've already been burned once, we are not getting burned again. And we have $65 million in the line to do it. Yeah.

A

Fool me once, shame on me. Fool me twice, can't fool me again. So, you know, just. Just to remind everybody, right, they don't expect to actually start delivering on this contract until 2027 sometime. That means that they're going to start the work before then. Which means that then if you're in their supply chain, they're putting out letters two weeks before they even announce the contract award that you need to be certified by July. Right? So it ain't November of 2026, and ain't November of 2028. Nothing to do with the phased rollout has everything to do with your specific customer, your specific contract, your specific situation. And if you're an L3 Harris supplier and you have implemented all of your requirements, all you need is your level two certification, then there is a crapload of work that's about to start flowing your way. Because if you've been watching current events, but we're going through a lot of these army missiles recently, and we need a lot more. So if you haven't implemented anything and you were waiting for the balloon to go up, as it were, to know when to get started, you got about three months to go from zero to implemented to certification in hand. So if that's. You give us a call. We know some people, and if you've already been implemented, then congratulations and I look forward to your future prosperity. Underneath the missile contract here, the summer

B

of 2026 for L3Harris will be known as the summer of supply chain CMMC.

A

I was going to say Hot Missile

B

Summer, but Summer, actually, I like Hot. Hot Missile Summer.

A

Well, actually, that might be the title of this podcast. Actually, we might stick with that. Hot Missile Summer. There you go. All right, everybody. There you go. If you're L3Harris supplier, you got a lot of work to do. And we'll see you next week.

B

See you, Sam.