Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: Primes Can't Waive CMMC

Host: Summit 7
Date: December 4, 2025

Episode Overview

This episode tackles the critical misconception in the defense contracting community that "Prime contractors can waive CMMC requirements for subcontractors." With the CMMC 2.0 final rule now firmly in effect, Summit 7's hosts break down the latest supplier notices—particularly Northrop Grumman's clear messaging—why nobody is getting a waiver, how the CMMC waiver process actually works, and what it means for contractors in the Defense Industrial Base (DIB). The hosts also emphasize the urgency for all suppliers to take proactive steps toward compliance, dispelling persistent myths and clarifying how CMMC is enforced contractually.

Key Discussion Points & Insights

1. Primes Are Enforcing CMMC—Letters & Wake-Up Calls

Major primes (Lockheed, RTX, BAE, HII, Northrop, etc.) have started issuing supplier notifications since the 48 CFR CMMC final rule was published in September 2025.
Northrop Grumman's headline: "CMMC 2.0 is final. Are you ready?"
The mass messaging is raising awareness far more effectively than the regulatory announcements themselves.
- "Final rule comes out, goes into effect. You know, crickets. Lockheed sends a letter, everybody, you know, scrambles." (A, 01:46)
Immediate impact: Spike in supplier inquiries about CMMC ("big uptick in inquiries...thanks to the Primes letters" —A, 01:20).

2. CMMC Requirements Apply Throughout the Supply Chain

If your prime requires CMMC, you require CMMC. There is no special exemption for subcontractors.
- Directly from 32 CFR 170: If you handle CUI under a contract requiring CMMC Level 2 C3PAO, you must also meet that requirement.
- "So, first things first: if your prime needs CMMC, you need CMMC... That's kind of the end of the story for that one." (A, 01:46–02:58)
No way to "dodge" the requirement: Even if you rarely handle CUI, if any contract calls for that threshold, you must comply.

3. Primes Cannot Waive CMMC Requirements—Period

Primes and contracting officers do not have waiver authority. CMMC assessment requirements can only be waived under narrow circumstances, at high levels within the DoD, and never by the prime or the standard contract team.
- Cited: Northrop Grumman letter, 32 CFR 170.5.
- "Neither contracting officers nor prime contractors may waive or deviate from the CMMC Cybersecurity Control and Assessment requirements..." (A, 03:36)
- Even if a waiver is granted, all existing FAR/DFARS cybersecurity requirements still apply (e.g., DFARS 252.204-7012), so compliance doesn't vanish.
- "If somehow there is a waiver, you still have the obligations under those FAR and DFARS CL to implement cybersecurity. So don't make the common mistake of conflating the CMMC Assessment program with the requirements that are still in your contract." (A, 04:39)

4. How Does Waiving CMMC Actually Work?

Waivers are granted only for entire contracts, not for organizations or specific suppliers.
The waiver process is complex and rare:
- Requested by the program office, must go through multiple high-level approvals (component CIO, service acquisition executive, DoD CIO).
- Not decided by primes or contracting officers.
- "You don't understand. Organizations don't get waivers. The entire contract is waived of the requirements." (A, 07:12)
- "There's a whole maze of bureaucracy that has to happen before the solicitation ever goes out." (A, 08:45)
Timing: Waivers must be requested and granted before the solicitation is released.
- "Waivers are a pre solicitation process." (A, 14:44)
- Once CMMC is in a solicitation, it is too late to seek a waiver.
- "Once you see it in a solicitation, it has been determined there will be enough companies to meet the requirement that there aren't going to be waivers for that contract." (A, 15:37)

5. Exception Rarity and Temporary Nature

Waivers, if they exist at all, are rare and temporary:
- No waivers for CMMC Level 1.
- No waivers for Level 2 self-assessment.
- Waivers for Level 2 C3PAO assessment "will be rare" and must have expiration dates.
- "These will, quote, be rare. They are not for cleared defense contractors. And approved waivers on a class basis must include a planned expiration date." (A, 10:54)
Any wafered contract requires alternative protection plans for FCI/CUI in the meantime.

6. DIB Risk, Readiness, and the Reality of Enforcement

If you haven’t heard from your prime about exemptions, don’t count on there being any. Talk to your customer directly.
The contracting community is not ready: Many in the DIB are waiting for CMMC to appear in solicitations before acting, but at that point, it's too late.
- "If you are hoping that you'll see it in the solicitation and then get special exceptions, you are too late." (A, 15:37)
- "You're just burning time." (A, 15:57)
CMMC compliance is now a condition of contract award: Primes cannot award purchase orders to non-compliant subcontractors.
- "Contracting officers may not award contracts to non-compliant contractors and prime contractors may not award purchase orders to non-compliant subcontractors." (A, 17:06)
The phased rollout has started—now is the time to act.
- "We are in the phase rollout. We are in phase one of CMMC as it is going into contracts since November 10th. It's free game." (A, 18:33)

Notable Quotes & Memorable Moments

On prime notices vs. regulatory milestones:
- "Final rule comes out, goes into effect. You know, crickets. Lockheed sends a letter, everybody... scrambles." (A, 01:46)
On the myth of getting waivers:
- "No, you're not getting a waiver. Right. So in this... memo they go on to say... waivers... will be rare." (A, 10:54)
On the reality of waiting for CMMC to appear in solicitations:
- "Once you see it in a solicitation... you're just burning time." (A, 15:37–15:57)
Northrop's letter—corporate understatement:
- "We encourage you to proactively prepare to comply with this future contractual requirement. Understatement of the decade, Northrop." (A, 17:36)
- Banter: "That's like when your parents say, I strongly suggest you clean your room. Yeah." (A & B, 17:44)

Timestamps for Important Segments

Primes' Supplier Notices & Impact: 00:02 – 01:40
Clarifying CMMC Down the Supply Chain: 01:46 – 03:19
Waivers: Not Controlled By Primes/COs: 03:36 – 05:36
How the Waiver Process Actually Works: 07:03 – 09:49
Why Waivers Are So Rare: 10:54 – 12:19
Waivers Must Occur Pre-Solicitation: 14:44 – 15:57
Proactive Compliance Urged by Primes: 17:06 – 18:55
Current State of CMMC Enforcement: 18:55 – 19:18

Tone and Final Takeaways

The hosts emphasize urgency laced with realism, directness, and a bit of humor:

The rules are final, the rollout has started, and prime contractors are issuing wake-up calls.
Suppliers need to stop waiting for exceptions and start preparing now—waivers are not coming to save anyone.
Takeaway: If you want to remain part of the defense contracting supply chain, CMMC compliance—at the level required by your contract and your prime—is now a non-negotiable, enforceable prerequisite.

Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: Primes Can't Waive CMMC

Host: Summit 7
Date: December 4, 2025

Episode Overview

Key Discussion Points & Insights

1. Primes Are Enforcing CMMC—Letters & Wake-Up Calls

Major primes (Lockheed, RTX, BAE, HII, Northrop, etc.) have started issuing supplier notifications since the 48 CFR CMMC final rule was published in September 2025.
Northrop Grumman's headline: "CMMC 2.0 is final. Are you ready?"
The mass messaging is raising awareness far more effectively than the regulatory announcements themselves.
- "Final rule comes out, goes into effect. You know, crickets. Lockheed sends a letter, everybody, you know, scrambles." (A, 01:46)
Immediate impact: Spike in supplier inquiries about CMMC ("big uptick in inquiries...thanks to the Primes letters" —A, 01:20).

2. CMMC Requirements Apply Throughout the Supply Chain

If your prime requires CMMC, you require CMMC. There is no special exemption for subcontractors.
- Directly from 32 CFR 170: If you handle CUI under a contract requiring CMMC Level 2 C3PAO, you must also meet that requirement.
- "So, first things first: if your prime needs CMMC, you need CMMC... That's kind of the end of the story for that one." (A, 01:46–02:58)
No way to "dodge" the requirement: Even if you rarely handle CUI, if any contract calls for that threshold, you must comply.

3. Primes Cannot Waive CMMC Requirements—Period

Primes and contracting officers do not have waiver authority. CMMC assessment requirements can only be waived under narrow circumstances, at high levels within the DoD, and never by the prime or the standard contract team.
- Cited: Northrop Grumman letter, 32 CFR 170.5.
- "Neither contracting officers nor prime contractors may waive or deviate from the CMMC Cybersecurity Control and Assessment requirements..." (A, 03:36)
- Even if a waiver is granted, all existing FAR/DFARS cybersecurity requirements still apply (e.g., DFARS 252.204-7012), so compliance doesn't vanish.
- "If somehow there is a waiver, you still have the obligations under those FAR and DFARS CL to implement cybersecurity. So don't make the common mistake of conflating the CMMC Assessment program with the requirements that are still in your contract." (A, 04:39)

4. How Does Waiving CMMC Actually Work?

Waivers are granted only for entire contracts, not for organizations or specific suppliers.
The waiver process is complex and rare:
- Requested by the program office, must go through multiple high-level approvals (component CIO, service acquisition executive, DoD CIO).
- Not decided by primes or contracting officers.
- "You don't understand. Organizations don't get waivers. The entire contract is waived of the requirements." (A, 07:12)
- "There's a whole maze of bureaucracy that has to happen before the solicitation ever goes out." (A, 08:45)
Timing: Waivers must be requested and granted before the solicitation is released.
- "Waivers are a pre solicitation process." (A, 14:44)
- Once CMMC is in a solicitation, it is too late to seek a waiver.
- "Once you see it in a solicitation, it has been determined there will be enough companies to meet the requirement that there aren't going to be waivers for that contract." (A, 15:37)

5. Exception Rarity and Temporary Nature

Waivers, if they exist at all, are rare and temporary:
- No waivers for CMMC Level 1.
- No waivers for Level 2 self-assessment.
- Waivers for Level 2 C3PAO assessment "will be rare" and must have expiration dates.
- "These will, quote, be rare. They are not for cleared defense contractors. And approved waivers on a class basis must include a planned expiration date." (A, 10:54)
Any wafered contract requires alternative protection plans for FCI/CUI in the meantime.

6. DIB Risk, Readiness, and the Reality of Enforcement

If you haven’t heard from your prime about exemptions, don’t count on there being any. Talk to your customer directly.
The contracting community is not ready: Many in the DIB are waiting for CMMC to appear in solicitations before acting, but at that point, it's too late.
- "If you are hoping that you'll see it in the solicitation and then get special exceptions, you are too late." (A, 15:37)
- "You're just burning time." (A, 15:57)
CMMC compliance is now a condition of contract award: Primes cannot award purchase orders to non-compliant subcontractors.
- "Contracting officers may not award contracts to non-compliant contractors and prime contractors may not award purchase orders to non-compliant subcontractors." (A, 17:06)
The phased rollout has started—now is the time to act.
- "We are in the phase rollout. We are in phase one of CMMC as it is going into contracts since November 10th. It's free game." (A, 18:33)

Notable Quotes & Memorable Moments

On prime notices vs. regulatory milestones:
- "Final rule comes out, goes into effect. You know, crickets. Lockheed sends a letter, everybody... scrambles." (A, 01:46)
On the myth of getting waivers:
- "No, you're not getting a waiver. Right. So in this... memo they go on to say... waivers... will be rare." (A, 10:54)
On the reality of waiting for CMMC to appear in solicitations:
- "Once you see it in a solicitation... you're just burning time." (A, 15:37–15:57)
Northrop's letter—corporate understatement:
- "We encourage you to proactively prepare to comply with this future contractual requirement. Understatement of the decade, Northrop." (A, 17:36)
- Banter: "That's like when your parents say, I strongly suggest you clean your room. Yeah." (A & B, 17:44)

Timestamps for Important Segments

Primes' Supplier Notices & Impact: 00:02 – 01:40
Clarifying CMMC Down the Supply Chain: 01:46 – 03:19
Waivers: Not Controlled By Primes/COs: 03:36 – 05:36
How the Waiver Process Actually Works: 07:03 – 09:49
Why Waivers Are So Rare: 10:54 – 12:19
Waivers Must Occur Pre-Solicitation: 14:44 – 15:57
Proactive Compliance Urged by Primes: 17:06 – 18:55
Current State of CMMC Enforcement: 18:55 – 19:18

Tone and Final Takeaways

The hosts emphasize urgency laced with realism, directness, and a bit of humor:

The rules are final, the rollout has started, and prime contractors are issuing wake-up calls.
Suppliers need to stop waiting for exceptions and start preparing now—waivers are not coming to save anyone.
Takeaway: If you want to remain part of the defense contracting supply chain, CMMC compliance—at the level required by your contract and your prime—is now a non-negotiable, enforceable prerequisite.

wavePod

Primes Can't Waive CMMC

Powered by Wave AI

Summary

Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: Primes Can't Waive CMMC

Episode Overview

Key Discussion Points & Insights

1. Primes Are Enforcing CMMC—Letters & Wake-Up Calls

2. CMMC Requirements Apply Throughout the Supply Chain

3. Primes Cannot Waive CMMC Requirements—Period

4. How Does Waiving CMMC Actually Work?

5. Exception Rarity and Temporary Nature

6. DIB Risk, Readiness, and the Reality of Enforcement

Notable Quotes & Memorable Moments

Timestamps for Important Segments

Tone and Final Takeaways

Summary

Podcast Summary: Sum IT Up: CMMC News Roundup

Episode: Primes Can't Waive CMMC

Episode Overview

Key Discussion Points & Insights

1. Primes Are Enforcing CMMC—Letters & Wake-Up Calls

2. CMMC Requirements Apply Throughout the Supply Chain

3. Primes Cannot Waive CMMC Requirements—Period

4. How Does Waiving CMMC Actually Work?

5. Exception Rarity and Temporary Nature

6. DIB Risk, Readiness, and the Reality of Enforcement

Notable Quotes & Memorable Moments

Timestamps for Important Segments

Tone and Final Takeaways