NAVFAC Pacific and NAVFAC Hawaii awarded over $23 billion in new construction contracts in 2025 — the largest MILCON investment in the Pacific in a generation. Every contract carries CMMC compliance requirements that flow directly to subcontractors. This brief covers what that means for Hawaii, Guam, and CNMI prime contractors and what you need to do before November 2026.
Executive Summary
NAVFAC Pacific and NAVFAC Hawaii awarded over $23 billion in new construction contracts between June and September 2025 — covering Hawaii, Guam, CNMI, and the broader INDOPACOM area of operations. Every contract vehicle in this wave includes CMMC compliance requirements that prime contractors must flow down to their subcontractors. The compliance requirement is not a future obligation — it is active now under Phase 1 of the CMMC rollout, effective November 10, 2025.
At the same time, the Department of Justice settled seven cybersecurity-related False Claims Act cases in 2025 and recovered $52 million — including the first enforcement action ever brought against a defense subcontractor. For Pacific prime contractors, this brief maps the contract landscape, the regulatory timeline, and the five actions your supply chain program needs to include before the November 2026 Phase 2 deadline.
Enforcement landscape
The False Claims Act has always applied to cybersecurity misrepresentations in defense contracts — CMMC makes the compliance standard explicit and enforceable at every level of the supply chain. Since 2021, the Department of Justice's Civil Cyber-Fraud Initiative has pursued contractors who certify compliance without implementing the required controls. What changed in December 2025 is that for the first time, a subcontractor — not a prime — was held directly accountable.
⚠ First subcontractor enforcement action
In December 2025, a precision machining subcontractor in Illinois agreed to pay approximately $421,000 to resolve allegations that it failed to adequately protect technical drawings supplied by prime contractors. The case was initiated by a former quality control manager. This is the first FCA enforcement action brought against a defense subcontractor for cybersecurity non-compliance — and it confirms that the compliance obligation extends all the way down the supply chain, not just to primes.
The pattern is instructive for Pacific prime contractors: the compliance obligation exists at every tier of the supply chain, and verification — not just flowdown language — is what creates a defensible record. A prime contractor who actively manages sub compliance is in a materially different position than one who relies on boilerplate contract clauses and hopes for the best.
Key 2025 settlements the Pacific supply chain needs to know:
| Date | Entity | Amount | Allegation |
|---|---|---|---|
| February 2025 | Health Net Federal Services (TRICARE prime) | $11.25M | Falsely certified cybersecurity compliance in annual reports to the Defense Health Agency, 2015–2018 |
| April 2025 | Defense contractor (undisclosed) | $4.6M | Submitted a false SPRS score |
| July 2025 | Aero Turbine Inc. + Gallant Capital Partners (PE owner) | $1.75M | Failed to implement NIST SP 800-171 controls; shared sensitive defense info with unauthorized entity in Egypt. PE owner held liable for violations predating acquisition. |
| July 2025 | Genomic sequencing company | $9.8M | Sold sequencing systems to federal agencies with known cybersecurity vulnerabilities; false compliance certifications |
| December 2025 | Precision machining subcontractor (Illinois) | $421K | Failed to protect technical drawings supplied by prime contractors. First subcontractor named in cybersecurity FCA action. Qui tam case by former QC manager. ⚠ SUBCONTRACTOR |
The compliance standard under the FCA
Under the FCA, liability does not require intent to defraud. "Knowingly" under 31 U.S.C. § 3729(b)(1) includes reckless disregard of whether a certification is accurate. A prime contractor who affirms compliance annually without verifying subcontractor status takes on meaningful risk. The solution is active verification and documentation — exactly what a structured supply chain compliance program provides.
Pacific contract activity
The Pacific defense build-up is not slowing. NAVFAC Pacific and NAVFAC Hawaii issued some of the largest construction contract vehicles in the command's history between June and September 2025 — creating thousands of new prime-sub relationships that are now subject to CMMC requirements from day one.
Every prime contractor on these vehicles is responsible for CMMC compliance flowdown to their subcontractors. Every electrical sub, HVAC contractor, welding firm, roofing company, and mechanical trade that touches FCI under these contracts needs a documented Level 1 SPRS score. That requirement is active now under Phase 1 — primes who build their supply chain compliance programs before Phase 2 arrives in November 2026 will be better positioned for task order awards and contract renewals.
Regulatory timeline
CMMC 2.0 is implementing in four phases. Understanding where you are in this timeline is critical for sequencing your supply chain compliance program.
December 2024
32 C.F.R. Part 170 effective
CMMC final rule codified. All compliance requirements formally in effect. Self-assessment for Level 1 becomes mandatory baseline.
November 10, 2025
Phase 1 begins — CMMC in solicitations
DFARS 252.204-7021 effective. Contracting officers begin requiring Level 1 self-assessed CMMC status in new solicitations and contracts. NAVFAC Pacific contracts issued after this date carry the clause.
NOW — April 2026
You are here. Phase 1 active.
CMMC clauses are appearing in active Pacific solicitations. Annual affirmations are being submitted. The first FCA subcontractor case has already been resolved. The window to get ahead of Phase 2 is 7 months.
November 10, 2026
Phase 2 — C3PAO assessment required for CUI
Contracting officers begin requiring C3PAO-assessed Level 2 status for CUI contracts. Primes with CUI-handling subs must have third-party verification complete before this date or risk contract ineligibility.
November 10, 2027
Phase 3 — DIBCAC assessment for Level 3
DIBCAC-assessed Level 3 requirements begin for the most sensitive programs. Full CMMC framework applies across all applicable contracts.
November 10, 2028
Full implementation
CMMC requirements mandatory in all applicable DoD solicitations and contracts. No exceptions, no phase-ins, no grace periods.
Pacific-specific implications
The Pacific supply chain has characteristics that make getting ahead of CMMC requirements both more valuable and more challenging than on the mainland:
Trade sub concentration. Military construction in Hawaii, Guam, and CNMI relies heavily on local trade subcontractors — electricians, HVAC, welding, mechanical, fencing, roofing. These businesses typically run on 5–15 employees, use consumer-grade technology, and have no dedicated IT staff. They are the exact population the December 2025 subcontractor enforcement action targets. Most have never heard of SPRS.
Geographic isolation means no local expertise. Mainland CMMC consultants charge $3,000–$8,000 per sub assessment and are not calibrated to the trade sub IT profile in the Pacific. There is no CMMC Level 2 C3PAO in Guam or CNMI. The only C3PAO in the entire Asia-Pacific region is eResilience in Honolulu. For Guam and CNMI-based subs, there is no local compliance support at all.
Contract density is increasing, not decreasing. The NAVFAC Pacific and NAVFAC Hawaii MACC vehicles awarded in 2025 will generate task orders for years. The INDOPACOM buildup in Guam is accelerating — Camp Blaz, missile defense infrastructure, and logistics support facilities are all under active development. Prime contractors who have a documented, functioning supply chain compliance program in place will be better positioned to compete for and perform on these task orders than those who are still piecing their program together after award.
The prime's obligation under 32 C.F.R. § 170.23
A Level 2 prime can hire Level 1 subcontractors as long as information discipline is maintained — share FCI only, not CUI. The prime must verify that Level 1 subs have a current SPRS score, flow down FAR 52.204-21 in subcontracts, re-verify annually, and document the entire process. An affirming official certifies this compliance posture every time they sign a contract or invoice. That documentation is also the prime's protection — a verified, documented supply chain is a defensible supply chain.
Action items
1. Map your sub supply chain against FCI exposure. Identify every active subcontractor that touches contract information — not just technical drawings, but purchase orders, schedules, invoices, and project files. If they receive, process, or store any of it, they need a Level 1 SPRS score.
2. Verify SPRS scores for every applicable sub. Look up each sub in the Supplier Performance Risk System. A missing score, a score of zero, or a significantly negative score is a documented compliance gap — and it's your gap as the prime. Build this into your sub vetting workflow before the next contract award or invoice submission.
3. Flow down FAR 52.204-21 in every applicable subcontract. Boilerplate DFARS language is not sufficient on its own. Every subcontract where FCI may be transmitted needs explicit FAR 52.204-21 flowdown language. Review active contracts and renewals against this standard.
4. Get your subs to a documented SPRS score before November 2026. Phase 2 tightens the compliance requirement for CUI handlers. Before that date, every sub in your supply chain that touches FCI needs a current SPRS score and a System Security Plan on file. Build a 90-day timeline to work through your sub list systematically.
5. Treat annual re-verification as a business process, not a one-time event. Level 1 SPRS scores expire every 12 months. A sub who was compliant in January 2026 may not be compliant in January 2027. Calendar re-verification checkpoints for every applicable sub throughout the contract period of performance.
Pacific Cyber Compliance gives prime contractors a ready-to-run CMMC Level 1 compliance program — onboarding packet, sub tracker, rollout playbook, and annual renewal workflow. Flat fee. Unlimited subs. Pacific-based.