Safeguard
Compliance

CMMC 2.0 Explained: What Defense Contractors and Their Software Must Do

CMMC 2.0 turns NIST SP 800-171 into a certification requirement for the defense supply chain. Here's how the three levels work, who assesses them, and where your software components fit.

Priya Mehta
Compliance Analyst
6 min read

If your company sells to the U.S. Department of Defense, or sits anywhere in the defense supply chain, the Cybersecurity Maturity Model Certification (CMMC) is about to become a condition of doing business. CMMC 2.0 does not invent new security requirements so much as it makes existing ones auditable: it takes the controls in NIST SP 800-171 and requires you to prove you have implemented them before a contract is awarded. This guide explains the model, the timeline, and the parts that land on engineering teams.

What CMMC 2.0 is

CMMC is a DoD program that verifies whether defense contractors adequately protect two kinds of government information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The original 2020 framework had five maturity levels; the streamlined CMMC 2.0 model announced in November 2021 collapsed these into three:

  • Level 1 (Foundational) protects FCI and maps to the 15 basic safeguarding requirements in FAR 52.204-21. Verified by annual self-assessment.
  • Level 2 (Advanced) protects CUI and aligns to the 110 security requirements of NIST SP 800-171 Revision 2. Depending on the contract, it is met by either self-assessment or a third-party assessment.
  • Level 3 (Expert) targets the highest-priority programs and adds a subset of NIST SP 800-172 controls on top of the 800-171 baseline. Assessed by the government (DIBCAC).

The program rule (32 CFR Part 170) that formally established CMMC became effective on December 16, 2024. Note that CMMC 2.0 currently references NIST SP 800-171 Revision 2; NIST published Revision 3 in May 2024, and DoD has signaled it will address the transition separately, so treat the exact control set as subject to change.

Who is affected and on what timeline

CMMC applies across the Defense Industrial Base, from prime contractors down to subcontractors, wherever FCI or CUI is stored, processed, or transmitted. That reaches far beyond traditional defense primes into SaaS vendors, managed service providers, and software suppliers whose products touch this data.

Assessment obligations differ by level. Level 1 and a subset of Level 2 contracts allow annual self-assessment with a senior-official affirmation submitted in the Supplier Performance Risk System (SPRS). Most Level 2 contracts require a triennial assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO). Level 3 is assessed directly by the government.

The requirement enters contracts through a companion acquisition rule (a change to the DFARS, in 48 CFR). DoD has structured the rollout as a phased implementation running over roughly three years from that rule's effective date, gradually expanding from a limited set of solicitations to all applicable contracts. Because the precise phase dates depend on the acquisition rule's status, confirm current requirements against official DoD guidance rather than assuming a fixed calendar.

Software and supply-chain obligations

Most of NIST SP 800-171 concerns access control, identification, and physical protection, but several control families land squarely on software and its dependencies:

  • Configuration Management (3.4): establish and maintain baseline configurations, apply the principle of least functionality, and control what software is installed on systems handling CUI. You cannot baseline what you cannot inventory.
  • Risk Assessment (3.11): scan for vulnerabilities in systems and applications periodically and when new vulnerabilities are identified, then remediate in accordance with risk. Third-party components are systems too.
  • System and Information Integrity (3.14): identify, report, and correct system flaws in a timely manner, protect against malicious code, and monitor security advisories. A known-vulnerable library in a CUI-handling application is an uncorrected flaw.

The practical takeaway: a defensible CMMC posture requires you to know every component in the software that touches CUI, watch those components for new vulnerabilities, and show that you remediate them on a schedule. An accurate software bill of materials is the backbone of that evidence.

Compliance checklist

RequirementWhat engineering teams do
Scope your environmentIdentify every system that stores, processes, or transmits FCI or CUI
Determine your levelConfirm whether contracts require Level 1, 2, or 3
Inventory componentsMaintain an SBOM for each in-scope application
Scan continuouslyRun vulnerability scanning against dependencies (control 3.11.2)
Remediate on SLATrack flaw remediation timelines and evidence (control 3.14.1)
Baseline configurationsDocument and enforce secure configuration (control 3.4)
Prepare the SSP and POA&MKeep a System Security Plan and Plan of Action & Milestones current
Affirm and assessSubmit SPRS scores and schedule self- or C3PAO assessment

How Safeguard helps

Safeguard directly supports the software-integrity and risk-assessment controls that CMMC assessors will test. SBOM Studio maintains a live inventory of every component in your in-scope applications, giving you the configuration-management baseline that control family 3.4 requires. Software composition analysis continuously scans those components so a newly disclosed vulnerability in a CUI-handling system surfaces as a tracked finding with the timeline evidence a C3PAO expects for control 3.11.2 and 3.14.1.

Griffin AI prioritizes findings by whether they are actually reachable in your code, so remediation effort concentrates on the flaws that genuinely threaten CUI rather than an undifferentiated CVE list. Our compliance pages map these capabilities to specific NIST SP 800-171 requirements, so you can show an assessor which control each piece of evidence supports and fold the output straight into your System Security Plan.

CMMC rewards organizations that can prove, not just assert, that their software is under control. Building that evidence trail now — before a contract puts you on the clock — is the difference between a smooth assessment and a scramble.

Frequently Asked Questions

Does CMMC 2.0 replace NIST SP 800-171? No. CMMC 2.0 is the verification mechanism, while NIST SP 800-171 (currently Revision 2) supplies the underlying 110 security requirements assessed at Level 2. CMMC adds the certification, assessment, and affirmation process on top of the standard you were already contractually obligated to meet under DFARS 252.204-7012.

Can we self-assess, or do we need a C3PAO? It depends on your level and contract. Level 1 and a defined subset of Level 2 allow annual self-assessment with a senior-official affirmation. Most Level 2 contracts require a triennial assessment by an accredited C3PAO, and Level 3 is assessed by the government. Check the specific solicitation.

When do CMMC requirements actually appear in contracts? Through a phased rollout tied to the companion 48 CFR acquisition rule, expanding over roughly three years from that rule's effective date. Because the exact phase dates have shifted during rulemaking, verify current status against official DoD sources rather than a fixed timeline.

Do we need an SBOM to pass a CMMC assessment? CMMC does not name SBOMs as a line-item control, but the configuration-management, vulnerability-scanning, and flaw-remediation requirements are difficult to evidence without one. A current component inventory is the practical foundation for demonstrating those controls to an assessor.

Ready to build CMMC-ready evidence for your software supply chain? Create a free account or read the Safeguard documentation to connect your first repository.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.