CMMC 2.0 Final Rule Preparation in 2026

The CMMC final rule took effect in December 2024 and rolling contract clauses began appearing in 2025. Here is what contractors should be doing right now in 2026.

Karan Patel
Compliance Lead
5 min read

The CMMC 2.0 final rule under 32 CFR Part 170 took effect on December 16, 2024, and the companion DFARS rule under 48 CFR became effective in 2025, kicking off the phased rollout of CMMC requirements in new DoD contracts. The 2026 contract year is the first in which Level 2 and Level 3 requirements are appearing in solicitations with regularity, and the supply chain expectations within these levels are where many contractors are now spending preparation time. This post is a working guide to what serious preparation looks like in 2026.

The framing point worth restating: CMMC is the assessment and certification scheme layered on top of NIST SP 800-171 Rev 2 for Level 2, with Rev 3 expected to apply in future contract years. Level 3 adds a subset of NIST SP 800-172 enhanced controls. The substantive security requirements are not new; what is new is the assessment rigor, the third-party assessor involvement at Level 2, and the contractual consequences of misrepresentation.

What is the current phased rollout schedule?

Phase 1 of the DFARS rollout began with new contracts after the effective date and requires self-assessment for most Level 1 and Level 2 requirements, with affirmation submitted to SPRS. Phase 2 adds third-party C3PAO assessment for Level 2 requirements where the contract specifies CUI handling. Phase 3 extends to Level 3 for the smaller set of contracts involving sensitive CUI. The phases are spaced over three years, with full implementation targeted for late 2027.

The implication for contractors is that the timing depends on the contracts you are pursuing. A contractor bidding on a Phase 2 contract in 2026 needs to be prepared for a C3PAO assessment as a condition of award. A contractor with existing contracts that are renewed or extended will see CMMC requirements flow down on the renewal cycle. The SPRS score that has been required since 2020 remains the baseline, and a low SPRS score remains a meaningful disqualifier even before the formal CMMC requirements apply to a given contract.

How does NIST 800-171 supply chain map to CMMC assessments?

NIST 800-171 Rev 2 has supply chain elements scattered across multiple control families, most notably 3.13.2 (security engineering principles), 3.14.1 through 3.14.5 (system and information integrity), and the configuration management family at 3.4. The Rev 3 update consolidates and strengthens these and adds explicit supply chain risk management requirements that align with the NIST 800-53 SR control family. The transition from Rev 2 to Rev 3 will eventually flow through CMMC, though Rev 2 remains the operative reference for 2026 assessments.

For 2026 the practical assessment expectation is that the contractor has a process for identifying, assessing, and managing the security posture of software and hardware components used to process or store CUI. This includes commercial software, open source dependencies, and contracted services. The C3PAO will sample components from the contractor's environment and ask for the assessment artifacts. A contractor that cannot produce evidence of having reviewed a critical dependency is not going to pass the relevant control.

What does a defensible SSP look like in 2026?

The System Security Plan (SSP) remains the central document for CMMC assessments, and the prevailing failure pattern is SSPs that describe controls in abstract terms without identifying the implementation specifics. A defensible SSP names the systems in scope, the assessment boundary, the specific controls implemented, the responsible parties, and the evidence sources. It is read in conjunction with the POA&M for any controls not fully implemented at the time of assessment.

For supply chain content specifically, the SSP should describe how the contractor identifies its software dependencies, assesses them for risk, monitors them for vulnerabilities, and responds to identified issues. The plain-English description should be testable: a C3PAO should be able to read the SSP, ask for the corresponding evidence, and verify the described process is operating. SSPs written at high abstraction without testable specifics consistently generate findings.

How are contractors handling the prime-subcontractor flow-down?

Prime contractors are now flowing CMMC requirements down to subcontractors with increasing rigor, and the supply chain conversation is shifting from "what is your SPRS score" to "show me your SSP, your POA&M, and your most recent assessment." Subcontractors that handle CUI must meet the same CMMC level as the prime for the relevant contract, and primes are increasingly verifying this rather than relying on attestation alone.

The operational implication for subcontractors is that they need their own CMMC preparation in motion regardless of whether they have a direct contract with DoD. Primes are unwilling to absorb subcontractor compliance risk when the contractual penalties under the False Claims Act for misrepresentation are now well-established. A subcontractor that is six months behind on CMMC preparation is increasingly being replaced rather than carried along, and the prime-subcontractor relationships are reorganizing accordingly.

How Safeguard Helps

Safeguard provides the evidence streams that 2026 CMMC assessments are testing for supply chain and configuration management controls. SBOMs are produced on every build for the systems in your CMMC scope, with the dependency-level inventory NIST 800-171 expects. Griffin AI runs reachability analysis to support the risk-based prioritization of vulnerabilities in your dependencies, which feeds the system and information integrity control family. Policy gates in CI enforce your SSP-defined criteria at the build stage, producing testable evidence of operating effectiveness. TPRM scoring of dependencies addresses the supply chain risk assessment expectations, and zero-CVE base images reduce the surface area your POA&M has to track across the assessment cycle.
