Compliance

CMMC 2.0 and Software Supply Chain Security: A Practical Guide

CMMC 2.0 is reshaping defense contracting requirements. Here's how software supply chain security maps to the new maturity model.

Bob
Compliance Specialist
6 min read

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for ensuring that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). If you're in the defense industrial base—or if your software ends up in defense supply chains—CMMC 2.0 compliance is becoming a contract requirement.

The model has been refined from the original CMMC 1.0's five levels down to three, but the expectations for software supply chain security remain substantial. Here's what matters.

CMMC 2.0 Structure

Level 1: Foundational

  • 15 practices, the basic safeguarding requirements of FAR 52.204-21
  • Self-assessment
  • Applies to organizations handling FCI
  • Annual self-assessment with annual affirmation

Level 2: Advanced

  • 110 practices, the security requirements of NIST SP 800-171 Rev. 2
  • C3PAO third-party certification assessment for prioritized acquisitions; self-assessment for non-prioritized
  • Applies to organizations handling CUI
  • Triennial assessment with annual affirmation

Level 3: Expert

  • The 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172
  • Government-led assessment by DCMA's DIBCAC, after a Level 2 certification assessment
  • Applies to organizations handling CUI for highest-priority programs
  • Triennial assessment with annual affirmation

Most software vendors in the defense supply chain will land at Level 2, which means implementing all 110 security requirements of NIST SP 800-171 Rev. 2. Whether that is verified by self-assessment or by a C3PAO certification assessment is set by the contract, not by the vendor.

Supply Chain Security in CMMC

CMMC 2.0 doesn't have a standalone supply chain domain—instead, supply chain security requirements are distributed across several practice domains. Here's where they appear:

System and Information Integrity (SI)

  • SI.L2-3.14.1 — Identify, report, and correct system flaws in a timely manner
  • SI.L2-3.14.2 — Provide protection from malicious code at designated locations
  • SI.L2-3.14.3 — Monitor system security alerts and advisories and take action in response

For software supply chains, these controls mean:

  • Tracking vulnerabilities in software dependencies (flaws to identify and correct)
  • Scanning for malicious code in dependencies (malicious code protection)
  • Monitoring vulnerability databases and security advisories for affected components (alerts and advisories)

Configuration Management (CM)

  • CM.L2-3.4.1 — Establish and maintain baseline configurations and inventories of organizational systems (hardware, software, firmware, and documentation) throughout the system development life cycle
  • CM.L2-3.4.2 — Establish and enforce security configuration settings
  • CM.L2-3.4.3 — Track, review, approve/disapprove, and log changes

CM.L2-3.4.1 names software inventories explicitly, so a baseline that stops at the operating system and the application binary is incomplete: it has to cover the full software stack, including third-party dependencies. Under CM.L2-3.4.3, dependency updates are changes to the system and must be tracked, reviewed, approved or disapproved, and logged like any other change.

Risk Assessment (RA)

  • RA.L2-3.11.1 — Periodically assess the risk to organizational operations, assets, and individuals
  • RA.L2-3.11.2 — Scan for vulnerabilities periodically and when new vulnerabilities are identified
  • RA.L2-3.11.3 — Remediate vulnerabilities in accordance with risk assessments

Risk assessment must include supply chain risk. Vulnerability scanning must cover the full software stack, not just custom code. Remediation timelines must be defined and enforced.

System and Communications Protection (SC)

  • SC.L2-3.13.1 — Monitor, control, and protect communications at external boundaries and key internal boundaries

This extends to communications initiated by software dependencies—analytics, telemetry, update checks, and API calls made by third-party components.

The SBOM Connection

While CMMC 2.0 doesn't explicitly require SBOMs by name, the underlying NIST SP 800-171 requirements effectively require SBOM capabilities:

  • You can't maintain baseline configurations without knowing what software components are deployed
  • You can't scan for vulnerabilities in dependencies without an inventory of those dependencies
  • You can't track changes to the software stack without tracking dependency changes
  • You can't assess supply chain risk without knowing what's in your supply chain

SBOMs are the practical mechanism for meeting these requirements. Assessors evaluating CMMC compliance will want to see evidence that organizations track their software components, and a machine-readable SBOM per release, retained alongside the scan results and change records derived from it, is the most direct form of that evidence.

Assessment and Compliance

Self-Assessment (Level 1 and some Level 2)

Organizations must honestly assess their compliance against CMMC requirements and affirm their status in the Supplier Performance Risk System (SPRS). For supply chain security, this means:

  • Documenting your software inventory practices
  • Demonstrating vulnerability scanning and remediation processes
  • Providing evidence of change management for software components
  • Maintaining records of risk assessments that include supply chain considerations

Third-Party Assessment (Level 2 prioritized acquisitions)

CMMC Third-Party Assessment Organizations (C3PAOs) will evaluate compliance. For software supply chain security, expect assessors to examine:

  • How you inventory software components
  • Your vulnerability management process for dependencies
  • Evidence of timely vulnerability remediation
  • Change management processes for dependency updates
  • Supply chain risk assessment documentation

Plan of Action and Milestones (POA&M)

CMMC 2.0 allows limited use of POA&Ms at Levels 2 and 3 (none at Level 1): an organization that meets the minimum assessment score can receive conditional status with the remaining items on a POA&M, but those items must be closed out within 180 days or the status lapses. The most heavily weighted requirements in the assessment methodology are not POA&M-able, meaning they must be met at the time of assessment.

Flow-Down Requirements

CMMC requirements flow down through the defense supply chain. Prime contractors must ensure their subcontractors meet appropriate CMMC levels. For software vendors:

  • If your software processes CUI on behalf of a defense contractor, you likely need Level 2 certification
  • Prime contractors will include CMMC requirements in subcontracts
  • Your CMMC compliance status will affect your competitiveness for defense work

Timeline and Implementation

CMMC 2.0 is being phased into contracts through DFARS rulemaking: the program itself is defined in 32 CFR Part 170, and the contract clause is DFARS 252.204-7021. The rollout runs in four phases:

  • Phase 1: Level 1 and Level 2 self-assessment requirements in contracts
  • Phase 2: Level 2 certification (C3PAO) assessment requirements added
  • Phase 3: Level 3 certification (government-led DIBCAC) assessment requirements added
  • Phase 4: CMMC requirements included in all applicable contracts

Organizations should not wait for contract requirements to begin implementing CMMC practices. Building mature supply chain security capabilities takes time, and the competitive advantage goes to organizations that are ready early.

Practical Steps

  1. Assess your current state. Map your existing practices against NIST SP 800-171 requirements. Identify gaps, particularly in supply chain security.

  2. Implement SBOM generation. Automate SBOM generation for all software products. This supports multiple CMMC requirements across several domains.

  3. Deploy vulnerability monitoring. Continuous scanning of your dependency tree is essential for meeting SI and RA requirements.

  4. Formalize change management. Ensure dependency updates go through documented change management processes.

  5. Build assessment evidence. Maintain documentation that demonstrates your supply chain security practices. Assessors need evidence, not just claims.
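The SBOM-derived evidence described above (an inventory for CM.L2-3.4.1, a change record for CM.L2-3.4.3, and advisory matching for SI.L2-3.14.1 and RA.L2-3.11.2) reduces to two operations: diffing one release's SBOM against the previous one, and matching the current inventory against an advisory feed. The following is an added example written for this article, not code from Safeguard.sh or from any SBOM tool. It parses minimal CycloneDX JSON; every package name, version and advisory ID in it is constructed sample data, and the advisory shape is an assumed OSV-like introduced/fixed range rather than any real feed's schema.

```python
"""Added example (not the article's or any vendor's code): diff two CycloneDX
SBOMs into a change record and match the current inventory against an
advisory list. All packages, versions and advisory IDs are constructed."""
import json
from typing import Dict, List, Tuple


def _bom(*purls: str) -> str:
    """Build a minimal CycloneDX JSON document from purls (constructed test data)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", "purl": p} for p in purls]})


# Constructed baseline and current SBOMs: widgetlib bumped, yamlish dropped,
# tlsglue added (with a purl qualifier, which identity matching must ignore).
BASELINE_SBOM = _bom("pkg:pypi/widgetlib@1.2.0", "pkg:pypi/parselib@3.0.1",
                     "pkg:pypi/yamlish@0.9.4")
CURRENT_SBOM = _bom("pkg:pypi/widgetlib@1.10.0", "pkg:pypi/parselib@3.0.1",
                    "pkg:pypi/tlsglue@2.4.0?os=linux")

# Constructed advisories in an assumed OSV-like [introduced, fixed) shape.
ADVISORIES = [
    {"id": "SAMPLE-2024-0001", "package": "pkg:pypi/widgetlib",
     "introduced": "1.3.0", "fixed": "1.11.0", "severity": "high"},
    {"id": "SAMPLE-2024-0002", "package": "pkg:pypi/tlsglue",
     "introduced": "2.0.0", "severity": "medium"},  # no fix published yet
    {"id": "SAMPLE-2024-0003", "package": "pkg:pypi/yamlish",
     "introduced": "0.9.0", "fixed": "0.9.5", "severity": "critical"},
    {"id": "SAMPLE-2024-0004", "package": "pkg:pypi/parselib",
     "introduced": "3.1.0", "fixed": "3.1.2", "severity": "low"},
]


def _version_key(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, so 1.10.0 sorts after 1.3.0.

    String comparison gets that wrong ("1.10.0" < "1.3.0"). Only dotted
    integers are handled; pre-release tags need a PEP 440 / semver library.
    """
    return tuple(int(part) for part in version.split("."))


def parse_components(sbom_json: str) -> Dict[str, str]:
    """Return {purl without version/qualifiers: version} for each component.

    Using the version-less purl as identity makes a version bump show up as
    a change rather than as a removal plus an addition.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory: Dict[str, str] = {}
    for comp in bom.get("components", []):
        purl = comp["purl"].split("?", 1)[0]  # drop qualifiers such as ?os=linux
        if "@" in purl:
            base, version = purl.rsplit("@", 1)
        else:
            base, version = purl, comp.get("version", "")
        inventory[base] = version
    return inventory


def diff_sboms(baseline_json: str, current_json: str) -> Dict[str, list]:
    """Change record between two SBOMs: components added, removed, or re-versioned."""
    old, new = parse_components(baseline_json), parse_components(current_json)
    return {
        "added": sorted(f"{p}@{new[p]}" for p in new.keys() - old.keys()),
        "removed": sorted(f"{p}@{old[p]}" for p in old.keys() - new.keys()),
        "changed": sorted((p, old[p], new[p]) for p in old.keys() & new.keys()
                          if old[p] != new[p]),
    }


def match_advisories(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Flag components whose version falls in an advisory's [introduced, fixed) range.

    A missing 'fixed' means no fix exists yet, so every version from
    'introduced' onward is affected; that is what an open finding looks like.
    """
    inventory = parse_components(sbom_json)
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is None:
            continue
        v = _version_key(version)
        if v < _version_key(adv["introduced"]):
            continue
        if "fixed" in adv and v >= _version_key(adv["fixed"]):
            continue
        findings.append({"id": adv["id"], "package": adv["package"],
                         "version": version, "severity": adv["severity"]})
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    print(json.dumps(diff_sboms(BASELINE_SBOM, CURRENT_SBOM), indent=2))
    for f in match_advisories(CURRENT_SBOM, ADVISORIES):
        print(f"{f['id']}: {f['package']}@{f['version']} ({f['severity']})")
```

Run against the constructed data, the diff reports one addition, one removal and one version change, and the advisory match flags widgetlib 1.10.0 (inside the 1.3.0 to 1.11.0 range, which naive string comparison would miss) and tlsglue 2.4.0 (no fix available). Kept per release, those two outputs are the change log and the scan result an assessor asks for; the remediation decision and timeline recorded against each finding is what closes the loop for RA.L2-3.11.3.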

How Safeguard.sh Helps

Safeguard.sh maps directly to CMMC 2.0's supply chain security requirements. The platform generates comprehensive SBOMs that serve as baseline configuration and inventory documentation, provides continuous vulnerability scanning that supports the SI and RA controls, and tracks dependency changes with full audit trails for CM compliance. For defense contractors preparing for CMMC assessment, Safeguard.sh provides the tooling, evidence, and documentation that C3PAOs need to verify supply chain security practices, shortening the path from gap analysis to certification readiness.
