The Department of Defense's supply chain is going through the most consequential compliance overhaul in a decade, and container workloads sit at the center of it. CMMC 2.0's final rule took effect December 16, 2024, and the contract clause requiring it in solicitations is now rolling out in phases through 2028. For the roughly 220,000 companies in the Defense Industrial Base, that means proving — with evidence, not intentions — that Controlled Unclassified Information moving through Kubernetes clusters, CI/CD pipelines, and container registries is actually protected.
A lot of vendors have rushed in with partial answers. Chainguard has built a strong brand around minimal, low-CVE container images, and that's a genuinely useful piece of the puzzle. But CMMC 2.0 isn't a base-image problem — it's a 110-control, full-lifecycle evidence problem that spans build, registry, runtime, and audit. This post breaks down what CMMC 2.0 actually requires for containerized environments, where image-hardening approaches fall short, and what a complete compliance program looks like.
What Is CMMC 2.0 and When Do Contractors Actually Need to Comply?
CMMC 2.0 is the DoD's three-tier cybersecurity certification framework, and the enforcement clock started on December 16, 2024. That's the effective date of the 32 CFR Part 170 final rule, which defines the program itself. The second rule — the 48 CFR contract clause (DFARS 252.204-7021) that actually requires CMMC in solicitations — began phasing in during 2025 and rolls out over three years in four phases, each roughly 12 months apart. Phase 1 introduces Level 1 or Level 2 self-assessment requirements in new contracts; Phase 2 adds mandatory Level 2 third-party certification; Phase 3 extends Level 2 certification requirements broadly and introduces Level 3; Phase 4 makes CMMC a standard requirement across nearly all applicable DoD contracts and subcontracts, expected around 2028.
The three levels scale with data sensitivity: Level 1 (Foundational) covers 17 practices from FAR 52.204-21 for Federal Contract Information, self-assessed annually. Level 2 (Advanced) maps to all 110 security requirements in NIST SP 800-171 Rev 2 and applies to any organization handling CUI — most Level 2 contractors will need a third-party assessment from a C3PAO every three years, with a subset eligible for self-assessment. Level 3 (Expert) layers on 24 additional practices from NIST SP 800-172 and involves a government-led assessment. If your containers process, store, or transmit CUI — engineering drawings, technical data, ITAR-adjacent specs — you're almost certainly a Level 2 organization, which is where container architecture becomes an audit subject rather than an engineering afterthought.
Which CMMC 2.0 Controls Actually Apply to Containerized Workloads?
At least six of the fourteen NIST 800-171 control families reach directly into your container stack, and container-specific evidence gaps are one of the most common reasons DIB contractors fail mock assessments. Configuration Management (CM.L2-3.4.1, 3.4.2) requires a documented, enforced baseline for every image running in production — not just "we use Chainguard images," but proof that the specific digests deployed match an approved, version-controlled configuration. Risk Assessment (RA.L2-3.11.2) requires vulnerability scanning at a defined frequency with documented remediation timelines, which means scan results sitting in a CI log aren't enough — you need retained, queryable evidence across every image, every build. System and Information Integrity (SI.L2-3.14.1, 3.14.5) requires flaw remediation and periodic scans of both the runtime environment and the artifacts running in it. Audit and Accountability (AU.L2-3.3.1) requires logging that ties container events back to identifiable actions. Access Control (AC.L2-3.1.1, 3.1.2) has to extend into registry permissions and Kubernetes RBAC, not stop at the VPN. And Security Assessment (CA.L2-3.12.4) requires a System Security Plan that names the actual controls implemented in your container environment — assessors will ask to see it, not take your word for it.
Why Isn't a Hardened Base Image Enough to Pass a C3PAO Assessment?
A minimal image reduces attack surface, but it doesn't generate the audit trail a C3PAO assessor is looking for. Chainguard's core product — distroless, frequently-rebuilt images built on its Wolfi Linux distribution — genuinely lowers CVE counts at the base-image layer, and the company has built a large business on that value proposition, raising a $356 million Series D in late 2024 at a $3.5 billion valuation. That's a real engineering advantage for the RA.L2-3.11.2 vulnerability-density conversation. But CMMC assessors aren't grading CVE counts in isolation; they're grading whether you can produce continuous evidence across 110 controls, and a low-CVE image is silent on most of them.
Swapping in hardened base images doesn't produce a System Security Plan, doesn't generate the three-year retained scan history an assessor will request, doesn't enforce that only signed, policy-approved images can deploy to a cluster handling CUI, and doesn't map runtime configuration drift back to your approved baseline. Teams that adopt Chainguard images and stop there routinely discover in a mock assessment that they have better images but the same compliance posture — because the gap was never really about CVE counts in the base layer, it was about provable, continuous control coverage across the entire container lifecycle: build, sign, scan, deploy, monitor, and remediate, with a paper trail behind every step.
How Many of the 110 NIST 800-171 Controls Touch the Container Supply Chain in Practice?
In our assessments of DIB contractors running containerized workloads, roughly 35–40 of the 110 Level 2 controls have direct or indirect container-supply-chain evidence requirements. That spans six control families — Access Control, Configuration Management, Risk Assessment, System and Information Integrity, Audit and Accountability, and Security Assessment — and it's a bigger footprint than most engineering teams expect going into their first readiness review. It also explains why "buy a better base image" strategies routinely stall at the SSP-writing stage: someone still has to document, for each of those 35-plus controls, exactly what technical control is in place, what evidence proves it's operating, and who's accountable for it. NIST SP 800-171 Rev 3, expected to formally supersede Rev 2 as the CMMC baseline within the assessment cycle, adds even more organizational and supply-chain-risk-management language, which will only widen this footprint for containerized environments.
What Does a CMMC Audit Actually Look Like for a Kubernetes Environment?
A C3PAO assessment for a containerized environment typically means producing artifact-level evidence for every one of the last 12 months, not a point-in-time snapshot. Assessors work from the CMMC Assessment Guide and expect to see, per control: policy documentation, implementation evidence, and interview corroboration. For container workloads that translates into concrete asks — a signed SBOM for every production image, vulnerability scan results retained on a defined cadence (commonly 30 days for critical findings under most organizational policies) with remediation tickets closed out, a record of which images were promoted from staging to production and by whom, Kubernetes admission-control policies that reject unsigned or non-compliant images, and audit logs correlating deployment events to authenticated identities. Contractors who walk in with screenshots and verbal assurances instead of exportable, timestamped records are the ones who end up with a POA&M (Plan of Action and Milestones) instead of a certification — and POA&Ms now come with closeout deadlines rather than indefinite grace periods under CMMC 2.0's stricter posture.
How Safeguard Helps
Safeguard is built for exactly this gap: the distance between "our images are secure" and "we can prove continuous, control-by-control compliance to a C3PAO." Instead of treating container security as a base-image problem, Safeguard instruments the full software supply chain — build, registry, deployment, and runtime — and maps that telemetry directly to NIST SP 800-171 controls.
In practice, that means Safeguard generates and retains signed SBOMs for every image, automatically mapped to CM.L2-3.4.1/3.4.2 baseline evidence; runs continuous vulnerability scanning with retained, exportable history that satisfies RA.L2-3.11.2 and SI.L2-3.14 without engineering teams building custom log pipelines; enforces provenance and signature verification at admission control so only attested, policy-approved images reach clusters handling CUI; and ties deployment and access events to identity for AU.L2-3.3.1 and AC.L2-3.1 audit trails. Because the evidence is generated continuously rather than assembled before an assessment, Safeguard customers walk into C3PAO reviews with a live, control-mapped System Security Plan and a defensible audit trail instead of a scramble.
Chainguard's hardened images are a reasonable input into that pipeline — Safeguard doesn't require you to rip out a low-CVE base-image strategy. What Safeguard adds is everything CMMC 2.0 actually assesses beyond the image itself: the continuous, cross-control evidence that turns a good container into a certifiable one. If your Level 2 assessment window is on the calendar, that's the difference that determines whether you walk out with a certification or a POA&M.