Safeguard
Compliance

CMMC compliance for software vendors

CMMC 2.0 is now contractually mandatory across the DoD supply chain. Here's what software vendors must know about levels, deadlines, costs, and SBOMs.

James
Principal Security Architect
7 min read

CMMC 2.0 became a binding acquisition requirement on December 16, 2024, when the Department of Defense's 32 CFR Part 170 final rule took effect. A companion DFARS acquisition rule then began phasing certification language directly into new solicitations, with Phase 1 self-assessment requirements starting in late 2025, Phase 2 introducing third-party Level 2 certification in 2026, and full Phase 4 enforcement across nearly all DoD contracts by around 2028. For the roughly 80,000 companies in the Defense Industrial Base — and every software vendor that sells into it — CMMC is no longer a future project to plan around. It's a gate that determines whether you can bid on, win, or keep a contract.

Software vendors hit a specific wrinkle: CMMC's control set was written for IT environments broadly, but assessors increasingly expect proof that vulnerability management, SBOM practices, and secure development controls are built into the product itself, not just the corporate network. This post covers what CMMC actually requires, when it applies, what it costs, and which controls specifically target your software supply chain.

What is CMMC and who does it apply to?

CMMC (Cybersecurity Maturity Model Certification) is the DoD's framework for verifying that contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level matching NIST SP 800-171. It applies to every company in the defense supply chain that handles FCI or CUI — primes, subcontractors at every tier, and software vendors whose products touch that data, regardless of company size. The requirement flows down contractually through DFARS clause 252.204-7021, which primes are required to insert into subcontracts.

Concretely: if your SaaS product is used by a Tier 2 subcontractor of a company like Lockheed Martin or L3Harris to manage engineering drawings, maintenance logs, or logistics data classified as CUI, your company needs a matching CMMC level — even if you've never held a direct DoD contract. The DoD does not accept "we're just a software vendor" as an exemption; if your product processes, stores, or transmits CUI on behalf of a covered contractor, you're in scope.

What are the three CMMC levels, and which one applies to software vendors?

There are three levels, and most software vendors handling CUI land at Level 2. Level 1 (Foundational) covers 17 basic safeguarding practices drawn from FAR 52.204-21 and requires only an annual self-assessment — it applies to companies that handle FCI but not CUI. Level 2 (Advanced) maps to the full 110 practices and 320 assessment objectives in NIST SP 800-171 Rev 2, and requires either a self-assessment or a third-party C3PAO (Certified Third-Party Assessment Organization) assessment every three years, depending on the sensitivity of the contract. Level 3 (Expert) adds 24 additional practices from NIST SP 800-172 on top of Level 2's 110, for a total of 134, and is assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

A concrete example: a company producing a project-management SaaS platform used by a Tier 1 contractor to track technical data packages containing CUI would need Level 2 certification, most likely via a C3PAO assessment, before that contract is awarded or renewed.

When does CMMC become mandatory, and what's the rollout timeline?

CMMC becomes mandatory in a four-phase rollout tied to the DFARS rule's effective date, and by mid-2026 vendors should already be seeing Level 2 requirements in active solicitations. Phase 1 began with the rule's effective date and requires DoD program offices to include CMMC Level 1 or Level 2 self-assessment requirements in new contracts. Phase 2, roughly one year later, adds the requirement for Level 2 C3PAO certification (not just self-assessment) in applicable solicitations. Phase 3, another year out, expands Level 2 C3PAO certification more broadly and introduces Level 3 requirements for the highest-sensitivity programs. Phase 4, the final year, applies CMMC requirements to all remaining DoD contracts and option periods, including those below the simplified acquisition threshold.

The practical implication for software vendors: contracting officers can include a full CMMC requirement in any solicitation starting in Phase 1 at their discretion, so "we have until Phase 4" is not a safe assumption. Vendors that wait until their prime demands proof of certification are typically 6-12 months too late, given assessment lead times.

Which CMMC controls specifically target software supply chain security?

A concentrated subset of the 110 NIST SP 800-171 controls — mostly in the Configuration Management (CM) and System and Information Integrity (SI) families — directly govern how vendors manage vulnerabilities and third-party code. Control 3.14.1 requires identifying, reporting, and correcting system flaws in a timely manner. Control 3.14.3 requires monitoring security alerts and advisories and acting on them. Control 3.11.2 requires periodic vulnerability scanning, and 3.11.3 requires remediating vulnerabilities in accordance with an organizational risk assessment. Control 3.4.1 requires establishing and maintaining baseline configurations, which increasingly extends to knowing what software components — including open-source dependencies — make up a product.

In practice, C3PAOs are now routinely requesting a current Software Bill of Materials (SBOM) as documentary evidence for 3.4.1 and 3.11.2, because an assessor can't verify vulnerability scanning coverage or configuration baselines for components nobody inventoried. Vendors that show up to an assessment with an ad hoc spreadsheet of dependencies, rather than a generated SBOM tied to a specific release, routinely get flagged with a POA&M (Plan of Action and Milestones) rather than a clean pass.

How much does CMMC certification cost, and how long does it take?

Level 1 self-assessment is mostly internal labor and costs a few thousand dollars, while Level 2 C3PAO certification runs into five figures and up. The DoD's own regulatory impact analysis for the 32 CFR Part 170 rule estimated that a small business pursuing Level 2 certification would spend roughly $100,000 or more across a three-year cycle once assessment fees, gap remediation, and a scoped CMMC-compliant environment are factored in; larger organizations with more complex enclaves routinely spend well beyond that. Timeline-wise, vendors typically need 3-6 months of gap remediation before an assessment and another 1-3 months to schedule and complete the C3PAO engagement itself, meaning a realistic runway from "start of the project" to "certificate in hand" is closer to 6-9 months, not the 4-6 weeks many vendors initially budget.

The single biggest cost driver, in Safeguard's experience with customers going through this, isn't the assessment fee — it's the remediation work uncovered by controls like 3.11.2 and 3.14.1, where vendors discover months of unpatched CVEs and undocumented open-source components only once someone actually goes looking.

How Safeguard Helps

Safeguard maps directly onto the CMMC controls that trip up software vendors most often. Our platform generates SBOMs automatically from your build pipeline and ingests SBOMs from vendors and dependencies, giving assessors the exact 3.4.1 and 3.11.2 documentary evidence they now routinely request. Reachability analysis cuts through CVE noise by determining which vulnerabilities in your dependency tree are actually exploitable in your code paths, so your team spends remediation hours — the real cost driver of Level 2 certification — on the flaws that matter for 3.11.3 and 3.14.1, not the entire raw CVE list. Griffin, Safeguard's AI security analyst, triages new findings against your specific codebase and prioritizes them the way a C3PAO assessor will expect to see documented. And for the fixes that remain, Safeguard opens auto-fix pull requests directly against your repositories, shortening the gap between "vulnerability disclosed" and "flaw corrected" — the exact timeliness standard control 3.14.1 is built around.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.