Safeguard
Compliance

CMMC Level 2 for Software Vendors: A Practical Roadmap

CMMC Level 2 means all 110 NIST SP 800-171 controls, assessed by a C3PAO for most contractors. Here's the scoping, gap-closing, and evidence roadmap for software vendors.

Tomas Lindgren
Platform Engineer
6 min read

CMMC Level 2 requires implementing all 110 security controls from NIST SP 800-171 Rev 2 and, for most defense contractors, passing a third-party assessment by a C3PAO every three years — self-attestation alone no longer cuts it for contracts involving Controlled Unclassified Information (CUI). If you sell software or development services into the defense supply chain, even as a subcontractor two tiers down, Level 2 is probably in your future. The proposed rule published in December 2023 confirmed the structure, and DoD expects the requirement to start appearing in contracts once the final rule lands. Here's the roadmap that actually works, in order.

Step one: scope where CUI lives, then shrink it

Everything in CMMC is priced by scope. The assessment covers every asset that stores, processes, or transmits CUI, plus the security systems protecting them. Before touching a single control, answer: which contracts deliver CUI to us, in what form, and where does it land? For a software vendor the honest answer is often uncomfortable — CUI in Jira tickets, in test data copied to laptops, in an S3 bucket someone made for a demo in 2021.

The highest-leverage move is an enclave: a bounded environment (commonly Microsoft GCC High, AWS GovCloud, or a segmented VPC) where all CUI work happens, keeping your commercial product development out of scope. A 15-person enclave assesses dramatically cheaper than a 300-person company. Document the boundary in your System Security Plan (SSP) with a network diagram the assessor can trace, because scoping disputes are where assessments stall.

Step two: gap-assess against 800-171A, not the control titles

The 110 controls in SP 800-171 decompose into 320 assessment objectives in SP 800-171A, and assessors test objectives, not titles. Control 3.1.1 ("limit system access to authorized users") sounds done because you have SSO; its objectives ask you to prove authorized users are defined, processes are defined, devices are identified, and access is actually limited to all three. Run your gap assessment at the objective level or you'll discover the difference during the real thing.

Score yourself using the DoD Assessment Methodology: start at 110, subtract 5, 3, or 1 points per unimplemented control depending on weight. Scores range from -203 to 110, and your current score already belongs in SPRS (the Supplier Performance Risk System) under DFARS 252.204-7019/7020 — that's been contractually required since 2020. Filing an honest score matters; the False Claims Act cases to date have targeted inflated self-assessments, not imperfect security.

Step three: close the gaps that hit engineering teams

For software vendors, the control families with real engineering weight:

FamilyControls that biteTypical implementation
AC (Access Control)3.1.1, 3.1.5, 3.1.12SSO + least privilege, session controls, remote access via managed VPN
AU (Audit)3.3.1, 3.3.2Centralized logging with user attribution, 90-day+ retention
CM (Configuration Mgmt)3.4.1, 3.4.6, 3.4.8Baseline configs, least functionality, allowlisting
IA (Identification/Auth)3.5.3MFA everywhere CUI is reachable — non-negotiable
RA (Risk Assessment)3.11.2, 3.11.3Vulnerability scanning on a defined cadence, remediation tracking
SI (System Integrity)3.14.1Flaw remediation within defined SLAs

Controls 3.11.2 and 3.14.1 are where dependency management enters: "system flaws" includes vulnerable third-party components in software you build and run inside the boundary. A scheduled SCA scan with tracked remediation tickets satisfies both the control and the assessor's evidence request in one motion. If SBOMs are new to your team, start with the beginner's guide — DoD program offices are increasingly asking for them contractually even before CMMC requires it.

Note what a POA&M can and cannot cover: under the proposed rule, you can carry a Plan of Action for a limited subset of lower-weight controls, must still score at least 88, and must close items within 180 days. The 5-point controls (MFA, FIPS-validated crypto among them) are not deferrable.

Step four: build the evidence package assessors expect

C3PAO assessors want three artifact types per control: policy (you said you'd do it), procedure (how you do it), and operating evidence (proof you did it during the relevant period). The SSP anchors everything — expect 100+ pages for a real environment, and keep it versioned in git like any other artifact. Screenshots age badly; exports from systems of record (IdP, EDR, scanner, SIEM) hold up better. Assessments run roughly one to two weeks with document review beforehand, and pricing quotes for a mid-size scope have ranged from $40,000 to well past $100,000, which is another argument for a small enclave.

Plan the sequence realistically: scoping and gap assessment (4–8 weeks), remediation (typically 6–12 months for a first pass), evidence maturation (assessors want controls operating, not freshly installed), then C3PAO scheduling — and C3PAO capacity is limited, so book early. For the differences between CMMC assessment and plain 800-171 self-attestation, see our CMMC vs NIST 800-171 comparison.

Frequently asked questions

Does CMMC Level 2 always require a third-party assessment?

No — a small slice of Level 2 contracts involving less sensitive CUI will allow annual self-assessment with executive affirmation. DoD has indicated the large majority of Level 2 requirements will specify C3PAO assessment, so plan for third-party unless your contracting officer says otherwise.

We're a subcontractor. Does CMMC still apply?

Yes, requirements flow down to any subcontractor that handles CUI. If you only receive Federal Contract Information and never CUI, Level 1 self-assessment (17 basic controls) may be sufficient — your prime's contract language determines this.

Can open source software be used in a CMMC environment?

Yes, nothing prohibits it. You're accountable for the controls around it: flaw remediation (3.14.1), vulnerability scanning (3.11.2), and configuration baselines apply to open source components exactly as they do to commercial software, so component inventory and scanning are effectively mandatory.

How long does reaching Level 2 actually take?

Organizations starting from a typical commercial security posture usually need 9–18 months from scoping to assessment-ready, mostly consumed by remediation and letting evidence accumulate. An existing ISO 27001 or SOC 2 program shortens this meaningfully but covers perhaps 60–70 percent of the objectives.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.