CMMC has settled into its operational form, and Level 2 assessments are now a regular feature of the defense industrial base's compliance calendar. The 110 practices Level 2 inherits from NIST SP 800-171 cover a wide ground, and the supply chain dimension reaches further into them than many organizations initially anticipate. The practices that explicitly carry SR designations get most of the attention, but the evidence pattern bleeds into configuration management, system and information integrity, and risk assessment as well.
Defense contractors handling controlled unclassified information face a population of assessors trained to look for specific evidence shapes. The C3PAO that walks into the assessment is not negotiating the scope of the practices. They are testing whether the implementation produces the artifacts the assessment objectives describe.
What Level 2 expects of the supply chain
The practices that carry the most direct supply chain weight at Level 2 sit in the configuration management family and the system and information integrity family, and in the places where those practices overlap with the SR-family expectations from SP 800-161 that have entered assessor expectations through the federal alignment effort.
CM.L2-3.4.1, which covers establishment and maintenance of baseline configurations, draws on inventory evidence. The configuration baseline must be specific enough that an assessor can compare a deployed system against it. For software systems, that specificity often comes from the SBOM, which is the most precise inventory available.
CM.L2-3.4.9 covers software installation policies. Defense contractors must control the installation of software, which means having a defensible answer to the question of what software is permitted, how that determination is made, and how unauthorized software is detected. SBOMs and policy gates are the operational expression of this control.
SI.L2-3.14.1 covers identification, reporting, and correction of system flaws. Vulnerabilities in third-party components are flaws under this practice, and the evidence of identification, reporting, and correction has to be produced for the population of flaws that affected the assessment scope.
SI.L2-3.14.3 covers the monitoring of security alerts and advisories. The advisories include those from upstream component sources, and the evidence has to show that the contractor's response to relevant advisories was timely.
The tip of the SR iceberg
Beyond the explicitly mapped Level 2 practices, the SP 800-161 supply chain controls increasingly influence assessor expectations. The cleanest way to handle this is to treat the SR controls as a parallel evidence track, with artifacts that align to both Level 2 practices and the SR family. The investment compounds for organizations that will eventually pursue Level 3 or that operate under FedRAMP and DoD JAB programs.
SR-3 on supply chain risk management policy and procedures is satisfied by the written program, the cadence records, and the management of exceptions. SR-4 on provenance is satisfied by the build attestations and the verifications performed before components enter the boundary. SR-5 on acquisition strategies is satisfied by the policy gates that govern component selection. SR-6 on supplier assessments is satisfied by the supplier risk records.
The shape of the evidence pack
A Level 2 supply chain evidence pack typically follows the structure the assessor uses to walk through the practices. For each practice in scope, the pack identifies the practice, the implementation, the evidence, and the population the evidence covers.
For CM.L2-3.4.1, the evidence is the SBOM history, the configuration baseline that draws on it, and the records of baseline reviews. The assessor will sample releases and ask for the SBOM, the baseline, and the comparison.
For CM.L2-3.4.9, the evidence is the policy that governs software installation, the gates that enforce the policy, and the logs that record each evaluation. The assessor will sample evaluations and ask for the inputs, the policy, and the outcome.
For SI.L2-3.14.1, the evidence is the vulnerability finding flow, the triage records, and the remediation timelines. The assessor will sample findings and ask for the source, the assessment, the action taken, and the timing.
For SI.L2-3.14.3, the evidence is the advisory monitoring records and the response timelines for advisories that affected the scope. The assessor will sample advisories and ask for the awareness time, the assessment, and the action.
How Safeguard supports the assessment
Safeguard captures the supply chain artifacts at the points where they are produced and retains them in a form designed for assessment use. SBOMs are generated on every build and stored against the release, with content hashes, timestamps, and links to the source code that produced them. Configuration baselines drawn from SBOMs are versioned and reviewable.
Policy gates enforce the software installation controls. When a build attempts to introduce a component that does not meet the installation policy, the gate blocks the build and logs the evaluation. When an exception is granted, the exception is recorded with the user, the rationale, and the expiration. The aggregate of these records demonstrates that the control operated, not just that it was defined.
Vulnerability findings are recorded against the SBOMs that contained them, with severity, exploitability, and the affected components. Triage decisions are logged with the rationale, the user, and the linked artifacts. Remediation timelines are captured, and the policy windows for action are enforced through the gates.
For advisory monitoring, Safeguard's continuous scanning treats new advisories as inputs and produces findings against the relevant SBOMs as soon as the advisories are correlated. The awareness time is captured, the response is logged, and the assessor can sample the population on demand.
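The policy gate and exception records described above, as an added illustration that is not Safeguard's code or the page's own: a hypothetical Python gate that evaluates a constructed CycloneDX-style component list against an installation policy, honours reviewer exceptions only until they expire, and emits one evidence record carrying the input hashes, the policy hash, the per-component findings and the outcome (the CM.L2-3.4.9 "inputs, policy, outcome" triple an assessor samples). Package URLs, the policy shape and the exception schema are assumptions.

```python
import hashlib
import json
from datetime import datetime

# Constructed inputs (not from the page): a minimal CycloneDX-style component
# list, an installation policy, and a reviewer-granted exception with expiry.
SBOM = {"components": [
    {"purl": "pkg:pypi/requests@2.31.0"},
    {"purl": "pkg:pypi/unvetted-lib@0.1"},
]}
POLICY = {"allowed_types": ["pkg:pypi", "pkg:npm"],
          "denied": ["pkg:pypi/unvetted-lib"]}
EXCEPTIONS = [{"purl": "pkg:pypi/unvetted-lib", "user": "appsec-reviewer",
               "rationale": "vendor fix pending", "expires": "2031-01-01T00:00:00+00:00"}]

def content_hash(obj):
    # Canonical SHA-256 so the record can be tied to exactly these inputs.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def versionless(purl):
    return purl.rsplit("@", 1)[0]  # pkg:npm/@scope/name@1.0 -> pkg:npm/@scope/name

def active_exception(purl, exceptions, now):
    # An exception only counts while it is unexpired; expired ones fall back to a block.
    for e in exceptions:
        if e["purl"] == versionless(purl) and datetime.fromisoformat(e["expires"]) > now:
            return e
    return None

def evaluate(sbom, policy, exceptions, now_iso):
    # Return one evidence record: inputs (by hash), policy (by hash), findings, outcome.
    now = datetime.fromisoformat(now_iso)
    record = {"evaluated_at": now_iso, "sbom_sha256": content_hash(sbom),
              "policy_sha256": content_hash(policy), "findings": [], "outcome": "pass"}
    for comp in sbom["components"]:
        purl = comp["purl"]
        reason = None
        if purl.split("/", 1)[0] not in policy["allowed_types"]:
            reason = "package type not permitted"
        elif versionless(purl) in policy["denied"]:
            reason = "component denied by policy"
        if reason is None:
            continue
        exc = active_exception(purl, exceptions, now)
        record["findings"].append({"purl": purl, "reason": reason,
                                   "exception": exc["user"] if exc else None})
        if exc is None:
            record["outcome"] = "block"  # gate fails the build; the record is still retained
    return record
```

Every evaluation, blocked or not, produces a record, which is what lets the aggregate show the control operated rather than merely existed.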
The shared responsibility question
Many defense contractors operate in environments that include cloud services, managed databases, and other external dependencies. The shared responsibility between the contractor and the service provider has to be clear in the evidence pack, because the assessor will ask which controls the contractor implements and which the provider implements on their behalf.
For supply chain evidence specifically, the contractor remains responsible for the components introduced by the contractor's own software. Where the cloud service provider contributes components or services, the contractor's evidence pack should describe the boundary and reference the provider's attestations or shared responsibility documentation.
Safeguard's project and product structure can model the boundary by separating contractor-managed components from provider-managed services, with clear delineation in the reporting. The assessor sees a coherent picture of what the contractor controls and what the contractor inherits.
The Level 3 horizon
Level 3 assessments add NIST SP 800-172 enhanced security requirements, with stronger expectations for advanced persistent threat detection and supply chain monitoring. Contractors planning to pursue Level 3, or already operating in environments where Level 3 expectations are emerging informally, should treat the Level 2 evidence pack as a foundation rather than a destination.
The continuous evidence pattern that satisfies Level 2 also supports the additional rigor Level 3 implies. The richer the artifact base, the smaller the gap between Level 2 and Level 3 evidence requirements, and the cleaner the eventual transition.
Documentation and the assessment cadence
CMMC assessments operate on a triennial cadence, with annual self-affirmation in between. The evidence base needs to remain current across that period, and the artifacts have to be retrievable for the full assessment window.
Continuous evidence generation handles the cadence question by ensuring artifacts are produced on every release rather than at assessment time. The triennial assessment becomes a sampling exercise across an existing population, rather than a reconstruction project.
For contractors that have lived through assessment windows where the documentation was assembled in the weeks before the assessor arrived, the difference is significant. The evidence is no longer something the team produces for the assessor. It is something the team produces for itself, and the assessor benefits from the same records.
The bottom line
CMMC Level 2 is increasingly the floor for participation in the defense industrial base. The supply chain dimension of the assessment is one of the more demanding parts, because it requires the contractor's program to extend beyond its own perimeter. Building the evidence pack on continuous, structured, durable artifacts is the most reliable path through the assessment, and it is the foundation for whatever the contractor's compliance trajectory looks like next.