CMMC Phase 2, explained: Requirements, deadlines, and who’s affected
New GSA contracts now require NIST SP 800-171 controls with no phase-in period
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Phase 2 is approaching quickly. By November 10, 2026, companies pursuing certain Department of Defense contracts will need to pass a third-party audit and achieve CMMC Level 2 certification as a condition of contract award.
Who needs to pay attention?
CMMC applies broadly across the defense supply chain. Any organization that handles Controlled Unclassified Information or supports DoD contracts is in scope. This includes defense contractors, software vendors, and companies entering the federal market for the first time.
The GSA requirement extends this further. Organizations working on civilian agency contracts involving CUI are now required to meet the same NIST 800-171 baseline.
For companies with a mixed federal portfolio, the distinction between DoD and non-DoD compliance is disappearing. The CMMC baseline is becoming the standard for both.
What CMMC Level 2 actually requires
CMMC Level 2 is built on NIST SP 800-171. The goal is to ensure that systems handling CUI are secure, continuously monitored, and auditable.
At a practical level, organizations must implement controls such as:
Multi-factor authentication for users
Encryption of CUI in transit and at rest
Continuous vulnerability scanning and remediation
Removal of unsupported or end-of-life systems
Independent assessments and documented evidence of compliance
These controls must be maintained over time and supported by documentation that withstands third-party review.
Why organizations struggle to meet these controls
When operationalizing the CMMC checklist, two areas create the most friction:
FIPS-validated cryptography: Validated cryptographic modules are required across every system that handles sensitive data. This is not a one-time configuration. Every component and every update must continue to use validated modules, and organizations must be able to prove it during an audit.
Vulnerability management: Modern software development environments change constantly, which means every image, dependency, and runtime component must be continuously scanned and remediated so that known CVEs are found and fixed.
Both of these requirements generate significant audit overhead. Organizations must produce SBOMs, STIG scan reports, FIPS CMVP certificates, and system security documentation before an assessor ever begins their review.
For teams building this internally, the effort is often greater than expected and competes directly with product development priorities.
Organizations must certify for covered contracts
The DoD timeline is fixed. Phase 2 enforcement begins November 10, 2026, and organizations without certification will not be eligible for covered contracts.
Preparation for a C3PAO assessment takes time. Engineering work, documentation, and audit readiness all need to be completed well in advance. Delays increase the risk of missing the certification window.
Complicating matters further, the GSA requirements are already in effect for new contracts. There is no transition period. Organizations that have not implemented NIST 800-171 controls may already be out of compliance.
Taken together, these timelines create immediate pressure rather than a distant deadline.
How Chainguard helps: FIPS validation, STIGs, zero CVEs
Chainguard focuses on the most complex parts of CMMC Level 2 and NIST 800-171 implementation.
Chainguard Containers is built with:
FIPS 140-2 and 140-3 validated cryptography
STIG-aligned base configurations
Zero known critical vulnerabilities
The containers also ship with the documentation required for audits, including SBOMs, STIG scan reports, and FIPS CMVP certificates.
This reduces the amount of engineering work required to achieve compliance and shortens the path to audit readiness. Teams can focus on integrating compliant components rather than building and maintaining them from scratch.
Treating compliance as an ongoing capability is key
CMMC Phase 2 changes compliance from a self-attestation exercise into a verified requirement tied directly to contract eligibility. At the same time, NIST 800-171 is already being enforced across new GSA contracts. The same controls now apply across much of the federal landscape.
Organizations that treat compliance as an ongoing capability will be better positioned to meet both requirements. Those who delay may find the preparation timeline is shorter than expected.
Learn more about how Chainguard can help you achieve CMMC compliance.