CMMC 2.0 in Action: Operationalizing Secure Software Practices Across the Defense Industrial Base
By Antoine Harden
For years, the DoD has lost sensitive Controlled Unclassified Information (CUI) through breaches in the Defense Industrial Base (DIB). Adversaries targeted smaller, less secure subcontractors to steal valuable intellectual property tied to weapons and technology. The Cybersecurity Maturity Model Certification (CMMC) was created to stop these leaks by enforcing a unified cybersecurity standard across the entire defense supply chain.
Enforcement for CMMC 2.0 is slated to begin on November 10, 2025, changing the conversation from "what if" to "what now." It should also serve as a reminder of the uncomfortable truth that adversaries don't work to our calendars. Software supply chains are being tested every day, and the DIB remains a sprawling, uneven landscape of practices, tooling, and readiness levels.
Awareness of CMMC is at an all-time high, but true operational readiness remains low. Many contractors have adopted a "wait and see" approach. According to CyberSheath's State of the DIB report, only about one percent of contractors are audit-ready, and a large portion still lacks basic controls such as vulnerability management, patch management, and multifactor authentication. The report's other figures are just as alarming: most organizations lack basic cyber hygiene measures, including vulnerability management (79%), patch management (78%), and MFA (73%), revealing a wide gap between awareness and action.
Awareness is not the problem. Operationalization is.
As much as this is a technical shift, CMMC 2.0 should also be met with a cultural adjustment. It asks organizations to make security evidence a daily byproduct of building software rather than a sprint to satisfy point-in-time audit requirements. In today's complex development environments, a checklist approach to compliance cannot reflect the reality of an organization's day-to-day operations. Worse, the gaps between audits, when diligence isn't top of mind, are exactly where adversaries thrive. Threats accumulate, and a foothold can be established to escalate privileges and exfiltrate data before the next audit-readiness fire drill begins. CMMC 2.0, especially at Levels 2 and 3, tries to close those gaps by making continuous assurance the norm.
What Operationalized CMMC Looks Like
An SBOM is often treated like a document you produce when asked. In practice, a static SBOM is outdated the moment a new dependency lands in the repo. Instead, organizations need to think of SBOMs as living, dynamic evidence of their software supply chain's integrity. They provide a precise, current inventory, and they let you query exposure in minutes when a new zero-day emerges.
Next, consider secure dependency management. Most modern software is assembled from open source and third-party components. That reality is not going to change. What can change is how rigorously those components are evaluated and controlled before they enter the pipeline. Policy-driven governance, enforced at the point of consumption, blocks known-vulnerable or unapproved packages, prevents license issues from landing in production, and ensures that only components that meet organizational policy are admitted. The practice demonstrates proactive compliance with system integrity and flaw remediation expectations under NIST SP 800-171, which underpins CMMC Level 2.
DevSecOps tooling should create verifiable evidence as a side effect of normal work. When CI/CD runs scans, those results should be captured centrally. When a policy blocks a component, that event should be logged in a way that ties to the build and the person who made the change. When a developer upgrades a library, the system should record the new version, the reason for the change, and the approvals involved. If you approach the next assessment by pulling reports rather than pulling engineers out of sprints, you've operationalized CMMC.
The Federal Shift Toward Secure, Transparent Software Development
This push isn't happening in isolation. The federal ecosystem is aligning around common expectations for how software is built and maintained. NIST SP 800-218, the Secure Software Development Framework, provides a practical roadmap for teams that want to embed security into design, coding, and release practices. The Software Fast Track (SWFT) Initiative points toward acquisition pathways that require supply-chain transparency, including complete SBOMs, traceable components, and continuous monitoring. Contractors that adopt SSDF practices and build toward SWFT expectations aren't just checking a CMMC box. If contractors wait to start compliance until a solicitation requires CMMC, it'll be too late to get certified. Adversaries aren't waiting either. Every day of delay leaves companies exposed to active threats.
From Manual to Machine-Speed Assurance
Manual evidence gathering simply cannot scale due to the complexity and constant change inherent in modern software development. A single application may include hundreds of open source components, each with new versions and vulnerabilities emerging daily. Tracking these manually is challenging for one application and virtually impossible across dozens of projects within a multi-tiered supply chain. The process is too slow, error-prone, and expensive to sustain.
In contrast, machine-speed assurance enables real-time compliance validation directly within the CI/CD pipeline. When a developer commits code, the pipeline automatically scans the code and its dependencies for vulnerabilities, checks them against predefined security policies, and generates an updated SBOM. If all checks pass, the build continues; if not, it fails and the developer is immediately alerted. This fully automated process happens in minutes, producing a complete, auditable record of every action, delivering continuous validation at machine speed.
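The pipeline gate described above, and the "living SBOM" and policy-at-the-point-of-consumption practices from the earlier section, can be shown in one small program. The following is an added example written for this article, not code from the original page or from Sonatype's products: it parses a CycloneDX-shaped SBOM, enforces a dependency policy (blocked packages, license allowlist, known-vulnerable versions from an advisory feed), answers the "are we exposed to this new advisory?" question, and emits an audit evidence record tied to the build id and committer. The SBOM contents, package names, advisory id `ADV-CONSTRUCTED-001`, and the policy and advisory-feed formats are all constructed assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample SBOM in CycloneDX 1.5 JSON shape; package names are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "yamlparse-demo", "version": "1.2.0",
         "purl": "pkg:pypi/yamlparse-demo@1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.0.3",
         "purl": "pkg:pypi/leftpad-clone@0.0.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "unapproved-telemetry", "version": "4.0.0",
         "purl": "pkg:pypi/unapproved-telemetry@4.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed (assumed shape): a version is affected if it is below fixed_in.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "package": "yamlparse-demo", "fixed_in": "1.3.0"},
]

# Organizational policy (assumed format): license allowlist plus blocked packages.
POLICY = {
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "blocked_packages": {"unapproved-telemetry"},
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    license: str


def parse_sbom(text):
    """Extract the fields the gate needs from a CycloneDX JSON document."""
    doc = json.loads(text)
    out = []
    for c in doc.get("components", []):
        ids = [entry["license"].get("id", "UNKNOWN")
               for entry in c.get("licenses", []) if "license" in entry]
        out.append(Component(c["name"], c["version"], c.get("purl", ""),
                             ids[0] if ids else "UNKNOWN"))
    return out


def parse_version(v):
    """Dotted numeric versions only; enough for the sample, not a full PEP 440 parser."""
    return tuple(int(p) for p in v.split("."))


def exposed_to(components, advisory):
    """Answer 'which shipped components are affected by this advisory?' from the SBOM."""
    return [c for c in components
            if c.name == advisory["package"]
            and parse_version(c.version) < parse_version(advisory["fixed_in"])]


def evaluate(components, policy, advisories):
    """Apply policy at the point of consumption; return one finding per violation."""
    findings = []
    for c in components:
        if c.name in policy["blocked_packages"]:
            findings.append({"purl": c.purl, "rule": "blocked-package", "detail": c.name})
        if c.license not in policy["allowed_licenses"]:
            findings.append({"purl": c.purl, "rule": "license-not-allowed", "detail": c.license})
    for adv in advisories:
        for c in exposed_to(components, adv):
            findings.append({"purl": c.purl, "rule": "known-vulnerable", "detail": adv["id"]})
    return findings


def gate(sbom_text, build_id, committer, policy=POLICY, advisories=ADVISORIES):
    """Run the gate and return the audit evidence record for this build."""
    components = parse_sbom(sbom_text)
    findings = evaluate(components, policy, advisories)
    return {
        "build_id": build_id,
        "committer": committer,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        # Digest of the exact SBOM that was evaluated, so the record is tamper-evident.
        "sbom_sha256": hashlib.sha256(sbom_text.encode()).hexdigest(),
        "component_count": len(components),
        "findings": findings,
        "decision": "FAIL" if findings else "PASS",
    }


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_SBOM, build_id="ci-1042", committer="dev@example.com"), indent=2))
```

On the sample SBOM the gate fails the build with three findings (a blocked package, a disallowed license, and a component below the advisory's fixed version), and the returned record is what a CI job would persist centrally as assessment evidence. When a new advisory arrives, `exposed_to` is run against the stored SBOM of each release rather than against a rescan of the source tree, which is the "query exposure in minutes" property the article asks for.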
Understanding the CMMC Level 2 "Modified COTS" Scenario
Many suppliers struggle to determine when their commercial product or service becomes subject to a CMMC Level 2 assessment. The following example clarifies this transition.
Scenario: From Commercial Drone to DoD Asset
A U.S. company builds a successful agricultural drone. The DoD decides the drone, with certain modifications, could support Intelligence, Surveillance, and Reconnaissance (ISR) missions.
The company receives a contract to create a DoD-specific version by:
- Adding a high-resolution sensor package
- Developing custom software to manage ISR data securely
- Modifying the airframe to fit new hardware
This places the company among the approximately 35% of DIB suppliers that are likely to require CMMC Level 2 certification.
Why Level 2 Applies
The company is no longer selling a purely commercial product (CMMC Level 1). By customizing it for the DoD, it now creates and handles Controlled Unclassified Information (CUI), such as:
- Controlled Technical Information: Updated schematics, blueprints, and 3D models
- Software Source Code: Custom ISR mission code
- Performance and Test Data: Flight test results, range, and sensor data
- DoD-Specific Manuals: Operation and maintenance guides
Because employees now create, access, and store this CUI, the company must comply with the 110 security controls in NIST SP 800-171, the foundation of CMMC Level 2.
CMMC 2.0 Is an Opportunity to Turn Compliance Into a Competitive Advantage
As November 10 approaches, the winners in the DIB will be those who make compliance a byproduct of good engineering and demonstrate readiness without slowing down delivery. They will navigate new mandates with less disruption, because their factories already emit the data those mandates require. And they will be better partners in both routine operations and crisis response.
This article was originally published in Government Technology Insider on November 4th.
Antoine Harden brings 25 years of public-sector technology leadership spanning Oracle, CA Technologies, Google, Elastic, and startups like Imperva and Exabeam, to his current role leading Sonatype's federal efforts. He combines strategic insight into federal procurement and mission requirements ...