The CMMC Phase 2 milestone — widely targeted for late 2026 — is approaching fast. Under the final CMMC 2.0rule (32 CFR Part 170, effective December 16, 2024) and the related DFARS acquisition rule amending DFARS 252.204-7021, DoD will require third-party assessment organization (C3PAO) certification for contracts involving Controlled Unclassified Information (CUI) once Phase 2 of the phased rollout takes effect — approximately one year after the DFARS rule’s effective date, currently estimated for late 2026. If your organization handles CUI and competes for DoD work, the clock is running — and most 200–800 FTE defense contractors are materially behind on the controls that matter most: those governing AI systems.
CISOs and Chief Compliance Officers at defense contractors face a specific problem: AI systems create compliance exposure that traditional CMMC readiness programs were never designed to catch. What follows covers what Phase 2 requires, where AI systems generate distinct gaps, and how to sequence remediation before a C3PAO walks through the door.
What the CMMC Phase 2 Milestone Actually Requires
Phase 2 of CMMC 2.0 implementation covers Level 2 — the tier that maps directly to the 110 security practices in NIST SP 800-171 Rev. 2. Every contractor that stores, processes, or transmits CUI must achieve Level 2 certification to remain eligible for covered DoD contracts under the phased rollout schedule DoD published in 32 CFR Part 170.
What changed from the interim rule: self-attestation is no longer sufficient for most Level 2 contracts. DoD’s final rule requires a C3PAO assessment for contracts where CUI is involved in critical programs. The assessment produces a score against all 110 practices, and any practice scored as “not implemented” generates a Plan of Action and Milestones (POA&M) that must be resolved within 180 days of contract award — not before award.
That POA&M window sounds forgiving. It is not. Primes are already flowing down certification requirements to subcontractors via contract clauses, and many are requiring evidence of assessment readiness before they will include a sub on a bid. The practical readiness date for most contractors is 6–9 months earlier than the Phase 2 effective date.
The scope question that trips up most contractors: CMMC Level 2 AI compliance 2026 obligations apply to any system that touches CUI — including AI systems used for contract deliverable generation, logistics optimization, or engineering analysis. If the model ingests or outputs CUI, it is in scope.
How AI Systems Are Evaluated Under CMMC Level 2
Traditional CMMC Level 2 assessments focus on access control, configuration management, audit logging, incident response, and system and communications protection. AI systems introduce three control domains that assessors are increasingly scrutinizing beyond the standard checklist.
Access control for model endpoints. Practice 3.1.1 and 3.1.2 require that system access is limited to authorized users and that transactions are controlled by authorized users. For AI systems, this extends to API endpoints, inference interfaces, and any retrieval-augmented generation (RAG) pipeline that can surface CUI. Assessors are asking for documented access control lists specific to model endpoints — not just the underlying infrastructure.
Audit logging for AI-generated outputs. Practice 3.3.1 requires that user activity and system events are logged. For AI systems, “user activity” includes prompts submitted to a model and outputs returned. If your logging architecture captures infrastructure events but not model-layer interactions, you have a gap that will surface in assessment.
Model integrity and supply chain risk. Practice 3.14.1 (identify and correct information system flaws) and the broader supply chain risk management practices under CA and RA families apply to model weights, fine-tuning datasets, and third-party model providers. If you are using a commercial foundation model via API and that provider is not documented in your System Security Plan (SSP) as a third-party component, assessors will flag it.
Benchmarking your AI control posture against a CMMC AI compliance benchmark before assessment is not optional at this stage — it is the only way to know whether your SSP accurately reflects your actual control implementation.
Readiness Assessment: Where Most Contractors Fall Short
Pre-assessment reviews conducted across mid-market defense contractors consistently surface the same categories of failure. Understanding these gaps is the starting point for any credible CMMC AI readiness assessment.
SSP coverage of AI systems is incomplete. The SSP is the foundational document for a C3PAO assessment. Most contractors have SSPs that describe traditional IT infrastructure in reasonable detail but treat AI systems as a footnote or omit them entirely. Assessors will ask for the system boundary, data flows, and control implementation statements for every system in scope. If your AI tools are not documented, they are not compliant — regardless of the underlying controls.
No documented AI governance policy. CMMC Level 2 requires policies for each practice family. Many contractors have acceptable use policies that predate their AI deployments and have never been updated. A policy that does not address AI system use, model selection criteria, output review requirements, or CUI handling in AI contexts will not satisfy assessors reviewing the CA and PL practice families.
Logging gaps at the model layer. Infrastructure logging is typically in place. Model-layer logging — capturing what was submitted to an AI system and what was returned — is almost universally absent in first-pass assessments. This is a direct gap against 3.3.1 and 3.3.5.
Third-party model providers not in the SSP. If your team uses Microsoft Copilot, AWS Bedrock, or any other managed AI service in a context where CUI could be present, that provider must appear in your SSP as an external system or service. Most contractors have not done this mapping.
No evidence of periodic AI governance review. AI governance best practices defense-sector assessors look for include documented periodic reviews of AI system configurations, access rights, and output quality. The absence of any review cadence — even informal — signals to assessors that controls are not operationally maintained.
A Phased Remediation Roadmap to CMMC Phase 2 Readiness
Given the practical timeline — C3PAO scheduling backlogs are running 4–6 months — contractors who have not started remediation need to move now. Assign a program manager to own the sequence below, with CISO and CCO accountability at each gate.
Phase 1: Governance foundation (Months 1–2)
Update your AI governance policy to address CUI handling, model selection, output review, and incident reporting for AI-specific events. Assign ownership of AI system compliance to a named individual — not a team. Document your position against the AI governance maturity model defense-sector assessors use: defined policies, assigned roles, and a review cadence.
Conduct an inventory of every AI system, tool, and API integration that could touch CUI. This inventory becomes the input to SSP updates.
Phase 2: SSP and control documentation (Months 2–4)
Update the SSP to include all AI systems identified in Phase 1. For each system, document the system boundary, data flows, access control implementation, logging configuration, and third-party dependencies. Write control implementation statements that are specific — “we use Azure AD with MFA” is not sufficient; the statement must describe how the control is implemented for the specific AI system.
Implement model-layer logging where it is absent. This is typically a configuration change in the AI platform or a middleware logging layer, not a multi-month infrastructure project.
Phase 3: Evidence collection and pre-assessment (Months 4–6)
Compile the evidence package: policies, SSP, access control logs, model-layer logs, third-party agreements, and records of periodic reviews. Conduct an internal CMMC AI compliance audit preparation review against all 110 practices, with specific attention to the AI-specific gaps identified in Phase 1. Engage a Registered Practitioner Organization (RPO) for a mock assessment before scheduling the C3PAO. The mock assessment will surface remaining gaps and give you a defensible POA&M if any practices remain partially implemented.
Phase 4: C3PAO assessment (Months 6–9 before deadline)
Schedule the C3PAO assessment no later than Q1 2026 to allow time for any POA&M remediation before the Phase 2 milestone. Assessment scheduling is competitive — do not wait until summer 2026.
AI governance best practices defense contractors should operationalize include quarterly access reviews for AI system endpoints, annual policy reviews tied to the AI system inventory, and a documented change management process for model updates or new AI tool adoption.
Before the Implementing Rules Land
The remediation roadmap above requires tooling and partner decisions that most contractors have not made. Selecting the wrong platform or the wrong RPO at this stage creates rework.
For partners, the distinction between an RPO and a C3PAO matters for sequencing. RPOs can help with gap analysis, SSP development, and mock assessments — they cannot issue the certification. C3PAOs issue the certification but are prohibited from providing consulting to organizations they assess. Engaging an RPO first, then a separate C3PAO, is the correct order. When evaluating either, ask specifically about their experience assessing AI systems under CMMC Level 2. Many RPOs have strong traditional IT assessment capability and limited AI-specific depth.
A CMMC AI readiness assessment from a qualified RPO should produce three deliverables: a scored gap analysis against all 110 practices with AI-specific annotations, a prioritized remediation list, and a draft POA&M. A CMMC AI compliance benchmark comparison — your control posture against assessed peers — is a reasonable additional deliverable to request. If the engagement does not include all three core outputs, the assessment is incomplete.
C3PAO capacity is finite and the Phase 2 milestone applies to every defense contractor handling CUI simultaneously. Contractors who begin their CMMC AI readiness assessment in Q3 or Q4 2025 will have time to remediate, run a mock assessment, and schedule a C3PAO without competing for the last available slots in 2026.