CMMC Level 2 Is Enforced. Here's What Your Code Has to Show.
CMMC 2.0 Level 2 enforcement is active for DoD contracts. Most compliance failures trace back to code, not policy. Here's the control mapping every developer on a defense program needs to understand.
Prepare your codebase for a CMMC Level 2 assessment
- Run the CMMC preset scan against your codebase. Use a scanner that ships an explicit CMMC 2.0 / NIST 800-171 Rev 2 preset. The scan should cover all 110 practices that translate to code, not only the OWASP Top 10 subset.
- Map every finding to its NIST 800-171 practice number. Each finding must reference the specific practice (for example, SI.L2-3.14.1 or AC.L2-3.1.3). 'CWE-89 is a CMMC issue' is not assessment-grade evidence; 'CWE-89 maps to SI.L2-3.14.2' is.
- Triage and remediate the AC, IA, SI, and CA findings first. These four control families are where C3PAOs spend the most assessment time. Closing them produces the highest assessment-readiness lift per developer-hour.
- Export SARIF with control metadata for the C3PAO package. Use a single command like `dsc scan --preset cmmc --export sarif --output cmmc-evidence.sarif`. The SARIF file becomes the appendix to your SSP for the technical-evaluation requirement.
- Keep all scans local so CUI never leaves the build environment. Run the scanner and any AI-assisted fix generation on-device. Any cloud-AI completion that includes CUI source code is a CUI handling violation, regardless of provider policy.
CMMC 2.0 Level 2 Is Live, And Your Code Is the Evidence
The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 is no longer aspirational. As of late 2025, contracts touching Controlled Unclassified Information (CUI) require certified compliance, and third-party assessors (C3PAOs) are conducting real assessments.
Most organizations focus on policy documentation and network controls. Assessors increasingly look at the artifact that's hardest to fake: the code itself.
What Level 2 Requires at the Code Level
CMMC Level 2 maps to all 110 practices in NIST SP 800-171 Rev 2. A subset of those practices translates directly to software vulnerabilities:
AC.L2-3.1.3: Control CUI Flow
CWE mapping: CWE-284 (Improper Access Control), CWE-200 (Exposure of Sensitive Information)
If your application logs, transmits, or stores CUI without encryption or access gating, this practice is unmet, regardless of what your SSP says. Assessors now ask for code evidence: show me the encryption call, show me the authorization check.
IA.L2-3.5.3: Multi-factor Authentication
CWE mapping: CWE-306 (Missing Authentication for Critical Function)
Authentication bypass vulnerabilities (CWE-306) are a direct AC/IA control failure. The check is not "do you have MFA enabled in your IdP". It is "does your code enforce authentication on every path that touches CUI."
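The kind of code-level check an assessor asks for, written here as an added example (not Deva's code and not from the original post): a guard that enforces authenticated, MFA-verified access inside each CUI handler, plus an audit that lists CUI routes with no such guard. The Request class, route registry and marker attribute are assumptions standing in for a real web framework.

```python
from functools import wraps

# Constructed stand-in for a framework request object (assumption for illustration).
class Request:
    def __init__(self, path, user=None, mfa_verified=False):
        self.path, self.user, self.mfa_verified = path, user, mfa_verified

class Unauthorized(Exception):
    pass

def require_authenticated(handler):
    """Enforce authentication and MFA (IA.L2-3.5.3) inside the handler, not only at the IdP."""
    @wraps(handler)
    def guarded(request):
        if request.user is None or not request.mfa_verified:
            raise Unauthorized(request.path)
        return handler(request)
    guarded.auth_enforced = True  # marker the audit below looks for
    return guarded

CUI_ROUTES = {}  # path -> handler; every handler registered here reads or writes CUI

def cui_route(path):
    def register(handler):
        CUI_ROUTES[path] = handler
        return handler
    return register

@cui_route("/cui/documents")
@require_authenticated
def list_documents(request):
    return ["controlled-doc-1.pdf"]  # constructed sample data

@cui_route("/cui/export")  # gap: no guard, i.e. a CWE-306 finding on a CUI path
def export_documents(request):
    return b"...CUI bytes..."

def unprotected_cui_routes():
    """Assessment evidence: every CUI path must carry the enforcement marker."""
    return sorted(p for p, h in CUI_ROUTES.items() if not getattr(h, "auth_enforced", False))

def attempt(handler, request):
    """Return True if the handler served the request, False if the guard refused it."""
    try:
        handler(request)
        return True
    except Unauthorized:
        return False
```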
SI.L2-3.14.1: Identify and Manage Information System Flaws
CWE mapping: CWE-1352 (OWASP Top 10 2021, Vulnerable and Outdated Components)
Supply chain vulnerabilities in your dependency tree count as unmanaged flaws. If you have a known-CVE package in production and no evidence of triage, that's a Level 2 gap.
CA.L2-3.12.1: Periodically Assess Security Controls
This is the audit evidence requirement. You need artifacts showing you scanned, found issues, and remediated them. A SARIF export from a code scan is exactly this artifact.
The Assessment Reality
C3PAO assessors have reported that most Level 2 failures are not policy failures. They're code and configuration failures that the policy claimed were handled. The gap between "we have a WAF" and "our input validation code is correct" is exactly what CMMC Level 2 tests.
How Deva Addresses This
Deva maps every finding to its CMMC control. Not the framework name, but the specific practice number. When a scan surfaces CWE-89 (SQL injection) in your codebase, Deva shows you: SI.L2-3.14.2 · CA.L2-3.12.3. When you remediate it, the fix is generated against the active CMMC preset so the remediation doesn't introduce a different control violation.
Export to SARIF, and you have audit-ready evidence showing detection, triage, and fix. Exactly the artifact assessors need.
dsc scan --preset cmmc --export sarif --output cmmc-evidence.sarif
The scan runs locally. No code leaves the machine. That matters for CUI.
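A check on the exported evidence, covering both the "map every finding to its practice number" step of the checklist above and the SARIF appendix for the C3PAO package; this is an added example, not Deva's or DevSecCode's code. It parses a constructed SARIF 2.1.0 fragment, flags results whose rule carries no valid NIST 800-171 practice ID, and counts findings per control family so the AC, IA, SI and CA backlog can be triaged first. The `cmmc` rule property and the sample rule IDs are assumptions, not the scanner's real output format.

```python
import json
import re
from collections import Counter

# Constructed SARIF fragment standing in for a `dsc scan --preset cmmc --export sarif` export.
# Rule/result shapes are assumptions for illustration only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "CWE-89", "properties": {"cmmc": ["SI.L2-3.14.2", "CA.L2-3.12.3"]}},
            {"id": "CWE-306", "properties": {"cmmc": ["IA.L2-3.5.3"]}},
            {"id": "CWE-200", "properties": {}},  # finding with no practice mapping
        ]}},
        "results": [
            {"ruleId": "CWE-89", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "CWE-306", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/api.py"}}}]},
            {"ruleId": "CWE-200", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"}}}]},
        ],
    }],
})

# The 14 NIST SP 800-171 Rev 2 control families, in the CMMC practice-ID form (e.g. SI.L2-3.14.1).
PRACTICE_RE = re.compile(r"^(AC|AT|AU|CM|IA|IR|MA|MP|PE|PS|RA|CA|SC|SI)\.L2-3\.\d{1,2}\.\d{1,2}$")
PRIORITY_FAMILIES = ("AC", "IA", "SI", "CA")  # families the article says to close first

def check_evidence(sarif_text):
    """Return unmapped findings plus per-family counts for a SARIF export."""
    doc = json.loads(sarif_text)
    unmapped, by_family = [], Counter()
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            practices = rules.get(res["ruleId"], {}).get("properties", {}).get("cmmc", [])
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            valid = [p for p in practices if PRACTICE_RE.match(p)]
            if not valid:  # 'CWE-200 is a CMMC issue' is not assessment-grade evidence
                unmapped.append((res["ruleId"], uri))
                continue
            for p in valid:
                by_family[p.split(".")[0]] += 1
    priority = {f: by_family[f] for f in PRIORITY_FAMILIES}
    return {"unmapped": unmapped, "by_family": dict(by_family), "priority": priority}
```

Run it over the real export before it goes into the SSP appendix; any entry in `unmapped` is a finding the package cannot yet tie to a practice.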
Matthew Conrad
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.