CMMC 2.0 Compliance: Document Management Requirements for Defense Contractors in 2026 | Arhivix

Introduction: CMMC 2.0 Is No Longer Optional

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has moved from a theoretical requirement to an active enforcement reality for defense contractors across the United States. With Phase 2 enforcement set to begin in November 2026, every company in the Defense Industrial Base (DIB) that handles Controlled Unclassified Information (CUI) must demonstrate compliance or risk losing access to Department of Defense (DoD) contracts worth billions of dollars annually.

CMMC 2.0 streamlined the original five-level model into three tiers, but the documentation and evidence requirements remain rigorous. At Level 2, which applies to the majority of contractors handling CUI, organizations must implement and document the 110 security requirements of NIST SP 800-171 Revision 2. Every requirement needs verifiable evidence, and the CMMC rule obliges the assessed organization to retain the artifacts used as assessment evidence, organized and audit-ready, for six years after the assessment.

Phase 2 Enforcement Timeline and C3PAO Assessments

DoD's final CMMC acquisition rule phases the requirement into contracts. Under Phase 2, starting November 2026, CMMC Level 2 certification based on a C3PAO assessment (rather than the Level 2 self-assessment accepted during Phase 1) will appear as a requirement in applicable new DoD solicitations and contracts. Companies that cannot present a valid certification will be ineligible to bid on, or be awarded, work involving CUI under those solicitations.

The assessment process is conducted by Certified Third-Party Assessment Organizations (C3PAOs), which are accredited by the CMMC Accreditation Body (the Cyber AB). Here is the critical bottleneck: current wait times for a C3PAO assessment are stretching to 18 months. The number of accredited C3PAOs remains limited relative to the roughly 80,000 companies in the DIB supply chain, creating a significant backlog.

Key milestones contractors must plan for include:

  • Immediate: Complete a gap assessment against NIST SP 800-171 controls
  • Q2 2026: Finalize remediation of all identified gaps and document evidence
  • Q3 2026: Schedule and prepare for C3PAO assessment (if not already scheduled)
  • November 2026: Phase 2 enforcement begins appearing in contracts

Organizations that have not yet scheduled their assessment should treat this as an urgent priority. The 18-month wait time means that companies scheduling today may not receive their assessment until late 2027, potentially missing contract opportunities.

Document Management Requirements Under CMMC Level 2

CMMC Level 2 requires compliance with all 110 controls in NIST SP 800-171 Revision 2. A significant portion of these controls relate directly to document management, information handling, and records retention. The following control families are particularly relevant:

  • Access Control (AC): Access to documents containing CUI must be limited to authorized users, processes, and devices on a least-privilege basis (3.1.1, 3.1.5), enforced by the system rather than by convention; role-based access control is the usual way to implement this, and the resulting access decisions must be auditable
  • Audit and Accountability (AU): Organizations must create, protect, and retain system audit logs to the extent needed to support monitoring, investigation, and reporting (3.3.1), and must be able to trace any action to a specific user (3.3.2). SP 800-171 does not fix a log retention period; the six-year figure applies to assessment evidence under the CMMC rule, so each organization sets, documents, and consistently follows its own log retention period
  • Configuration Management (CM): All system configurations must be documented, baselined, and change-tracked, with unnecessary functionality removed
  • Media Protection (MP): CUI on digital media being transported must be protected cryptographically unless alternative physical safeguards apply (3.8.6), CUI in transit must be protected cryptographically (3.13.8, in the System and Communications Protection family), and any cryptography used to protect CUI must be FIPS-validated (3.13.11); media must be sanitized or destroyed before disposal or reuse (3.8.3), following documented procedures
  • System and Information Integrity (SI): Organizations must monitor, identify, and document security flaws and take corrective action

The six-year retention of assessment evidence is particularly demanding. Assessors will look for a document management system that maintains the integrity, confidentiality, and availability of all compliance evidence throughout this retention period. Paper-based or ad-hoc filing systems make it hard to prove that the record is complete and unaltered over that span.

Building a Compliant Evidence Repository

C3PAO assessors evaluate not just whether controls are implemented but whether there is sufficient evidence to prove consistent implementation over time. This means organizations need a systematic approach to collecting, organizing, and preserving compliance artifacts.

A compliant evidence repository should include:

  • System Security Plans (SSP): A comprehensive document describing the security environment, including system boundaries, interconnections, and control implementations
  • Plans of Action and Milestones (POA&M): Documented plans for addressing any gaps, with specific timelines and responsible parties
  • Policy documents: Written policies for each of the 14 control families, reviewed and updated on a documented schedule (annual review is the common practice)
  • Training records: Evidence that all personnel with CUI access have completed required security awareness training
  • Incident response records: Documentation of any security incidents, investigations, and corrective actions taken
  • Audit logs: Preserved system logs demonstrating ongoing monitoring and access control enforcement

Each artifact must be version-controlled, timestamped, and stored in a manner that prevents unauthorized modification. Assessors will specifically check for evidence of tampering or gaps in the record. Organizations should implement immutable storage for critical compliance documents to ensure audit integrity.
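To make "tamper-evident" and "gaps in the record" concrete, here is an added example (not Arhivix code and not part of the original article) of a hash-chained evidence manifest with a verifier that reports a silently edited artifact, a modified entry, a missing artifact, and a deleted entry. The manifest layout is a hypothetical one chosen for illustration, and the file names, actors, timestamps, and artifact contents are constructed samples containing no real CUI.

```python
"""Tamper-evident manifest for a CMMC evidence repository (added example).

Hypothetical layout: every retained artifact (SSP, POA&M, policy, exported
audit log) gets a manifest entry that commits to the artifact's SHA-256, the
actor, a timestamp and the previous entry's hash.  Re-verifying the chain
reveals an edited artifact, a modified entry, a missing artifact, or a
deleted entry.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is independent
    # of key order; the entry's own hash field is excluded from the input.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(encoded)


def append_entry(manifest: list, artifact_id: str, content: bytes,
                 actor: str, timestamp: str) -> dict:
    """Record an artifact; the entry chains to the previous entry's hash."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    entry = {
        "seq": len(manifest),
        "artifact_id": artifact_id,
        "artifact_sha256": sha256_hex(content),
        "actor": actor,
        "timestamp": timestamp,  # from a trusted clock in a real system
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, store: dict) -> list:
    """Return findings; an empty list means chain and artifacts are intact."""
    findings = []
    prev = GENESIS
    for position, entry in enumerate(manifest):
        seq = entry["seq"]
        if seq != position:
            findings.append(f"gap or reorder: expected seq {position}, found {seq}")
        if entry["prev_hash"] != prev:
            findings.append(f"chain break at seq {seq}")
        if entry_hash(entry) != entry["entry_hash"]:
            findings.append(f"entry {seq} modified after being recorded")
        content = store.get(entry["artifact_id"])
        if content is None:
            findings.append(f"artifact {entry['artifact_id']} missing from store")
        elif sha256_hex(content) != entry["artifact_sha256"]:
            findings.append(f"artifact {entry['artifact_id']} differs from recorded hash")
        prev = entry["entry_hash"]
    return findings


def build_demo():
    """Constructed sample repository: three artifacts, no real CUI."""
    store = {
        "SSP-2026-v3.pdf": b"System Security Plan v3 (constructed sample)",
        "POAM-2026-Q1.xlsx": b"POA&M Q1 2026 (constructed sample)",
        "audit-2026-01.log": b"2026-01-03T10:00:00Z user=j.doe action=download "
                             b"file=SSP-2026-v3.pdf\n",
    }
    manifest = []
    append_entry(manifest, "SSP-2026-v3.pdf", store["SSP-2026-v3.pdf"],
                 "ciso", "2026-01-05T14:02:00Z")
    append_entry(manifest, "POAM-2026-Q1.xlsx", store["POAM-2026-Q1.xlsx"],
                 "compliance-lead", "2026-01-12T09:30:00Z")
    append_entry(manifest, "audit-2026-01.log", store["audit-2026-01.log"],
                 "log-export-job", "2026-02-01T00:05:00Z")
    return manifest, store


def demo_findings():
    """Verify a clean repository, then two tampering scenarios."""
    manifest, store = build_demo()
    clean = verify_manifest(manifest, store)

    # Scenario 1: the SSP is edited in place with no new manifest entry.
    edited_store = dict(store)
    edited_store["SSP-2026-v3.pdf"] = b"System Security Plan v3 (silently edited)"
    edited = verify_manifest(manifest, edited_store)

    # Scenario 2: the POA&M entry is deleted from the middle of the manifest.
    gapped = manifest[:1] + manifest[2:]
    gap = verify_manifest(gapped, store)
    return clean, edited, gap


if __name__ == "__main__":
    labels = ("clean", "edited artifact", "deleted entry")
    for label, findings in zip(labels, demo_findings()):
        print(f"{label}: {findings or 'OK'}")
```

Run it directly to print the three verdicts. A chain like this is only tamper-evident if its head hash is kept somewhere the writer cannot rewrite, for example a write-once object (S3 Object Lock in compliance mode) or a signed record held by a separate party; otherwise anyone with write access to the manifest could simply rebuild the whole chain around the altered artifact.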

Common Pitfalls That Lead to Assessment Failure

Based on early assessment results and feedback from C3PAOs, several common failure patterns have emerged among defense contractors attempting CMMC Level 2 certification:

  • Incomplete documentation: Having the technical controls in place but lacking the written policies, procedures, and evidence to prove it
  • Inconsistent retention: Audit logs or compliance records with gaps, suggesting that retention practices are not consistently followed
  • Shared credentials: Using shared accounts or credentials that make it impossible to trace actions to individual users
  • Unencrypted or non-validated CUI encryption: Storing or transmitting CUI with cryptography that is not FIPS-validated (FIPS 140-2 or 140-3 module validation, as 3.13.11 requires); a strong algorithm such as AES-256 on its own does not satisfy the requirement if the module implementing it is not validated
  • Lack of access reviews: No evidence of periodic reviews of who has access to CUI and whether that access is still appropriate

The documentation burden is often underestimated. Organizations should allocate dedicated resources to compliance documentation management rather than treating it as a secondary responsibility of IT staff.

How Arhivix Helps

Arhivix provides a document management platform purpose-built for regulatory compliance environments like CMMC 2.0. All documents stored in Arhivix are protected with AES-256 encryption both at rest and in transit. Because SP 800-171 (3.13.11) requires FIPS-validated cryptographic modules rather than just a strong algorithm, contractors should record in their SSP which validated modules their deployment relies on, since that is what C3PAO assessors verify. Storage is built on AWS S3 infrastructure, delivering the durability and availability that defense contractors need for their six-year retention obligations.

Every document action in Arhivix generates a comprehensive audit trail, recording who accessed, modified, or downloaded each file, with timestamps and user identification. This audit trail is immutable and tamper-evident, providing the exact type of evidence that C3PAO assessors look for during CMMC Level 2 evaluations. Role-based access controls, automated retention policies, and version control are built in, helping organizations maintain continuous compliance rather than scrambling before an assessment.