CMMC 2.0: what defense contractors ask SaaS vendors

Defense contractors assess their supply chain under CMMC 2.0. This guide covers what SaaS vendors can expect when a CMMC security questionnaire arrives.
Author: Garrett Close
Date: May 22, 2026
Reading time: 9 min read

TL;DR

  • CMMC 2.0 requires defense contractors to assess every vendor that touches Controlled Unclassified Information (CUI), which means SaaS vendors are receiving formal security questionnaires at a growing rate.
  • The most common topics: CUI handling, access control, incident response, audit logging, and system and communications protection, all drawn from NIST SP 800-171's 110 requirements.
  • CMMC 2.0 and SOC 2 are not the same framework. Vendors with a SOC 2 report have a head start but will encounter significant gaps when they sit down to answer a CMMC questionnaire for the first time.
  • Preparing a knowledge base of accurate, policy-backed answers before any questionnaire arrives is the single most effective way to reduce response time and maintain consistency across multiple assessments.
  • Wolfia helps security teams build a CMMC-mapped knowledge base that stays current, so answers to CUI handling, access control, and incident response questions are ready when a questionnaire lands.

Why SaaS vendors are suddenly getting CMMC questionnaires

The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the DFARS rule that writes CMMC requirements into contracts followed in November 2025, starting a phased rollout into new DoD solicitations. If your company sells software to any organization that holds a DoD contract, that organization now has a compliance obligation that flows directly to you.

Prime contractors must demonstrate that their suppliers protect CUI at the same level they do. Sending a security questionnaire is typically the first step. For many SaaS vendors, this is unfamiliar ground: they've handled SOC 2 audits and the occasional CAIQ, but CMMC questionnaires go deeper into operational security and require specificity that generic security profiles don't cover.

The volume is only going up. DoD spending is increasing, the number of companies subject to CMMC 2.0 is expanding, and most prime contractors are building out their vendor assessment programs now.

What CMMC 2.0 actually requires

CMMC 2.0 has three levels. The overwhelming majority of defense contractors and their vendors fall under Level 2, which maps directly to NIST SP 800-171 Revision 2: 110 security requirements across 14 families (CMMC calls them domains). Depending on the contract, Level 2 is met either by an annual self-assessment or by a third-party assessment from a C3PAO; either way, the prime needs evidence from its suppliers.

Vendors who process, store, or transmit CUI on behalf of a defense contractor are typically assessed against Level 2. Vendors that touch only Federal Contract Information (FCI) and never CUI fall under Level 1, the 15 basic safeguarding requirements of FAR 52.204-21, which is far simpler. The problem is that many SaaS vendors handle CUI without realizing it. Project management tools, communication platforms, document storage systems, and HR software all have the potential to touch CUI depending on how a defense contractor uses them.

Before you can answer a CMMC questionnaire accurately, you need to know whether your product is in scope for CUI. That determination shapes every answer you give.

The most common CMMC questionnaire topics for SaaS vendors

While each defense contractor writes their own questionnaire, the underlying requirements are the same. Most questionnaires lean heaviest on these five NIST SP 800-171 families (requirement counts are from Revision 2):

  • Access Control (22 requirements)
  • Incident Response (3 requirements)
  • Audit and Accountability (9 requirements)
  • System and Communications Protection (16 requirements)
  • Configuration Management (9 requirements)

Vendors with a SOC 2 Type II report have a head start because they've already documented controls in several of these areas. The gap between SOC 2 and CMMC 2.0 often surprises security teams when they encounter a CMMC questionnaire for the first time, particularly around the FIPS-validated cryptography requirement (3.13.11) and CUI boundary documentation.

CUI handling: the question that trips up most vendors

Practically every CMMC questionnaire starts here. Defense contractors want to know where CUI is stored in your environment, who can access it and under what conditions, whether it's encrypted at rest and in transit (and to what standard), how it's disposed of when no longer needed, and whether it ever leaves your controlled environment through integrations, exports, or third-party subprocessors.

The tricky part for SaaS vendors is that CUI boundaries in a multi-tenant environment are not always obvious. If a defense contractor's employees store files in your platform, those files may contain CUI. If your platform integrates with third-party tools, CUI could flow into systems you don't fully control. Note too that DFARS 252.204-7012 requires any external cloud service provider a contractor uses to store, process, or transmit covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline, so contractors may ask for your FedRAMP status or a documented equivalency assessment alongside the questionnaire.

Answering these questions well requires more than a legal review. The answers need to be technically accurate and consistent with your actual architecture. Security teams, not just compliance managers, need to be involved in the response process.

Access control and identity questions

NIST SP 800-171's Access Control domain has more requirements than any other. Defense contractors ask vendors about how access to CUI is granted and revoked, whether role-based access control is enforced, multi-factor authentication requirements for both standard and privileged accounts, session timeout and lock policies, and how access is reviewed and audited over time.

Single sign-on integrations are often relevant here. If your platform delegates authentication to a customer's identity provider, you'll need to explain the trust relationship and what access controls your platform enforces independently.

Contractors sometimes ask whether least-privilege access is enforced in practice, not just in policy. That means your answer needs to describe actual configuration, not just what the policy document says.
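As an added example (not code from the original article or from Wolfia), here is the kind of script that turns "least privilege in practice" into evidence: it reads an identity export and flags accounts that violate the access-control requirements contractors ask about. The export layout, role names and thresholds are assumptions standing in for whatever your identity provider or admin API actually returns.

```python
"""Evidence check for the access-control questions defense contractors ask.

This is an added example, not code from the original article or from Wolfia.
The export layout, role names and thresholds are assumptions standing in for
whatever your identity provider or admin API actually returns.
"""
from datetime import date, timedelta

# Constructed sample of an identity export: one record per account.
USERS = [
    {"user": "alice", "roles": ["cui-reader"], "mfa": True,
     "session_timeout_min": 15, "last_review": "2026-03-01"},
    {"user": "bob", "roles": ["platform-admin", "support"], "mfa": False,
     "session_timeout_min": 15, "last_review": "2026-04-10"},
    {"user": "carol", "roles": ["support"], "mfa": True,
     "session_timeout_min": 480, "last_review": "2025-09-15"},
    {"user": "svc-backup", "roles": ["cui-writer"], "mfa": False,
     "session_timeout_min": 15, "last_review": "2026-05-01"},
]

# Assumed role model: which roles can reach CUI and which are privileged.
CUI_ROLES = {"cui-reader", "cui-writer", "platform-admin"}
PRIVILEGED_ROLES = {"platform-admin", "cui-writer"}

# Policy thresholds (assumptions; use the values your own policy states).
MAX_SESSION_TIMEOUT_MIN = 15   # inactivity limit before lock / termination
REVIEW_INTERVAL_DAYS = 90      # how often access grants must be re-reviewed


def check_access(users, today_iso):
    """Return (user, requirement, finding) tuples, one per policy violation.

    Requirement numbers refer to NIST SP 800-171 Rev 2; "policy" marks a
    check driven by organizational policy rather than a specific control.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for u in users:
        roles = set(u["roles"])
        # 3.5.3: MFA for network access to all accounts, privileged or not.
        # Every SaaS login is network access, so the check applies to everyone.
        if not u["mfa"]:
            findings.append((u["user"], "3.5.3", "MFA not enrolled"))
        # 3.1.6: privileged functions belong on a separate, privileged-only account.
        if roles & PRIVILEGED_ROLES and roles - PRIVILEGED_ROLES:
            findings.append((u["user"], "3.1.6",
                             "privileged and non-privileged roles on one account"))
        # 3.1.10 / 3.1.11: session lock and automatic termination after inactivity.
        if u["session_timeout_min"] > MAX_SESSION_TIMEOUT_MIN:
            findings.append((u["user"], "3.1.10",
                             f"session timeout {u['session_timeout_min']} min exceeds policy"))
        # Periodic access review: set by policy; contractors ask for the evidence.
        last_review = date.fromisoformat(u["last_review"])
        if today - last_review > timedelta(days=REVIEW_INTERVAL_DAYS):
            findings.append((u["user"], "policy", "access not reviewed within interval"))
    return findings


def cui_accounts_without_mfa(users):
    """Accounts that can reach CUI and lack MFA: the subset to fix first."""
    return sorted(u["user"] for u in users
                  if set(u["roles"]) & CUI_ROLES and not u["mfa"])


if __name__ == "__main__":
    for user, req, finding in check_access(USERS, "2026-05-22"):
        print(f"{user:12} {req:7} {finding}")
    print("CUI access without MFA:", cui_accounts_without_mfa(USERS))
```

Run against a real export, the (ideally empty) findings list is the evidence a contractor is asking for, and because each finding carries the requirement number the question usually maps to, the same output answers the same question from the next contractor. The 3.1.6 check is the one that most often separates "policy" from "practice": an admin who also uses the same account for day-to-day support work is exactly what contractors mean when they ask whether least privilege is enforced.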

Incident response: what contractors want to know

CMMC 2.0 incident response requirements are relatively compact at Level 2, but the questions vendors receive tend to go well beyond the baseline. Contractors want to understand how incidents involving CUI are identified and escalated internally, how quickly the contractor will be notified after a suspected breach (many expect 72 hours or less), what documentation is produced during and after an incident, and whether your incident response plan has been tested in the past year.

The notification timeline question gets particular attention. A contractor subject to DFARS 252.204-7012 must report cyber incidents affecting covered defense information to the DoD within 72 hours of discovery, and the clause requires subcontractors to report to the prime as well. Contractors therefore typically require their vendors to notify them within a window that gives them time to meet that obligation. Vendors whose incident response plans don't address customer notification timelines will need to update them before the next questionnaire arrives.

System and communications protection

This domain covers encryption, network segmentation, and data in transit. Common questions include whether FIPS-validated cryptographic modules are used, how data is encrypted in transit (TLS version and certificate management), whether remote access sessions use encryption and how they're monitored, and how your network is segmented to limit lateral movement.

FIPS-validated cryptography is the specific requirement that catches many vendors off guard. NIST SP 800-171 requirement 3.13.11 calls for FIPS-validated cryptography wherever encryption protects the confidentiality of CUI, which means modules validated under FIPS 140-2 or FIPS 140-3 through NIST's Cryptographic Module Validation Program and operated in their approved mode; simply using FIPS-approved algorithms such as AES does not satisfy it. SOC 2 does not require it, and the default TLS stack of most language runtimes and OS distributions is not a validated module (the OpenSSL 3 FIPS provider is, and the major cloud providers document which of their services and endpoints use validated modules). Discovering this mid-questionnaire is a painful experience. Getting ahead of it before questionnaires arrive is much easier than explaining the gap after the fact.

Audit logging and accountability

Defense contractors want evidence that your platform logs security-relevant events and that those logs are protected and retained. They typically ask what events are logged, including authentication attempts, access to CUI, configuration changes, and privilege escalation. They also ask how long logs are retained, whether logs are protected from modification or deletion, and whether logs are reviewed regularly with a process for flagging anomalies.

Log retention requirements under NIST SP 800-171 are not prescriptive about specific timeframes, but most contractors land on either one year or three years depending on their own policies. Vendors who retain logs for 90 days may need to address that gap directly in their response.
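The logging questions above are easiest to answer with evidence rather than policy text. The following is an added example, not code from the article or from Wolfia: it checks a set of constructed audit-log lines for coverage of the event categories listed above, verifies a simple SHA-256 hash chain as tamper evidence, and measures the retention span the log actually covers. The JSON line format, event names and chain scheme are assumptions; substitute whatever your platform actually emits.

```python
"""Audit-log evidence check: event coverage, tamper evidence, retention span.

Added example, not code from the original article or from Wolfia. The JSON
line format, event names and hash-chain scheme are assumptions; substitute
whatever your platform actually emits.
"""
import hashlib
import json
from datetime import date

# Event categories the article says contractors ask about, mapped to the
# (assumed) event names a platform would emit for each.
REQUIRED = {
    "authentication": {"auth.success", "auth.failure"},
    "cui_access": {"cui.read", "cui.download"},
    "config_change": {"config.change"},
    "privilege_escalation": {"role.grant", "sudo"},
}

GENESIS = "0" * 64  # previous-hash value for the first record


def record_hash(rec, prev):
    """SHA-256 over the previous hash plus the canonical JSON of the record."""
    body = json.dumps({k: v for k, v in rec.items() if k not in ("prev", "hash")},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def build_chain(events):
    """Turn plain events into chained JSON lines (what the logger would write)."""
    lines, prev = [], GENESIS
    for ev in events:
        rec = dict(ev, prev=prev)
        rec["hash"] = record_hash(rec, prev)
        lines.append(json.dumps(rec, sort_keys=True))
        prev = rec["hash"]
    return lines


def verify_chain(lines):
    """True if every record's hash matches its content and links to its predecessor."""
    prev = GENESIS
    for line in lines:
        rec = json.loads(line)
        if rec["prev"] != prev or rec["hash"] != record_hash(rec, prev):
            return False
        prev = rec["hash"]
    return True


def missing_categories(lines):
    """Required event categories for which the log contains no events at all."""
    seen = {json.loads(line)["event"] for line in lines}
    return sorted(cat for cat, names in REQUIRED.items() if not names & seen)


def retained_days(lines):
    """Days between the oldest and newest record: the retention the log demonstrates."""
    dates = [date.fromisoformat(json.loads(line)["ts"][:10]) for line in lines]
    return (max(dates) - min(dates)).days


def tamper_in_place(lines, index, field, value):
    """Rewrite one field of one record but keep its stored hash, the edit an
    attacker with write access to the log file (and no knowledge of the chain)
    would make. Returns a modified copy; the original list is untouched."""
    out = list(lines)
    rec = json.loads(out[index])
    rec[field] = value
    out[index] = json.dumps(rec, sort_keys=True)
    return out


# Constructed sample events, oldest first, spanning almost a year.
SAMPLE_EVENTS = [
    {"ts": "2025-05-23T08:00:01Z", "event": "auth.failure", "user": "bob", "src": "203.0.113.7"},
    {"ts": "2025-05-23T08:00:40Z", "event": "auth.success", "user": "bob", "src": "203.0.113.7"},
    {"ts": "2025-11-02T14:12:09Z", "event": "cui.read", "user": "alice", "object": "doc-4417"},
    {"ts": "2026-05-20T09:30:00Z", "event": "config.change", "user": "carol",
     "key": "session_timeout_min", "old": 15, "new": 480},
    {"ts": "2026-05-22T10:00:00Z", "event": "cui.download", "user": "bob", "object": "doc-4417"},
]

if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(log))
    print("missing categories:", missing_categories(log))
    print("retention demonstrated (days):", retained_days(log))
    # Hide the weakening of the session timeout by editing the old record.
    edited = tamper_in_place(log, 3, "new", 15)
    print("chain intact after edit:", verify_chain(edited))
```

On the constructed sample the coverage check reports that no privilege-escalation events are logged, which is precisely the kind of gap a contractor's "what events are logged" question is designed to surface. Two caveats on the chain: it detects modification and insertion, but not deletion from the tail of the log, so anchor the latest hash somewhere the log writer cannot overwrite (WORM object storage, a separate account, or a periodic signed checkpoint); and a chain proves integrity only from the point where the check runs, so it belongs in the log pipeline, not in a script run once before the questionnaire is due.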

How to prepare before the questionnaire arrives

The biggest mistake security teams make is treating CMMC questionnaires as one-time events. If you have one defense contractor customer, you'll likely have more, and the questionnaire from the second customer will cover the same ground as the first.

The teams that handle this well build a knowledge base of documented, accurate answers mapped to NIST SP 800-171 controls. That knowledge base becomes the source of truth for every questionnaire that follows. The process of building it also surfaces inconsistencies: if your access control policy says one thing and your actual configuration does another, documenting answers for a questionnaire will catch that before a contractor does.

Preparation also means getting legal, IT, and security aligned on answers before any questionnaire is in flight. CUI handling questions in particular require input from people who understand actual data flows in your product, not just the policy layer.

How Wolfia helps security teams respond to CMMC questionnaires

Wolfia helps security teams build and maintain a knowledge base mapped to frameworks like CMMC 2.0 and NIST SP 800-171, so the work of answering repetitive questions doesn't start from scratch every time.

When a CMMC questionnaire arrives, Wolfia's Questionnaire Automation module pulls answers from the knowledge base, cites the source document for each response, and flags any questions that require human review. The source citations matter: CISOs and compliance leads can verify exactly where each answer came from before submitting, which carries weight when the questionnaire goes to a defense contractor's security or legal team.

The knowledge base is self-maintaining. When a policy document is updated or a new control is implemented, the knowledge base reflects the change without requiring a manual library cleanup. That's a meaningful difference from tools that require security teams to tag, categorize, and regularly groom every document.

Wolfia's Trust Center module lets defense contractors access a pre-built portal where they can review certifications, security documentation, and completed assessments without sending a questionnaire at all. For contractors willing to accept a standardized security profile, this can shorten the process considerably and reduce back-and-forth.

The Portal Agent extension handles questionnaires submitted through platforms like OneTrust, ServiceNow, and Ariba, so answers flow directly into the contractor's portal without manual copy-paste. When a questionnaire requires legal or contractual review alongside the security review, Wolfia's legal review module keeps that work in the same workflow rather than splitting it across email chains and shared drives.

Final Thoughts

CMMC 2.0 has turned vendor security assessments into a routine part of doing business with the defense supply chain. SaaS vendors who haven't received a CMMC questionnaire yet will soon. The frameworks are public, the questions are predictable, and the companies that respond well are the ones that prepared their answers before any questionnaire arrived. A documented, maintained, accurate knowledge base is the most durable investment a security team can make in this space.
