CMMC Phase 2 · 10 Nov 2026 · 174 days

DoD contract continuity inside your Azure tenant.

Continuous, sovereign, C3PAO-defensible CMMC Level 2 evidence. The Microsoft Security signals you already produce, converted into the methodology a C3PAO recognizes — before the bid window closes.

○ 110 NIST 800-171 controls · native
○ C3PAO-recognized methodology
○ Microsoft-native · in-tenant
Solicitation ledger · in-tenant · forecast horizon Q2 2026 → Q1 2027

Prime A · IDIQ Recompete · bid window Jun 2026 · pre-Phase 2 · 110/110 ready
Subcontract · Aerospace OEM · bid window Jul 2026 · pre-Phase 2 · 110/110 ready
Federal · Engineering Svcs · bid window Sep 2026 · pre-Phase 2 · 110/110 ready
Prime B · CUI flow-down · bid window Oct 2026 · pre-Phase 2 · 110/110 ready
10 Nov 2026 · Phase 2 Enforcement
DoD · Sustainment Recompete · bid window Dec 2026 · Phase 2 live · 110/110 ready
Prime C · New Award · CUI · bid window Feb 2027 · Phase 2 live · 110/110 ready

NIST 800-171 · DFARS 252.204-7021 · posture · continuous · C3PAO-defensible
The exposure

On 10 November 2026, the C3PAO bottleneck closes the bid window.

CMMC Phase 2 begins on that date. C3PAO-assessed Level 2 becomes the default for any DoD contract that touches Controlled Unclassified Information. Self-assessments stop counting.

Roughly 99% of the defense industrial base is uncertified six months out from Phase 2. Under 600 assessors operate nationally. Six-month wait times. Twelve-month typical readiness cycles. Companies starting today are realistically looking at certification in mid-to-late 2027 — well past the Phase 2 default.

The financial exposure isn't November 10. It's every solicitation cycle between now and then where your prime asks for CMMC evidence and your team can't produce it without a fire drill.

DIB readiness · Feb 2026 · source: Cyber AB
1.4% of the defense industrial base is C3PAO-certified at Level 2.
~1,100 of ~76,000 orgs · 98.6% remain
certified · 1,100 · uncertified · ~74,900
Compounding pressures
Prime flow-down · 32 CFR §170.23 · before phase, regardless
Assessor scarcity · <600 nationally · 6+ month waits
Readiness lead time · 12–14 months typical · cannot backfill
FCA exposure · DFARS 252.204-7021 · personal affirmation

76,000 orgs · DIB needing Level 2 · DoD estimate
~1,100 completed · as of Feb 2026 · Cyber AB Town Hall
<600 assessors · CMMC-AB assessor registry · 6-month waits
$52M recovered · DoJ Civil Cyber-Fraud Initiative FY2024
Sovereign by design · required for CUI

Your tenant. Your data. Your CUI boundary.

CUI handling under NIST 800-171 imposes specific data-residency and access-control discipline. Sovereignty is not a preference for defense contractors — it's a control requirement. Kyudo inherits it from the architecture, not from terms in an MSA.

Customer Azure tenant · CUI boundary
Entra · Purview · Defender · honored
Compliance Graph · typed entities · CUI-classified
Evidence pipeline · Defender · Sentinel · Purview
AI inference · Sensei · in-tenant reasoning
Audit ledger · hash · lineage · confidence
private endpoints only · no public internet path
Vendor cloud · sub-processor · ✕ no path

I. boundary

No cross-tenant data plane

Every Kyudo service runs inside your Azure subscription. CUI evidence does not reach vendor infrastructure because no path exists for it to. Sovereignty is structural, not contractual.

II. network

Private endpoints on every service

Application services, storage, Key Vault, SQL, identity, and AI inference expose private endpoints only. CUI evidence never traverses the public internet — even within your own tenant.
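The "private endpoints only" posture is two conditions, not one: public network access must be disabled on the service, and a private endpoint must actually target it. A service that satisfies only one still has either a public path or no reachable path at all. The check below is an added example, not Kyudo's code; it walks a constructed, trimmed-down imitation of an ARM resource export (the resource records and the list of enforced resource types are assumptions for the illustration) and reports every CUI-evidence service that fails either condition.

```python
"""Posture check for the 'private endpoints only' rule: every service that
carries CUI evidence must have public network access disabled AND be the target
of at least one private endpoint. Either condition alone still leaves a gap.

Added example, not Kyudo's code. SAMPLE_EXPORT is a constructed, trimmed-down
imitation of an ARM resource export; the set of resource types enforced is an
assumption for the illustration.
"""

# Resource types treated as CUI-evidence data planes (assumed list).
# 'publicNetworkAccess' is a real ARM property on each of these types.
PRIVATE_ONLY_TYPES = {
    "Microsoft.Storage/storageAccounts",
    "Microsoft.KeyVault/vaults",
    "Microsoft.Sql/servers",
}

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cui/providers/"

# Constructed sample: a compliant storage account; a Key Vault that has a private
# endpoint but still allows public access; a SQL server that disabled public
# access but has no private endpoint, so nothing inside the VNet can reach it.
SAMPLE_EXPORT = [
    {"id": RG + "Microsoft.Storage/storageAccounts/stcuievidence",
     "type": "Microsoft.Storage/storageAccounts",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"id": RG + "Microsoft.KeyVault/vaults/kv-cui",
     "type": "Microsoft.KeyVault/vaults",
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"id": RG + "Microsoft.Sql/servers/sql-cui",
     "type": "Microsoft.Sql/servers",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"id": RG + "Microsoft.Network/privateEndpoints/pe-stcuievidence",
     "type": "Microsoft.Network/privateEndpoints",
     "properties": {"privateLinkServiceConnections": [{"properties": {
         "privateLinkServiceId": RG + "Microsoft.Storage/storageAccounts/stcuievidence",
         "groupIds": ["blob"]}}]}},
    {"id": RG + "Microsoft.Network/privateEndpoints/pe-kv-cui",
     "type": "Microsoft.Network/privateEndpoints",
     "properties": {"privateLinkServiceConnections": [{"properties": {
         "privateLinkServiceId": RG + "Microsoft.KeyVault/vaults/kv-cui",
         "groupIds": ["vault"]}}]}},
]


def private_endpoint_targets(resources):
    """Lower-cased ids of every resource that some private endpoint points at.
    ARM resource ids are case-insensitive, hence the lower-casing."""
    targets = set()
    for r in resources:
        if r.get("type") != "Microsoft.Network/privateEndpoints":
            continue
        props = r.get("properties", {})
        conns = list(props.get("privateLinkServiceConnections", [])) + \
                list(props.get("manualPrivateLinkServiceConnections", []))
        for c in conns:
            target = c.get("properties", {}).get("privateLinkServiceId")
            if target:
                targets.add(target.lower())
    return targets


def find_public_paths(resources):
    """Return [(resource id, finding)] for each private-only resource that still
    has a public path or lacks a private endpoint. A missing publicNetworkAccess
    property is treated as 'Enabled' (the conservative reading)."""
    targets = private_endpoint_targets(resources)
    findings = []
    for r in resources:
        if r.get("type") not in PRIVATE_ONLY_TYPES:
            continue
        rid = r["id"]
        pna = r.get("properties", {}).get("publicNetworkAccess", "Enabled")
        if pna != "Disabled":
            findings.append((rid, f"publicNetworkAccess is {pna!r}, expected 'Disabled'"))
        if rid.lower() not in targets:
            findings.append((rid, "no private endpoint targets this resource"))
    return findings


if __name__ == "__main__":
    for rid, why in find_public_paths(SAMPLE_EXPORT):
        print(f"FAIL {rid.rsplit('/', 1)[-1]}: {why}")
```

Run against the constructed export, the check flags the Key Vault (public access still enabled despite its private endpoint) and the SQL server (public access disabled but no private endpoint), and passes the storage account. The same logic fits naturally as an Azure Policy definition; the point of expressing it as a standalone check is that a reviewer can run it against an export without write access to the tenant.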

III. ai-plane

Tenant-scoped AI inference

Prompts, retrieved context, and AI responses execute inside your tenant. Reasoning over CUI does not leave your data boundary. The AI evidencing your controls inherits the residency of the controls themselves.

IV. third-party

Sub-processor removed from the risk register

A SaaS GRC vendor handling CUI evidence is a sub-processor. Kyudo is not, because nothing leaves your tenant. The contractual data-protection liability that attaches to extracted CUI evidence does not exist.

Microsoft-native evidence

Your security stack already produces the operational truth a C3PAO assessor wants to see.

Kyudo converts Microsoft Security signals you already pay for into continuous, governed CMMC evidence. Read-only access, least privilege, system-assigned managed identity. No new attack surface for CUI.

Microsoft signal
Becomes governed CMMC evidence
NIST 800-171 family

Defender XDR

endpoint · identity · email · cloud

Detection signals become control-validation evidence with chain-of-custody lineage. Each alert is typed against the controls it operates on.

AU.L2-3.3 · IR.L2-3.6

Defender for Cloud

CSPM · workload protection

CSPM findings map to controls. Drift surfaces as control regression in the graph, not as orphan alerts in a queue.

RA.L2-3.11 · CM.L2-3.4

Sentinel

SIEM · SOAR telemetry

Telemetry becomes continuous evidence of control operation. Hash and lineage preserved on ingestion.

AU.L2-3.3 · SI.L2-3.14

Purview

DLP · classification · CUI labels

DLP and classification events become CUI-protection evidence, automatically mapped to media-protection and transmission-protection controls.

MP.L2-3.8 · SC.L2-3.13

Entra ID

identity · conditional access

Identity posture and conditional-access evaluations feed access-control assurance continuously. The control boundary being evidenced is the same identity boundary your tenant already enforces.

AC.L2-3.1 · IA.L2-3.5

Azure Policy

configuration management

Policy evaluations become real-time configuration-management evidence. Compliance state is a property of the resource, not a quarterly export.

CM.L2-3.4 · CA.L2-3.12

Total · NIST 800-171
110 controls native · 14 control families · 6 signals · 0 agents
CMMC-specific mechanisms

The methodology a C3PAO recognizes.

Five mechanisms make Kyudo's CMMC outputs defensible — not because we promise they are, but because the architecture forces them to be. Every mechanism is reviewable by the assessor on request.

01

110-control NIST 800-171 native mapping

Every control is a typed entity in the Compliance Graph. Each is scored for completeness on a 0–100 scale and capability maturity on a 1–5 scale by CMCAE on every Microsoft Security signal — not on a quarterly review cadence.

Recalculation cadence
on-signal · 110 controls · CMCAE ML 1–5
02

STRM crosswalking · NIST IR 8477

CMMC Level 2 maps to SOC 2, ISO 27001, NIST 800-53, and the broader SCF on one control fabric, so a single signal evidences multiple frameworks. The semantic strength of each mapping is a graph property, not a manual annotation.

Crosswalk
CMMC L2 ↔ SOC 2 · ISO 27001 · 800-53 · SCF
03

Continuous evidence with provenance

Every artifact carries hash, lineage, and confidence score. Sensei reasoning surfaces the retrieval trace on demand. An assessor can reproduce the trace on every query, deterministically, against a typed graph.

Per-artifact properties
hash · lineage · confidence · timestamp · graph-cited
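What makes per-artifact hash, lineage and confidence reproducible for an assessor is that every hash is recomputable from stored content alone, and that lineage is a chain rather than a label. The ledger below is an added example, not Kyudo's implementation: field names, the sample Sentinel signal and the confidence values are constructed for the illustration. It chains each artifact to its parent, exposes the retrieval trace, and on verification recomputes the whole chain parents-first, so an in-place edit to a raw signal surfaces in that signal and in every artifact derived from it.

```python
"""Hash-chained evidence ledger. Each artifact records a content hash, a
timestamp, a confidence score, the control it cites, and a lineage hash that
chains it to the artifact it was derived from. verify() recomputes the whole
chain from the stored content, so an assessor can reproduce every hash
deterministically and any in-place edit shows up in the artifact and all of
its descendants.

Added example, not Kyudo's implementation. Field names, the sample Sentinel
signal and the confidence values are constructed for the illustration.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # lineage value for a raw signal with no parent


def canonical_hash(obj) -> str:
    """SHA-256 over a canonical JSON encoding, so the same content always rehashes identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def lineage_hash(parent_lineage: str, content_hash: str) -> str:
    """Chain link: hash of the parent's lineage hash concatenated with this content hash."""
    return hashlib.sha256((parent_lineage + content_hash).encode("ascii")).hexdigest()


@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    control: str        # NIST 800-171 control cited, e.g. "AU.L2-3.3"
    source: str         # producing signal, e.g. "Sentinel"
    timestamp: str      # ISO-8601, supplied by the ingest step
    content: dict       # the evidence itself, as ingested or derived
    confidence: float   # 0..1: how strongly this artifact evidences the control
    parent: str         # artifact_id this was derived from; "" for raw signals
    content_hash: str
    lineage_hash: str


class EvidenceLedger:
    def __init__(self):
        self._artifacts: dict[str, Artifact] = {}  # insertion order = parents before children

    def ingest(self, artifact_id, control, source, timestamp, content, confidence, parent=""):
        if not 0.0 <= confidence <= 1.0:
            raise ValueError("confidence must be in [0, 1]")
        if artifact_id in self._artifacts:
            raise ValueError(f"duplicate artifact id {artifact_id}")
        # KeyError here if the parent was never ingested: lineage cannot dangle.
        parent_lineage = self._artifacts[parent].lineage_hash if parent else GENESIS
        ch = canonical_hash(content)
        art = Artifact(artifact_id, control, source, timestamp, content, confidence,
                       parent, ch, lineage_hash(parent_lineage, ch))
        self._artifacts[artifact_id] = art
        return art

    def get(self, artifact_id):
        return self._artifacts[artifact_id]

    def trace(self, artifact_id):
        """Retrieval trace: ids from this artifact back to the raw signal it rests on."""
        chain, cur = [], artifact_id
        while cur:
            chain.append(cur)
            cur = self._artifacts[cur].parent
        return chain

    def verify(self):
        """Recompute every hash from stored content, parents first. Returns the ids
        whose stored hashes do not reproduce (an edited signal taints its descendants)."""
        recomputed, bad = {}, []
        for art in self._artifacts.values():
            parent_lineage = recomputed[art.parent] if art.parent else GENESIS
            ch = canonical_hash(art.content)
            recomputed[art.artifact_id] = lineage_hash(parent_lineage, ch)
            if ch != art.content_hash or recomputed[art.artifact_id] != art.lineage_hash:
                bad.append(art.artifact_id)
        return bad


def build_sample_ledger() -> EvidenceLedger:
    """Constructed sample: one Sentinel signal and one control-evidence artifact derived from it."""
    ledger = EvidenceLedger()
    raw = ledger.ingest(
        "sig-sentinel-0001", "AU.L2-3.3", "Sentinel", "2026-05-10T14:03:00Z",
        {"table": "SecurityEvent", "EventID": 4624, "Account": "svc-evidence",
         "LogonType": 3, "result": "success"},
        confidence=1.0)
    ledger.ingest(
        "ev-au-3.3-0001", "AU.L2-3.3", "Sensei", "2026-05-10T14:03:05Z",
        {"observation": "logon events retained and queryable in Sentinel",
         "signal_hash": raw.content_hash},
        confidence=0.85, parent="sig-sentinel-0001")
    return ledger
```

Two design points matter for defensibility. Canonical JSON (sorted keys, fixed separators) is what makes the hash reproducible by someone who did not produce it; without it, two serialisations of the same record disagree. And verification recomputes the parent's lineage rather than trusting the stored value, which is why editing the raw signal in place flags both the signal and the derived artifact, not just the one that was touched.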
04

Senior-official affirmation, defensibly backed

The annual affirmation under DFARS 252.204-7021 is a personal statement. Backing it with continuous, cited evidence rather than snapshot exports is a different liability profile under the False Claims Act — and a different conversation with your D&O carrier.

Affirmation backing
continuous · cited · reproducible inside tenant
05

C3PAO-recognized methodology

The methodology is the same one a C3PAO recognizes during a Level 2 engagement. Documented and reviewable by the assessor on request. Continuous evidence is what an assessor expects to see — not a quarterly export.

Reviewable on request
methodology document · graph schema · reasoning trace
Compared with the SaaS GRC alternative

For CUI handling, the architectural diff is a regulatory diff.

Where a SaaS GRC platform concentrates liability — at the sub-processor, in the contract, and on a snapshot — Kyudo removes it at the architecture layer. Same audit, different liability profile.

Surface
SaaS GRC · concentrated liability
Kyudo · liability removed
data residency

Your CMMC evidence becomes subject to a sub-processor’s data-protection terms.

Kyudo deploys inside your Azure subscription. There is no sub-processor on CUI evidence. Evidence stays inside your boundary.

architecture

Sovereignty is contractual, not structural — a problem when CUI handling is a regulatory requirement.

Sovereignty is architectural. Private endpoints, managed identities, and the absence of a cross-tenant data plane make it structural by default.

affirmation

Senior-official affirmation depends on snapshot evidence the vendor produces from extracted data.

Affirmation is backed by continuous, cited evidence reproducible on demand inside your tenant. False Claims Act exposure on the affirmation drops materially.

methodology

C3PAO methodology depends on the SaaS vendor’s assessment alignment.

Methodology is the same one a C3PAO recognizes. Documented and reviewable by the assessor on request, against the typed graph that produced the evidence.

Where you are right now

Three roles. Three exposures. One platform that addresses all of them.

Pick the role you're answering to today. Kyudo meets you there — and the work you do for one role compounds across the others, because the underlying control set and evidence pipeline are shared.

CFO · revenue continuity
DoD revenue at stake

CMMC posture as a revenue-protection metric.

Forecastable across solicitation cycles. Decrementable against your existing Microsoft Azure consumption commitment where MACC applies. The award becomes a forecastable line item, not a quarterly scramble.

MACC drawdown · Bid-window forecast · Multiple-driver · FY 2026 actuals
CRO / COO · flow-down
32 CFR §170.23

Flow-down compliance, on a normal supplier-management cadence.

Primes are flowing CMMC requirements down to subcontractors now, regardless of phase. Continuous, cited evidence answers a prime’s vetting deadline without a fire drill — and protects the prime award the sub depends on.

Prime vetting · Subcontractor cadence · Continuous evidence · Audit RFI
General Counsel · affirmation
DFARS 252.204-7021

Affirmation backed by continuous, cited evidence.

Senior-official affirmation under DFARS 252.204-7021 is a personal statement. Backing it with continuous, cited evidence rather than snapshot exports is a different liability profile under the False Claims Act — and a different conversation with your D&O carrier.

FCA exposure · Treble damages · D&O posture · Whistleblower
Readiness as the operating condition

You don't bid on the next solicitation hoping your CMMC posture will hold.

You bid because your CMMC posture is a continuous condition, already true inside your Azure tenant, already cited, already C3PAO-defensible. The award becomes a forecastable line item, not a quarterly scramble.

Six months before Phase 2 enforcement is enough time to deploy continuous Level 2 evidence inside your Azure tenant. Six months after is not.

○ Inside your Azure tenant
○ Microsoft Solutions Partner · MISA member
○ Methodology a C3PAO recognizes