On November 10, 2025, the CMMC program entered its phased rollout. Twelve months later — November 10, 2026 — that rollout reaches the date the defense industrial base has been circling in red. And the control that decides whether a contractor passes is one almost no compliance program has actually closed: where its workforce's data goes when an employee opens an AI tab.
The November 10, 2026 inflection
The Department of Defense's CMMC schedule is explicit. Phase 1, which began on November 10, 2025, focuses "primarily on CMMC Level 1 and Level 2 self-assessments." Phase 2 begins exactly one year later: "where applicable," solicitations will then require Level 2 Certification — an independent third-party assessment — rather than a self-attestation. CMMC, per the DoD CIO, "assesses defense contractor compliance with existing information safeguarding requirements for federal contract information (FCI) and controlled unclassified information (CUI)," and contractors "entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award."
The bar at Level 2 is concrete: the 110 security requirements of NIST SP 800-171 Revision 2, required by DFARS clause 252.204-7012 and verified by an authorized CMMC Third-Party Assessment Organization (C3PAO) every three years for contracts handling sensitive CUI. Those requirements flow down — the program "outlines protection requirements for information flowed down to subcontractors" — so a sub two tiers deep handling CUI inherits the same obligation as the prime. CMMC "is expected to apply to the entire defense industrial base," the Crowell & Moring government-contracts team notes. For most of the DIB, Phase 2 is the moment certification stops being a roadmap item and becomes a bid-eligibility gate.
What the 110 controls quietly assume
Every requirement in NIST SP 800-171 — the baseline behind Level 2 — assumes one fact about your environment: that you know the boundary of where CUI lives. A CMMC assessment is scoped to the contractor information systems that "process, store, or transmit" CUI. You draw that boundary, you harden it, and you affirm annually that it holds.
A browser tab dissolves the boundary. When an engineer pastes a controlled spec, a contract data requirements list, or a fragment of technical data into a consumer ChatGPT, Claude, or Gemini session to "clean up the wording," they have just created a transmit event into a system that sits entirely outside the assessment scope — one no one inventoried, that no one can log, and that no one can attest to. The control didn't fail because a firewall was misconfigured. It failed because the data left through a surface the assessment boundary never contemplated.
The CUI propagation problem
It gets worse on the way back. As the Bradley government-contracts group puts it, "AI-generated outputs present a CUI propagation problem that few contractors have operationalized. Where a model is trained on CUI, its outputs — including summarizations, pattern extractions, and derived analyses — may themselves constitute CUI requiring the same marking, handling, and protection obligations as the underlying data." The summary the model hands back, pasted into a proposal draft or a chat channel, can carry the same obligation as the source. One ungoverned paste can seed CUI across systems that were never scoped to hold it.
This is also where CMMC's attestation model turns a hygiene gap into legal exposure. Level 2 requires an annual affirmation of compliance. If shadow AI is quietly moving CUI outside the scoped boundary while that affirmation is signed, the affirmation is inaccurate — and the Department of Justice has been pursuing exactly this kind of misstatement under its Civil Cyber-Fraud Initiative, which Bradley notes has been "extended in practice to cover AI-related misrepresentations in government contracts."
The tool choice itself is now a compliance act
The FY2026 NDAA pushed the boundary further. Section 1532 prohibits contractors from using "Covered AI" during performance of DoD or Intelligence Community contracts — and the statutory definition reaches any AI "subject to ownership, control, or influence by" a covered nation, currently China, Russia, North Korea, and Iran. Which AI tab an employee opens is therefore no longer a productivity preference; it is a contract-compliance decision that runs to every commercial API, open-source foundation model, and cloud inference service touched during performance. You cannot enforce a prohibition you cannot see.
A CMMC-for-AI regime is already being built
None of this is static. Section 1513 of the FY2026 NDAA directs DoD to build a dedicated cybersecurity and physical-security framework for AI/ML technologies and to fold it into the DFARS and the CMMC program as, in the statute's words, "an extension or augmentation" of existing frameworks. Congress directed that it augment — not replace — the CMMC program, and DoD owes Congress a status update on implementation by June 16, 2026. The trajectory is unambiguous: the data crossing the AI boundary is becoming a named, assessable object in defense cybersecurity rules, not an unwritten assumption. Contractors who waited until CMMC came into force found themselves in expensive remediation; the same delay on the AI boundary will be no cheaper.
Where the control has to live
The common thread running from Level 2 today to the Section 1513 regime tomorrow is this: governance has to happen at the point where data crosses into an AI system — before it leaves, not reconstructed afterward. That means two controls the certification quietly assumes you already operate:
- Pre-submission enforcement. Whether a piece of CUI ever reaches a model's API is a decision that has to be made in the browser, at submission time, against an organizational policy — not discovered in logs after a leak.
- A user-attributable audit trail across every AI surface. Who submitted what, when, into which tool, against which policy — spanning the sanctioned ChatGPT Enterprise tenant and the personal tab the assessment boundary never knew about.
Containment.AI enforces AI-governance policy at the browser layer across every major AI surface — ChatGPT, Claude, Copilot, Gemini, Grok, and Perplexity — with per-user controls, pre-submission blocking, and an immutable audit trail. It does not make a contractor CMMC-certified; certification is a program, not a product. What it does is close the specific gap the 110 controls assume you have already closed: keeping CUI from leaving the browser in the first place, and producing the user-level evidence an assessor — or a False Claims Act inquiry — will ask for. With Phase 2 a matter of months out, that is the cheapest gap in the DIB to close now and the most expensive to explain later.
Containment.AI gives defense contractors real-time, browser-layer enforcement of AI-usage policy with immutable, per-user audit trails — so CUI doesn't cross into an ungoverned model in the first place. Start a free trial.
Sources: DoD CIO — About CMMC; CMMC Program final rule, Federal Register (Oct. 15, 2024); Crowell & Moring, "CMMC for AI?" (Jan. 8, 2026); Bradley, "Artificial Intelligence in Defense Contracting" (May 4, 2026).