CMMC Phase 1 Is Live: What Defense Contractors Need to Know About Change Evidence
Phase 1 enforcement started November 2025 and 99% of contractors are not ready. Here is what NIST 800-171 requires for change evidence and how to automate it before Phase 2 arrives.
CMMC Phase 1 Is No Longer Theoretical
The Cybersecurity Maturity Model Certification program moved from rulemaking to enforcement in November 2025. Phase 1 requires self-assessment for CMMC Level 1 (17 FAR 52.204-21 practices) and allows voluntary third-party assessment for Level 2. Phase 2, arriving November 2026, makes third-party assessment mandatory for Level 2 contracts handling Controlled Unclassified Information. According to industry surveys, 99% of defense contractors have not completed their CMMC preparation. The clock is running and the consequences are real: no certification means no contract award.
Change Evidence Under NIST 800-171
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. Several requirements specifically address software change management. Requirement 3.4.3 mandates tracking, reviewing, approving or disapproving, and logging changes to organizational systems. Requirement 3.4.4 requires analyzing the security impact of changes prior to implementation. Requirement 3.4.5 demands defining, documenting, approving, and enforcing physical and logical access restrictions associated with changes. Requirement 3.14.3 requires monitoring organizational systems for unauthorized changes. For organizations that develop software, these requirements translate directly into evidence of controlled change processes: was the change authorized, reviewed, tested, and approved before deployment?
The SPRS Scoring Problem
Every defense contractor must submit a Supplier Performance Risk System score to the DoD SPRS portal. The score starts at 110 and decreases based on unimplemented requirements, with weights of 5, 3, or 1 point per control. Most organizations score between 50 and 70 on their initial self-assessment, well below the thresholds that prime contractors are starting to require. Change management controls are weighted heavily. Requirement 3.4.3 alone carries a 5-point deduction if unmet. Combined with related requirements for impact analysis and access restrictions, weak change evidence can cost 15 or more points on your SPRS score. For organizations currently scoring in the 60 to 80 range, automating change evidence can meaningfully improve their score.
The CUI Environment Constraint
Defense contractors handling CUI face a constraint that commercial SaaS companies do not: source code and development artifacts may themselves be CUI, which means they cannot leave the contractor's network boundary. This eliminates many cloud-based compliance tools that require sending data to a third-party SaaS platform. The solution is a self-hosted evidence collector that runs inside the contractor's network. MergeWhy's open-source collector agent runs as a Docker container in the contractor's environment, evaluates change evidence locally using the same scoring engines as the SaaS platform, signs attestation results with Ed25519 cryptographic signatures, and transmits only structured evidence scores and control pass/fail results. Source code, PR descriptions, review comments, and CI logs never leave the network.
Automated SPRS Score Calculation
MergeWhy includes a built-in SPRS calculation engine that maps your change evidence to the 110 NIST 800-171 requirements. As you automate evidence capture for change management controls, your SPRS score updates automatically. The engine accounts for the weighted scoring system including the conditional deductions for MFA (requirement 3.5.3, which jumps from 5 to 9 points if unmet) and FIPS cryptography (requirement 3.13.11, jumping from 5 to 8 points). Organizations can track their SPRS score improvement over time and generate the documentation needed for portal submission.
Preparing for Phase 2
Phase 2 arrives November 2026 and brings mandatory third-party assessment by a CMMC Third Party Assessment Organization (C3PAO). Unlike self-assessment, third-party assessment requires objective, verifiable evidence for every control in scope. Organizations should begin automated evidence capture now to build a 12-month evidence history before their assessment date. Start with the change management controls (3.4.3, 3.4.4, 3.4.5) where automated capture has the highest ROI. Implement the self-hosted collector if you handle CUI. Register your public signing key with MergeWhy so attestation results can be verified by assessors. The organizations that automate now will have clean, consistent evidence trails when the C3PAO arrives. The organizations that wait will face the same scramble that makes SOC 2 audits painful, but with contract eligibility on the line.
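The collector-side signing described in the CUI section and the assessor-side verification against a registered public key mentioned above, as an added Go example (not MergeWhy's code): the attestation type carries only requirement ids, pass/fail verdicts and evidence scores, is canonicalised so result order cannot change the signed bytes, and is signed with Ed25519 from the standard library. The subject id, the results and NewKeyPair are constructed stand-ins; a real collector would use a long-lived key whose public half is registered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
)

// ControlResult is all that leaves the network per control: requirement id, verdict, evidence score.
type ControlResult struct {
	Control string `json:"control"`
	Pass    bool   `json:"pass"`
	Score   int    `json:"score"`
}

// Attestation has no field for PR text, diffs, review comments or CI logs, so CUI cannot leak into it.
type Attestation struct {
	Subject string          `json:"subject"` // opaque change identifier (constructed value)
	Results []ControlResult `json:"results"`
}

// NewKeyPair generates the collector's signing key; the public half is what gets registered.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// Sign canonicalises (results sorted by control id, so signer and verifier see identical bytes) and signs.
func Sign(priv ed25519.PrivateKey, a Attestation) ([]byte, []byte, error) {
	sorted := append([]ControlResult(nil), a.Results...) // copy; leave caller's slice alone
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Control < sorted[j].Control })
	a.Results = sorted
	msg, err := json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify is the assessor-side check against the contractor's registered public key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := NewKeyPair()
	a := Attestation{Subject: "change-0001", Results: []ControlResult{{"3.4.4", true, 85}, {"3.4.3", true, 92}}}
	msg, sig, _ := Sign(priv, a)
	fmt.Printf("%s\nsignature valid: %v\n", msg, Verify(pub, msg, sig))
}
```

An assessor who holds the registered public key needs only the payload bytes and the detached signature; any change to a verdict or score, or a signature from an unregistered key, fails Verify.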
Ready to automate your change evidence?
Install the GitHub App and start capturing compliance evidence from your first PR merge. Free 14-day trial, no credit card.