GOVCON / CMMC 2.0
CMMC 2.0 is now an award condition. Here’s the AI story that passes.
In short
CMMC 2.0’s phased rollout began in November 2025 with Phase 1 self-assessments already appearing in DoD contracts, and Phase 2 — third-party C3PAO certification at Level 2 — becomes an award condition around November 2026. For AI tools that touch CUI, that means any workflow routing controlled unclassified information through a commercial multi-tenant LLM is a compliance violation pattern, not a gray area. A compliant implementation runs inside your accreditation boundary — sovereign infrastructure, full audit logging, and data that never leaves your environment to train someone else’s model.
Why AI vendors fail CMMC
The pattern that fails
Most AI tools sold into GovCon are commercial SaaS: your data — including CUI — leaves your environment and lands on shared, multi-tenant infrastructure you don’t control and can’t fully audit. That’s the exact pattern CMMC 2.0 and NIST 800-171 are built to catch. It doesn’t matter how good the model is if the boundary is broken.
The pattern that passes
Cabrillo runs on AWS GovCloud. Every implementation we build — proposal automation, opportunity intelligence, compliance workflows — executes inside your environment, not ours. There is no step where CUI is transmitted to a third-party commercial model. The audit trail exists because the boundary was never crossed.
What we implement
Three modules, one sovereign substrate. Our first customer — a defense contractor running ProposalOS and our AI products under CMMC 2.0 / NIST 800-171 — is a ~$400K first-year engagement built entirely inside their boundary.
Proposal automation
ProposalOS — CUI-safe CRM, a 9-gate execution system, and AI compliance checking that never routes your capture data outside your environment.
Opportunity intelligence
Signals — federal opportunity tracking, competitive intelligence, and CMMC compliance monitoring across SAM.gov, the Federal Register, and 15+ sources.
Compliance workflows
Deployment architecture and governance model for VPC, on-premise, or air-gapped environments — the boundary controls your CMMC assessor actually checks.
Free tool
Not sure where your gaps are? Start with the free CMMC readiness assessment.
Twelve questions across the NIST 800-171 control families, instant gap analysis, and actionable next steps — no sales call required to see where you stand.
Questions defense contractors ask
Does using ChatGPT break CMMC?
If controlled unclassified information (CUI) goes into a commercial multi-tenant LLM — ChatGPT, generic Copilot, or any tool without a signed boundary agreement covering that data — that is a compliance violation pattern under NIST 800-171, not a gray area. The data has left your accreditation boundary and you can no longer attest to where it was processed or trained on.
Can we use AI at Level 2?
Yes — AI is not prohibited at CMMC Level 2. What's required is that the tools handling CUI run inside your boundary, on infrastructure you can audit, with logging that proves it. That's the difference between a SaaS AI tool and an in-boundary implementation: same capability, different accreditation posture.
What's the deadline reality?
CMMC 2.0's phased rollout began in November 2025 with Phase 1 self-assessments already showing up as contract requirements. Phase 2 — third-party C3PAO certification at Level 2 — becomes an award condition around November 2026. If your AI tooling isn't in-boundary by then, it's a live risk to contract eligibility, not a future one.