By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecureframePublished November 26, 2025

TL;DR: CMMC Level 2 requirements are now appearing in Department of Defense contracts, and Redspin says only 28.7% of organisations have completed a Level 2 assessment while nearly 37% are not scheduled or do not know their next step. The gap is no longer theoretical: contractors must evidence control implementation, assessment readiness, and contractual compliance at the pace of procurement, not at the pace of internal planning.


At a glance

What this is: CMMC Level 2 has moved from preparation to contractual enforcement, with assessment readiness lagging across the Defense Industrial Base.

Why it matters: IAM, PAM, and NHI teams matter here because CUI protection depends on access scoping, role-based control, auditability, and revocation discipline, not just policy documentation.

By the numbers:

👉 Read Secureframe's guide to CMMC Level 2 compliance requirements and checklist


Context

CMMC Level 2 is the point where defence supply chain security becomes an enforceable contracting requirement rather than a planning exercise. The key governance problem is not whether organisations know the framework exists, but whether they can prove that access, logging, encryption, training, and assessment evidence all line up with the data they handle. In practice, that means CUI protection has to be operational, not documentary.

For identity teams, the sharpest implication is that CMMC readiness depends on who can access CUI, how access is limited, how quickly it is revoked, and whether those controls can be evidenced to an assessor. That makes CMMC Level 2 as much an identity governance problem as a compliance one, especially where human access, service accounts, and security tooling all touch the same regulated environment.


Key questions

Q: What fails when CMMC Level 2 access control is not tightly governed?

A: CMMC Level 2 breaks down when CUI access is broader than job function, because assessors need evidence that access is least privilege, role-based, and revoked when roles change. Weak identity governance can make a programme look documented but not actually controlled. The failure mode is stale or excessive access that cannot be defended during assessment.

Q: Why do CMMC Level 2 programmes depend so heavily on identity and privilege management?

A: Because CUI protection is only credible when the organisation can show who can reach regulated data, who can administer the systems around it, and how quickly that access disappears when it is no longer needed. IAM and PAM are the mechanisms that convert policy into enforceable scope, which is why they sit at the centre of CMMC readiness.

Q: What do organisations get wrong about CMMC Level 2 readiness?

A: The most common mistake is treating readiness as a document review instead of an operating-state problem. Policies, plans, and diagrams matter, but the assessment tests whether controls work in practice and whether evidence supports that claim. Teams that ignore live access patterns, logging, and remediation discipline usually discover their gaps too late.

Q: Who is accountable when CMMC readiness gaps delay certification?

A: Accountability sits with the programme owner and the control owners who must ensure the environment, evidence, and documentation stay consistent. In practice, compliance cannot be treated as a documentation-only task. Governance needs named owners for scope, evidence quality, remediation tracking, and final assessment readiness.


Technical breakdown

How CMMC Level 2 translates NIST 800-171 into evidence

CMMC Level 2 is built on the 110 requirements in NIST SP 800-171 Rev. 2, but the assessment standard goes beyond policy existence. Assessors evaluate whether controls are implemented correctly, operate as intended, and are backed by traceable evidence. That creates a shift from “we have a policy” to “we can demonstrate enforcement.” In practice, scoping, asset inventory, access boundaries, and evidence collection must be aligned before assessment begins. If the evidence cannot prove control operation, the control does not count in a CMMC review. This is why compliance programmes fail when they treat the assessment as a documentation task rather than a control validation exercise.Practical implication: build evidence packs from live control operation, not static policy documents.

Practical implication: build evidence packs from live control operation, not static policy documents.

Why CUI access control is an IAM and PAM problem

CUI handling requires least privilege, role definition, and revocation discipline, which places identity governance at the centre of compliance. If users, admins, contractors, and security tools all share broad access to CUI repositories or SPAs, the organisation may pass a policy review while failing operational assurance. This is where IAM and PAM intersect with CMMC: access must be demonstrably scoped, privileged access must be controlled, and changes in role or employment status must trigger rapid removal of access. The same logic extends to NHI exposures such as service accounts, integration tokens, and admin automation that touch regulated systems.Practical implication: map every CUI-touching identity, including non-human identities, to a named owner and access boundary.

Practical implication: map every CUI-touching identity, including non-human identities, to a named owner and access boundary.

How SPRS scoring and POA&Ms change the compliance posture

CMMC Level 2 status is not binary in practice. Organisations can land in a conditional posture when they have not yet met all requirements but have documented remediation plans for allowable gaps. That makes SPRS scoring and POA&M discipline central to the programme, because the business outcome is contract eligibility, not only technical uplift. The critical governance issue is whether unresolved findings are short-lived and controlled, or whether they become a standing risk accepted into the contracting posture. In procurement-heavy environments, that distinction determines whether a contractor stays eligible to bid or loses work while remediation drags on.Practical implication: treat conditional status as a tightly managed exception, not a substitute for control maturity.

Practical implication: treat conditional status as a tightly managed exception, not a substitute for control maturity.


Threat narrative

Attacker objective: The objective is to reach regulated information or supporting security assets through access that is broader or less monitored than the organisation can justify.

  1. Entry occurs through weakly scoped access to CUI or security tooling, often where internal roles, third parties, or connected systems are over-privileged.
  2. Escalation follows when those identities retain access beyond their job function, allowing wider exposure of regulated data, logs, or security protection assets.
  3. Impact is contract, operational, and compliance failure, because inability to evidence control operation can block award, renewal, or continued eligibility.

NHI Mgmt Group analysis

CMMC Level 2 is really an evidence problem disguised as a compliance programme. The article correctly frames the shift from preparation to enforcement, but the harder issue is whether organisations can prove control operation under assessment pressure. In CMMC terms, passing is not about drafting procedures, it is about demonstrating that the controls around CUI are repeatable, monitored, and defensible. Practitioners should treat evidence quality as a control in its own right.

Identity governance now sits inside the compliance boundary, not beside it. CUI protection depends on access scoping, revocation, and privileged access handling, which means IAM and PAM teams are no longer support functions for CMMC. The article’s emphasis on role-based controls should be read alongside access review, offboarding, and admin boundary management for both people and non-human identities. Practitioners should map every CUI-facing identity to a control owner and a testable lifecycle.

Conditional compliance can become governance debt if POA&Ms are treated as inventory rather than risk. CMMC’s conditional status model is useful, but only when gaps are time-bound, tracked, and tied to business impact. If organisations let remediation drift, they create a standing exposure window that may satisfy paperwork while failing procurement reality. Practitioners should treat POA&Ms as measurable closure items, not as deferred assurance.

Security protection assets deserve the same scrutiny as the data they defend. The article’s discussion of SPAs is often overlooked, yet those tools and configurations control whether CUI safeguards actually function. That creates a broader governance lesson for the market: identity providers, logging platforms, and security tooling are now part of the regulated control surface. Practitioners should inventory them as operational dependencies, not background infrastructure.

CMMC is pushing defence suppliers toward continuous access assurance. Once contracts depend on verified control state, periodic point-in-time checks are no longer enough. The practical model is continuous scoping, continuous evidence collection, and continuous removal of stale privilege, especially where human access and service automation both touch regulated systems. Practitioners should expect compliance and identity operations to merge operationally.

What this signals

Identity evidence will become a procurement dependency. As CMMC Level 2 moves into contracts, teams should expect access reviews, privileged access records, and offboarding proof to be requested with the same urgency as technical controls. The governance gap is no longer just whether access is least privilege, but whether it is demonstrable at the exact point of procurement.

Conditional status is useful only when remediation is measurable. Once organisations rely on POA&Ms, the programme needs explicit closure dates, control owners, and sign-off criteria that map back to CUI exposure. Without that discipline, conditional compliance becomes a staging area for risk rather than a route to eligibility.

Access to security protection assets is now part of the regulated surface. Identity providers, logging platforms, and administrative automation that support CUI controls should be treated as first-class compliance dependencies, not invisible infrastructure. That is where the next set of audit questions will land.


For practitioners

  • Inventory every CUI-touching identity and system Create a full list of users, admins, contractors, service accounts, and security tools that can access CUI or security protection assets, then assign an owner and system boundary to each. Include connected platforms, not just the data repositories themselves.
  • Align access reviews to role and contract changes Tie joiner, mover, leaver events to immediate access review and revocation for CUI environments, including privileged roles and any non-human identities that support those workflows. This reduces the risk that stale access survives long enough to become a compliance finding.
  • Build an assessor-ready evidence pack Collect proof of implementation for the 110 requirements before the assessment window opens, including screenshots, logs, tickets, training records, and remediation tracking. Organise the material so an assessor can verify operating effectiveness without relying on verbal explanation.
  • Treat POA&Ms as time-bound risk controls Document each gap with an owner, remediation date, and business impact, then review progress as part of compliance governance. Avoid letting conditional status become a long-term operating model for controls that directly affect CUI exposure.

Key takeaways

  • CMMC Level 2 is shifting defence suppliers from policy readiness to provable control operation.
  • The strongest compliance signal is not documentation volume, but whether identity, privilege, and evidence are aligned around CUI.
  • Organisations that cannot prove access boundaries and remediation discipline will struggle to stay eligible for DoD work.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST SP 800-63 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4CMMC access scoping maps closely to least-privilege identity governance.
NIST SP 800-53 Rev 5AC-6Least privilege is central to protecting CUI and security protection assets.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle and privilege hygiene underpin CMMC evidence quality.
NIST SP 800-63SP 800-63BAuthentication strength matters where CUI access depends on verified identities.
ISO/IEC 27001:2022A.5.15Access control governance is directly relevant to contractor environments handling CUI.

Map CUI access to PR.AC-4 and verify role-based access removal at every joiner-mover-leaver event.


Key terms

  • Controlled Unclassified Information: Controlled Unclassified Information is sensitive government information that is not classified but still requires safeguarding. In CMMC contexts, it is the data category that drives scoping, control expectations, assessment rigor, and contractual consequences for contractors and subcontractors that handle it.
  • Security Protection Asset: A Security Protection Asset is a system that protects in-scope assets without necessarily processing CUI itself. Identity platforms, firewalls, SIEM tools, and endpoint controls often fall here, and they still matter because assessors expect them to be documented and aligned with the enclave's governance model.
  • POA&M: A Plan of Action and Milestones is a formal record of security gaps, remediation steps, owners, and target dates. In compliance programmes, it is meant to show controlled risk reduction, but it only works when closure is measurable and tied to the operational impact of the gap.
  • C3PAO: A C3PAO is a Certified Third-Party Assessor Organisation that evaluates whether an organisation meets CMMC requirements. Its role is to validate implementation through documentation, interviews, and testing, which means organisations must be able to demonstrate controls rather than simply describe them.

What's in the full article

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • A full 110-control compliance checklist mapped to CMMC Level 2 requirements and assessment objectives
  • Step-by-step guidance on assessment prep, conditional status, POA&M closure, and annual affirmation
  • Cost estimates for self-assessment versus third-party assessment, including readiness and remediation spend
  • Operational examples of how CUI, SPD, and SPAs should be scoped inside contractor environments

👉 Secureframe's full post covers CMMC levels, assessment timing, cost ranges, and the compliance checklist in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management in the context of operational control. It is designed for practitioners who need to connect identity discipline to broader security and compliance programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org