TL;DR: Phase 2 of CMMC begins on November 10, 2026 with mandatory third-party Level 2 assessments for prioritized contracts, pushing defense contractors to prove access control, segmentation, logging, and identity enforcement in live environments, according to Appgate. The practical shift is from documented intent to auditable execution, which makes implicit-trust access models harder to defend.
At a glance
What this is: CMMC Phase 2 shifts Level 2 readiness from policy preparation to operational proof across access control, authentication, segmentation, and auditability.
Why it matters: IAM, PAM, and NHI teams supporting defense contractors now need controls that can withstand third-party assessment, especially where remote access, subcontractors, and legacy trust models expand exposure.
By the numbers:
- Phase 2 of the Department of Defense’s CMMC rollout takes effect on November 10, 2026, introducing mandatory third-party CMMC Level 2 assessments for prioritized contracts.
- CMMC Level 2 aligns directly with the 110 security requirements outlined in NIST SP 800-171.
- The framework aligns closely with NIST SP 800-171 requirements and introduces a streamlined three-level maturity model.
👉 Read Appgate's analysis of CMMC Phase 2 access control and ZTNA readiness
Context
CMMC Phase 2 is not just another deadline for defense contractors. It is the point where access control, authentication, and auditability must be demonstrated operationally to third-party assessors, not merely described in policy.
That matters because many environments handling Controlled Unclassified Information still rely on broad trust, especially through legacy VPN access, subcontractor connectivity, and distributed infrastructure. For IAM and NHI programmes, the question becomes whether identity enforcement can be shown consistently across users, devices, services, and third-party access paths.
This is a governance problem as much as a technical one. If a control cannot be evidenced across real operational conditions, it will fail the assessment moment even if it looked adequate on paper.
Key questions
Q: What breaks when broad VPN access is used for CMMC readiness?
A: Broad VPN access often breaks the assessment story because it proves authentication, not least privilege. Users may gain network visibility far beyond what CMMC expects for CUI handling, which makes segmentation, monitoring, and audit evidence harder to defend. The control failure is not connectivity itself, but the absence of resource-level enforcement and demonstrable boundaries.
Q: Why do access controls matter so much under CMMC Phase 2?
A: Access controls matter because Phase 2 moves CMMC from paper compliance to third-party validation of operational enforcement. Assessors will look for evidence that access is restricted by identity and context, monitored in real time, and limited to authorised resources. If the organisation cannot show that consistently, control intent will not translate into compliance proof.
Q: How do security teams know whether segmentation is actually working?
A: Segmentation is working when users can only reach the systems explicitly required for their role, and when logs show that denied paths stay denied. In practice, teams should test whether lateral movement is blocked, whether third-party access is constrained, and whether the evidence trail clearly shows policy enforcement rather than informal network trust.
Q: Who is accountable when subcontractor access fails CMMC review?
A: Accountability sits with the organisation holding the contract, even when access is provided by vendors, subcontractors, or external providers. That means ownership of onboarding, access scope, logging, and revocation must be clearly assigned and evidenced. If the contractor cannot show control over third-party access, the assessment risk remains theirs.
Technical breakdown
Why legacy VPN access breaks CMMC assessment expectations
Traditional VPN designs often grant broad network reach after login, which means authentication is treated as a one-time gate rather than an ongoing control. Under CMMC Phase 2, that model creates a mismatch between documented intent and observable enforcement. Assessors will look for least-privilege access, segmentation, and auditability, not just successful user sign-in. In practice, the issue is that authenticated users may still see too much, move too far, and generate too little evidence for a defensible control story.
Practical implication: replace broad network trust with identity-scoped access paths that can be evidenced during assessment.
How zero trust access supports access control and segmentation
Zero Trust Network Access shifts the control point from the network perimeter to identity, device posture, and policy. That matters for CMMC because the requirements emphasise limiting lateral movement, monitoring access activity, and restricting access based on need. In a well-structured ZTNA model, users are not placed onto the network by default. They are granted access only to explicitly authorised resources, which reduces exposed infrastructure and gives assessors a clearer trail of enforcement decisions.
Practical implication: map each protected resource to a specific identity and policy boundary before your next readiness review.
Why auditability is now part of the access control design
CMMC Phase 2 increases the value of evidence. It is no longer enough to say that access is restricted, monitored, or segmented. Organisations must be able to show it through logs, policy records, and consistent enforcement across users, subcontractors, and third-party connections. That makes auditability a design property, not a reporting afterthought. When access decisions are identity-centric and continuously enforced, the evidence trail becomes much easier to defend under third-party review.
Practical implication: build logging and access review evidence into the control itself, not as a separate compliance activity.
NHI Mgmt Group analysis
CMMC Phase 2 turns access control into an evidence discipline. The operating question is no longer whether a contractor has policies aligned to NIST SP 800-171. It is whether those policies can be shown to work consistently across real users, real devices, and real third-party connections under assessment pressure. That changes identity governance from documentation management to proof management, which is a materially different control expectation for DIB programmes.
Broad network access is now an assessment liability, not just an architectural choice. The article shows why implicit trust models struggle when the assessor wants to see segmentation, least privilege, and audited access boundaries. Legacy VPN patterns can still authenticate users, but they often cannot demonstrate that access was constrained tightly enough for CUI handling. Practitioners should treat broad reachability as a governance gap because it weakens both control enforcement and evidentiary clarity.
Identity-centric segmentation is the named concept that matters here. CMMC Phase 2 rewards access paths that are tied to specific identities, devices, and authorised resources rather than network membership. That aligns access security with operational proof, which is what third-party assessors will actually test. The implication for practitioners is to model access by resource and trust boundary, not by user convenience or historic network design.
Defense suppliers need to reclassify remote access as part of compliance scope. The article makes clear that remote work, subcontractor connectivity, and hybrid infrastructure are not side issues. They are where assessment evidence will be hardest to produce and easiest to dispute. Organisations that still treat remote connectivity as an IT convenience will struggle to present a coherent CMMC story under third-party validation.
Phase 2 is accelerating convergence between IAM, PAM, and boundary protection. Access decisions, session visibility, and network segmentation are now converging into one operational control plane. That means security teams can no longer isolate identity work from infrastructure design. The practical conclusion is that CMMC readiness will increasingly depend on whether identity governance can be demonstrated across the full access path, not just at login.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- From our research: See also The State of Non-Human Identity Security for the 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps.
What this signals
Identity programmes that cannot produce evidence will struggle under CMMC Phase 2. The compliance burden is moving from design intent to operational proof, which means access reviews, logging, and segmentation need to be testable in real environments. The organisations that treat evidence as part of the control architecture will be better positioned for third-party assessment and later remediation cycles.
Broad trust models will become harder to justify as CUI environments grow more distributed. Remote work, subcontractors, and hybrid systems are no longer edge cases. They are the normal case, and that makes identity-centric access boundaries the practical baseline for defence suppliers.
Access evidence is becoming a board-level governance topic, not an IT detail. CMMC Phase 2 exposes whether the programme can explain who had access, why they had it, and how that access was constrained at the moment it mattered. That is a governance test as much as a technical one.
For practitioners
- Map CMMC controls to observable access paths Document how each privileged and standard access path reaches protected resources, then test whether the path can be explained to a third-party assessor without relying on trust assumptions or informal approvals.
- Replace broad VPN reach with identity-scoped access Limit users, subcontractors, and vendors to explicitly authorised applications and data stores, and verify that network reach does not exceed the least-privilege intent for CUI environments.
- Build assessment evidence into logging design Ensure access logs, policy decisions, and segmentation events are retained in a way that supports audit review, incident reconstruction, and control validation under CMMC Level 2 assessment.
- Review third-party access as part of readiness scope Treat subcontractor and external provider connectivity as first-class assessment material, with documented onboarding, access boundaries, and revocation evidence tied to contract and role changes.
Key takeaways
- CMMC Phase 2 shifts the burden from having controls to proving they work consistently in live environments.
- Broad VPN access and implicit trust are increasingly difficult to defend when assessors expect segmentation, least privilege, and auditability.
- Defense contractors should treat identity-centric access evidence as part of CMMC readiness, not as a separate compliance exercise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access restriction and least privilege are central to CMMC Phase 2 readiness. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege underpins the assessment issues raised by broad VPN access. |
| NIST Zero Trust (SP 800-207) | Section 3.2 | Identity-centric access and segmentation align with zero trust principles. |
| CIS Controls v8 | CIS-6 , Access Control Management | Access control management directly maps to the operational enforcement focus in Phase 2. |
Review privileged and standard access against AC-6 and remove unnecessary network reach.
Key terms
- Controlled Unclassified Information: Controlled Unclassified Information is sensitive government information that is not classified but still requires protection. In CMMC contexts, it raises the standard for access control, monitoring, and auditability because contractors must prove that handling practices work consistently, not just exist on paper.
- Zero Trust Network Access: Zero Trust Network Access is an access model that grants users reach only to explicitly authorised resources after evaluating identity, device posture, and policy. For CMMC readiness, it matters because it reduces broad network exposure and creates clearer evidence of enforced least privilege.
- Third-party assessment: Third-party assessment is an external validation process where an accredited assessor reviews whether controls are implemented and operating effectively. In this article's context, it shifts the burden from internal documentation to demonstrable enforcement across real access paths and operational evidence.
- Identity-centric segmentation: Identity-centric segmentation is the practice of limiting access by identity, device, and authorised resource rather than by network location alone. It is especially relevant to defence environments because it reduces lateral movement and produces a clearer audit trail for compliance review.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- How the CMMC 2.0 mapping guide aligns ZTNA capabilities to access management, authentication, and system integrity requirements.
- Why Appgate's direct-routed architecture is presented as a fit for remote access and hybrid environments under assessment pressure.
- The specific control areas the vendor links to mTLS, SPA, and segment-of-one access.
- Practical remediation themes for organisations replacing broad VPN reach with identity-centric access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org