TL;DR: Phase 2 of CMMC begins on November 10, 2026 with mandatory third-party Level 2 assessments for prioritized contracts, pushing defense contractors to prove access control, segmentation, logging, and identity enforcement in live environments, according to Appgate. The practical shift is from documented intent to auditable execution, which makes implicit-trust access models harder to defend.
NHIMG editorial — based on content published by Appgate: CMMC phase 2 makes access security a proof point, not a policy
By the numbers:
- Phase 2 of the Department of Defense’s CMMC rollout takes effect on November 10, 2026, introducing mandatory third-party CMMC Level 2 assessments for prioritized contracts.
- CMMC Level 2 aligns directly with the 110 security requirements outlined in NIST SP 800-171.
- The framework aligns closely with NIST SP 800-171 requirements and introduces a streamlined three-level maturity model.
Questions worth separating out
Q: What breaks when broad VPN access is used for CMMC readiness?
A: Broad VPN access often breaks the assessment story because it proves authentication, not least privilege.
Q: Why do access controls matter so much under CMMC Phase 2?
A: Access controls matter because Phase 2 moves CMMC from paper compliance to third-party validation of operational enforcement.
Q: How do security teams know whether segmentation is actually working?
A: Segmentation is working when users can only reach the systems explicitly required for their role, and when logs show that denied paths stay denied.
Practitioner guidance
- Map CMMC controls to observable access paths Document how each privileged and standard access path reaches protected resources, then test whether the path can be explained to a third-party assessor without relying on trust assumptions or informal approvals.
- Replace broad VPN reach with identity-scoped access Limit users, subcontractors, and vendors to explicitly authorised applications and data stores, and verify that network reach does not exceed the least-privilege intent for CUI environments.
- Build assessment evidence into logging design Ensure access logs, policy decisions, and segmentation events are retained in a way that supports audit review, incident reconstruction, and control validation under CMMC Level 2 assessment.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- How the CMMC 2.0 mapping guide aligns ZTNA capabilities to access management, authentication, and system integrity requirements.
- Why Appgate's direct-routed architecture is presented as a fit for remote access and hybrid environments under assessment pressure.
- The specific control areas the vendor links to mTLS, SPA, and segment-of-one access.
- Practical remediation themes for organisations replacing broad VPN reach with identity-centric access.
👉 Read Appgate's analysis of CMMC Phase 2 access control and ZTNA readiness →
CMMC phase 2 and access control: are your controls assessment-ready?
Explore further
CMMC Phase 2 turns access control into an evidence discipline. The operating question is no longer whether a contractor has policies aligned to NIST SP 800-171. It is whether those policies can be shown to work consistently across real users, real devices, and real third-party connections under assessment pressure. That changes identity governance from documentation management to proof management, which is a materially different control expectation for DIB programmes.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when subcontractor access fails CMMC review?
A: Accountability sits with the organisation holding the contract, even when access is provided by vendors, subcontractors, or external providers. That means ownership of onboarding, access scope, logging, and revocation must be clearly assigned and evidenced. If the contractor cannot show control over third-party access, the assessment risk remains theirs.
👉 Read our full editorial: CMMC phase 2 makes access security a proof point, not a policy