If you build or support anything for the U.S. Department of Defense (DoD) and handle Controlled Unclassified Information (CUI), November 10, 2026 is now a concrete compliance milestone, not a distant date.

CMMC 2.0 Phase 2 begins November 10, 2026, when DoD can require third-party CMMC Level 2 (C3PAO) certifications for new CUI contracts as a condition of award [1: governmentcontractslawblog.com]. For aerospace, defense, and manufacturing suppliers, your access management will determine your ability to win or keep work.

This guide walks you step-by-step through preparing your access management for a CMMC Level 2 C3PAO assessment:

  • What Phase 2 changes
  • The precise least-privilege and MFA requirements that challenge teams
  • How to design and automate access controls across complex, hybrid environments
  • How to build the audit trail your C3PAO will actually require
  • How to fit all of this work into a realistic 6-18 month timeline

Throughout, we'll highlight where SSO-only and manual processes create regulatory gaps, and where a complete IGA platform like Iden eliminates both risk and manual effort.

Before You Start: What You Need in Place

You don't need a perfect environment, but you do need these basics:

  • Executive sponsorship from your CISO, CIO, or Head of IT
  • Clarity on scope: which networks, systems, and apps process CUI
  • An SSO or IDP baseline (e.g., Okta, Entra ID), even if coverage is partial
  • A current asset and application inventory, even if incomplete
  • Clear CMMC Level 2 ownership (often shared by Security, IT, and Compliance)
  • Budget for tooling and remediation, especially if you rely heavily on manual processes

If you meet these, you can proceed with the following steps.

Step 1: Understand What CMMC Phase 2 Actually Changes

Before revising access policies, make sure you target the right requirements.

1.1 Know what Level 2 really is

CMMC Level 2 consists of 110 practices mapping to the security requirements in NIST SP 800-171 Rev. 2 [2: artifact-factory.com]. These requirements cover 14 control families, including Access Control (AC), Identification and Authentication (IA), and Audit and Accountability (AU), all central to access management.

Two Level 2 controls are most critical for your access design:

  • AC.L2-3.1.5 requires least privilege for privileged accounts and specified security functions [3: syncdog.com]
  • IA.L2-3.5.3 mandates multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts [4: dodcio.defense.gov]

If your current model is "everyone in engineering gets broad access" plus "MFA on VPN," you have significant updates ahead.

1.2 Understand the Phase 2 enforcement model

Under the final rule, CMMC phases in over three years. For access management, Phase 2 is pivotal:

  • Phase 1 (from Nov 10, 2025): Level 1 and Level 2 self-assessments may appear in contracts; usage is discretionary.
  • Phase 2 (Nov 10, 2026 to Nov 9, 2027): DoD can require Level 2 third-party certifications (C3PAO) in applicable CUI contracts. [1: governmentcontractslawblog.com]

Primes are already signaling that by late 2026, most CUI work will expect a completed Level 2 C3PAO certification, or at least a scheduled assessment.

Common mistake: Treating November 10, 2026 as the start of your Level 2 journey. For most, that's the latest you want your audit report in hand, not when to begin preparation.

Step 2: Map Where CUI Lives and Who Can Access It

You can't enforce least privilege or MFA if you don't know what you're protecting.

2.1 Build a CUI access map

For each program or contract with CUI:

  1. List systems storing/processing CUI:
    • PLM vaults, CAD repositories, MES, ERP (e.g., SAP), portals
    • Source code repos for export-controlled software
    • Secure file shares and collaboration tools
  2. Document user access paths:
    • AD login, VPN, jump hosts, SSO, local/shared admin accounts
  3. Inventory human and non-human identities:
    • Employees, contractors, partners
    • Service accounts, CI/CD bots, machine IDs

This is your scoping baseline for NIST 800-171 and CMMC.

2.2 Expose your SSO and automation gaps

Most mid-market defense suppliers run Okta or Entra ID. The issue is coverage:

Iden's customers consistently find that SSO and SCIM automate only a fraction of critical CUI systems, especially long-tail SaaS, on-prem manufacturing systems, and legacy tools. The rest still depend on manual provisioning, spreadsheets, and ticket queues.

As you map systems, tag each:

  • SSO + automated provisioning (SCIM/API)
  • SSO only (centralized login, manual permissions and lifecycle)
  • No SSO / local accounts

Where you see "SSO only" or "No SSO," expect CMMC access risk and audit complexity.

Tip: Don't assume "behind VPN" puts systems out of scope. If CUI ever flows through a system, it and its users fall under Level 2, even dusty line-of-business apps.

Step 3: Design and Enforce Least-Privilege Roles for CUI

C3PAOs need to see a rational, enforced access model, not a blanket "engineers need broad access" justification.

3.1 Define CUI-relevant roles and entitlements

For each in-scope system:

  • Define business roles (e.g., NC programmer, quality engineer, subcontract manager)
  • Map each role to precise entitlements:
    • Which projects, repositories, or workspaces
    • What permissions (read, change, approve, administer)
    • Segregation of Duties requirements (e.g., no single user can both author and approve changes)

Document these in a central catalog, not buried in AD groups or admin tribal knowledge.

3.2 Configure systems to enforce least privilege

AC.L2-3.1.5 is about enforced system behavior, not a written policy. [5: cuicktrac.com]

  • Default roles with minimal CUI access
  • Avoid shared admin accounts unless justified by technical constraints
  • Break-glass access must be time-bound and logged
  • Regularly review and remove stale privileges

Iden's fine-grained controls manage permissions at channel, repo, and project level, even where SSO can only assign broad group access.

Common mistake: Using a single "CUI" group to grant broad access. It's fast to set up and nearly impossible to defend under AC.L2-3.1.5 once auditors review users and roles.
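The role-to-entitlement catalog and the Segregation of Duties rule from Step 3 lend themselves to an automated check. The following is an added example, not Iden's code or any product's API: it compares what a user actually holds in an in-scope system against what their catalog roles justify, flags excess entitlements (least-privilege drift under AC.L2-3.1.5) and flags a user who can both author and approve changes on the same scope. The role catalog, role names and entitlement tuples are constructed sample data.

```python
"""Least-privilege drift and SoD check against a CUI role catalog (constructed sample)."""
from collections import defaultdict

# Constructed role catalog: role -> set of (system, scope, permission).
# In practice this is the central catalog the page asks you to maintain.
ROLE_CATALOG = {
    "nc_programmer":    {("PLM", "proj-A", "read"), ("PLM", "proj-A", "change")},
    "quality_engineer": {("PLM", "proj-A", "read"), ("PLM", "proj-A", "approve")},
}

# Permission pairs one user must never hold on the same system and scope
# (the page's example: authoring and approving the same changes).
SOD_CONFLICTS = {frozenset({"change", "approve"})}


def expected_entitlements(roles):
    """Union of catalog entitlements justified by the user's assigned roles."""
    ents = set()
    for role in roles:
        ents |= ROLE_CATALOG[role]
    return ents


def check_user(user, roles, observed):
    """Return a list of findings for one user.

    roles:    role names assigned to the user (hypothetical IGA export)
    observed: set of (system, scope, permission) actually present in the app export
    Scopes are compared literally; wildcard/admin scopes are out of scope here.
    """
    findings = []
    allowed = expected_entitlements(roles)

    # Least-privilege drift: present in the system, justified by no role.
    for ent in sorted(observed - allowed):
        findings.append(("EXCESS", user, ent))

    # SoD: the same user holds both halves of a conflicting pair on one scope.
    perms_by_scope = defaultdict(set)
    for system, scope, perm in observed:
        perms_by_scope[(system, scope)].add(perm)
    for (system, scope), perms in perms_by_scope.items():
        for pair in SOD_CONFLICTS:
            if pair <= perms:
                findings.append(("SOD", user, (system, scope, tuple(sorted(pair)))))
    return findings
```

Run it over a per-system permission export and a role-assignment export; an empty result for every user is the state an assessor expects to see, and the findings list is the remediation queue.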

Step 4: Close MFA Gaps Across Your CUI Boundary

MFA is one of the most visible, and most misunderstood, Level 2 requirements.

4.1 Know exactly what IA.L2-3.5.3 requires

Restating for emphasis:

IA.L2-3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. [4: dodcio.defense.gov]

This generally means:

  • MFA on all remote access paths to CUI environments (VPN, ZTNA, VDI, jump hosts)
  • MFA for all privileged accounts, even local logins
  • MFA for standard users accessing network or cloud resources handling CUI (e.g., SSO into SaaS apps)

4.2 Design an MFA strategy that covers edge cases

Address scenarios such as:

  • Local admin logins on engineering workstations
  • Technicians accessing shop-floor systems via RDP
  • Cloud collaboration and email touching CUI
  • Break-glass accounts for incident response

You need a single, documented MFA policy enforced consistently, ideally via your IDP and endpoint controls.

Tip: C3PAOs increasingly expect conditional access or equivalent policies that prove MFA is enforced by design. Capture screenshots and export policy definitions for your evidence.

Step 5: Automate Joiner/Mover/Leaver Flows and Admin Access

You can't demonstrate least privilege or timely revocation if changes depend on tickets and memory.

5.1 Joiners: birthright access and just-in-time elevation

For hires and role changes:

  • Birthright access: baseline CUI access automatically provisioned on day one per role/location
  • Just-in-time access: elevated permissions granted briefly with approvals and logs

Wire your HRIS and IDP to your access management platform so role changes and terminations update every system.

Iden connects to HRIS and SSO sources of truth, then executes policy-based provisioning in every app, even those without SCIM or APIs.

5.2 Leavers: eliminate orphaned and zombie accounts

Assessors emphasize offboarding. An active account for a departed engineer on a CUI system is an easy non-conformity.

Iden automates deprovisioning across all connected apps as soon as HR or your IDP marks a user as terminated, including systems SSO can't automate. This is crucial evidence for AC and CM controls.

Teams using Iden typically see 80% fewer manual access tickets within 60 days as provisioning and deprovisioning requests are automated. That's the difference between "we meant to remove their access" and "here's the log showing it happened 30 seconds after HR processed termination."

Common mistake: Assuming "disable in AD" means "access revoked everywhere." Many CUI systems (PLM, MES, on-prem ERP, specialized SaaS) have their own user stores. If you don't orchestrate those, your offboarding is incomplete.
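The offboarding gap described in this step can be measured directly by reconciling the HRIS termination feed against each system's own user store rather than trusting the AD status. The block below is an added example, not Iden's code: the HR export, the per-system account exports and the 24-hour revocation target are all constructed sample data. It reports accounts still active after termination, accounts disabled later than the target, and, for compliant accounts, the revocation latency that makes up the "here's the log" evidence the page describes.

```python
"""Offboarding reconciliation across CUI systems (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed HRIS export: user -> when HR processed the termination.
HR_TERMINATIONS = {
    "jdoe":   datetime(2026, 3, 2, 9, 0),
    "asmith": datetime(2026, 3, 5, 17, 30),
}

# Constructed per-system account exports: user -> (status, last status change).
# PLM and MES keep their own user stores, so AD being disabled proves nothing for them.
SYSTEM_ACCOUNTS = {
    "AD":  {"jdoe":   ("disabled", datetime(2026, 3, 2, 9, 0, 30)),
            "asmith": ("disabled", datetime(2026, 3, 5, 17, 31))},
    "PLM": {"jdoe":   ("disabled", datetime(2026, 3, 2, 9, 1)),
            "asmith": ("active", None)},                     # zombie account
    "MES": {"jdoe":   ("disabled", datetime(2026, 3, 9, 8, 0)),  # nearly a week late
            "asmith": ("disabled", datetime(2026, 3, 5, 17, 32))},
}

MAX_REVOCATION_DELAY = timedelta(hours=24)  # assumed internal policy target, not a CMMC number


def reconcile(terminations, accounts, max_delay=MAX_REVOCATION_DELAY):
    """Return (findings, evidence).

    findings: (system, user, reason) for accounts still active, or disabled
              later than max_delay after the HR termination time.
    evidence: (system, user, seconds_to_revoke) for accounts revoked in time,
              the per-system record an assessor asks for under AC/CM controls.
    """
    findings, evidence = [], []
    for system, store in accounts.items():
        for user, terminated_at in terminations.items():
            if user not in store:
                continue  # user never had an account here
            status, changed_at = store[user]
            if status == "active":
                findings.append((system, user, "account still active after termination"))
            elif changed_at - terminated_at > max_delay:
                findings.append((system, user, f"disabled {changed_at - terminated_at} after termination"))
            else:
                evidence.append((system, user, int((changed_at - terminated_at).total_seconds())))
    return findings, evidence
```

Feed it one export per in-scope system (including the "No SSO / local accounts" ones from Step 2); each finding is a likely non-conformity, and the evidence list is what you retain for the assessment window.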

Step 6: Build Continuous Access Reviews and Evidence for Your C3PAO

CMMC is shifting from documentation-based to evidence-based compliance. Your C3PAO cares less about written policies than about real operating evidence.

6.1 Understand the evidence window

Many C3PAOs want to see 3-6 months of operating evidence (logs, tickets, and review records) before recommending CMMC Level 2 certification [6: cispoint.com]. Standing up controls just before assessment risks remediation and delays.

Plan for "controls-live" status by early 2026 if you're targeting a late-2026 audit.

6.2 Automate user access reviews and attestation

Level 2 requires:

  • Periodic review of CUI system access
  • Removal or justification of excessive privileges
  • Audit trails of reviews

Manual reviews via exports and spreadsheets don't scale and are difficult to defend.

Iden automates user access reviews, routes them to managers, enforces decisions, and stores the complete audit trail. User access reviews that once took 120 hours per quarter are now automated with full evidence available on demand. This provides ongoing assurance and simplifies audits.

6.3 Centralize logs and tie them to identities

You need to answer questions like:

  • "When was User X granted access to System Y, and who approved it?"
  • "When did access change or get revoked?"
  • "Show admin activity on CUI systems over the last 90 days."

This typically requires:

  • An identity governance system (like Iden) tracking approvals and lifecycle events
  • A SIEM or log platform recording authentication and admin actions

Tip: Build a "C3PAO binder" (digital is fine) now: screenshots of policies, role definitions, sample tickets, IGA workflows, and representative logs. Update monthly so you're ready for assessment anytime.

Step 7: Back-Plan from November 2026 and Line Up Your C3PAO

The hardest part of CMMC isn't the assessment week; it's the calendar math.

7.1 Be realistic about readiness timelines

Recent studies and advisories agree:

Achieving CMMC Level 2 readiness typically takes 6-12 months for most organizations, and up to 18 months for complex environments. [7: cispoint.com]

This includes:

  • Gap analysis and scoping
  • Technical remediation (MFA, segmentation, logging, hardening)
  • Process and documentation (SSP, policies, procedures)
  • Evidence collection over several months

7.2 Account for C3PAO backlogs

On top of your work, plan for auditor availability.

2026 timeline analyses note C3PAO assessment backlogs are already 6-12 months and will grow as Phase 2 nears [8: cmmcfirst.com]. Many contractors are booking 2026 assessments in 2025.

Work backward from your goals:

  • To have signed C3PAO certification by Q4 2026, you need:
    • Controls and evidence in place by Q1 2026
    • C3PAO contract and date locked by mid-2025

Common mistake: Treating the C3PAO engagement as a last-mile task. Scheduling often determines your program's timeline. Book early and use pre-assessment workshops to test your system before the audit.

Key Takeaways and Next Steps

You can't control the CMMC timeline, but you can control your readiness.

Key takeaways:

  • Phase 2 on November 10, 2026 makes C3PAO Level 2 certification a contract requirement for CUI work.
  • Least privilege (AC.L2-3.1.5) and MFA (IA.L2-3.5.3) require system configuration, not just written policies.
  • Manual provisioning, SSO-only automation, and spreadsheet-based reviews will not pass a C3PAO inspection in 2026.
  • A realistic 6-18 month plan, starting now with early C3PAO scheduling, is what keeps contractors in the DoD ecosystem.

Iden is purpose-built for resource-constrained teams needing comprehensive identity governance across all systems (SCIM, API, or neither), plus automated evidence for auditors. Iden automates governance for 175+ SaaS apps, including non-SCIM tools like Slack, Notion, Figma, Linear, and GitHub, without requiring enterprise upgrades. For teams pursuing CMMC, SOC 2, ISO 27001, and sector-specific requirements, Iden's universal coverage and continuous audit trail prevent compliance sprawl.

Next steps this quarter:

  • Finalize your CMMC Level 2 scope and CUI access map
  • Complete your MFA and least-privilege access design
  • Pilot an identity governance platform that automates joiner/mover/leaver flows, offboarding, and access reviews for all in-scope apps, not just SCIM-ready ones

FAQ: CMMC Phase 2, Level 2, and Access Management

1. Do we really need a C3PAO Level 2 certification by November 2026?

Not every DoD contract will require Level 2 immediately in Phase 2, but any work involving CUI may include Level 2 (C3PAO) as a requirement from November 10, 2026. [1: governmentcontractslawblog.com] Many primes already plan to require certified subcontractors to manage risk.

If any significant share of your pipeline depends on CUI contracts, plan to need Level 2 by late 2026. Being ready early has little downside; missing a bid window because your assessment is delayed can be costly.

2. Is SSO plus VPN-level MFA enough to meet Level 2 access requirements?

Usually not.

VPN MFA rarely satisfies IA.L2-3.5.3, which expects MFA for both privileged and network access to CUI environments, including cloud services. [4: dodcio.defense.gov] You'll typically need:

  • MFA through your IDP for all CUI-relevant SaaS and web apps
  • MFA for local and remote admin logins
  • Documented policies and technical controls showing how MFA is enforced, not just that it exists

SSO is foundational, but without identity governance and app-level controls, you won't meet Level 2 requirements.

3. How is "CMMC Level 2" different from "NIST 800-171 compliant"?

Level 2 is essentially NIST 800-171 with evidence.

The technical baseline is the same, but under CMMC, you:

  • Complete an independent third-party assessment (for most Level 2 contracts) rather than self-attesting
  • Demonstrate control maturity over time with evidence, not just point-in-time settings
  • Face contract consequences for misrepresentation

If you truly meet all 110 NIST 800-171 requirements and can supply months of evidence, you're close to Level 2. But most "800-171 compliant" organizations struggle with least privilege, MFA coverage, and access governance on review. [9: nrlabs.com]

4. How can a small IT team run CMMC-grade access governance?

Scale through automation, not headcount.

Manual tickets, spreadsheets, and ad-hoc scripts don't scale and are tough to justify to a C3PAO. Resource-constrained teams that succeed at Level 2:

  • Use a central IGA platform to orchestrate provisioning, deprovisioning, and approvals
  • Automate user access reviews and evidence collection
  • Use SSO for authentication, but not for governance alone

Iden is built for 50-2,000 employee teams in this situation: it automates joiner/mover/leaver flows, handles non-SCIM and legacy apps, and supplies continuous exportable evidence, with no need for a dedicated IAM admin or lengthy deployment.

5. When should we bring in a tool like Iden versus trying to "get compliant" first?

Starting with an IGA platform usually speeds your Level 2 journey:

  • It enforces least-privilege and MFA policies across apps, raising your security posture
  • It builds your audit trail as you remediate, so evidence accumulates naturally
  • It reduces manual work during remediation, vital if you're tackling other frameworks like SOC 2 or ISO 27001

Due to C3PAO backlog and the Phase 2 deadline, trying to go manual then automate later is typically slower and riskier.