Zero Trust Security

CMMC 2.0 Is Here: What Defence Contractors Need to Know About Access Control

CMMC 2.0 is no longer a future obligation. For tens of thousands of defence contractors, it is a present and pressing reality — and the gap between what most organisations have deployed and what the standard actually requires is wider than they realise.

What CMMC 2.0 Actually Requires

The Cybersecurity Maturity Model Certification programme, now at version 2.0, establishes three maturity levels for organisations in the Defence Industrial Base. Level 1 covers basic cyber hygiene for Federal Contract Information. Level 2 — the level that applies to most contractors handling Controlled Unclassified Information — maps directly to all 110 practices in NIST SP 800-171. Level 3 adds practices from NIST SP 800-172 for the most sensitive programmes.

The finalised CMMC rule, published in the Federal Register in late 2024, begins phasing into DoD contracts. Contractors who cannot demonstrate compliance will be ineligible for contracts that include CUI. For many organisations, that means a significant portion of their DoD revenue is contingent on achieving and maintaining CMMC Level 2.

The practical implication is significant. NIST 800-171 covers 110 controls across 14 families. The access control family alone — AC — contains 22 practices. Identity and authentication — IA — adds another 11. These are not documentation exercises. They require demonstrable technical controls that operate effectively, continuously, and in a way that can be verified by a C3PAO assessor.

Where Most Contractors Fall Short

The most common gaps we see in CMMC readiness assessments cluster around a small number of control families.

Multi-factor authentication (IA.3.083). CMMC Level 2 requires MFA for local and network access to organisational systems — including privileged accounts and all access to CUI systems. Many contractors have MFA deployed for their primary email and VPN, but not for the internal applications, legacy systems, and administrative interfaces where CUI actually lives. An assessor who looks past the perimeter will find authentication gaps almost immediately.

Least privilege (AC.2.006). The requirement to limit system access to authorised users and the minimum necessary access is straightforward in principle. In practice, most contractors have accumulated years of over-broad permissions. Service accounts with domain admin rights. Shared credentials for legacy applications. Users with access to entire network drives when they need two folders.
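The three patterns above (privileged service accounts, shared credentials, and grants far wider than actual use) can be surfaced from an ordinary account export before an assessor does it for you. The script below is an added example, not PortSys or TAC code; it assumes an export in the shape of the `Account` dataclass (group memberships, folder grants, and the folders actually touched in the review window, for instance from file-access logs), and all accounts, groups and paths in it are constructed.

```python
"""Least-privilege review over a constructed account/grant export.

Added example, not PortSys or TAC code. It assumes an export shaped like the
Account dataclass below (group memberships, folder grants, and the folders
actually touched in the review window, e.g. from file-access logs). All data
is constructed for illustration.
"""
from dataclasses import dataclass, field

# Built-in groups whose membership is effectively domain-wide control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


@dataclass
class Account:
    name: str
    kind: str                                  # "user" or "service"
    groups: set = field(default_factory=set)
    shared: bool = False                       # credential known to more than one person
    grants: set = field(default_factory=set)   # folder paths the account may read
    used: set = field(default_factory=set)     # folder paths it actually touched


def narrowed_scope(grant, used):
    """First-level subfolders of `grant` that `used` touches.

    Returns None when the grant root itself was used (no evidence to narrow),
    an empty set when nothing under the grant was used, otherwise the set of
    immediate child folders that would cover the observed usage.
    """
    prefix = grant.rstrip("/") + "/"
    subs = set()
    for path in used:
        if path == grant:
            return None
        if path.startswith(prefix):
            subs.add(prefix + path[len(prefix):].split("/")[0])
    return subs


def review(accounts):
    """Return (account, finding) pairs for the three gap patterns."""
    findings = []
    for acct in accounts:
        priv = acct.groups & PRIVILEGED_GROUPS
        if acct.kind == "service" and priv:
            findings.append((acct.name, "service account holds " + ", ".join(sorted(priv))))
        if acct.shared:
            findings.append((acct.name, "shared credential: actions cannot be attributed to one person"))
        for grant in sorted(acct.grants):
            subs = narrowed_scope(grant, acct.used)
            if subs is None:
                continue
            if not subs:
                findings.append((acct.name, f"grant on {grant} unused in review window; candidate for removal"))
            else:
                findings.append((acct.name, f"grant on {grant} can be narrowed to " + ", ".join(sorted(subs))))
    return findings


# Constructed export: one example of each gap the text describes, plus one clean grant.
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "service", groups={"Domain Admins", "Backup Operators"}),
    Account("erp-app", "user", shared=True, grants={"/shares/erp"}, used={"/shares/erp"}),
    Account("jdoe", "user", grants={"/shares/programs"},
            used={"/shares/programs/alpha/reports", "/shares/programs/bravo"}),
    Account("asmith", "user", grants={"/shares/finance"}, used=set()),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

The usage-based narrowing is deliberately conservative: a grant is only flagged when nothing under its root was touched, or when every touched path sits in a handful of subfolders, so the output is a candidate list for the system owner to confirm rather than an automatic revocation.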

Remote access governance (AC.3.012). Monitoring and controlling remote access sessions requires more than a VPN log. Assessors want to see per-session authentication, device compliance validation, and an audit trail that shows who accessed what and when — not just who connected to the network.

Legacy application coverage. The controls apply to all systems that process, store, or transmit CUI. That includes the legacy ERP system, the thick-client programme management tool, and the forms-based application that the programme office built in 2009. If those systems cannot demonstrate MFA and access logging, the gap is real regardless of how well-controlled the modern applications are.

Why TAC Is Particularly Well-Suited to CMMC

Total Access Control addresses the CMMC access control and authentication requirements architecturally rather than through policy overlays. Because TAC operates as a reverse proxy, it can enforce MFA, device posture checks, and access logging for any application — including legacy systems that cannot natively support modern authentication — without modifying the application itself.

This matters enormously for CMMC compliance because the standard does not make exceptions for legacy systems. If a system processes CUI, it must meet the requirements. TAC closes the gap that every other authentication platform leaves open.

For the audit evidence requirements, TAC’s unified audit trail provides a single record of every access event across every protected system — user identity, device, location, application, and policy decision. C3PAO assessors reviewing access control and audit accountability controls can work from a single source rather than correlating logs across multiple systems.
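To make the reverse-proxy pattern concrete, here is an added example (not PortSys or TAC code) of a policy enforcement point that sits in front of every application, legacy ones included: it checks identity, the second factor, device posture and entitlement in that order, and writes one audit record per request in a single shape, which is what lets an assessor ask "who accessed this app, when, and with what outcome" from one source. The app names, users, devices and addresses are constructed, and the MFA and posture results are assumed to arrive from an upstream identity provider and device agent as booleans.

```python
"""Reverse-proxy policy enforcement point with a unified audit record.

Added example, not PortSys or TAC code. It models the pattern the text
describes: a proxy in front of every application (legacy ones included)
authenticates the user, checks the second factor and device posture, applies
the entitlement, and writes one audit record per request in a single shape.
App names, users, devices and addresses are constructed; the posture and MFA
results are assumed to arrive from an upstream agent/IdP as booleans.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Which apps hold CUI and therefore also require a compliant device.
APPS = {
    "legacy-erp": {"cui": True},
    "pm-tool": {"cui": True},
    "cafeteria-menu": {"cui": False},
}

# Coarse entitlements: which users may reach which apps.
ENTITLEMENTS = {
    "jdoe": {"legacy-erp", "cafeteria-menu"},
    "asmith": {"pm-tool"},
}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa_verified: bool      # second factor completed for this session
    device_id: str
    device_compliant: bool  # posture result for this device
    client_ip: str
    session_id: str


def decide(req):
    """Return (allowed, reason). Checks run identity, factor, posture, entitlement, in that order."""
    if req.user not in ENTITLEMENTS:
        return False, "unknown-user"
    app = APPS.get(req.app)
    if app is None:
        return False, "unknown-app"
    if not req.mfa_verified:             # MFA for all network access, not only CUI apps
        return False, "mfa-required"
    if app["cui"] and not req.device_compliant:
        return False, "device-noncompliant"
    if req.app not in ENTITLEMENTS[req.user]:
        return False, "not-entitled"
    return True, "policy-allow"


AUDIT_LOG = []


def handle(req, ts=None):
    """Decide and append one record: who, from which device and address, to which app, and why."""
    allowed, reason = decide(req)
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "device": req.device_id,
        "client_ip": req.client_ip,
        "app": req.app,
        "session": req.session_id,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    return record


def records_for_app(log, app):
    """Assessor-style question: who accessed this app, when, and with what outcome."""
    return [(r["ts"], r["user"], r["decision"], r["reason"]) for r in log if r["app"] == app]


# Constructed requests covering the allow path and each deny reason.
SAMPLE_REQUESTS = [
    Request("jdoe", "legacy-erp", True, "LT-0421", True, "10.10.4.12", "s1"),
    Request("jdoe", "legacy-erp", False, "LT-0421", True, "10.10.4.12", "s2"),
    Request("asmith", "pm-tool", True, "LT-0988", False, "10.10.7.3", "s3"),
    Request("jdoe", "pm-tool", True, "LT-0421", True, "10.10.4.12", "s4"),
    Request("jdoe", "cafeteria-menu", True, "LT-0421", False, "10.10.4.12", "s5"),
]

if __name__ == "__main__":
    import json
    for req in SAMPLE_REQUESTS:
        print(json.dumps(handle(req)))
    print(records_for_app(AUDIT_LOG, "legacy-erp"))
```

Two design points carry the compliance value: the backend application never sees the request unless `decide` returns allow, so a 2009 forms application gets the same MFA and posture gate as a modern one, and denies are logged with the same fields as allows, so the audit trail shows failed attempts against CUI systems rather than only successful connections.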

The Timeline Pressure Is Real

CMMC assessments take time. Finding a C3PAO, scheduling an assessment, going through the process, and remediating findings is a multi-month exercise at minimum. Contractors who start that process after CMMC requirements appear in their contracts are already behind.

The organisations that will be best positioned are those that treat CMMC readiness as an ongoing operational state rather than a point-in-time compliance exercise. The controls that CMMC requires — MFA, least privilege, continuous device posture, access logging — are the same controls that reduce actual security risk. Implementing them properly delivers security value independent of the compliance requirement.

TAC maps directly to CMMC 2.0 Level 2 access control and authentication requirements. Read the full NIST alignment guide or speak with a PortSys compliance specialist.
