CMMC Phase 2 Starts November 2026: What It Means for Your AWS IAM Policies
The Cybersecurity Maturity Model Certification (CMMC) program moved from planning to enforcement when the 48 CFR acquisition rule took effect on November 10, 2025. The rollout is phased, and the phase that changes the most for defense contractors is next: Phase 2 begins November 10, 2026. From that date, contracts involving Controlled Unclassified Information (CUI) can require a Level 2 certification assessment by a C3PAO — a third-party assessment organization — rather than the self-assessment that Phase 1 accepted. The Department of Defense has estimated that roughly 80,000 organizations in the defense industrial base will need Level 2 certification.
If your CUI enclave runs on AWS, a meaningful slice of what the assessor examines is not exotic — it is your IAM configuration. This post maps where AWS IAM shows up in a Level 2 assessment and what you can do in the next four months to be ready.
What CMMC Level 2 Actually Requires
CMMC Level 2 assesses the 110 security requirements of NIST SP 800-171 Revision 2. Nothing in that list is new — DFARS 252.204-7012 has contractually required 800-171 for years. What changes in Phase 2 is verification: instead of self-attesting a score into SPRS, an accredited third party walks through your implementation and asks for evidence. A conditional certification also requires a minimum score with any gaps on a POA&M closed out within 180 days.
Under a shared-responsibility model, AWS secures the infrastructure (and offers GovCloud and FedRAMP-authorized services for the hosting side), but the 800-171 requirements about who in your organization can access what are yours. That is IAM.
Where AWS IAM Meets NIST 800-171
The Access Control (AC) family is the largest in 800-171, and several of its Level 2 practices translate directly into properties of your IAM policies:
- AC.L2-3.1.1 — Authorized Access Control. Limit system access to authorized users, processes, and devices. In AWS terms: every IAM principal is accounted for, and no trust policy lets an unintended account or service assume a role into the CUI environment.
- AC.L2-3.1.2 — Transaction & Function Control. Limit access to the types of transactions and functions authorized users are permitted to execute. A policy that grants
s3:*when the workload only reads objects fails this test on its face. - AC.L2-3.1.5 — Least Privilege.The practice assessors most often probe with "show me." Wildcard actions,
Resource: "*", and broad managed policies attached for convenience are exactly the findings this practice exists to surface. - AC.L2-3.1.6 — Non-Privileged Account Use. Use non-privileged accounts for non-security functions. Day-to-day workloads running under admin-grade roles is a common AWS anti-pattern that maps straight to this requirement.
- AC.L2-3.1.7 — Privileged Functions. Prevent non-privileged users from executing privileged functions. In IAM this is about who can reach
iam:*actions,iam:PassRole, and other privilege-escalation paths — capabilities that let a low-privilege principal become a high-privilege one.
Related families reach into IAM too: Audit and Accountability (AU) expects CloudTrail to attribute actions to unique principals, and Configuration Management (CM.L2-3.4.6, least functionality) is hard to demonstrate when infrastructure templates provision over-permissive roles.
The Policy an Assessor Will Flag
This statement, attached to an application role inside a CUI boundary, is a finding for AC.L2-3.1.2 and AC.L2-3.1.5 in one line:
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}It permits deleting buckets, rewriting bucket policies, and reading every object in the account — for a workload that needed to fetch documents from one bucket. The version that survives an assessment names the actions, the resource, and a condition:
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::cui-documents/*",
"Condition": {
"Bool": { "aws:SecureTransport": "true" }
}
}Multiply this review across every role, user, trust policy, and resource policy in the environment and you have the real workload of preparing IAM for Level 2.
Point-in-Time Cleanup Is Not Enough
A C3PAO assessment examines whether practices are implemented, not whether they were true the week you prepared. IAM drifts: new features add permissions, copied snippets reintroduce wildcards, and "temporary" grants outlive their tickets. A one-off cleanup in October 2026 will have decayed by the time an assessor arrives.
The durable answer is to review policies where they change — in pull requests, in CI, and at infrastructure-as-code synth time — so an over-broad grant is caught before it reaches the CUI environment, and so you accumulate a record of continuous review to show for it.
Where Shieldly Fits (and Where It Does Not)
Shieldly is not a CMMC compliance platform. It does not write your SSP, manage your POA&M, score SPRS, or substitute for a C3PAO. What it does is the IAM-shaped part of the work: AI-Powered analysis of IAM policies, trust policies, and CloudFormation templates that flags over-broad actions and resources, privilege-escalation paths like unscoped iam:PassRole, and risky trust relationships — with an explanation of why each finding matters and a scoped-down replacement.
- Preparing: paste a policy into the web app or run the CLI across your policy files to find the wildcards and escalation paths before an assessor does.
- Staying ready: the GitHub Action and CDK Guard construct gate pull requests and CDK synth, so least privilege is enforced on every change rather than re-established before each assessment.
- Privacy: submitted policies are not logged — analysis caching uses a one-way SHA-256 hash of the input.
Four months is enough time to scope down an AWS environment if the review starts now. It is not enough time if it starts after the first Phase 2 solicitation lands.
Find the IAM findings before your assessor does
AI-Powered least-privilege analysis for IAM policies, trust policies, and CloudFormation — free, no credit card.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.