An EXCI connection that is defined in CICS with ATTACHSEC = LOCAL allows users who are not permitted access to the region to access the system as though they did have the access. If the connection is defined with ATTACHSEC = IDENTIFY, the users are not permitted to sign on to the CICS region. Does this mean that the CICS connections must be defined with ATTACHSEC = IDENTIFY for ACF2 to validate them?

The CICS connection must specify ATTACHSEC=IDENTIFY to get an ACF2 validation of the signon. ATTACHSEC=LOCAL means there is no signon information available, so CICS bypasses signon processing and ACF2/CICS will assign the MRO default id to the connection. Since ACF2/CICS hooks into the signon processing you must have ATTACHSEC=IDENTIFY to initiate signon in CICS and have signon validation by ACF2/CICS.