Identification and Authentication in CMMC: How to Verify User Identities and Secure Access (Updated for Final 48 CFR Rule)
Key Takeaways
- Identification and Authentication controls are essential for securing access to sensitive DoD data, forming a mandatory foundation for CMMC Level 2 compliance.
- The final 48 CFR acquisition rule makes Multi-Factor Authentication and account management controls contractually required and non-negotiable for certification.
- Proper implementation involves documented evidence, robust authentication methods, and continuous monitoring to avoid disqualification or loss of certification.
Introduction
Identification and Authentication (IA) controls represent the gateway for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from unauthorized access in defense contracting. The recently finalized 48 CFR rule crystallizes IA practices as critical requirements, not just best practices, that directly affect a contractor’s eligibility for Department of Defense (DoD) contracts.
For an overview of how CMMC requirements integrate with the 48 CFR Final Rule and defense contractor obligations, see our detailed guide [/blog/cmmc-48-cfr-final-rule-defense-contractors].
In this article, you will discover why IA controls such as Multi-Factor Authentication (MFA) now hold the status of non-deferrable contract conditions, what CMMC Level 2 requires from your organization, and how to ensure your certifications remain in good standing with proper documentation and evidence management.
Understanding CMMC Levels and IA Obligations
| CMMC Level | Framework Reference | Focus Area | Assessment Type |
|---|---|---|---|
| Level 1 | FAR 52.204-21 | Basic protection of FCI | Annual self-assessment |
| Level 2 | NIST SP 800-171 Rev 2 | Protection of CUI | Triennial C3PAO or self-assessment |
| Level 3 | NIST SP 800-172 | High security for critical programs | Government-led assessment (DIBCAC) |
Most contractors dealing with controlled DoD information must adhere to Level 2 standards, which mandate 110 security practices, including a family of six essential IA controls.
The Six Pillars of Identification and Authentication (NIST SP 800-171 Rev 2)
The final acquisition rule demands full implementation of these six IA practices. These form the backbone of verifying and controlling user access:
| Control | Requirement Summary |
|---|---|
| IA.L2-3.5.1 | Identify individual users and link their actions to them. |
| IA.L2-3.5.2 | Authenticate users prior to granting system access. |
| IA.L2-3.5.3 | Use Multi-Factor Authentication for local and network access. |
| IA.L2-3.5.4 | Manage account identifiers and prevent credential reuse. |
| IA.L2-3.5.5 | Disable inactive accounts promptly (within a defined timeframe). |
| IA.L2-3.5.6 | Use cryptographic methods to secure authentication data. |
These controls are no longer optional checkpoints but mandatory contract conditions. Any omission, especially around MFA or account management, jeopardizes contract eligibility.
"The Department of Defense deems Multi-Factor Authentication a critical control; deferrals or plans to fix after certification are not allowed."
Why MFA is a Non-Negotiable Element of Compliance
Multi-Factor Authentication sits at the heart of modern access control strategies, requiring users to provide two or more independent credentials before access:
- Something you know (password or PIN)
- Something you have (CAC, PIV card, hardware security key)
- Something you are (biometric data)
Under the updated 48 CFR regulation:
- MFA is critical for all privileged user accounts and any network access involving CUI.
- MFA implementation must cover local, remote, and cloud-based environments where controlled information resides.
- Approved MFA methods, such as CAC, PIV cards, and FIDO2 keys, should meet FIPS 140-3 security standards.
- Evidence of MFA enforcement must be clearly recorded in your System Security Plan (SSP) and verified during assessments.
Noncompliance with MFA instantly raises findings during assessments and may result in loss of Conditional Certification and contract disqualification.
Compare Google Workspace and Microsoft GCC High cloud platforms for meeting CMMC requirements and selecting proper secure environments [/blog/google-workspace-vs-gcc-high-cmmc-compliance].
Authentication Methods and Practical Guidance
- PIV and CAC cards: Commonly used government-issued hardware providing secure credentials, especially for privileged users.
- Hardware-based FIDO2 security keys: Emerging zero-trust solutions offering strong protection against phishing and credential theft.
- Authenticator apps or OTP tokens: An alternative where hardware keys are impractical; ensure they comply with security policy.
Complement hardware authentication with sound policies aligned with NIST SP 800-63B:
- Enforce password complexity and expiration, and forbid credential reuse.
- Prohibit generic or shared user accounts to maintain accountability.
- Configure automatic account lockout and timely disabling of inactive accounts.
- Maintain centralized identity directories to efficiently manage user lifecycles.
- Regularly conduct access reviews to uphold least privilege principles.
Logging, Documentation, and Evidence Retention—Securing Your Assessment
Verification of IA controls depends heavily on evidence demonstrating effective enforcement:
- Keep audit logs detailing MFA usage, failed sign-ins, and account alterations for at least 12 months.
- Store evidence securely in a Security Information and Event Management (SIEM) system or equivalent.
- Tie audit logs to SSP descriptions, ensuring a clear narrative during C3PAO or DIBCAC assessments.
- Continuously archive screenshots, account management records, and related policies.
This robust evidence trail differentiates compliant organizations from those facing assessment failures.
Explore comprehensive CMMC Level 2 evidence requirements and templates that support successful audits [/blog/cmmc-level-2-poam-evidence-reviews-templates].
For deeper insights, visit our Understanding the 14 CMMC Domains Explained post, and explore related topics like Access Control (AC) and System and Communications Protection (SC) domains.
Common Challenges and How to Overcome Them
| Compliance Challenge | Consequences | Recommended Strategy |
|---|---|---|
| Use of shared or generic accounts | Fails user attribution, leading to assessment failure | Enforce unique user IDs and eliminate shared logins |
| Lack of MFA on administrative or network access | Critical control violation risking certification | Deploy MFA on all privileged and sensitive access points |
| Inactive accounts not disabled | Opens risk of unauthorized access | Establish and follow strict account inactivity timeframes (30-60 days) |
| Weak password policies | Decreases authentication reliability | Adopt NIST SP 800-63B compliant password rules |
| Insufficient evidence documentation | Triggers assessment deficiencies | Maintain thorough and organized logs and system documentation |
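The account-hygiene policies listed above and the first three rows of this table can be checked mechanically before an assessor does it for you. The script below is an added example, not code from the original article or from any CMMC tool: it runs over a constructed directory export and flags shared accounts (IA.L2-3.5.1), privileged accounts without MFA (IA.L2-3.5.3), and accounts idle past the 30- or 60-day threshold (IA.L2-3.5.5). The record layout, the `SHARED_PREFIXES` naming convention and the review timestamp are assumptions; map them to your own directory's export.

```python
from datetime import datetime, timedelta, timezone

# Constructed review snapshot and directory export; none of this is real data.
# Record layout: (username, is_privileged, mfa_enrolled, last_logon, enabled)
REVIEW_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("jsmith",     False, True,  "2025-05-20T14:02:00+00:00", True),
    ("admin.jdoe", True,  True,  "2025-05-28T09:15:00+00:00", True),
    ("svc-backup", True,  False, "2025-05-29T01:00:00+00:00", True),
    ("shared-lab", False, True,  "2025-05-27T16:40:00+00:00", True),
    ("tlee",       False, True,  "2025-04-20T11:30:00+00:00", True),
    ("rsmith",     False, True,  "2025-03-01T10:00:00+00:00", True),
    ("old-intern", False, False, "2025-01-10T08:00:00+00:00", False),
]

# Hypothetical naming convention for generic/shared accounts; adjust to your directory.
SHARED_PREFIXES = ("shared", "generic", "guest", "lab")


def _name_prefix(username):
    """First token of a username, split on '-' or '.' ('shared-lab' -> 'shared')."""
    return username.replace(".", "-").split("-")[0].lower()


def review_accounts(accounts, now=REVIEW_TIME, inactivity_days=30):
    """Return findings keyed by control id, each a sorted list of usernames.

    IA.L2-3.5.1: shared/generic accounts that defeat individual attribution
    IA.L2-3.5.3: privileged accounts with no MFA enrolled
    IA.L2-3.5.5: enabled accounts idle longer than inactivity_days
    Disabled accounts are skipped because they are already remediated.
    """
    cutoff = now - timedelta(days=inactivity_days)
    findings = {"IA.L2-3.5.1": [], "IA.L2-3.5.3": [], "IA.L2-3.5.5": []}
    for user, privileged, mfa, last_logon, enabled in accounts:
        if not enabled:
            continue
        if _name_prefix(user) in SHARED_PREFIXES:
            findings["IA.L2-3.5.1"].append(user)
        if privileged and not mfa:
            findings["IA.L2-3.5.3"].append(user)
        if datetime.fromisoformat(last_logon) < cutoff:
            findings["IA.L2-3.5.5"].append(user)
    return {control: sorted(users) for control, users in findings.items()}


if __name__ == "__main__":
    for days in (30, 60):  # the 30-60 day window recommended in the table above
        print(f"inactivity threshold {days} days:", review_accounts(SAMPLE_ACCOUNTS, inactivity_days=days))
```

Run it against each threshold you are considering: the 30-day run flags one account that the 60-day run does not, which is exactly the kind of decision the SSP should record.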
Maintaining Certification Under the Final Rule
- Submit annual compliance affirmations in the Supplier Performance Risk System (SPRS).
- Monitor authentication logs and test MFA implementations regularly.
- Conduct internal audits before triennial reassessments.
- Track account changes and MFA settings to prevent configuration drift.
- Update the System Security Plan and Plan of Action & Milestones (POA&M) as needed for IA controls, notably ensuring critical controls like MFA are never deferred.
Frequently Asked Questions
Which CMMC levels mandate Identification and Authentication controls?
Levels 2 and 3 require IA controls. Level 2 follows NIST SP 800-171 Rev 2, while Level 3 implements enhancements from NIST SP 800-172.
Does MFA apply to all users or just admins?
MFA is mandatory not only for privileged (admin) accounts but for any user accessing CUI over network connections.
Can IA-related gaps be deferred on a POA&M?
No. Under the final rule, critical IA controls such as MFA and account management must be fully implemented before certification.
What MFA solutions meet the DoD’s requirements?
FIPS 140-3 validated solutions such as CAC, PIV, and FIDO2 hardware tokens qualify as compliant MFA options.
What are common reasons for failing an IA audit?
Shared accounts, missing MFA on admin/network access, stale inactive accounts, weak password policies, and poor evidence documentation are typical failure points.
Conclusion
Identification and Authentication controls are the cornerstone of CMMC Level 2 compliance and safe management of DoD contracts. The enforcement of Multi-Factor Authentication and stringent account management, as stipulated by the final 48 CFR acquisition rule, underscores the DoD’s commitment to robust cybersecurity postures.
Contractors aiming to maintain certification must prioritize IA controls as essential contract conditions — not optional practices. This means implementing proven authentication methods, documenting evidence meticulously, and conducting ongoing verification to remain assessment-ready.
Ready to simplify IA compliance and stay ahead of DoD requirements? The CMMC Dashboard offers a streamlined solution for mapping controls, managing evidence, and monitoring MFA enforcement in one centralized platform.
Get Started Free with the CMMC Dashboard
Ensure ongoing compliance effortlessly by using the CMMC Dashboard platform to map controls, manage evidence, and monitor MFA enforcement. Start a free trial today to streamline your Identification and Authentication compliance journey.
References:
- 32 CFR Part 170, CMMC Program Rule (Final), Federal Register, 2025.
- 48 CFR / DFARS 252.204-7021, Acquisition Rule.
- NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information.
- NIST SP 800-172, Enhanced Security Requirements.
- DoD CMMC Assessment Guide v2.13.
- NIST SP 800-63B, Digital Identity Guidelines.