How Okta Can Help Meet CMMC Identity and Access Management Requirements

If your organization provides products or services to the U.S. Department of Defense either as a prime contractor or a subcontractor, then you’ve probably heard a lot about CMMC lately.

In this post, I’ll provide some background about what CMMC is and share a breakdown of how using Okta can help your organization meet specific controls required by CMMC.

What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified framework released by the Department of Defense that outlines cybersecurity requirements for organizations that contract, subcontract, or work within the defense industrial base (DIB). The certification is made up of 5 maturity levels across 17 capability domains encompassing 43 capabilities. These elements are derived from the [Defense] Federal Acquisition Regulation Supplement (FARS/DFARS) - Controlled Unclassified Information (CUI) regulation and NIST SP 800-171.

The purpose of the CMMC is to establish clear technical and operational parameters for contractors that handle sensitive government information and serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

Organizations contracting within the defense industry will need to adequately meet the technical requirements outlined in CMMC.

How Okta can help

Okta provides its customers with access control, auditing, accountability, identification, and authentication tools that can help them meet CMMC requirements (See the DFARS Interim Rule presented here).

The breakdown below covers key CMMC Level 1 and Level 2 controls within these categories, along with details on how Okta helps customers meet each requirement.

Please note: where a capability lists no control for a particular CMMC level, there is no established requirement at that level. Please review all CMMC levels to determine where the system is compliant.

Access Control

C001: Establish system access requirements

Level 1, AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

How Okta can help: Okta offers sophisticated lifecycle entitlement management that can help organizations manage the right level of access to the right applications through a set of centrally managed policies. Administrators can easily set access and entitlement rules based on attributes, such as user group membership. Okta provides visibility into who has access to what data via simple access governance that offers the ability to see all users who have access to specific applications.

Level 2, AC.2.005: Provide privacy and security notices consistent with applicable CUI rules.

How Okta can help: The Okta customer portal offers the ability to configure an access banner and notification through the Okta Admin panel for when the Technical Operations administrator attempts to SSH into the associated IDaaS production infrastructure host(s).

C002: Control internal system access

Level 1, AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

How Okta can help: Privileged users can be placed into a group, and control around accounts and resources can be provided within this group. Defined users can be assigned to established groups and be provided access to applications and services by group.

Level 2:
AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.2.008: Use non-privileged accounts or roles when accessing nonsecurity functions.
AC.2.009: Limit unsuccessful logon attempts.
AC.2.010: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.2.011: Authorize wireless access prior to allowing such connections.

How Okta can help: Privileged users can be placed into a group, and control around accounts and resources can be provided within this group. Defined users can be assigned to established groups and provided access to applications and services by group. Okta’s Single Sign-On (SSO) and Multi-Factor Authentication (MFA) solutions allow IT admins to manage unsuccessful logon attempts in accordance with the organization's policy.

C003: Control remote system access

Level 1: no control established at this level.

Level 2:
AC.2.013: Monitor and control remote access sessions.
AC.2.015: Route remote access via managed access control points.

How Okta can help: Okta’s IAM and MFA solutions offer a non-disruptive, non-intrusive, easily integrated solution that works with your Virtual Private Network (VPN), Remote Desktop Protocol (RDP), and Secure Shell (SSH). Okta’s IAM maintains logs for monitoring remote sessions and can require MFA at initial access for remote sessions.

C004: Limit data access to authorized users and processes

Level 1:
AC.1.003: Verify and control/limit connections to and use of external information systems.
AC.1.004: Control information posted or processed on publicly accessible information systems.

How Okta can help: Okta’s SSO and MFA solutions can verify and control connections to external systems. While customers are responsible for managing the disclosure of their own sensitive information, Okta's internal Corporate Communications team reviews all content on the Okta public website quarterly to ensure nonpublic information is not posted.

Level 2, AC.2.016: Control the flow of CUI in accordance with approved authorizations.

How Okta can help: The flow of information within Okta information systems and between interconnected systems (as applicable) is enforced via approved authorizations configured on the principle of least privilege. As a result, there must be a legitimate business need, and access is further limited to the least amount of privilege necessary to complete the required task.

Auditing and Accountability

C007: Define audit requirements

Level 1: no control established at this level.

Level 2, AU.2.041: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

How Okta can help: The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. Okta requires unique User IDs assigned to individuals.

C008: Perform auditing

Level 1: no control established at this level.

Level 2, AU.2.043: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

How Okta can help: Okta uses system clocks to generate audit logs. Okta system clocks are synchronized using Network Time Protocol (NTP) servers with the AWS Stratum 1 time source and can be mapped to UTC. Clock synchronization is configured with Chef recipes to ensure that system clocks are checked at least hourly and maintain minimal drift.

C009: Identify and protect audit information

Levels 1 and 2: no control established at these levels.

C010: Review and manage audit logs

Levels 1 and 2: no control established at these levels.
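The two audit rows above describe an audit trail in which every action maps to a unique user ID and every timestamp comes from a clock synchronized to UTC; the AC.2.009 row earlier describes limiting unsuccessful logon attempts. The following is an added example, not Okta's code or API, that works an exported log in this way: it parses the events, rejects timestamps that are not expressed in UTC, traces all actions of one user ID, and counts failed logons per user inside a sliding window so that an attempt limit can be checked. The events are constructed in the general shape of Okta System Log entries (the field names, the `00u...` IDs, the documentation IP range and the thresholds are assumptions for the example, not real log data).

```python
"""Audit-trail checks in the spirit of AU.2.041, AU.2.043 and AC.2.009.
Added illustration; the sample events are constructed, not real System Log data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export: six events shaped like Okta System Log entries
# (invented user IDs, TEST-NET-3 addresses). Not real data.
SAMPLE_LOG = json.dumps([
    {"uuid": "e1", "published": "2024-01-15T14:02:11.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e2", "published": "2024-01-15T14:03:40.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e4", "published": "2024-01-15T14:05:02.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e3", "published": "2024-01-15T14:04:05.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uBOB", "type": "User", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.22"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "e5", "published": "2024-01-15T14:06:30.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e6", "published": "2024-01-15T14:06:35.000Z",
     "eventType": "user.authentication.auth_via_mfa",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}},
])


def parse_events(text: str) -> list:
    """Parse an exported event array and convert 'published' to an aware datetime.
    Any event whose timestamp is not expressed in UTC is rejected: the audit
    trail must map onto a single authoritative clock (AU.2.043)."""
    events = json.loads(text)
    for ev in events:
        stamp = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if stamp.utcoffset() != timedelta(0):
            raise ValueError(f"event {ev['uuid']}: timestamp {ev['published']} is not UTC")
        ev["published_at"] = stamp.astimezone(timezone.utc)
    return sorted(events, key=lambda e: e["published_at"])


def trace_actor(events: list, actor_id: str) -> list:
    """Every action attributable to one unique user ID, in time order (AU.2.041)."""
    return [(e["published_at"].strftime("%H:%M:%S"), e["eventType"], e["outcome"]["result"])
            for e in events if e["actor"]["id"] == actor_id]


def excessive_failed_logons(events: list, threshold: int = 3, window_minutes: int = 10) -> dict:
    """Map actor ID -> peak count of failed logons inside any window of
    `window_minutes`, for actors whose peak reaches `threshold` (AC.2.009)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            failures[e["actor"]["id"]].append(e["published_at"])
    flagged = {}
    for actor, times in failures.items():
        times.sort()
        peak = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("actors over the attempt limit:", excessive_failed_logons(evs))
    for line in trace_actor(evs, "00uALICE"):
        print(*line)
```

The window check is deliberately a sliding one: three failures spread over an hour are ordinary, three within a few minutes are what an attempt limit is meant to catch, and the same counting logic is what you would compare against the lockout threshold configured in the organization's policy.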

Identification and Authentication

C015: Grant access to authenticated entities

Level 1, IA.1.076: Identify information system users, processes acting on behalf of users, or devices.

How Okta can help: Okta’s identity-led security framework can help organizations with their IAM control challenges by centralizing identity integration with Active Directory and LDAP to verify and manage users accessing corporate resources.

Level 1, IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

How Okta can help: Policy guidance is set by the organization, but Okta’s flexible policy framework allows for step-up authentication to verify users before they access accounts and services using Okta’s SSO and MFA.

Level 2, IA.2.078: Enforce a minimum password complexity and change of characters when new passwords are created.

How Okta can help: Okta’s centralized management console allows IT professionals to adjust password length, complexity, and update schedules in keeping with current NIST guidelines.

Level 2, IA.2.079: Prohibit password reuse for a specified number of generations.

How Okta can help: Password policies can be established to ensure a user does not match previous passwords in accordance with the organization's policy guidance. Using common password detection can help you meet compliance guidelines by detecting and preventing users from defining weak or breached passwords.

Level 2, IA.2.080: Allow temporary password use for system logons with an immediate change to a permanent password.

How Okta can help: Okta provides customers with the ability to set strong password policies supported by MFA. The customer is responsible for setting up unique IDs and passwords for all users of the IDaaS front-end portal, as well as creating and maintaining the policies and procedures for the creation, modification, and deletion of all user identification and authentication credentials.

Level 2, IA.2.081: Store and transmit only cryptographically-protected passwords.

How Okta can help: While Okta stores and transmits only cryptographically-protected passwords, customers are responsible for doing the same to meet this requirement.

Level 2, IA.2.082: Obscure feedback of authentication information.

How Okta can help: Authentication to the management console requires an associated IAM account. When entering the associated password into IAM, only bullets are displayed on the screen, obscuring the authenticator feedback.
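The IA.2.078 through IA.2.081 rows describe a password policy as a set of checks: minimum complexity and a minimum change of characters, no reuse across a number of generations, detection of common or breached passwords, temporary passwords that must be replaced at first logon, and storage of cryptographically protected passwords only. The following is an added example, not Okta's code or API, of what such a policy looks like when enforced in code. Every name, threshold and word list in it is an assumption chosen for the example; the reuse check compares only against stored salted hashes, so earlier passwords are never kept in plaintext.

```python
"""Password-policy enforcement in the spirit of IA.2.078 through IA.2.081.
Added illustration; not Okta's code. All names and thresholds are assumptions."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a common/breached password corpus (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}
PBKDF2_ITERATIONS = 100_000  # work factor; an assumption, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); only this pair is ever stored (IA.2.081)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def changed_chars(old: str, new: str) -> int:
    """Characters that differ by position, plus any length difference: a simple
    deterministic measure of 'change of characters' for IA.2.078 (assumption)."""
    same = sum(1 for a, b in zip(old, new) if a == b)
    return max(len(old), len(new)) - same


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3          # of: lower, upper, digit, symbol
    min_changed_chars: int = 4    # IA.2.078
    history_generations: int = 5  # IA.2.079: current password plus 4 predecessors

    def complexity_errors(self, password: str) -> list[str]:
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                       any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
        if classes < self.min_classes:
            errors.append(f"uses {classes} character classes, policy requires {self.min_classes}")
        if password.lower() in COMMON_PASSWORDS:
            errors.append("found in common/breached password list")
        return errors


@dataclass
class Account:
    user_id: str                  # unique per individual (IA.1.076)
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # earlier (salt, digest)
    must_change: bool = False     # True while a temporary password is in force (IA.2.080)


def create_account(user_id: str, password: str, temporary: bool = False) -> Account:
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, must_change=temporary)


def login(account: Account, password: str) -> str:
    """'denied', 'change_required' (temporary password accepted once) or 'ok'."""
    if not verify_password(password, account.salt, account.digest):
        return "denied"
    return "change_required" if account.must_change else "ok"


def change_password(policy: PasswordPolicy, account: Account, current: str, new: str) -> list[str]:
    """Apply the policy to a password change; returns violations (empty = accepted)."""
    if not verify_password(current, account.salt, account.digest):
        return ["current password is incorrect"]
    errors = policy.complexity_errors(new)
    if changed_chars(current, new) < policy.min_changed_chars:
        errors.append(f"only {changed_chars(current, new)} character(s) changed, "
                      f"policy requires {policy.min_changed_chars}")
    # IA.2.079: compare against stored hashes of earlier generations, never plaintext.
    generations = [(account.salt, account.digest)] + account.history
    if any(verify_password(new, s, d) for s, d in generations):
        errors.append(f"matches one of the last {policy.history_generations} passwords")
    if errors:
        return errors
    account.history = generations[: policy.history_generations - 1]
    account.salt, account.digest = hash_password(new)
    account.must_change = False   # the temporary password has now been replaced
    return []
```

The changed-character measure is positional, which is enough to reject a password that only bumps a trailing digit; a stricter deployment could use an edit distance instead. The PBKDF2 work factor is kept modest here so the example runs quickly and should be raised in any real system.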

To learn more about how Okta can help your organization meet CMMC requirements, contact us here.

While this article discusses certain legal concepts, it does not constitute legal advice.  It is provided for informational purposes only.  For legal advice regarding your organization's compliance needs, please consult your organization's legal department.  Okta makes no representations, warranties, or other assurances regarding the content of this article.  Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.