How Okta can help meet CMMC 2.0 Identity and Access Management requirements

Building one single-seat F-22 Raptor aircraft requires hundreds of suppliers employing thousands of people. While the real ratio is unknown, any one of these individuals could be targeted in an Identity-based attack, demonstrating the need to manage disruptions proactively.

Regulations require the U.S. Department of Defense (DoD) to extend its supply chain security to contract service suppliers entrusted with sensitive unclassified information, including the fighter jet’s tire manufacturer. Protecting this information — whether from improper internal management or malicious data breaches — is imperative to defending the Nation.

The Cybersecurity Maturity Model Certification (CMMC) is a compliance mandate that, once codified through rulemaking, will ensure DoD contractors and subcontractors have implemented the applicable security protections set forth in DFARS 252.204-7012 and other cybersecurity program evaluations. It will also be a condition of receiving an award of a DoD contract.

How Okta can help

Okta’s core mission is Identity, so, naturally, we support our customers' journeys in meeting the Access Control (AC) and Identification and Authentication (IA) CMMC controls. Okta also supports the other CMMC domains and practices with our open API framework, application ecosystem, and trust frameworks for easy integration with other vendors supporting other CMMC practice requirements.

See the below table for information on AC and IA CMMC critical domains and how Okta helps customers meet these requirements.


Level 1

Level 2

How Okta can help

Access Control


AC.L1-3.1.1 Authorized Access Control


Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).


A formal access registration and initial provisioning process for employees and authorized third parties is in place for Okta to assign access rights for all user types to all systems and services, in alignment with policy and standards.

AC.L1-3.1.2 Transaction and Function Control


Limit information system access to the types of transactions and functions that authorized users are permitted to execute.



Control CUI Flow

Control the flow of CUI in accordance with approved authorizations.

Organizational communication and data flows are mapped and enforced. Data discovery methodologies can be used to identify, classify, and track sensitive data. Sensitive data flows are governed by enterprise-defined information-control policies.



Separation of Duties

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Okta employs the principle of least privilege and separation of duties. Authorized access is allowed for users (or processes acting on behalf of users)  assigned to tasks in accordance with organizational missions and business functions.



Least Privilege

Employ the principle of least privilege, including for specific security functions and privileged accounts.



Non-Privileged Account Use

Use non-privileged accounts or roles when accessing nonsecurity functions.



Privileged Functions

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Logs are configured to capture actions taken specifically by individuals with administrative user privileges. Logs are secured and reviewed to identify and detect misused accounts. Discrepancies are investigated and remediated.


Privileged user access is established and administered on a controlled basis, and is limited to only what is required for users and services to undertake their duties. Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access.



Unsuccessful Logon Attempts

Limit unsuccessful logon attempts. 

Lock-out features are enabled to restrict access after a certain amount of failed login attempts or user inactivity. The account is locked out for a specific duration or until an administrator enables the user account. The user is notified upon successful/unsuccessful logon.



Privacy & Security Notices

Provide privacy and security notices consistent with applicable CUI rules.

Personal data processing activities requiring or relying on consent are identified, and processes are in place to prevent the collection of such data without consent. Mechanisms to obtain, document, track, and manage consent are defined and implemented in accordance with applicable regulations, including withdrawal of consent.



Session Lock

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Lock-out features are enabled to restrict access after a certain amount of failed login attempts or user inactivity. The account is locked out for a specific duration or until an administrator enables the user account. The user is notified upon successful/unsuccessful login.



Session Termination

Terminate (automatically) a user session after a defined condition.



Control Remote Access

Monitor and control remote access sessions.

Remote access is controlled, monitored, and allowed via an Okta-approved VPN client.



Remote Access Confidentiality

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.



Remote Access Routing

Route remote access via managed access control points.



Privileged Remote Access

Authorize remote execution of privileged commands and remote access to security-relevant information.



Wireless Access Authorization

Authorize wireless access prior to allowing such connections.




Wireless Access Protection

Protect wireless access using authentication and encryption.




Mobile Device Connection

Control connection of mobile devices.




Encrypt CUI on Mobile

Encrypt CUI on mobile devices and mobile computing platforms. 

Okta protects organizationally classified data types at rest through security controls, including encryption and cryptographic controls, to align with security standards.


External Connections

Verify and control/limit connections to and use of external information systems.





Portable Storage Use

Limit use of portable storage devices on external systems.



Control Public Information

Control information posted or processed on publicly accessible information systems.



Identification and Authentication (IA)



Identify information system users, processes acting on behalf of users, or devices.


Secure authentication methods are used for access to systems and applications.



Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.



Multi-Factor Authentication

Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Multi-factor authentication methods are implemented so employees, administrators, and authorized third parties can access the network and information systems.



Replay-Resistant Authentication

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Secure authentication methods are used for access to systems and applications.



Identifier Reuse

Prevent the reuse of identifiers for a defined period.




Identifier Handling

Disable identifiers after a defined period of inactivity.




Password Complexity

Enforce a minimum password complexity and change of characters when new passwords are created.

Password configurations are established, implemented, and enforced in alignment with industry, government, and other compliance requirements. Password management systems are interactive and ensure quality passwords.



Password Reuse

Prohibit password reuse for a specified number of generations.



Temporary Passwords

Allow temporary password use for system logins with an immediate change to a permanent password.



Cryptographically-Protected Passwords

Store and transmit only cryptographically protected passwords.



Obscure Feedback

Obscure the feedback of authentication information. 

Secure authentication methods are used for access to systems and applications.

To learn more about how Okta can help your organization meet CMMC requirements, download our CMMC Discovery Guide at or contact us at

While this article discusses certain legal concepts, it does not constitute legal advice and should not be construed as such. It is provided for informational purposes only. For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at