The Defense Industrial Base (DIB) is under constant attack from sophisticated nation-state threat actors. These aren't always noisy, large-scale takedown events; often, they are “low-and-slow” attacks designed to quietly steal sensitive data that, in aggregate, can compromise national security. The recent attack on Stryker, a major medical device manufacturer with U.S. government contracts, is a stark reminder that every link in the supply chain is a target. Now more than ever, it is clear that the DIB must elevate its defenses for Controlled Unclassified Information (CUI).

To address this, the U.S. Department of War (DoW) is mandated to extend its own rigorous security standards to the entire supply chain of contractors entrusted with sensitive information. Protecting this CUI—whether from a malicious data breach or simply improper internal handling—is a direct and imperative part of defending the Nation.

The Cybersecurity Maturity Model Certification (CMMC) is the DoW's framework for ensuring this protection. CMMC 2.0 is a compliance and verification mandate designed to ensure that all contractors and subcontractors have implemented the required NIST cybersecurity standards, and achieving the right CMMC certification level will be a non-negotiable condition for being awarded a DoW contract.

The Series: Your Blueprint for CMMC Success

While CMMC encompasses a broad range of security domains, the entire framework is built on a Zero Trust foundation, and the bedrock of Zero Trust is Identity. Okta is the leading independent partner for Identity management, which is why we are uniquely positioned to help our customers conquer the critical Access Control (AC) and Identification and Authentication (IA) CMMC domains.

Furthermore, Okta can serve as the central integration plane for your entire security ecosystem. Through our robust APIs and the Okta Integration Network, we enable you to connect your identity platform with the other security tools you rely on, creating a cohesive, powerful defense that also aligns with CMMC requirements across multiple domains.

Over the course of this multi-part blog series, we will break down the key families of NIST SP 800-171, which forms the basis for CMMC Level 2, and NIST SP 800-172, whose enhanced requirements form the basis for CMMC Level 3. We will show you not just that Okta can help, but how: a practical blueprint you can use to design your CMMC-compliant architecture, together with the specific evidence you can present to an assessor to prove your compliance.

  1. Identification and Authentication (IA) Overview

Understanding the Stakes: CMMC Scoring

It's critical to understand that not all CMMC controls are created equal. The DoW uses a weighted scoring system in which controls are worth 1, 3, or 5 points based on their importance. This means:

  • A perfect score is 110 points.
  • An organization may be eligible for a conditional certification with a minimum score of 88, provided all remaining gaps are for 1-point controls and are documented in a Plan of Action & Milestones (POA&M).
  • Crucially, you will fail your assessment, regardless of your score, if even a single one of the high-value "Big Rock" controls (worth 3 or 5 points) is "Not Met." All of these must be fully compliant at the time of the audit.

A significant number of these "Big Rocks" are identity-related, making your choice of an identity provider one of the most important decisions you will make on your CMMC journey. Stay with us through this series to learn how to master them.

See the table below for information on how Okta helps customers meet these requirements.

Note: This table only covers the CMMC 2.0 controls that Okta can meet or support.


| Family | Level | Identifier | Control | Requirement | Score | Okta Scope | Supporting Product |
|---|---|---|---|---|---|---|---|
| Access Control (AC) | 1 | AC.L1-3.1.1 | Authorized Access Control | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | 5 | Meet | Universal Directory, Okta Identity Governance |
| Access Control (AC) | 1 | AC.L1-3.1.2 | Transaction and Function Control | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | 5 | Meet | Universal Directory, Okta Identity Governance, Identity Threat Protection |
| Access Control (AC) | 3 | AC.L3-3.1.2E | Organizationally Controlled Assets | Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. | | Meet | Universal Directory, Okta Device Access, Adaptive Multifactor Authentication |
| Access Control (AC) | 2 | AC.L2-3.1.3 | Control CUI Flow | Control the flow of CUI in accordance with approved authorizations. | 1 | Support | Universal Directory, Okta Identity Governance |
| Access Control (AC) | 3 | AC.L3-3.1.3E | Secured Information Transfer | Employ secure information transfer solutions to control information flows between security domains on connected systems. | | | Universal Directory, Okta Identity Governance, API Access Management |
| Access Control (AC) | 2 | AC.L2-3.1.4 | Separation of Duties | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | 1 | Support | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.5 | Least Privilege | Employ the principle of least privilege, including for specific security functions and privileged accounts. | 3 | Meet | Universal Directory, Okta Identity Governance, Identity Threat Protection |
| Access Control (AC) | 2 | AC.L2-3.1.6 | Non-Privileged Account Use | Use non-privileged accounts or roles when accessing nonsecurity functions. | 1 | Meet | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.7 | Privileged Functions | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | 1 | Meet | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.8 | Unsuccessful Logon Attempts | Limit unsuccessful logon attempts. | 1 | Meet | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.9 | Privacy & Security Notices | Provide privacy and security notices consistent with applicable CUI rules. | 1 | Support | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.10 | Session Lock | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | 1 | Support | Okta Device Access |
| Access Control (AC) | 2 | AC.L2-3.1.11 | Session Termination | Terminate (automatically) a user session after a defined condition. | 1 | Meet | Universal Directory, Identity Threat Protection, Okta Device Access |
| Access Control (AC) | 2 | AC.L2-3.1.13 | Remote Access Confidentiality | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | 5 | Support | Universal Directory |
| Access Control (AC) | 2 | AC.L2-3.1.15 | Privileged Remote Access | Authorize remote execution of privileged commands and remote access to security-relevant information. | 1 | Support | Okta Identity Governance |
| Access Control (AC) | 2 | AC.L2-3.1.18 | Mobile Device Connection | Control connection of mobile devices. | 5 | Meet | Universal Directory |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.1 | System Auditing | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | 5 | Meet | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.2 | User Accountability | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | 3 | Meet | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.3 | Event Review | Review and update logged events. | 1 | Support | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.5 | Audit Correlation | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | 5 | Support | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.6 | Reduction & Reporting | Provide audit record reduction and report generation to support on-demand analysis and reporting. | 1 | Support | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.7 | Authoritative Time Source | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | 1 | Meet | Universal Directory |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.8 | Audit Protection | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | 1 | Meet | Universal Directory, Identity Threat Protection |
| Audit and Accountability (AU) | 2 | AU.L2-3.3.9 | Audit Management | Limit management of audit logging functionality to a subset of privileged users. | 1 | Meet | Universal Directory, Identity Threat Protection |
| Configuration Management (CM) | 2 | CM.L2-3.4.1 | System Baselining | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection, Okta Device Access |
| Configuration Management (CM) | 2 | CM.L2-3.4.2 | Security Configuration Enforcement | Establish and enforce security configuration settings for information technology products employed in organizational systems. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection, Okta Device Access |
| Configuration Management (CM) | 3 | CM.L3-3.4.2E | Automated Detection & Remediation | | N/A | Support | Adaptive Multifactor Authentication |
| Configuration Management (CM) | 2 | CM.L2-3.4.5 | Access Restrictions for Change | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | 5 | Support | Universal Directory, Okta Identity Governance |
| Identification and Authentication (IA) | 1 | IA.L1-3.5.1 | Identification | Identify information system users, processes acting on behalf of users, or devices. | 5 | Meet | Universal Directory |
| Identification and Authentication (IA) | 3 | IA.L3-3.5.1E | Bidirectional Authentication | Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant. | N/A | Support | Okta Device Access |
| Identification and Authentication (IA) | 1 | IA.L1-3.5.2 | Authentication | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | 5 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.3 | Multifactor Authentication | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 3 | IA.L3-3.5.3E | Block Untrusted Assets | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. | N/A | Support | Universal Directory, Okta Device Access, Adaptive Multifactor Authentication |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.4 | Replay-Resistant Authentication | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.5 | Identifier Reuse | Prevent the reuse of identifiers for a defined period. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.6 | Identifier Handling | Disable identifiers after a defined period of inactivity. | 1 | Meet | Universal Directory, Okta Identity Governance, Workflows |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.7 | Password Complexity | Enforce a minimum password complexity and change of characters when new passwords are created. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.8 | Password Reuse | Prohibit password reuse for a specified number of generations. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.9 | Temporary Passwords | Allow temporary password use for system logons with an immediate change to a permanent password. | 1 | Meet | Universal Directory |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.10 | Cryptographically-Protected Passwords | Store and transmit only cryptographically protected passwords. | 5 | Meet | Universal Directory, Adaptive Multifactor Authentication |
| Identification and Authentication (IA) | 2 | IA.L2-3.5.11 | Obscure Feedback | Obscure the feedback of authentication information. | 1 | Meet | Universal Directory |
| Incident Response (IR) | 3 | IR.L3-3.6.1E | Security Operations Center | | N/A | Support | Universal Directory, Workflows |
| Incident Response (IR) | 3 | IR.L3-3.6.2E | Cyber Incident Response Team | | N/A | Support | Universal Directory, Identity Threat Protection, Workflows |
| Maintenance (MA) | 2 | MA.L2-3.7.5 | Nonlocal Maintenance | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | 5 | Meet | Universal Directory, Adaptive Multifactor Authentication, Okta Identity Governance |
| Media Protection (MP) | 2 | MP.L2-3.8.9 | Protect Backups | Protect the confidentiality of backup CUI at storage locations. | 1 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| Personnel Security (PS) | 2 | PS.L2-3.9.2 | Personnel Actions | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | 5 | Meet | Lifecycle Management |
| Personnel Security (PS) | 3 | PS.L3-3.9.2E | Adverse Information | Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI. | N/A | Support | Universal Directory, Okta Device Access, Identity Threat Protection, Workflows |
| Risk Assessment (RA) | 2 | RA.L2-3.11.2 | Vulnerability Scan | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| Risk Assessment (RA) | 3 | RA.L3-3.11.2E | Threat Hunting | Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. | N/A | Support | Universal Directory, Identity Threat Protection, Workflows |
| Risk Assessment (RA) | 3 | RA.L3-3.11.3E | Advanced Risk Identification | Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components. | N/A | Support | Universal Directory, Identity Threat Protection, Workflows |
| Risk Assessment (RA) | 3 | RA.L3-3.11.5E | Security Solution Effectiveness | Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. | N/A | Support | Universal Directory, Identity Threat Protection, Workflows, Okta Identity Governance |
| Risk Assessment (RA) | 3 | RA.L3-3.11.6E | Supply Chain Risk Response | Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. | N/A | Support | Universal Directory, Identity Threat Protection, Workflows, Okta Identity Governance |
| Risk Assessment (RA) | 3 | RA.L3-3.11.7E | Supply Chain Risk Plan | Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident. | N/A | Support | Universal Directory, Identity Threat Protection, Workflows, Okta Identity Governance |
| Security Assessment (CA) | 2 | CA.L2-3.12.1 | Security Control Assessment | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| Security Assessment (CA) | 2 | CA.L2-3.12.2 | Plan of Action | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | 3 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| Security Assessment (CA) | 2 | CA.L2-3.12.3 | Security Control Monitoring | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Communications Protection (SC) | 1 | SC.L1-3.13.1 | Boundary Protection | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Communications Protection (SC) | 2 | SC.L2-3.13.2 | Security Engineering | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Communications Protection (SC) | 2 | SC.L2-3.13.3 | Role Separation | Separate user functionality from system management functionality. | 1 | Meet | Universal Directory |
| System and Communications Protection (SC) | 2 | SC.L2-3.13.4 | Shared Resource Control | Prevent unauthorized and unintended information transfer via shared system resources. | 1 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Communications Protection (SC) | 3 | SC.L3-3.13.4E | Isolation | Employ physical isolation techniques or logical isolation techniques or both in organizational systems and system components. | N/A | Support | Universal Directory, Okta Identity Governance, Org2Org |
| System and Communications Protection (SC) | 2 | SC.L2-3.13.8 | Data in Transit | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | 3 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Communications Protection (SC) | 2 | SC.L2-3.13.11 | CUI Encryption | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | 1 | Meet | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Information Integrity (SI) | 3 | SI.L3-3.14.1E | Integrity Verification | Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatures. | N/A | Support | Universal Directory |
| System and Information Integrity (SI) | 2 | SI.L2-3.14.3 | Security Alerts & Advisories | Monitor system security alerts and advisories and take action in response. | 5 | Support | Universal Directory, Adaptive Multifactor Authentication, Okta Device Access, API Access Management, Okta Identity Governance, Workflows, Identity Threat Protection |
| System and Information Integrity (SI) | 3 | SI.L3-3.14.6E | Threat-Guided Intrusion Detection | Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting. | N/A | Support | Universal Directory, Identity Threat Protection |

To learn more about how Okta can help your organization meet CMMC requirements, download our CMMC Discovery Guide at https://www.okta.com/resources/datasheet-okta-cmmc-discovery-guide/ or contact us at okta.com/contact-sales/.

While this article discusses certain legal concepts, it does not constitute legal advice and should not be construed as such. It is provided for informational purposes only. For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.
