Compliance deep dive · reviewed 2026-05-22

CMMC Level 2 IAM requirements — the NIST SP 800-171 controls + the 2024 final rule

IAM requirements at CMMC Level 2 — built on NIST SP 800-171 Rev 2 + the 2024 final rule that activated CMMC for defense contractors.


Authority

US Department of Defense (DoD CIO + Cyber-AB)

Effective date

CMMC 2.0 final rule (32 CFR Part 170) effective December 16, 2024. Contract-clause rollout (48 CFR) phased through 2025-2028.

Jurisdiction

United States (Department of Defense supply chain)

Evidence cadence

Level 2 — triennial assessment by an authorized C3PAO (CMMC Third Party Assessment Organization)

Scope

Defense Industrial Base (DIB) contractors and subcontractors handling Controlled Unclassified Information (CUI) — approximately 80,000 entities. Level 2 applies when CUI is involved.

IAM-relevant controls

The controls that matter for IAM.

  • AC.L2-3.1.1

    Authorized Access Control

    What it requires: Limit system access to authorized users, processes acting on behalf of authorized users, and devices.

    Evidence example

    IdP user / device inventory + access control configuration + sign-in logs.

  • AC.L2-3.1.2

    Transaction & Function Control

    What it requires: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

    Evidence example

    Role definitions + RBAC enforcement + segregation-of-duties matrix.

  • AC.L2-3.1.5

    Least Privilege

    What it requires: Employ the principle of least privilege, including for specific security functions and privileged accounts.

    Evidence example

    Role mining + access certification + privileged-account inventory in PAM.

  • AC.L2-3.1.7

    Non-Privileged Account Use

    What it requires: Prevent non-privileged users from executing privileged functions.

    Evidence example

    JIT elevation logs + privileged-function audit + UAC / sudo policy.

  • IA.L2-3.5.1

    Identification

    What it requires: Identify system users, processes acting on behalf of users, and devices.

    Evidence example

    IdP user + device + service-account inventory.

  • IA.L2-3.5.2

    Authentication

    What it requires: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access.

    Evidence example

    MFA configuration + sign-in logs + device-trust attestation.

  • IA.L2-3.5.3

    Multifactor Authentication

    What it requires: Use multifactor authentication for local and network access to privileged accounts AND for network access to non-privileged accounts.

    Evidence example

    MFA enforcement on local + network access + phishing-resistant MFA on privileged accounts.

  • IA.L2-3.5.4

    Replay-Resistant Authentication

    What it requires: Employ replay-resistant authentication mechanisms for network access to privileged + non-privileged accounts.

    Evidence example

    TLS + nonce-based protocols + token-binding evidence.

  • IA.L2-3.5.5

    Identifier Reuse

    What it requires: Prevent reuse of identifiers for a defined period.

    Evidence example

    Identity-lifecycle policy + audit showing no UPN reuse within retention window.

  • AU.L2-3.3.1

    System Auditing

    What it requires: Create and retain system audit logs + records to the extent needed to enable monitoring, analysis, investigation, and reporting.

    Evidence example

    SIEM topology + IAM event-source inventory + log retention configuration.

  • AU.L2-3.3.5

    Audit Correlation

    What it requires: Correlate audit record review, analysis, and reporting processes for investigation + response.

    Evidence example

    SIEM correlation rules + investigation runbook + ITDR alerts.

The CMMC compliance arc 2024-2028

CMMC has been a long time coming. The 2024 final rule (32 CFR Part 170) made the program formal — establishing the levels, assessment requirements, and the role of the Cyber-AB. The companion 48 CFR rule, which actually inserts CMMC requirements into DoD contracts, is being phased in from 2025 through 2028. By 2028, all new DoD contracts requiring CUI handling will include CMMC compliance clauses. Existing contracts get CMMC requirements at modification or renewal.

How CMMC 2.0 differs from CMMC 1.0

CMMC 1.0 (2020) had 5 levels with custom controls. CMMC 2.0 (current) collapsed to 3 levels and aligned each to NIST publications: Level 1 = NIST 800-171 Rev 2 subset (17 controls), Level 2 = full NIST 800-171 Rev 2 (110 controls), Level 3 = NIST 800-171 + subset of NIST 800-172. This alignment dramatically simplified compliance for contractors already on a NIST trajectory.

Assessment economics

A Level 2 assessment by a C3PAO typically costs $30K-$200K depending on scope + complexity. Triennial cycle. Smaller contractors that can't absorb this often partner with primes or pursue Level 2 via self-assessment when contractually permitted.

The IAM controls that move the needle

Defense Industrial Base practitioners report the following IAM controls are the most examined during C3PAO assessments:

  • IA.L2-3.5.3 (MFA) — verified across all access paths
  • AC.L2-3.1.5 (least privilege) — role definitions + actual enforcement
  • AC.L2-3.1.7 (non-privileged users + privileged functions) — JIT or barrier between user roles and admin actions
  • IA.L2-3.5.4 (replay-resistant) — modern protocols on every authentication
  • AU.L2-3.3.1 + 3.3.5 (logging + correlation) — IAM events flow into SIEM and trigger investigations

Common findings

  • IA.L2-3.5.3 — MFA on network access OK but local-access MFA (e.g. workstation logon) not enforced
  • AC.L2-3.1.7 — privileged-function controls exist but not consistently enforced for cloud admin actions
  • AU.L2-3.3.5 — log correlation exists for some sources but not end-to-end IAM event chain
  • IA.L2-3.5.1 — non-human / service-account inventory incomplete
  • IA.L2-3.5.5 — identifier reuse policy exists but enforcement isn't verifiable for cloud-rebuilt environments
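The first common finding above (MFA enforced on network access but not on local workstation logon) is easy to miss because the two access paths are usually checked separately. The script below is an added example, not code from the page or from askmeidentity: it runs a single IA.L2-3.5.3 check over constructed sign-in records and reports every session that falls short of the control as the page states it (MFA on all privileged access, MFA on non-privileged network access) and, optionally, of the page's evidence bar of phishing-resistant MFA on privileged accounts. The `SignIn` schema, the `access` values `local` / `network`, the `mfa_method` names and the set of methods treated as phishing-resistant are all assumptions.

```python
"""IA.L2-3.5.3 sign-in check over constructed records.

Added example with an assumed schema. Real input would be normalized
sign-in events from the IdP and from workstation logon auditing, since
local logons usually never reach the IdP's sign-in log.
"""
from dataclasses import dataclass

# Assumed classification; adjust to the methods the environment actually uses.
PHISHING_RESISTANT = {"fido2", "piv", "windows_hello_for_business"}


@dataclass(frozen=True)
class SignIn:
    user: str
    access: str        # "local" (interactive workstation logon) or "network"
    privileged: bool   # session used a privileged account
    mfa_method: str    # "" when only a password was used


# Constructed sample sign-ins (not real users or events).
SAMPLE_SIGNINS = [
    SignIn("admin1@corp.example", "network", True, "fido2"),
    SignIn("admin1@corp.example", "local", True, ""),        # privileged local logon, password only
    SignIn("admin2@corp.example", "network", True, "sms"),   # privileged, MFA not phishing-resistant
    SignIn("jdoe@corp.example", "network", False, ""),       # non-privileged network access, no MFA
    SignIn("jdoe@corp.example", "local", False, ""),         # non-privileged local logon: not required by 3.5.3
    SignIn("asmith@corp.example", "network", False, "totp"),
]


def mfa_gaps(signins, require_phishing_resistant_for_privileged=True):
    """Return (user, access, reason) for each sign-in that does not meet the control.

    The rule mirrors the control text: privileged accounts need MFA on local
    and network access; non-privileged accounts need it on network access.
    The phishing-resistant requirement is the page's evidence bar, not the
    control text, so it is a switch.
    """
    findings = []
    for s in signins:
        if s.privileged:
            if not s.mfa_method:
                findings.append((s.user, s.access, "privileged access without MFA"))
            elif (require_phishing_resistant_for_privileged
                  and s.mfa_method not in PHISHING_RESISTANT):
                findings.append((s.user, s.access,
                                 f"privileged access with non-phishing-resistant MFA ({s.mfa_method})"))
        elif s.access == "network" and not s.mfa_method:
            findings.append((s.user, s.access, "non-privileged network access without MFA"))
    return findings


def gap_counts_by_path(findings):
    """Summarize findings per access path, which is how assessors tend to ask the question."""
    counts = {"local": 0, "network": 0}
    for _, access, _ in findings:
        counts[access] = counts.get(access, 0) + 1
    return counts


if __name__ == "__main__":
    found = mfa_gaps(SAMPLE_SIGNINS)
    for user, access, reason in found:
        print(f"{user:<24} {access:<8} {reason}")
    print(gap_counts_by_path(found))
```

Because local logons are typically recorded by the endpoint (e.g. Windows logon auditing) rather than by the IdP, the feed for this check has to include both sources; a run that only ingests IdP sign-ins will show zero local-access gaps and reproduce exactly the blind spot the finding describes.
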

Penalties

No CMMC certification → no DoD contract that requires it. False compliance claims expose contractors to False Claims Act liability ($24K-$28K per claim + treble damages). DOJ's Civil Cyber-Fraud Initiative has actively pursued these cases since 2021.

Evidence cadence

Level 2 — triennial assessment by an authorized C3PAO (CMMC Third Party Assessment Organization). Some contracts may require annual self-assessment. Contractor must maintain continuous evidence between triennial assessments.

Practitioner notes

What the policy doesn’t tell you.

  • CMMC Level 2 = NIST SP 800-171 Rev 2 (110 practices). Level 3 adds a subset of NIST SP 800-172. Level 1 is 17 basic safeguarding requirements.
  • The 2024 final rule (32 CFR Part 170) effective December 16, 2024 made CMMC a formal program. Contract clause rollout (48 CFR) is phased 2025-2028 — full DoD coverage by 2028.
  • Most defense contractors are subject to Level 2 (handling CUI). Level 3 applies to a smaller subset handling the most sensitive CUI.
  • Self-assessment is allowed for Level 1 + some Level 2 (depending on CUI sensitivity). Most Level 2 contracts require C3PAO assessment.
  • Identity controls dominate the 110 practices — approximately 20% of CMMC Level 2 controls are explicitly IAM-related (AC + IA families). Add in the AU family and it's closer to 30%.
  • CMMC is built on NIST 800-171 which is itself a tailored subset of NIST 800-53. The relationship: 800-53 → 800-171 (tailoring for non-federal systems) → CMMC (DoD program).

© 2026 askmeidentity, Inc. Safeguard your digital frontier.
