
With the first half of 2025 behind us, it is a good time to look at what will be required before the second half is up, especially if your company or firm is part of the defense industrial base. In that case, you have Cybersecurity Maturity Model Certification (CMMC) deadlines looming.
CMMC is the regulatory program that governs cybersecurity readiness for all Department of Defense (DoD) contractors. Who does that cover? Effectively, the entire Defense Industrial Base (DIB): the network of organizations, facilities, and resources that provide the US government––particularly its armed forces––with materials, products, and services for defense purposes. DIB vendors encompass everything from major weapon systems and operational support to commercial products and routine services.
CMMC compliance deadlines for DoD contractors will begin appearing in contracts starting in early to mid-2025, with full implementation expected by 2028. The DoD will embed CMMC requirements into all contracts by 2029.
With deadlines this aggressive, it would be forgivable to skim the requirements and not dig into what will actually be tested when audits come around, especially with regard to your multi factor authentication solution. But as we’ll see, skimming is a bad idea in this case.
What Does CMMC Say About MFA?
CMMC requirements are both dense and layered. You can get all the initial details you need from the government's site, but in essence there are three levels of control for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI):
- Level 1 (Foundational)
- Level 2 (Advanced)
- Level 3 (Expert)
Each level represents progressively stricter cybersecurity requirements. But they say surprisingly little using the term MFA itself. Every level contains a host of requirements covering authentication, with requirements increasing in number and stringency as you ascend from Level 1 to Level 3.
- The Level 1 CMMC assessment guide contains about 20 references to authentication, mostly related to policy, procedures, its role in the system security plan, system design and associated documentation, and audit logs and records. It never mentions how to authenticate and never uses the term multi factor.
- The Level 2 CMMC assessment guide digs a lot deeper:
  - more than 120 references to authentication
  - nearly 40 references and definitions for the concept of multi factor authentication or MFA
  - very few details on what is acceptable; instead it focuses on the rudimentary explanation of MFA as "two or more different factors to authenticate” that are defined as “something you know ... something you have ... or something you are (e.g., biometric)"
- The Level 3 CMMC assessment guide dives, as one might expect, into some very specific examples of what needs to be protected and how to do it:
  - Bidirectional authentication that is cryptographically based is defined as a requirement.
  - Replay resistance is highlighted, with an aim to combat eavesdropping attacks, session hijacking, and certain kinds of network attacks.
  - It defines how cryptographic keys for authentication transactions must be stored (suitably secure storage like keychain storage, Trusted Platform Module [TPM], Trusted Execution Environment [TEE], or secure element).
But generally, the CMMC docs are focused on what needs to be secured, to what degree, and by when. Other than a few mentions of cryptographic storage, they don't focus much on how. Instead, they point to other sources for their definition of what will pass or fail an authentication audit: three previously published standards from NIST, the National Institute of Standards and Technology.
So What Does NIST Say about MFA?
The National Institute of Standards and Technology has an impressive and far-reaching site with tons of information (even if it fails a little at spell-checking[1]). NIST was born from George Washington's 1790 message to Congress, where he called for an organization to assure "Uniformity in the currency, weights, and measures of the United States.” Among other standards it sets, NIST now sets standards for cybersecurity. The NIST standards that continually underpin all CMMC references are:
- NIST 800-53, “Security and Privacy Controls for Information Systems and Organizations." 800-53 provides the language of CMMC. It outlines the names and functions of all cybersecurity categories, as well as the crosswalks that map 800-53 to other standards like the CSF cybersecurity framework or ISO/IEC 27001:2022.
- NIST SP 800-171A covers “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” For CMMC, NIST 800-171 defines what federal information must be deemed “controlled unclassified information” or CUI. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency.
- NIST SP 800-63, Digital Identity Guidelines. 800-63 provides all the technical requirements for federal agencies implementing digital identity services, and focuses heavily on verifying the identity of users accessing digital systems. It is the document that sets standards for identity proofing, authentication practices and identity federation.
It’s in 800-63 that we get to the innermost of the Russian Dolls. It’s in 800-63 that we finally get to the how details. If you’re an identity architect or identity process manager in a DIB entity, it’s 800-63 that tells you what CMMC 2.0 auditors will ask you to prove.
The Innermost Doll: SP 800-63 Digital Identity Requirements
The second volume of this regulation––SP 800-63B––outlines the requirements for multi factor authentication (MFA) in federal agency digital identity systems. It’s the litmus test for all DIB partners, contractors, and providers. 800-63B defines different Authenticator Assurance Levels (AALs) with increasing security requirements, with MFA being mandatory at AAL2 and AAL3. It’s here that we get to the details of which factors are acceptable and how we expect them to behave:
- AAL1: allows both single-factor and multi factor authentication. A wide range of authenticator types are permitted, including memorized secrets and physical authenticators, but very few use cases allow for this lighter assurance.
- AAL2: requires MFA, meaning claimants must prove possession of two distinct authentication factors through secure protocols.
- AAL3: requires MFA with specific, higher-security requirements. This includes a hardware-based authenticator and one that offers verifier impersonation resistance, potentially using the same device.
It’s in Volume B that the standard digs deep into verifier impersonation attacks –– phishing attacks –– where fraudulent verifiers attempt to fool an unwary user into authenticating to an impostor website. It’s in Volume B that we learn that phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In layman’s terms: authentication must use strong digital credentials built on cryptography, and those credentials must be tied to the channel on which they are used.
This is crucial for phishing resistance. The authentication process should cryptographically bind the authenticator (like a security key) to the specific website or application where authentication is happening[2].
And there are really only two cryptographic binding methods that meet this definition: FIDO passkeys or TLS certificates.

The US Cybersecurity and Infrastructure Security Agency (CISA) makes this abundantly clear (see image above). CISA, part of the United States Department of Homeland Security, is the government agency focused on national cybersecurity and critical infrastructure protection. Their clear and unequivocal statement: only MFA that leverages PKI-based smart cards using TLS or PKI-based FIDO passkeys can be considered phishing resistant.
Full Circle: CMMC Compliance Will Require Phishing Resistant MFA
Let’s come all the way around to where we started this post: what kind of MFA is required to achieve CMMC compliance?
If I’m an organization, facility, vendor or resource that provides the US government with materials, products, and services for defense purposes, what kind of MFA do my people, services, and applications need to meet fast-approaching CMMC requirements?

So, as CMMC 2.0 requirements become standard in government contracts during this last half of 2025, can anyone achieve compliance without phishing resistant MFA?
If the applicant seeks Level 2 or higher, the answer is no. While Level 1 might pass for some applications and services, any organization handling more sensitive government information––specifically Controlled Unclassified Information or CUI––will require phishing resistant authentication. And frankly, that’s not only where the higher assurance is. If you’re a company in the DIB selling to the government, you know that’s where the money is, too.
CMMC Compliance Without the Operational Drag
Axiad Conductor streamlines the CMMC credentialing process using your existing tools. It incorporates best practices for phishing resistance and gets you to compliance now. Learn how.
Footnotes:
[1] If you visit the NIST site in Hawaii you’ll learn it’s located in “Kekaha” on Kauai, and not in “Kehaka” as it is consistently called in NIST websites. (See https://www.nist.gov/ofpm/historic-preservation-nist/kehaka-kauai-campus) But NIST.gov also contains many millions of words, so a misplaced letter is forgivable...unless perhaps you’re a student at Kekaha Elementary School in Kekaha.
[2] https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom#:~:text=So%20%E2%80%93%20how%20do%20you%20keep,this%20over%20a%20specific%20connection