CMMC MFA Requirements at a Glance

  • MFA is required at CMMC Level 2: Control IA.L2-3.5.3 requires multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts.
  • It cannot be deferred: MFA is one of a small number of controls that cannot be placed on a Plan of Action and Milestones (POA&M). It must be fully met before an assessment.
  • Authentication must be replay-resistant: Control IA.L2-3.5.4 requires replay-resistant authentication, which rules out SMS-based codes for full compliance.
  • It is the most commonly failed control: MFA is consistently among the most frequently missed requirements in assessments, usually because local privileged access is overlooked.
  • Phase II has been suspended: On July 13, 2026, the Department of Defense suspended the CMMC Phase II third-party certification requirements that were scheduled for November 10, 2026, pending a 60-day program review.
  • The underlying requirements still apply: The suspension pauses the certification mechanism, not the security obligations. Phase I self-assessments and existing DFARS and NIST 800-171 requirements remain fully in force.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense to verify that companies in the defense industrial base are protecting sensitive government information. It was introduced in 2019 to address a persistent problem: defense contractors were contractually required to protect sensitive data, but there was no consistent mechanism to verify they actually were. CMMC ties cybersecurity verification directly to contract eligibility.
 
CMMC does not create new cybersecurity requirements. Instead, it provides a way to confirm that contractors are implementing the controls already required under federal law, primarily those defined in NIST Special Publication 800-171. The current version, CMMC 2.0, streamlined the original five-level model down to three levels. Level 1 covers basic protection of Federal Contract Information (FCI). Level 2 covers protection of Controlled Unclassified Information (CUI) and aligns with the 110 controls of NIST 800-171. Level 3 addresses the most sensitive CUI against advanced persistent threats.
 
CMMC is mandatory for organizations that want to bid on and hold DoD contracts involving FCI or CUI. It is not a voluntary framework in the way that NIST CSF or ISO 27001 adoption can be. That said, the way CMMC is enforced is currently in flux, as described in the timeline section below.

Understanding the CMMC Phase II Suspension

The way CMMC is rolled out and enforced changed significantly in July 2026, so it is worth understanding the current state before planning your compliance work.
 
CMMC 2.0 was designed to phase in over several years. Phase I began on November 10, 2025, and required contractors to complete self-assessments for CMMC Level 1 and Level 2. Phase II, scheduled for November 10, 2026, would have required many contractors to pass a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) in order to win contracts. Phase III (2027) and Phase IV (2028) would have extended certification requirements further.
 
On July 13, 2026, the Department of Defense announced the immediate suspension of the CMMC Phase II requirements, along with all pending and future CMMC milestones, pending a 60-day review by a newly created CMMC Reform Task Force. The department cited high compliance costs and concerns that the certification model was pushing small and mid-sized businesses out of the defense industrial base. During the review period, the DoD has said it will rely on self-assessments and select government-led assessments rather than mandatory third-party certification.
 
It is important to be precise about what the suspension does and does not change. It pauses the third-party certification mechanism. It does not repeal the underlying security requirements. Phase I self-assessment requirements remain in force, and every defense contractor is still contractually obligated to protect covered information under DFARS 252.204-7012 and to implement the NIST 800-171 controls, including MFA. Solicitations and contracts that already include Level 2 C3PAO or Level 3 assessment requirements are being amended to remove them, but the security controls behind them remain. The practical takeaway is that MFA and the other NIST 800-171 controls are still required, and organizations that use this period to strengthen their security posture will be better positioned regardless of how the program is reformed.

Who Does CMMC Apply To?

CMMC applies to any organization in the defense supply chain that handles Federal Contract Information or Controlled Unclassified Information. This is a broad group that extends well beyond large prime contractors. It includes:

  • Prime contractors: Companies that hold contracts directly with the Department of Defense and handle FCI or CUI.
  • Subcontractors and suppliers: Companies at any tier of the defense supply chain that receive or generate FCI or CUI in the course of their work, including manufacturers and parts suppliers.
  • Service providers: Companies that provide services to the DoD or to other contractors where those services involve access to covered information, including IT and managed service providers.
  • Product and technology vendors: Software and hardware vendors whose products store, process, or transmit CUI within a contractor’s environment.

The level of CMMC that applies depends on the type of information handled. Contractors that handle only FCI generally fall under Level 1. Those that handle CUI fall under Level 2, which is where the full set of NIST 800-171 controls, including MFA, applies. A small number of contractors handling the most sensitive information fall under Level 3.
 
A note for Canadian organizations: CMMC applies to Canadian companies that participate in the U.S. defense supply chain as contractors or subcontractors handling FCI or CUI. Canadian organizations working with the DoD or with U.S. prime contractors should expect the same requirements as their U.S. counterparts, including MFA under Level 2, and should also consider the interaction with Canadian controlled goods and data handling obligations.

What Are the CMMC MFA Requirements?

At CMMC Level 2, the MFA requirements come directly from NIST 800-171. The controls most relevant to authentication are in the Identification and Authentication (IA) domain. The table below maps them to their MFA relevance and how LoginTC supports them.
 

CMMC Control Requirement MFA Relevance LoginTC Relevance
IA.L2-3.5.3 MFA for local and network access to privileged accounts, and network access to non-privileged accounts Mandatory, cannot be deferred MFA for Windows logon, servers, VPN, and applications via RADIUS/LDAP/AD
IA.L2-3.5.4 Replay-resistant authentication for network access to privileged and non-privileged accounts Mandatory Support for replay-resistant factors including FIDO2 and hardware tokens
IA.L2-3.5.2 Authenticate the identities of users, processes, and devices before granting access Foundational Per-user authentication across systems
MA.L2-3.7.5 MFA to establish nonlocal maintenance sessions Mandatory MFA for remote maintenance and administrative sessions
AU.L2-3.3.1 Create and retain audit logs to support monitoring and investigation Audit evidence Detailed authentication logs for assessment support

IA.L2-3.5.3: The Core MFA Requirement

The central MFA control at CMMC Level 2 requires the use of multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. Multi-factor authentication means using at least two different types of factor from three categories: something you know, such as a password or PIN; something you have, such as a hardware token or smart card; and something you are, such as a fingerprint or other biometric.
 
The scope of this control is where many organizations stumble. It applies in three distinct scenarios, and missing any one means the requirement is not met. Local access to privileged accounts, such as an administrator logging directly into a server console or workstation, requires MFA. Network access to privileged accounts requires MFA. And network access to non-privileged accounts, meaning regular users connecting over the network, also requires MFA. The local privileged access scenario is the one most often overlooked, because organizations frequently deploy MFA for cloud and network logins while leaving direct server and workstation admin logins protected by a password alone.

IA.L2-3.5.4: Replay-Resistant Authentication

Control IA.L2-3.5.4 requires that authentication mechanisms be replay-resistant for network access. A replay attack is one where an attacker intercepts authentication data and reuses it to gain access. This requirement has a practical consequence: SMS-based one-time codes, while technically a second factor, are generally not considered replay-resistant and do not satisfy this control on their own. Authenticator app codes, FIDO2 security keys, smart cards, and PIV credentials are the accepted approaches.

MFA Cannot Be Placed on a POA&M

CMMC allows organizations to address some gaps through a Plan of Action and Milestones (POA&M), which is a documented plan to remediate a control within a set period. MFA is one of a small number of controls that cannot be handled this way. It must be fully implemented and met before an assessment. An organization cannot achieve conditional certification with an outstanding MFA gap. This makes MFA one of the highest-priority controls to get right early.

Is MFA Required by CMMC?

Yes. MFA is a required control at CMMC Level 2 under IA.L2-3.5.3, and it is one of the controls that cannot be deferred through a POA&M. For any contractor handling Controlled Unclassified Information, MFA is mandatory and must be fully in place before an assessment.
 
This requirement is unchanged by the July 2026 suspension of Phase II. The suspension pauses the third-party certification process, but the underlying NIST 800-171 controls, including MFA, remain contractually required under DFARS 252.204-7012 and are still verified through self-assessment. The Department of Defense has been explicit that it is reducing administrative overhead, not lowering the security baseline.
 
MFA is consistently one of the most commonly failed controls in assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The most frequent reason for failure is incomplete scope. Organizations deploy MFA on their cloud platforms and VPNs but overlook local administrator logins to servers and workstations, which the control also requires. Because MFA cannot be placed on a POA&M, a gap of this kind can be enough to fail an assessment outright.
 
The bottom line for defense contractors is clear. If you handle CUI, MFA is required across privileged accounts and network access, it must be replay-resistant, and it must be complete before you are assessed. The Phase II pause does not change this, and organizations that treat the pause as a reason to stop are taking on both security and contractual risk.

Consequences of CMMC Non-Compliance

Because CMMC ties cybersecurity to contract eligibility, the consequences of non-compliance are primarily commercial and legal rather than a fixed schedule of fines.
 
The most direct consequence is the loss of contract eligibility. Contractors that cannot demonstrate the required level of compliance are not eligible to win or continue performing on applicable DoD contracts. In a competitive defense market, an inability to meet CMMC requirements means being shut out of opportunities and losing ground to compliant competitors. For subcontractors, prime contractors can and do gate awards on compliance, so a gap can cut a company out of the supply chain even without direct DoD action.
 
There is also significant legal exposure. The Department of Justice operates a Civil Cyber-Fraud Initiative that uses the False Claims Act to pursue contractors that misrepresent their cybersecurity compliance. Submitting an inaccurate self-assessment score, or falsely affirming compliance, can lead to substantial financial penalties and legal liability. This risk applies to the self-assessments that remain in force during the Phase II suspension, so the accuracy of a self-attestation carries real weight.
 
Beyond contracts and legal risk, the underlying purpose of CMMC is to prevent sensitive defense information from reaching adversaries. Breaches of contractor networks have already exposed sensitive program data in the past. A security failure that leads to a breach of CUI can bring reputational damage, loss of trust with the DoD and prime contractors, and removal from the supply chain, on top of the direct harm to national security.

How to Implement MFA for CMMC Compliance

1. Define Your CUI and FCI Scope

Start by identifying where Federal Contract Information and Controlled Unclassified Information live in your environment. Determine which systems store, process, or transmit this data, since these systems define your assessment scope. Getting scope right is essential, because it determines which accounts and access points need MFA. An unclear or overly broad scope is a common source of both wasted effort and missed controls.

2. Inventory All Accounts and Access Types

Map every account and how it is accessed. Separate privileged accounts, such as administrators and service accounts, from non-privileged user accounts. For each, identify whether access is local (directly at the device) or over the network. Remember that IA.L2-3.5.3 requires MFA for local and network access to privileged accounts, and for network access to non-privileged accounts, so all three scenarios need to be accounted for. Do not forget service accounts, shared accounts, and emergency break-glass accounts, which are common gaps.

3. Select an MFA Solution That Covers Local and Network Access

Choose a solution that can enforce MFA across all in-scope scenarios, not just cloud and network logins. Local access to server consoles and workstation administrator accounts is the most commonly missed scenario, so confirm your solution can cover it. Look for support for RADIUS, LDAP, and Active Directory to cover the range of systems in a typical contractor environment, and consider whether you need cloud, on-premises, or hybrid deployment. For systems that cannot natively support MFA, such as some legacy or network devices, plan for a privileged access workstation or jump host that enforces MFA before administrative access is granted.

4. Prioritize Replay-Resistant Factors

To satisfy IA.L2-3.5.4, deploy authentication factors that are replay-resistant. FIDO2 security keys, smart cards, PIV credentials, and authenticator app codes are appropriate choices. Avoid relying on SMS-based codes, which are not considered replay-resistant and can undermine compliance even where MFA is otherwise deployed. Phishing-resistant factors such as FIDO2 keys are the strongest option for privileged accounts.

5. Deploy MFA Across the Full Scope

Roll out MFA to every account and access scenario identified in your inventory. Cover cloud platforms, VPNs, network logins, local server and workstation administrator access, and remote maintenance sessions (which fall under MA.L2-3.7.5). Verify that no privileged account or network access path is left on password-only authentication. Aim for complete coverage, since partial coverage is the leading cause of assessment failure on this control.

6. Document and Generate Evidence

CMMC assessments are evidence-based. Document your MFA implementation in your System Security Plan (SSP), including which accounts are covered, how MFA is enforced in each scenario, and how any accounts that cannot support MFA are handled through compensating controls. Ensure your solution generates authentication logs that show enforcement across the environment. Assessors will expect to see policies, an account inventory with MFA coverage, evidence of enrollment, and logs.

7. Test Before You Assess

Before a self-assessment or third-party assessment, test your deployment the way an assessor would. Attempt to access privileged accounts locally and over the network without completing MFA, and confirm that access is denied. Verify that break-glass and service accounts are covered or that documented compensating controls are in place. Finding and closing gaps before an assessment is far less costly than failing one.

CMMC MFA Best Practices

  • Cover local privileged access, not just network logins: The most common reason organizations fail the MFA control is overlooking direct administrator logins to servers and workstations. Confirm that local privileged access requires MFA, not just cloud and VPN access.
  • Use replay-resistant, phishing-resistant factors: FIDO2 security keys, smart cards, and PIV credentials satisfy the replay-resistance requirement and offer strong protection against phishing. Avoid SMS-based codes for compliant MFA.
  • Account for service and break-glass accounts: Privileged service accounts and emergency access accounts are frequently missed. Enforce MFA where feasible, or document compensating controls in your SSP where it is not.
  • Plan for systems that cannot support MFA: Some legacy systems, firewalls, and network devices cannot natively enforce MFA. A privileged access workstation or jump host that requires MFA before granting access to these systems is the standard solution.
  • Treat MFA as a must-fix, not a POA&M item: Because MFA cannot be deferred through a Plan of Action and Milestones, prioritize it early in your compliance work rather than leaving it for later remediation.
  • Keep going during the Phase II pause: The suspension of Phase II pauses third-party certification, not the underlying requirements. Continue to maintain and improve MFA coverage, since self-assessments and DFARS obligations remain in force and False Claims Act exposure applies to inaccurate attestations.

How LoginTC Helps with CMMC MFA Compliance

LoginTC is well suited to the mixed environments common among defense contractors, where MFA needs to reach not only cloud applications and VPNs but also local server and workstation access. LoginTC integrates through RADIUS, LDAP, and Active Directory, so contractors can enforce MFA across the range of systems in scope for CMMC Level 2 without replacing existing infrastructure.
 
For the core requirement in IA.L2-3.5.3, LoginTC enforces MFA for Windows logon, server access, VPN and remote connections, and applications that handle CUI. This includes the local privileged access scenario that organizations most often miss. To satisfy the replay-resistance requirement in IA.L2-3.5.4, LoginTC supports replay-resistant and phishing-resistant factors, including FIDO2 security keys and hardware tokens, which are strong choices for privileged accounts and are practical for staff who cannot use a personal mobile device.
 
For organizations that need to keep authentication infrastructure within their own environment, including those handling CUI under strict data residency expectations, LoginTC offers an on-premises deployment option. Detailed authentication logs and centralized administration provide the evidence needed to document MFA coverage in your System Security Plan and to demonstrate enforcement during a self-assessment or third-party assessment.
 
Explore LoginTC for Government | View All Connectors

Frequently Asked Questions

Yes. MFA is a required control at CMMC Level 2 under IA.L2-3.5.3, which requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. It is one of a small number of controls that cannot be deferred through a Plan of Action and Milestones, so it must be fully implemented before an assessment. The requirement flows from NIST 800-171 and applies to any contractor handling Controlled Unclassified Information.

Has the CMMC Phase II suspension removed the MFA requirement?

No. On July 13, 2026, the Department of Defense suspended the CMMC Phase II third-party certification requirements that were scheduled for November 10, 2026, pending a 60-day review. The suspension pauses the certification mechanism, not the underlying security requirements. Phase I self-assessments, DFARS 252.204-7012 obligations, and the NIST 800-171 controls, including MFA, all remain in force.

Who does CMMC apply to?

CMMC applies to any organization in the defense supply chain that handles Federal Contract Information or Controlled Unclassified Information, including prime contractors, subcontractors, suppliers, and service providers. Contractors handling only FCI generally fall under Level 1, while those handling CUI fall under Level 2, where MFA and the full set of NIST 800-171 controls apply.

What types of MFA are acceptable under CMMC?

CMMC requires at least two different factor types and, under IA.L2-3.5.4, replay-resistant authentication for network access. Acceptable methods include FIDO2 security keys, smart cards, PIV credentials, and authenticator app codes. SMS-based one-time codes are generally not considered replay-resistant and should not be relied on for compliant MFA. Phishing-resistant factors such as FIDO2 keys are strongly preferred for privileged accounts.

Why is MFA the most commonly failed CMMC control?

The usual reason is incomplete scope. Many organizations deploy MFA on cloud platforms and VPNs but overlook local access to privileged accounts, such as administrators logging directly into servers or workstations, which IA.L2-3.5.3 also requires. Because MFA cannot be placed on a POA&M, an incomplete deployment can cause an assessment to fail outright, which makes complete coverage essential.

Does CMMC apply to Canadian organizations?

Yes, when Canadian companies participate in the U.S. defense supply chain as contractors or subcontractors handling FCI or CUI. Those organizations face the same requirements as U.S. companies, including MFA under Level 2. Canadian organizations should also consider how CMMC interacts with their own controlled goods and data handling obligations.

Should we keep working on CMMC compliance during the Phase II pause?

Yes. The security requirements remain contractually binding, self-assessments are still required, and prime contractors can still gate awards on compliance. The Department of Justice also continues to pursue False Claims Act cases based on inaccurate cybersecurity attestations. Organizations that continue strengthening their MFA coverage and broader NIST 800-171 posture will be better positioned regardless of how the program is reformed after the review.

Get a Free CMMC MFA Strategy Session

Meeting the CMMC MFA requirement means covering every scenario the control touches, including the local privileged access that so many organizations miss, and doing it with replay-resistant factors that hold up under assessment. With Phase II under review, the certification timeline may be shifting, but the underlying requirement is not going away.
 
Our team helps defense contractors and their suppliers deploy MFA that meets CMMC Level 2 requirements across cloud, network, and local access, without disrupting operations. If you are preparing a self-assessment or getting ahead of future certification, we are ready to help.
 


Start your free trial today. No credit card required.

Sign up and Go