The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense to verify that companies in the defense industrial base are protecting sensitive government information. It was introduced in 2019 to address a persistent problem: defense contractors were contractually required to protect sensitive data, but there was no consistent mechanism to verify they actually were. CMMC ties cybersecurity verification directly to contract eligibility.
CMMC does not create new cybersecurity requirements. Instead, it provides a way to confirm that contractors are implementing the controls already required under federal law, primarily those defined in NIST Special Publication 800-171. The current version, CMMC 2.0, streamlined the original five-level model down to three levels. Level 1 covers basic protection of Federal Contract Information (FCI). Level 2 covers protection of Controlled Unclassified Information (CUI) and aligns with the 110 controls of NIST 800-171. Level 3 addresses the most sensitive CUI against advanced persistent threats.
CMMC is mandatory for organizations that want to bid on and hold DoD contracts involving FCI or CUI. It is not a voluntary framework in the way that NIST CSF or ISO 27001 adoption can be. That said, the way CMMC is enforced is currently in flux, as described in the timeline section below.
The way CMMC is rolled out and enforced changed significantly in July 2026, so it is worth understanding the current state before planning your compliance work.
CMMC 2.0 was designed to phase in over several years. Phase I began on November 10, 2025, and required contractors to complete self-assessments for CMMC Level 1 and Level 2. Phase II, scheduled for November 10, 2026, would have required many contractors to pass a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) in order to win contracts. Phase III (2027) and Phase IV (2028) would have extended certification requirements further.
On July 13, 2026, the Department of Defense announced the immediate suspension of the CMMC Phase II requirements, along with all pending and future CMMC milestones, pending a 60-day review by a newly created CMMC Reform Task Force. The department cited high compliance costs and concerns that the certification model was pushing small and mid-sized businesses out of the defense industrial base. During the review period, the DoD has said it will rely on self-assessments and select government-led assessments rather than mandatory third-party certification.
It is important to be precise about what the suspension does and does not change. It pauses the third-party certification mechanism. It does not repeal the underlying security requirements. Phase I self-assessment requirements remain in force, and every defense contractor is still contractually obligated to protect covered information under DFARS 252.204-7012 and to implement the NIST 800-171 controls, including MFA. Solicitations and contracts that already include Level 2 C3PAO or Level 3 assessment requirements are being amended to remove them, but the security controls behind them remain. The practical takeaway is that MFA and the other NIST 800-171 controls are still required, and organizations that use this period to strengthen their security posture will be better positioned regardless of how the program is reformed.
CMMC applies to any organization in the defense supply chain that handles Federal Contract Information or Controlled Unclassified Information. This is a broad group that extends well beyond large prime contractors. It includes:
The level of CMMC that applies depends on the type of information handled. Contractors that handle only FCI generally fall under Level 1. Those that handle CUI fall under Level 2, which is where the full set of NIST 800-171 controls, including MFA, applies. A small number of contractors handling the most sensitive information fall under Level 3.
A note for Canadian organizations: CMMC applies to Canadian companies that participate in the U.S. defense supply chain as contractors or subcontractors handling FCI or CUI. Canadian organizations working with the DoD or with U.S. prime contractors should expect the same requirements as their U.S. counterparts, including MFA under Level 2, and should also consider the interaction with Canadian controlled goods and data handling obligations.
At CMMC Level 2, the MFA requirements come directly from NIST 800-171. The controls most relevant to authentication are in the Identification and Authentication (IA) domain. The table below maps them to their MFA relevance and how LoginTC supports them.
| CMMC Control | Requirement | MFA Relevance | LoginTC Relevance |
|---|---|---|---|
| IA.L2-3.5.3 | MFA for local and network access to privileged accounts, and network access to non-privileged accounts | Mandatory, cannot be deferred | MFA for Windows logon, servers, VPN, and applications via RADIUS/LDAP/AD |
| IA.L2-3.5.4 | Replay-resistant authentication for network access to privileged and non-privileged accounts | Mandatory | Support for replay-resistant factors including FIDO2 and hardware tokens |
| IA.L2-3.5.2 | Authenticate the identities of users, processes, and devices before granting access | Foundational | Per-user authentication across systems |
| MA.L2-3.7.5 | MFA to establish nonlocal maintenance sessions | Mandatory | MFA for remote maintenance and administrative sessions |
| AU.L2-3.3.1 | Create and retain audit logs to support monitoring and investigation | Audit evidence | Detailed authentication logs for assessment support |
The central MFA control at CMMC Level 2 requires the use of multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. Multi-factor authentication means using at least two different types of factor from three categories: something you know, such as a password or PIN; something you have, such as a hardware token or smart card; and something you are, such as a fingerprint or other biometric.
The scope of this control is where many organizations stumble. It applies in three distinct scenarios, and missing any one means the requirement is not met. Local access to privileged accounts, such as an administrator logging directly into a server console or workstation, requires MFA. Network access to privileged accounts requires MFA. And network access to non-privileged accounts, meaning regular users connecting over the network, also requires MFA. The local privileged access scenario is the one most often overlooked, because organizations frequently deploy MFA for cloud and network logins while leaving direct server and workstation admin logins protected by a password alone.
Control IA.L2-3.5.4 requires that authentication mechanisms be replay-resistant for network access. A replay attack is one where an attacker intercepts authentication data and reuses it to gain access. This requirement has a practical consequence: SMS-based one-time codes, while technically a second factor, are generally not considered replay-resistant and do not satisfy this control on their own. Authenticator app codes, FIDO2 security keys, smart cards, and PIV credentials are the accepted approaches.
CMMC allows organizations to address some gaps through a Plan of Action and Milestones (POA&M), which is a documented plan to remediate a control within a set period. MFA is one of a small number of controls that cannot be handled this way. It must be fully implemented and met before an assessment. An organization cannot achieve conditional certification with an outstanding MFA gap. This makes MFA one of the highest-priority controls to get right early.
Yes. MFA is a required control at CMMC Level 2 under IA.L2-3.5.3, and it is one of the controls that cannot be deferred through a POA&M. For any contractor handling Controlled Unclassified Information, MFA is mandatory and must be fully in place before an assessment.
This requirement is unchanged by the July 2026 suspension of Phase II. The suspension pauses the third-party certification process, but the underlying NIST 800-171 controls, including MFA, remain contractually required under DFARS 252.204-7012 and are still verified through self-assessment. The Department of Defense has been explicit that it is reducing administrative overhead, not lowering the security baseline.
MFA is consistently one of the most commonly failed controls in assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The most frequent reason for failure is incomplete scope. Organizations deploy MFA on their cloud platforms and VPNs but overlook local administrator logins to servers and workstations, which the control also requires. Because MFA cannot be placed on a POA&M, a gap of this kind can be enough to fail an assessment outright.
The bottom line for defense contractors is clear. If you handle CUI, MFA is required across privileged accounts and network access, it must be replay-resistant, and it must be complete before you are assessed. The Phase II pause does not change this, and organizations that treat the pause as a reason to stop are taking on both security and contractual risk.
Because CMMC ties cybersecurity to contract eligibility, the consequences of non-compliance are primarily commercial and legal rather than a fixed schedule of fines.
The most direct consequence is the loss of contract eligibility. Contractors that cannot demonstrate the required level of compliance are not eligible to win or continue performing on applicable DoD contracts. In a competitive defense market, an inability to meet CMMC requirements means being shut out of opportunities and losing ground to compliant competitors. For subcontractors, prime contractors can and do gate awards on compliance, so a gap can cut a company out of the supply chain even without direct DoD action.
There is also significant legal exposure. The Department of Justice operates a Civil Cyber-Fraud Initiative that uses the False Claims Act to pursue contractors that misrepresent their cybersecurity compliance. Submitting an inaccurate self-assessment score, or falsely affirming compliance, can lead to substantial financial penalties and legal liability. This risk applies to the self-assessments that remain in force during the Phase II suspension, so the accuracy of a self-attestation carries real weight.
Beyond contracts and legal risk, the underlying purpose of CMMC is to prevent sensitive defense information from reaching adversaries. Breaches of contractor networks have already exposed sensitive program data in the past. A security failure that leads to a breach of CUI can bring reputational damage, loss of trust with the DoD and prime contractors, and removal from the supply chain, on top of the direct harm to national security.
Start by identifying where Federal Contract Information and Controlled Unclassified Information live in your environment. Determine which systems store, process, or transmit this data, since these systems define your assessment scope. Getting scope right is essential, because it determines which accounts and access points need MFA. An unclear or overly broad scope is a common source of both wasted effort and missed controls.
Map every account and how it is accessed. Separate privileged accounts, such as administrators and service accounts, from non-privileged user accounts. For each, identify whether access is local (directly at the device) or over the network. Remember that IA.L2-3.5.3 requires MFA for local and network access to privileged accounts, and for network access to non-privileged accounts, so all three scenarios need to be accounted for. Do not forget service accounts, shared accounts, and emergency break-glass accounts, which are common gaps.
Choose a solution that can enforce MFA across all in-scope scenarios, not just cloud and network logins. Local access to server consoles and workstation administrator accounts is the most commonly missed scenario, so confirm your solution can cover it. Look for support for RADIUS, LDAP, and Active Directory to cover the range of systems in a typical contractor environment, and consider whether you need cloud, on-premises, or hybrid deployment. For systems that cannot natively support MFA, such as some legacy or network devices, plan for a privileged access workstation or jump host that enforces MFA before administrative access is granted.
To satisfy IA.L2-3.5.4, deploy authentication factors that are replay-resistant. FIDO2 security keys, smart cards, PIV credentials, and authenticator app codes are appropriate choices. Avoid relying on SMS-based codes, which are not considered replay-resistant and can undermine compliance even where MFA is otherwise deployed. Phishing-resistant factors such as FIDO2 keys are the strongest option for privileged accounts.
Roll out MFA to every account and access scenario identified in your inventory. Cover cloud platforms, VPNs, network logins, local server and workstation administrator access, and remote maintenance sessions (which fall under MA.L2-3.7.5). Verify that no privileged account or network access path is left on password-only authentication. Aim for complete coverage, since partial coverage is the leading cause of assessment failure on this control.
CMMC assessments are evidence-based. Document your MFA implementation in your System Security Plan (SSP), including which accounts are covered, how MFA is enforced in each scenario, and how any accounts that cannot support MFA are handled through compensating controls. Ensure your solution generates authentication logs that show enforcement across the environment. Assessors will expect to see policies, an account inventory with MFA coverage, evidence of enrollment, and logs.
Before a self-assessment or third-party assessment, test your deployment the way an assessor would. Attempt to access privileged accounts locally and over the network without completing MFA, and confirm that access is denied. Verify that break-glass and service accounts are covered or that documented compensating controls are in place. Finding and closing gaps before an assessment is far less costly than failing one.
LoginTC is well suited to the mixed environments common among defense contractors, where MFA needs to reach not only cloud applications and VPNs but also local server and workstation access. LoginTC integrates through RADIUS, LDAP, and Active Directory, so contractors can enforce MFA across the range of systems in scope for CMMC Level 2 without replacing existing infrastructure.
For the core requirement in IA.L2-3.5.3, LoginTC enforces MFA for Windows logon, server access, VPN and remote connections, and applications that handle CUI. This includes the local privileged access scenario that organizations most often miss. To satisfy the replay-resistance requirement in IA.L2-3.5.4, LoginTC supports replay-resistant and phishing-resistant factors, including FIDO2 security keys and hardware tokens, which are strong choices for privileged accounts and are practical for staff who cannot use a personal mobile device.
For organizations that need to keep authentication infrastructure within their own environment, including those handling CUI under strict data residency expectations, LoginTC offers an on-premises deployment option. Detailed authentication logs and centralized administration provide the evidence needed to document MFA coverage in your System Security Plan and to demonstrate enforcement during a self-assessment or third-party assessment.
Explore LoginTC for Government | View All Connectors
Yes. MFA is a required control at CMMC Level 2 under IA.L2-3.5.3, which requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. It is one of a small number of controls that cannot be deferred through a Plan of Action and Milestones, so it must be fully implemented before an assessment. The requirement flows from NIST 800-171 and applies to any contractor handling Controlled Unclassified Information.
No. On July 13, 2026, the Department of Defense suspended the CMMC Phase II third-party certification requirements that were scheduled for November 10, 2026, pending a 60-day review. The suspension pauses the certification mechanism, not the underlying security requirements. Phase I self-assessments, DFARS 252.204-7012 obligations, and the NIST 800-171 controls, including MFA, all remain in force.
CMMC applies to any organization in the defense supply chain that handles Federal Contract Information or Controlled Unclassified Information, including prime contractors, subcontractors, suppliers, and service providers. Contractors handling only FCI generally fall under Level 1, while those handling CUI fall under Level 2, where MFA and the full set of NIST 800-171 controls apply.
CMMC requires at least two different factor types and, under IA.L2-3.5.4, replay-resistant authentication for network access. Acceptable methods include FIDO2 security keys, smart cards, PIV credentials, and authenticator app codes. SMS-based one-time codes are generally not considered replay-resistant and should not be relied on for compliant MFA. Phishing-resistant factors such as FIDO2 keys are strongly preferred for privileged accounts.
The usual reason is incomplete scope. Many organizations deploy MFA on cloud platforms and VPNs but overlook local access to privileged accounts, such as administrators logging directly into servers or workstations, which IA.L2-3.5.3 also requires. Because MFA cannot be placed on a POA&M, an incomplete deployment can cause an assessment to fail outright, which makes complete coverage essential.
Yes, when Canadian companies participate in the U.S. defense supply chain as contractors or subcontractors handling FCI or CUI. Those organizations face the same requirements as U.S. companies, including MFA under Level 2. Canadian organizations should also consider how CMMC interacts with their own controlled goods and data handling obligations.
Yes. The security requirements remain contractually binding, self-assessments are still required, and prime contractors can still gate awards on compliance. The Department of Justice also continues to pursue False Claims Act cases based on inaccurate cybersecurity attestations. Organizations that continue strengthening their MFA coverage and broader NIST 800-171 posture will be better positioned regardless of how the program is reformed after the review.
Meeting the CMMC MFA requirement means covering every scenario the control touches, including the local privileged access that so many organizations miss, and doing it with replay-resistant factors that hold up under assessment. With Phase II under review, the certification timeline may be shifting, but the underlying requirement is not going away.
Our team helps defense contractors and their suppliers deploy MFA that meets CMMC Level 2 requirements across cloud, network, and local access, without disrupting operations. If you are preparing a self-assessment or getting ahead of future certification, we are ready to help.