Identification and authentication are the first line of defense against unauthorized people or processes entering our networks. CMMC addresses this crucial issue with the IA domain of controls. The domain includes 9 practices and 26 objectives, all of which must be met for CMMC 2.0 Level 2 certification, the certification level that most government DoD contractors will need to achieve.
Among the practices are:
Require strong, complex passwords, with a change of characters when a new password is created.
Prohibit password reuse for a specified number of generations.
Store and transmit only cryptographically protected passwords.
Obscure feedback of authentication information.
Even if you are already implementing the objectives in this domain as part of good cybersecurity hygiene, it must all be well documented in your system security plan to pass your assessment. Evidence must be produced for all 26 objectives in the form of artifacts, interviews, and testing to prove compliance.
Peter McNamee CCP