CMMC is a US Department of Defense cybersecurity certification model for contractors that handle controlled information. It uses maturity levels and control requirements to determine whether an organisation can bid on or support defence work, with identity controls playing a central role in readiness.
Expanded Definition
CMMC, or the Cybersecurity Maturity Model Certification, is the Department of Defense’s framework for determining whether a contractor is ready to handle controlled information and participate in defence-related work. It combines required practices with maturity expectations, so the question is not only whether controls exist, but whether they are consistently implemented and evidenced. In NHI-heavy environments, that means service accounts, API keys, machine credentials, and automated workflows must be governed with the same discipline as human access.
Definitions vary across vendors when CMMC is discussed alongside broader compliance programs, but the model itself is distinct from generic security advice because it is procurement-linked and assessment-driven. For contractors, the practical standard often aligns with NIST control families and the NIST Cybersecurity Framework 2.0, while identity readiness depends on how well non-human access is inventoried, restricted, and reviewed. The most common misapplication is treating CMMC as a document exercise, which occurs when organisations map policies on paper but leave privileged service accounts and long-lived secrets unmanaged in production.
Examples and Use Cases
Implementing CMMC rigorously often introduces evidence-collection overhead, requiring organisations to weigh procurement eligibility against the cost of continuous control validation.
- A defence subcontractor inventories all service accounts, then ties each one to an owner, purpose, and review cadence so assessors can trace access decisions to operational need.
- An engineering team stores API keys in a secrets manager, rotates them on schedule, and documents the process as evidence that credential handling is not ad hoc.
- A build pipeline is redesigned so that deployment automation uses short-lived credentials instead of embedded tokens, reducing exposure during contractor assessment.
- Security teams use the Ultimate Guide to NHIs to benchmark lifecycle controls for machine identities, then align them with NIST Cybersecurity Framework 2.0 safeguards and access reviews.
- A prime contractor requires suppliers to prove that third-party integrations cannot retain standing access after a project ends, especially where controlled technical data is exchanged.
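As an added illustration of the inventory-and-review practice the examples above describe (this is not code from the glossary entry or from any vendor tooling), the Python script below audits a constructed NHI inventory for the gaps an assessor would ask about: missing owner or purpose, rotation or review past cadence, and third-party access left standing after a project end date. All record names and dates are constructed sample data, and the field names are assumptions about how such an inventory might be kept.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per non-human identity.
# Fields follow the inventory described above: owner, purpose, rotation cadence,
# review cadence and, for third-party integrations, the project end date.
INVENTORY = [
    {"name": "svc-deploy", "owner": "platform-team", "purpose": "CI deployment",
     "last_rotated": date(2024, 3, 1), "rotation_days": 90,
     "last_reviewed": date(2024, 3, 1), "review_days": 180, "project_end": None},
    {"name": "api-key-erp-sync", "owner": "", "purpose": "ERP data sync",
     "last_rotated": date(2023, 6, 1), "rotation_days": 90,
     "last_reviewed": date(2024, 3, 1), "review_days": 180, "project_end": None},
    {"name": "vendor-integration-x", "owner": "procurement", "purpose": "",
     "last_rotated": date(2024, 4, 1), "rotation_days": 365,
     "last_reviewed": date(2024, 4, 1), "review_days": 180,
     "project_end": date(2024, 4, 30)},
]

# Constructed assessment date used for the run below.
AS_OF = date(2024, 5, 15)


def audit_nhi_inventory(inventory, today):
    """Return {nhi_name: [finding, ...]} for every record that fails a check.

    The checks mirror the evidence an assessor asks for: an accountable owner,
    a documented purpose, rotation within cadence, an access review within
    cadence, and no standing access for integrations whose project has ended.
    """
    findings = {}
    for nhi in inventory:
        issues = []
        if not nhi["owner"]:
            issues.append("no-owner")
        if not nhi["purpose"]:
            issues.append("no-purpose")
        if today - nhi["last_rotated"] > timedelta(days=nhi["rotation_days"]):
            issues.append("rotation-overdue")
        if today - nhi["last_reviewed"] > timedelta(days=nhi["review_days"]):
            issues.append("review-overdue")
        if nhi["project_end"] is not None and today > nhi["project_end"]:
            issues.append("standing-access-after-project-end")
        if issues:
            findings[nhi["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_nhi_inventory(INVENTORY, AS_OF).items():
        print(f"{name}: {', '.join(issues)}")
```

Records that pass every check are omitted from the result, so an empty dictionary is the state to aim for before evidence is requested.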
Why It Matters in NHI Security
CMMC matters because the weakest NHI often becomes the easiest route into regulated defence environments. If service accounts, CI/CD tokens, or shared automation credentials are overprivileged or poorly tracked, an attacker can move through systems without triggering the same controls used for human logins. NHIMG research shows that 97% of NHIs carry excessive privileges and 80% of identity breaches involved compromised non-human identities, which underscores how frequently machine access becomes the real attack path. The Ultimate Guide to NHIs also notes that only 20% of organisations have formal offboarding and revocation processes for API keys, leaving stale access in place long after operational need has ended.
For contractors, this is not merely a security hygiene issue. It can affect eligibility, assessment outcomes, and the ability to sustain a defence contract when evidence is requested. In practice, CMMC turns identity governance into a business requirement, not a back-office task. Organisations typically encounter the consequences only after an audit finding, incident, or bid failure, at which point NHI control and documentation can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | CMMC identity readiness maps to access control and least-privilege governance. |
| NIST CSF 2.0 | PR.AC-4 | CMMC assessments often examine how access is approved, limited, and reviewed. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Secret sprawl and poor credential lifecycle management are core NHI risks under CMMC. |
Centralise, rotate, and revoke non-human credentials before assessment evidence is requested.