By NHI Mgmt Group Editorial Team | Published 2025-06-26 | Domain: Governance & Risk | Source: Zluri

TL;DR: CMMC compliance is a U.S. Department of Defense supply-chain framework that pushes contractors and subcontractors to prove they can protect FCI and CUI through maturity, documentation, and access control discipline, according to Zluri. For identity teams, the practical issue is not certification alone but whether access review, least privilege, and lifecycle processes are actually operating at audit depth.


At a glance

What this is: This guide explains CMMC 2.0 and shows how defence suppliers can meet its three certification levels through cyber hygiene, documented processes, and ongoing assessment.

Why it matters: It matters because CMMC turns identity governance, access reviews, and control evidence into contract-risk issues for teams handling contractor, supplier, and workforce access.

By the numbers:

👉 Read Zluri's guide to CMMC compliance requirements and access review planning


Context

CMMC is a compliance model for defence suppliers, but its real test is whether identity and access controls can prove they are operating continuously, not just at assessment time. For organisations handling FCI or CUI, the question becomes whether access rights, reviews, and documentation are strong enough to withstand audit scrutiny across the full contractor and subcontractor chain.

The article frames CMMC as a ladder of increasing maturity, from basic cyber hygiene to documented processes and higher-assurance controls. That makes it relevant to IAM, IGA, PAM, and machine identity programmes because certification depends on showing that access is governed, not merely granted.


Key questions

Q: What breaks when CMMC access reviews are manual and incomplete?

A: Manual or incomplete access reviews create a documentation gap that can fail both security and certification objectives. Reviewers may approve entitlements they cannot validate, removed access may remain active, and the organisation may be unable to prove control ownership to an assessor. That turns identity governance into a compliance liability rather than a control.

Q: Why do defence suppliers need stronger identity governance for CMMC?

A: CMMC ties contractual eligibility to the organisation’s ability to govern access to FCI and CUI. Strong identity governance matters because it proves who has access, why they have it, and when it is removed. Without that evidence, security teams can have policies on paper while still failing the certification test in practice.

Q: How do organisations know if CMMC-related access controls are working?

A: They should be able to produce current access inventories, complete review records, exception histories, and offboarding evidence without reconstructing them manually. If assessors or internal auditors have to chase multiple systems to verify one account’s status, the control is operating with too much friction and too little assurance.

Q: Who is accountable when subcontractor access remains open after a project ends?

A: The prime contractor remains accountable for proving that delegated access was removed or reduced at the right time, even when the access sat with a third party. In CMMC terms, accountability follows the organisation that claims compliance, not the external party that received the access.


Technical breakdown

CMMC 2.0 and the evidence model behind certification

CMMC 2.0 is not just a list of technical safeguards. It is a certification model that expects organisations to show evidence that each required practice is implemented, and the assurance demanded rises with the level. Level 1 covers the basic safeguarding requirements for FCI and is confirmed by an annual self-assessment. Level 2 aligns to the 110 requirements of NIST SP 800-171 for CUI and, depending on the contract, is confirmed either by self-assessment or by a triennial assessment from a Certified Third-Party Assessment Organization (C3PAO). Level 3 adds a subset of NIST SP 800-172 controls aimed at advanced persistent threats and is assessed by the government. Unlike CMMC 1.0, version 2.0 has no separate process-maturity tiers; what changes between levels is the control set and who verifies it. The operational challenge for identity teams is that evidence must be repeatable, documentable, and available to assessors, which puts access governance, review cadence, and exception handling under direct scrutiny.

Practical implication: Map identity controls to audit evidence before assessment, not after remediation begins.

Why access control becomes a CMMC pressure point

The article repeatedly ties compliance to access control, self-assessment, and documented procedures. That matters because CMMC does not treat access as a one-time provisioning event. It expects organisations to know who can access sensitive information, why they have it, and how that access is reviewed or removed. In practice, access certification, segregation of duties, and role design become part of the compliance story, especially where subcontractors or third parties also touch controlled data.

Practical implication: Review roles, exceptions, and third-party access as part of the certification scope, not as a separate IAM project.

POA&M planning and C3PAO readiness

A Plan of Action and Milestones is the bridge between gaps found in self-assessment and readiness for evaluation by a Certified Third-Party Assessment Organization (C3PAO). It forces teams to identify weaknesses, prioritise them, assign owners, and track progress with dated milestones. For identity governance, the important point is that unresolved access control issues, missing review records, or incomplete offboarding evidence can all become POA&M items. Note the limits: under CMMC 2.0 a POA&M is permitted only for a subset of lower-weighted requirements, a minimum assessment score is still required to qualify, and open items must be closed within 180 days or the conditional certification lapses, so the POA&M is a short remediation runway rather than a place to park findings. The assessor relationship then becomes a proof exercise, not a paperwork exercise.

Practical implication: Use the POA&M to close identity control gaps with owners, deadlines, and evidence artifacts.


Threat narrative

Attacker objective: The objective is to reach sensitive defence information through weakly governed access paths and exploit the resulting control failures.

  1. Entry occurs through supply-chain exposure when a contractor or subcontractor is brought into a defence environment without sufficiently governed access boundaries.
  2. Escalation happens when access rights, documentation, or review records are incomplete, allowing sensitive information to remain available beyond the intended business need.
  3. Impact is loss of compliance posture, contractual friction, and increased exposure of FCI or CUI because governance cannot prove control over who had access and when.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

CMMC is really an identity governance test disguised as a compliance framework. The article focuses on certification, but certification lives or dies on whether access can be explained, reviewed, and revoked across users, vendors, and contractors. That puts IAM, IGA, and third-party access governance in the middle of defence supply-chain assurance. Practitioners should treat CMMC readiness as evidence-backed access governance, not as a standalone security checklist.

The control gap CMMC exposes is not lack of policy, but lack of proof. The guide assumes organisations can document practices, yet many IAM programmes still cannot produce clean access-review, offboarding, or exception histories on demand. That is why CMMC pressure lands hardest on environments with scattered identity data and manual certification workflows. The implication is that auditability has to be built into access governance from the start.

Standing access and slow revocation create compliance debt in defence environments. CMMC’s maturity model rewards organisations that can show ongoing control, but prolonged access lifecycles make that difficult. When subcontractors, service accounts, or shared admin roles persist without disciplined review, the organisation inherits an evidence problem as well as a security problem. Practitioners should assume that every unreviewed entitlement becomes a future compliance finding.

Access review fatigue: In CMMC programmes, repeated reviews without reliable data create a false sense of assurance. If managers approve entitlements they cannot see or do not understand, the certification exercise documents process but not governance. Practitioners should redesign review scope around actual access usage and data sensitivity.

CMMC also widens the conversation beyond human users to machine and third-party identities. The article mentions access controls, automation, and partner ecosystems, which means service accounts and delegated access sit inside the same governance boundary as employee credentials. That matters because defence suppliers rarely fail on one identity type alone. Practitioners should align certification scope to the full identity surface, not just workforce accounts.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, according to Ultimate Guide to NHIs.
  • For a broader control baseline, review Top 10 NHI Issues to see how access sprawl, rotation, and visibility failures show up across programmes.

What this signals

Access-review evidence is becoming a programme-level differentiator: CMMC pushes identity teams to show not just that reviews happen, but that they produce traceable remediation. That shifts IAM from periodic certification into continuous proof generation, which is exactly where manual workflows tend to break down. Teams should expect audit demand for tighter linkage between entitlement, owner, and business justification.

The defence supply chain is forcing a wider view of identity scope. Contractor access, delegated admin rights, and service accounts all sit inside the same assurance boundary once controlled information is involved, so visibility has to expand beyond employee identities. For teams building the next control cycle, the practical signal is whether they can answer who has access, for what contract, and with what expiry condition.

Identity evidence debt: When certification depends on review records, missing offboarding and exception data become a liability that compounds over time. The organisations most exposed are the ones that treat compliance as a point-in-time exercise instead of a maintained access state. Mature programmes will tie each identity event to a durable evidence trail and keep it aligned with the contract lifecycle.


For practitioners

  • Baseline all CMMC-scoped identities: Inventory workforce, contractor, subcontractor, and service identities that can touch FCI or CUI, then tag each entitlement to the relevant contract or data set for audit traceability.
  • Convert access reviews into evidence packs: Capture reviewer, approver, entitlement rationale, and remediation outcome for each certification cycle so the next assessor can trace decisions without manual reconstruction.
  • Use POA&M items to drive identity remediation: Track every missing review, unrevoked account, and undocumented exception as a dated remediation item with an owner and closure evidence.
  • Tighten third-party access boundaries: Limit subcontractor and supplier access to the smallest contract scope possible, and remove access promptly when the business relationship or project phase ends.
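The four practitioner steps above are one procedure: an inventory tagged to contracts, a review that leaves a per-entitlement evidence record, and gaps that become dated POA&M items with an owner. The script below is an added example of that procedure, not code from the Zluri guide or from NHI Mgmt Group. The data model, field names, the 30-day remediation window and the sample inventory are assumptions chosen for illustration; a real programme would load entitlements, review decisions and offboarding status from its IGA, HR and contract systems. It deliberately includes the failure modes the page describes: a subcontractor whose contract ended but whose access is still live, a service account nobody reviewed, an offboarded employee a reviewer approved anyway, and a "keep" with no rationale.

```python
"""Access-review evidence pack and POA&M derivation for CMMC-scoped access.

Added example, not code from the Zluri guide or from NHI Mgmt Group. The
data model, field names, remediation window and sample inventory below are
assumptions made for illustration.
"""
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Entitlement:
    principal: str       # workforce, contractor or service identity
    kind: str            # "workforce" | "contractor" | "service"
    resource: str        # system or data set that holds FCI or CUI
    contract: str        # contract that justifies the access
    contract_end: date   # expiry condition tied to the contract lifecycle
    owner: str           # accountable control owner on the prime's side
    active: bool = True  # still provisioned in the target system


@dataclass(frozen=True)
class ReviewDecision:
    principal: str
    resource: str
    reviewer: str
    decision: str        # "keep" | "revoke"
    rationale: str       # business justification recorded by the reviewer
    reviewed_on: date


def assess(inventory, decisions, cycle_end, offboarded, remediation_days=30):
    """Join inventory and review decisions into one evidence record per
    entitlement, and derive a POA&M item for every gap an assessor would
    otherwise have to reconstruct by hand."""
    by_key = {(d.principal, d.resource): d for d in decisions}
    due = cycle_end + timedelta(days=remediation_days)
    evidence, poam = [], []

    def finding(e, text, needs):
        poam.append({"finding": text, "principal": e.principal,
                     "resource": e.resource, "owner": e.owner,
                     "due": due, "evidence_required": needs})

    for e in inventory:
        d = by_key.get((e.principal, e.resource))
        record = asdict(e)
        record.update(asdict(d) if d else {"reviewer": None, "decision": None,
                                           "rationale": None, "reviewed_on": None})
        evidence.append(record)
        if not e.active:
            continue  # already revoked: nothing to remediate this cycle
        if e.contract_end < cycle_end:
            finding(e, "Access persists past contract end",
                    "deprovisioning ticket and system access export")
        if e.principal in offboarded:
            finding(e, "Offboarded identity still has access",
                    "HR or vendor exit record and deprovisioning ticket")
        if d is None:
            finding(e, "Entitlement not reviewed this cycle", "signed review decision")
        elif d.decision == "revoke":
            finding(e, "Revocation decided but not executed",
                    "deprovisioning ticket and system access export")
        elif d.decision == "keep" and not d.rationale.strip():
            finding(e, "Approval lacks documented rationale",
                    "reviewer rationale tied to a contract need")
    return {"cycle_end": cycle_end, "evidence": evidence, "poam": poam}


# Constructed sample data (assumption: identities, contracts and dates are fictional).
CYCLE_END = date(2025, 6, 30)
OFFBOARDED = {"carol"}
SAMPLE_INVENTORY = [
    Entitlement("alice", "workforce", "cui-share", "C-1001", date(2025, 12, 31), "j.owner"),
    Entitlement("bob-subco", "contractor", "cui-share", "C-0998", date(2025, 3, 31), "j.owner"),
    Entitlement("svc-build", "service", "ci-runner", "C-1001", date(2025, 12, 31), "k.owner"),
    Entitlement("carol", "workforce", "fci-portal", "C-1001", date(2025, 12, 31), "k.owner"),
    Entitlement("dave-subco", "contractor", "cui-share", "C-1001", date(2025, 12, 31), "j.owner"),
]
SAMPLE_DECISIONS = [
    ReviewDecision("alice", "cui-share", "m.reviewer", "keep", "engineer on C-1001 task 3", date(2025, 6, 20)),
    ReviewDecision("bob-subco", "cui-share", "m.reviewer", "revoke", "C-0998 closed 2025-03-31", date(2025, 6, 20)),
    ReviewDecision("carol", "fci-portal", "m.reviewer", "keep", "still on project", date(2025, 6, 20)),
    ReviewDecision("dave-subco", "cui-share", "m.reviewer", "keep", "", date(2025, 6, 20)),
]

if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY, SAMPLE_DECISIONS, CYCLE_END, OFFBOARDED)
    print(json.dumps(result, indent=2, default=str))
```

Run it and the evidence list answers the assessor's question for every entitlement in one record (who, for what contract, until when, reviewed by whom, with what rationale), while the POA&M list carries five dated items: two for the subcontractor whose C-0998 access outlived both the contract and a revoke decision, one for the unreviewed build service account, one for the offboarded employee a reviewer approved, and one for an approval with no rationale. The last two are the "review fatigue" case from the analysis above: the review happened, but it documented process rather than governance, and only the join against HR and contract data exposes that.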

Key takeaways

  • CMMC is as much about identity evidence as it is about technical controls, because assessors need to see who had access, why they had it, and when it was removed.
  • The scale of the governance problem is already visible in NHI practice, where 96% of organisations store secrets outside safe repositories and struggle to keep revocation timely.
  • Defence suppliers should treat access review quality, third-party entitlement scope, and POA&M discipline as core certification work, not supporting admin tasks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-171 is the control baseline CMMC Level 2 is assessed against, the OWASP Non-Human Identity Top 10 addresses the attack and risk surface for service and third-party identities, and NIST CSF 2.0 and NIST SP 800-63 set the governance and assurance requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-171 | 3.1.1, 3.1.2, 3.1.5 (Access Control); 3.9.2 (Personnel Security) | The Level 2 baseline: limit system access to authorised users and functions, enforce least privilege, and protect CUI systems during and after terminations and transfers.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations must be defined in policy, managed, enforced and reviewed, which is exactly what CMMC access governance evidence has to show.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Revocation and rotation failures leave contractor and service-account access persistent beyond business need.
NIST SP 800-63 | SP 800-63A (IAL), SP 800-63B (AAL), SP 800-63C (FAL) | Identity proofing, authentication and federation assurance levels matter where external users touch controlled data.

Apply stronger identity proofing and federation controls for third-party access paths.


Key terms

  • CMMC: The Cybersecurity Maturity Model Certification is a U.S. Department of Defense program that requires contractors to demonstrate defined security practices and, at higher levels, to have that implementation verified by an independent or government assessor. It turns cybersecurity into a certification obligation for organisations handling federal contract information or controlled unclassified information.
  • POA&M: A Plan of Action and Milestones is a structured remediation record that lists security gaps, owners, deadlines, and progress toward closure. In compliance programmes, it becomes evidence that weaknesses are being managed rather than ignored, and it often determines whether an organisation can show controlled improvement over time.
  • Controlled Unclassified Information: Controlled Unclassified Information is sensitive government-related information that is not classified but still requires protection from unauthorised disclosure. In CMMC programmes, handling CUI raises the assurance bar because access, documentation, and remediation controls must be precise enough to survive assessment and contract scrutiny.
  • Access certification: Access certification is the formal review and approval of who should keep access to a system, application, or dataset. In CMMC contexts, it is not just an IAM task. It is a proof point that access decisions are current, justified, and traceable to business need.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: CMMC compliance, an in-depth guide. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org