TL;DR: Defense supply chain trust is moving from self-assertion to third-party verification, as Keyfactor’s CMMC Level 2 certification for its PKIaaS environment shows, with 110 NIST SP 800-171 controls required to handle CUI, according to Keyfactor. The wider lesson is that PKI providers are now judged as trust operators, not just infrastructure suppliers.
At a glance
What this is: Keyfactor’s CMMC Level 2 certification for PKIaaS shows how regulated trust services are being held to the same verification standard as the ecosystems they support.
Why it matters: For IAM and NHI practitioners, this matters because certificate issuance and cryptographic trust are identity controls, and regulated environments increasingly expect them to be auditable by design.
By the numbers:
- CMMC Level 2 is the inflection point. It requires organisations to implement and operate the 110 controls of NIST SP 800-171, validating their ability to protect Controlled Unclassified Information (CUI).
👉 Read Keyfactor's post on CMMC Level 2 certification for PKIaaS
Context
CMMC turns cybersecurity into a participation requirement, not just an internal control exercise. In the defense supply chain, trust is distributed across primes, subcontractors, vendors, and service providers, so assurance has to extend beyond first-party boundaries into every service that handles sensitive data.
For identity and access teams, PKI sits in the same governance plane as workload identity, service authentication, and cryptographic trust. When certificate services are part of the supply chain, the question is no longer only whether the platform works, but whether its operating model can withstand independent scrutiny.
This is a PKI and compliance story, but it is also an identity governance story. The article’s starting point is typical for regulated infrastructure providers: compliance is not treated as a side effect of security, it is treated as a condition of trust in the ecosystem.
Key questions
Q: How should security teams govern PKI services in regulated environments?
A: Treat PKI as identity infrastructure with formal ownership, evidence, and lifecycle controls. Require documented operating procedures for issuance, renewal, revocation, and exception handling, and make third-party assessment a procurement condition when certificates support regulated workloads or sensitive data.
Q: Why does third-party verification matter more than self-attestation for trust services?
A: Because trust services influence other systems’ security posture, claims are not enough. Third-party verification forces organisations to prove controls are operating consistently, which is more defensible in audits, supply chain reviews, and regulated environments than internal assurance alone.
Q: What breaks when certificate lifecycle management is handled informally?
A: Renewals, revocations, and exception handling become inconsistent, which creates hidden trust exposure and audit gaps. In regulated environments, that inconsistency can undermine confidence in the entire cryptographic trust chain, even if the underlying technology is sound.
Q: Who is accountable when a regulated PKI provider fails an assurance review?
A: Accountability sits with both the provider and the customer’s vendor governance process. The provider must maintain control operation and evidence, while the customer must decide whether the assurance level is sufficient for the sensitivity and regulatory burden of the workload.
Technical breakdown
Why CMMC changes the trust model for PKI services
CMMC is not just a control checklist. It is a mechanism for shifting trust from internal claims to externally verified operating practice, which matters when a provider handles cryptographic identities that support authentication, encryption, and access control. PKI providers are especially sensitive because the trust they issue becomes embedded in other systems and other organisations. Once certificate operations support regulated environments, the provider inherits the burden of proving repeatable security behaviour, not merely asserting it.
Practical implication: Practitioners should treat certificate services as regulated trust infrastructure and require independent assurance before allowing them into critical supply chains.
What third-party assessment changes in compliance governance
The move from self-attestation to accredited third-party assessment changes the governance baseline. It forces organisations to demonstrate that controls are not just documented but operationalised consistently, which is a different test from passing a point-in-time audit. In practice, that means evidence quality, process repeatability, and accountability mechanisms matter as much as the control list itself. For identity programmes, this is the same shift seen in access governance when review workflows move from informal sign-off to auditable, policy-driven certification.
Practical implication: Teams should evaluate vendors on evidence quality and operating consistency, not on stated compliance intent alone.
Why automated compliance becomes part of identity architecture
The article links certification to automation because manual processes do not scale well in regulated environments. That is especially true for PKI, where certificate lifetimes, renewal timing, and service dependencies can change faster than human review cycles. The architectural takeaway is that compliance and identity operations converge when trust services must remain both measurable and resilient. The more cryptographic systems support modern infrastructure, the more the governance model must assume continuous verification rather than periodic clean-up.
Practical implication: Build policy-driven certificate and identity processes that produce auditable evidence continuously, not only during assessment windows.
NHI Mgmt Group analysis
PKI providers are now being judged as trust operators, not just infrastructure vendors. When certificate services underpin device identity, workload authentication, and encrypted communications, the provider becomes part of the customer’s control plane. That means the security posture of the trust service itself affects downstream identity assurance. Practitioners should evaluate PKI as regulated identity infrastructure, not as a background utility.
Continuous auditability is becoming the real compliance benchmark. The article shows that certification is less important than the operating model required to earn it. CMMC Level 2 rewards organisations that can demonstrate repeatable controls under independent scrutiny, which is the same standard modern identity governance should use for privileged and cryptographic services. Practitioners should assume evidence quality is a control, not an afterthought.
Trust externalisation is the defining supply chain problem. The defense ecosystem no longer fails only at the prime contractor boundary; it fails wherever a vendor handles sensitive information without the same discipline expected of the customer. That creates a governance expectation that third-party services must meet the same assurance bar as the environment they support. Practitioners should align vendor onboarding to the same standard they would apply to internal regulated systems.
Lifecycle discipline matters more when trust services are shared across customers. Certificates, keys, and service identities all require clear ownership, repeatable renewal, and revocation paths, because unmanaged persistence creates hidden trust debt. In regulated environments, the control gap is not merely technical misconfiguration but incomplete lifecycle governance across the trust stack. Practitioners should treat certificate lifecycle as a governed asset with explicit accountability.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle governance remains across machine identities.
- That lifecycle gap is why teams should use the NHI Lifecycle Management Guide to structure revocation, renewal, and ownership before regulated trust services go live.
What this signals
PKI assurance is converging with identity governance. As certificate services become part of regulated ecosystems, security teams should expect PKI evidence, lifecycle controls, and auditability to be reviewed alongside service accounts and privileged access. The practical shift is toward treating trust services as governed identity assets, not static infrastructure components.
The broader signal is that compliance programmes are moving from periodic proof to continuous proof. That is consistent with the way identity programmes already think about access reviews and lifecycle controls, and it will push vendors and internal teams toward evidence that can be produced on demand, not reconstructed after the fact.
With only 5.7% of organisations reporting full visibility into their service accounts, according to the Ultimate Guide to NHIs, the same visibility problem will surface anywhere cryptographic trust is treated as background infrastructure. This is cryptographic trust debt: when certificate services and secrets lifecycles are not governed with the same rigour as human access, assurance decays faster than most audit cycles can detect.
For practitioners
- **Map PKI services into your identity control plane.** Classify certificate issuance, renewal, and revocation as identity governance functions rather than infrastructure housekeeping. Put ownership, evidence, and audit expectations in the same programme that governs service accounts and privileged access.
- **Demand third-party evidence, not self-assertion.** Require externally verifiable assessment results for vendors that handle cryptographic trust, especially where CUI or regulated data is in scope. Review the control environment, not just the certification badge.
- **Automate compliance evidence collection.** Build workflows that record control operation continuously, including change records, access events, and renewal actions. That reduces audit scrambling and makes exceptions visible before assessment windows open.
- **Align certificate lifecycle with governance review.** Ensure revocation, renewal, and exception handling are reviewed as part of normal identity governance rather than handled ad hoc by platform teams. Use the NHI Lifecycle Management Guide to anchor lifecycle ownership and escalation paths.
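As an added illustration of the last two points (continuous evidence collection and governed certificate lifecycle), and of the lifecycle-discipline argument in the analysis above, here is a small Go audit. It is example code written for this page, not code from Keyfactor or from the original post. It parses X.509 certificates, checks each against an illustrative lifecycle policy (an assumed 398-day maximum validity and 30-day renewal window), records whether an accountable owner exists, and emits one evidence record per certificate. The certificates are minted inline as constructed test data; a real run would read them from the CA database, a discovery scan, or live TLS endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LifecyclePolicy holds the governance thresholds the audit enforces.
// The numbers used below are illustrative assumptions, not values from the article.
type LifecyclePolicy struct {
	MaxValidity   time.Duration // longest lifetime the policy tolerates
	RenewalWindow time.Duration // renewal is due once less than this remains
}

// Finding is the evidence record for one certificate: what was checked,
// when, who owns it, and which lifecycle controls it fails.
type Finding struct {
	Subject   string
	Owner     string
	CheckedAt time.Time
	NotAfter  time.Time
	Issues    []string
}

// Compliant reports whether the certificate passed every lifecycle check.
func (f Finding) Compliant() bool { return len(f.Issues) == 0 }

// AuditCert parses one PEM certificate and evaluates it against the policy.
// owner is the accountable team recorded in the inventory ("" if unknown).
func AuditCert(pemData []byte, owner string, now time.Time, p LifecyclePolicy) (Finding, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("input does not contain a CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, fmt.Errorf("parse certificate: %w", err)
	}
	f := Finding{Subject: cert.Subject.CommonName, Owner: owner, CheckedAt: now, NotAfter: cert.NotAfter}
	if owner == "" {
		// An unowned certificate has no one to approve renewal or revocation.
		f.Issues = append(f.Issues, "no accountable owner recorded")
	}
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining <= 0:
		f.Issues = append(f.Issues, "expired")
	case remaining < p.RenewalWindow:
		f.Issues = append(f.Issues, fmt.Sprintf("renewal due: %d days remaining", int(remaining.Hours()/24)))
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		f.Issues = append(f.Issues, "validity period exceeds policy maximum")
	}
	return f, nil
}

// MintTestCert creates a self-signed ECDSA P-256 certificate. This is
// constructed test data for the example only, not a production CA routine.
func MintTestCert(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2026, 1, 22, 0, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	day := 24 * time.Hour
	policy := LifecyclePolicy{MaxValidity: 398 * day, RenewalWindow: 30 * day}
	// Constructed inventory: hostnames and owners are hypothetical.
	inventory := []struct {
		pem   []byte
		owner string
	}{
		{MintTestCert("api.internal.example", now.Add(-300*day), now.Add(65*day)), "platform-team"},
		{MintTestCert("legacy-batch.example", now.Add(-700*day), now.Add(20*day)), ""},
		{MintTestCert("old-build-agent.example", now.Add(-400*day), now.Add(-5*day)), "ci-team"},
	}
	for _, item := range inventory {
		f, err := AuditCert(item.pem, item.owner, now, policy)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-25s owner=%-16q compliant=%-5v issues=%v\n", f.Subject, f.Owner, f.Compliant(), f.Issues)
	}
}
```

Each Finding is the kind of record an assessor can be shown on demand: the clock used, the expiry observed, the owner of record, and the specific control that failed. Running it on a schedule and retaining the output is what turns "we renew certificates" from a policy statement into continuously produced evidence.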
Key takeaways
- CMMC Level 2 matters because it shifts PKI from a technical utility into regulated trust infrastructure that must be independently verifiable.
- **The compliance signal is as important as the control list.** What this article reveals is that customers increasingly need evidence of repeatable operation, not just policy language.
- Identity teams should bring certificate lifecycle, evidence collection, and vendor assurance into the same governance model used for NHI and privileged access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (Identity Management, Authentication, and Access Control) | PKI controls govern the credentials behind authenticated access and trust relationships in regulated environments. |
| NIST Zero Trust (SP 800-207) | Section 2.1 (Tenets of Zero Trust) | Certificate trust underpins per-session verification of devices and workloads. |
| OWASP Non-Human Identity Top 10 | NHI-03 (Vulnerable Third-Party NHI) | A third-party PKI service is itself an NHI dependency; its assurance level and the lifecycle controls on the identities it issues flow directly into the customer's NHI governance. |
Map certificate trust services to access governance and require auditable control operation.
Key terms
- Public Key Infrastructure: Public Key Infrastructure is the system used to issue, manage, validate, and revoke digital certificates and keys. In identity programmes, it underpins machine trust, encrypted communication, and authentication decisions, so its governance affects both security posture and operational reliability.
- Controlled Unclassified Information: Controlled Unclassified Information is sensitive government-related information that is not classified but still requires protection and controlled handling. Compliance regimes such as CMMC use it as a trigger for stronger security, auditability, and supplier assurance across the defence ecosystem.
- Certificate Lifecycle: Certificate lifecycle is the full sequence of issuing, renewing, rotating, and revoking certificates. In regulated environments, weak lifecycle discipline creates hidden trust exposure because orphaned certificates that were never revoked remain valid, and expired ones are still honoured by clients that do not enforce validity checks, long after ownership should have changed.
- Third-Party Assessment: Third-party assessment is an independent review of whether controls operate as claimed. It matters in trust services because customers need evidence that security is being performed consistently, not simply documented, especially when the service sits inside a regulated supply chain.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: Keyfactor achieves CMMC Level 2 for PKIaaS. Read the original.
Published by the NHIMG editorial team on 2026-01-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org