TL;DR: CMMC compliance is moving from policy discussion to contract condition, with Level 1, 2, and 3 requirements mapped to FAR 52.204-21, NIST SP 800-171 Rev. 2, and NIST SP 800-172 as the DoD phases in enforcement through 2028. The real governance challenge is not documentation alone but proving access control, authentication, logging, and segmentation actually reduce exposure across contractor environments.
NHIMG editorial — based on content published by Zero Networks: CMMC Compliance: How to Meet New Cybersecurity Requirements
By the numbers:
- The average cost of a data breach in the United States hit a record high of $10.22 million in 2025, a 9% year-over-year increase.
- CMMC Level 2 requires 110 requirements across 14 categories, including access control, audit and accountability, identification and authentication, and incident response.
- CMMC implementation began on November 10, 2025, and will roll out in four phases over three years.
Questions worth separating out
Q: What fails when CMMC scope is not tied to identity ownership?
A: When CMMC scope is not tied to identity ownership, organisations usually discover too late that service accounts, shared credentials, and third-party access were never mapped to the systems handling FCI or CUI.
Q: Why do IAM controls matter so much in CMMC assessments?
A: IAM controls matter because CMMC depends on proving that only authorised users and systems can access contract data.
Q: How do organisations know whether CMMC controls are operating effectively?
A: Organisations know CMMC controls are operating effectively when they can produce current evidence, such as assessment results, audit logs, and maintained SSP and POA&M records, that match the actual environment.
Practitioner guidance
- Map contract systems to identity ownership Identify every system that processes, stores, or transmits FCI or CUI, then assign explicit ownership for each human and non-human identity that can access it.
- Close MFA and credential management gaps first Verify MFA coverage, unique user identification, and credential lifecycle controls before the next self-assessment or third-party review.
- Tie segmentation to contract-scoped blast radius Use microsegmentation and explicit network boundaries to isolate systems that handle federal information from the rest of the environment.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- The exact mapping between CMMC levels and the underlying FAR 52.204-21, NIST SP 800-171 Rev. 2, and NIST SP 800-172 requirements.
- The assessment cadence and affirmation workflow for Level 1, Level 2, and Level 3, including where self-assessment ends and third-party review begins.
- The specific control areas the vendor highlights for CMMC readiness, including access control, audit, identification and authentication, and incident response.
- The vendor's view of how automated microsegmentation is positioned against CMMC readiness requirements.
👉 Read Zero Networks' analysis of CMMC compliance requirements and rollout phases →
CMMC compliance and identity controls: what IAM teams need to know?
Explore further
CMMC is effectively an identity governance test disguised as a compliance programme. The framework treats access control, authentication, and auditability as proof that an organisation can safely handle federal information. That makes identity the operational centre of gravity, especially where contractors rely on shared systems, third-party access, or non-human identities to move work across environments. Practitioners should read CMMC as a mandate to prove control over who and what can act in scope.
A question worth separating out:
Q: Who is accountable when a contractor fails a CMMC requirement?
A: The contractor is accountable for meeting the CMMC level required by the contract, even when subcontractors, managed service providers, or automation systems contribute to the failure. Because CMMC is enforced through acquisition clauses, accountability extends to the full supply chain that touches the in-scope environment.
👉 Read our full editorial: CMMC compliance puts identity and access controls back at the center