TL;DR: CMMC 2.0 shifts defense contractors from claimed compliance to verified proof, with identity controls, audit trails, and evidence of enforced access rules now central to bid eligibility under the DoD’s assessment model. Secret Double Octopus frames the biggest risk as inconsistent identity enforcement across legacy systems, shared accounts, remote access, and privileged workflows, where proof is often weaker than policy.
NHIMG editorial — based on content published by Secret Double Octopus: CMMC 2.0 and the Identity Imperative: What Defense Contractors Need to Know
By the numbers:
- Only 4% of contractors were actually prepared for formal assessment while 75% believed they were compliant.
- For Level 2 compliance, all 110 requirements across these 14 domains must be implemented, documented in a System Security Plan (SSP), and verifiable by an assessor.
- Level 1 applies to organizations that handle Federal Contract Information (FCI), and approximately 63% of DIB contractors fall into this category.
Questions worth separating out
Q: What fails in CMMC assessments when identity controls are only documented and not enforced?
A: When identity controls exist only on paper, assessors cannot verify that access was actually limited, authenticated, and logged.
Q: Why do shared accounts create more CMMC risk than many teams expect?
A: Shared accounts remove accountability, which means you cannot prove who accessed CUI, who changed a system, or who triggered a risky event.
Q: How do security teams know whether MFA is strong enough for CMMC 2.0?
A: MFA is strong enough when it is enforced for the required access paths, documented in the SSP, and technically resistant to replay where the control calls for it.
Practitioner guidance
- Inventory every identity path to CUI and FCI. Trace cloud, legacy, remote, and shop-floor access paths end to end, then classify each one by whether it can be authenticated, controlled, and logged with assessor-ready evidence.
- Eliminate shared accounts on sensitive access paths. Replace shared logins with uniquely attributable identities for VPN, RDP, SSH, and administrative workflows so that access can be traced to a single accountable user.
- Prove MFA enforcement, not just deployment. Capture technical evidence that MFA is required for privileged and remote access, then verify that legacy systems and cloud services use a replay-resistant method where CMMC requires it.
What's in the full article
Secret Double Octopus' full blog post covers the operational detail this post intentionally leaves for the source:
- How its identity approach maps to CMMC identity, access, and audit expectations across legacy and remote paths
- Specific implementation detail for privileged access, login enforcement, and evidence capture in assessment-ready environments
- The source article's full breakdown of CMMC levels, control domains, and how contractors should scope in-scope systems
- Practical discussion of where MFA, shared accounts, and audit logs become assessment blockers in real deployments
👉 Read Secret Double Octopus' CMMC 2.0 identity and compliance guide →
CMMC 2.0 identity evidence: are your controls truly audit-ready?
Explore further
Identity evidence, not just identity policy, is the new compliance boundary. CMMC 2.0 rewards what can be demonstrated under assessment, which means user-level proof of authentication, access control, and auditability matters more than written intent. In defence contracting, the control is not real unless it is visible, attributable, and repeatable across every system that touches FCI or CUI. Practitioners should treat evidence generation as part of the control itself.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when a contractor cannot prove identity controls during a CMMC assessment?
A: The organisation pursuing the contract is accountable, because CMMC is about verified compliance at the contractor level, not delegated assurance. The accountable teams are usually IAM, PAM, security operations, and compliance working together. If the evidence chain is incomplete, the bid eligibility risk sits with the contractor, not the assessor.
👉 Read our full editorial: CMMC 2.0 makes identity evidence the real test for defense contractors