TL;DR: Defense contractors pursuing CMMC Level 2 are finding that access control, identification, authentication, and auditability break down most often at the administrative layer, where VPNs, static SSH keys, shared accounts, and fragmented cloud access patterns create assessment friction, according to Teleport and Coalfire. The underlying issue is not the control language but the assumption that administrative access can be enforced consistently across hybrid environments without identity-native session control.
NHIMG editorial — based on content published by Teleport: Modernizing Administrative Access for CMMC Level 2
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams modernize privileged access for CMMC Level 2 environments?
A: Security teams should move privileged access to an identity-native model where every admin session is tied to a verified identity, issued with short-lived credentials, and logged centrally.
Q: Why do static SSH keys and shared admin accounts create compliance risk?
A: They create risk because they are reusable, hard to attribute, and often remain active long after the operational need has passed.
Q: What breaks when privileged access is split across multiple tools and platforms?
A: The evidence chain breaks first.
Practitioner guidance
- Map every administrative path to a verified identity: inventory VPN, bastion, SSH, RDP, kubectl, and cloud console paths, then require each to terminate in a user or workload identity that can be traced in audit logs.
- Eliminate standing privileged access where possible: replace shared admin accounts and persistent SSH keys with short-lived, session-scoped access that expires when the task ends and leaves a clean evidence trail.
- Centralise audit evidence at the access broker: route privileged sessions through one control point so authentication, authorization, MFA, and session activity can be exported together for assessor review.
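As an added example (not Teleport's or NHIMG's code), the checks below run over constructed, hypothetical session records of the kind a central access broker could export and map each gap to the AC, IA or AU control family the guidance above refers to; the record field names, the 8-hour credential lifetime policy and the shared-login list are assumptions.

```python
from datetime import datetime, timedelta

# Added example (not Teleport's code). Record fields are assumptions about what a
# central access broker could export; the sample records below are constructed.
MAX_CRED_TTL = timedelta(hours=8)  # assumed policy: session credentials outlive no shift
SHARED_LOGINS = {"root", "admin", "ubuntu"}  # assumed non-attributable OS logins

SAMPLE_SESSIONS = [  # constructed sample records
    # Broker-mediated SSH session: identity bound, MFA, 8h certificate, recorded.
    {"session_id": "s1", "identity": "alice@example.com", "login": "alice", "mfa": True,
     "cred_issued": "2026-01-10T09:00:00Z", "cred_expires": "2026-01-10T17:00:00Z",
     "path": "ssh", "recorded": True},
    # Legacy VPN + root over a static key: no identity, no MFA, no expiry, no recording.
    {"session_id": "s2", "identity": None, "login": "root", "mfa": False,
     "cred_issued": "2025-01-01T00:00:00Z", "cred_expires": None,
     "path": "vpn+ssh", "recorded": False},
    # Attributed kubectl session, but the credential lives for a month.
    {"session_id": "s3", "identity": "bob@example.com", "login": "bob", "mfa": True,
     "cred_issued": "2026-01-01T00:00:00Z", "cred_expires": "2026-01-31T00:00:00Z",
     "path": "kubectl", "recorded": True},
]

def _ts(value):
    """Parse an ISO-8601 UTC timestamp; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_session(rec):
    """Return (control family, finding) tuples for one session record."""
    findings = []
    if not rec.get("identity"):
        if rec.get("login") in SHARED_LOGINS:
            findings.append(("AC", f"shared login '{rec['login']}' with no attributed identity"))
        else:
            findings.append(("IA", "no verified identity bound to session"))
    if not rec.get("mfa"):
        findings.append(("IA", "MFA not enforced for privileged session"))
    issued, expires = _ts(rec.get("cred_issued")), _ts(rec.get("cred_expires"))
    if issued is None or expires is None:
        findings.append(("AC", "credential has no bounded lifetime (standing access)"))
    elif expires - issued > MAX_CRED_TTL:
        findings.append(("AC", f"credential lifetime {expires - issued} exceeds policy"))
    if not rec.get("recorded"):
        findings.append(("AU", "session activity not captured at the broker"))
    return findings

def evidence_report(sessions):
    """Map session_id -> findings; an empty list means the record is assessor-ready."""
    return {s["session_id"]: check_session(s) for s in sessions}
```

Running `evidence_report(SAMPLE_SESSIONS)` leaves the brokered session clean, flags the legacy root-over-VPN session under all three families, and flags the month-long kubectl credential as standing access even though it is attributed and MFA-backed.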
What's in the full article
Teleport's full blog post covers the operational detail this post intentionally leaves for the source:
- The control-by-control mapping to AC, IA, and AU families, including how the vendor positions each capability.
- The administrative session architecture with proxy-mediated access, short-lived certificates, and centralized audit collection.
- The readiness and migration considerations for brownfield environments that still rely on VPNs, bastions, and static keys.
- The operational examples showing how evidence is assembled for assessors across cloud and hybrid systems.
👉 Read Teleport's analysis of modernizing administrative access for CMMC Level 2 →
CMMC Level 2 administrative access: what IAM teams need to know
Identity-native administrative access is now a CMMC evidence problem, not just an access problem. The article shows that the core assessment friction sits where static, perimeter-based administration meets modern hybrid infrastructure. VPNs, bastions, and shared credentials can function operationally while still failing the assessor's need for uniform attribution and least-privilege evidence. The implication is that compliance teams must treat administrative access as a governed identity flow, not a network convenience.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Another finding from the same survey shows that only 13% of organisations feel extremely prepared for the reality of agentic AI, which helps explain why control models are lagging behind deployment.
A question worth separating out:
Q: Who is accountable when administrative access controls fail in CMMC assessments?
A: Accountability sits with the organisation that owns the access architecture, not with the individual tool in the stack. Under CMMC, teams must be able to show enforced identity, scoped privilege, and complete auditability across the full administrative path, or the control failure becomes an organisational governance issue.
👉 Read our full editorial: Modernizing administrative access for CMMC Level 2 compliance