Phishing-resistant MFA for CMMC: what DIB teams need to prove


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: CMMC Level 2 and Level 3 assessments increasingly depend on phishing-resistant MFA, with NIST SP 800-63B setting the authenticator and verifier-binding expectations that CISA also reinforces for high-assurance access in defense industrial base environments. The real issue is that compliance now hinges on proving cryptographic authentication behavior, not just claiming MFA exists.

NHIMG editorial — based on content published by Axiad: MFA & Russian Dolls, understanding CMMC compliance and phishing-resistant authentication

By the numbers:

  • CMMC compliance deadlines for DoD contractors will begin appearing in contracts starting in early to mid-2025, with full implementation expected by 2028.
  • The DoD will embed CMMC requirements into all contracts by 2029.

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for CMMC-scoped systems?

A: Start by identifying which access paths touch CUI or FCI, then require phishing-resistant methods for those paths rather than treating all MFA as equivalent.

Q: Why does basic MFA often fall short for CMMC compliance?

A: Basic MFA can prove that a user used two factors, but it does not always prove that the authentication channel was resistant to phishing or verifier impersonation.

Q: How do you know if your authentication controls are actually phishing resistant?

A: Test whether the authenticator is cryptographically tied to the intended site or application and whether a fraudulent verifier can still complete the exchange.

Practitioner guidance

  • Inventory all authentication paths used for CMMC-scoped systems: document every login flow that reaches Federal Contract Information or Controlled Unclassified Information, including interactive users, federation hops, and any privileged access path that lands in the same environment.
  • Map each path to an assurance level in NIST 800-63B: tie each identity flow to AAL1, AAL2, or AAL3 and record the evidence that supports that classification.
  • Prioritise phishing-resistant methods for regulated access: use FIDO passkeys or TLS certificate-based authentication where CMMC scope and sensitivity justify the higher assurance requirement.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The CMMC level-by-level authentication references that show how audit expectations change across Level 1, Level 2, and Level 3.
  • The NIST 800-63B details behind AAL2 and AAL3, including which factors and binding methods satisfy higher assurance.
  • The CISA phrasing on phishing-resistant MFA and the exact conditions under which FIDO passkeys or TLS certificates qualify.
  • The specific cryptographic storage examples, including TPM, TEE, secure element, and keychain storage.

👉 Read Axiad's analysis of phishing-resistant MFA requirements for CMMC compliance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant MFA has become an assurance problem, not a feature problem. The article shows that CMMC is moving the conversation from whether MFA exists to whether the authentication method can survive verifier impersonation and replay. That is a governance shift, because the control is no longer judged by presence alone but by cryptographic behavior and auditable proof. Practitioners should treat this as a higher bar for identity evidence, not a marketing category.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.

A question worth separating out:

Q: Which frameworks should guide identity assurance for CMMC environments?

A: NIST SP 800-63B should anchor authentication assurance, while NIST Cybersecurity Framework 2.0 helps structure the broader governance model. For regulated defence work, the useful test is whether policy, architecture, and logging all support the same assurance story across the systems in scope.

👉 Read our full editorial: CMMC phishing-resistant MFA is now a contract readiness issue

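The two checks both posts describe, that the authenticator is cryptographically tied to the intended site (so a fraudulent verifier cannot complete the exchange) and that a captured exchange cannot be replayed, as an added Go example that is not part of the original thread or of Axiad's article. It simulates a FIDO2/WebAuthn authenticator and a relying party in one process: the browser, not the page, records the origin in clientDataJSON, the authenticator signs over it, and the relying party rejects any assertion whose recorded origin is not its own or whose challenge it did not just issue. The hostnames portal.example and evil.example, the function names, and the trimmed authenticatorData layout are constructed for illustration; a production verifier also checks rpIdHash, the user-verification flag, the signature counter, and attestation at registration, which this example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// The verdict names which property failed, so the rejection reason is auditable.
var (
	ErrChallengeNotPending = errors.New("challenge unknown or already consumed (replay)")
	ErrOriginMismatch      = errors.New("browser origin is not the relying party origin (phishing)")
	ErrBadSignature        = errors.New("malformed response or signature does not verify")
)
// ClientData mirrors WebAuthn CollectedClientData; the browser, not the page, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is a trimmed-down WebAuthn authentication response.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature         []byte // ECDSA over SHA-256(authenticatorData || SHA-256(clientDataJSON))
}

// Sign plays the authenticator (constructed stand-in for a FIDO2 key scoped to rpID); browserOrigin is the origin the browser really loaded.
func Sign(key *ecdsa.PrivateKey, rpID, challenge, browserOrigin string) Assertion {
	cdJSON, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // UP flag set, signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return Assertion{ClientDataJSON: cdJSON, AuthenticatorData: authData, Signature: sig}
}

// signedDigest is the value both sides compute: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// RelyingParty is the verifier side: the CMMC-scoped application.
type RelyingParty struct {
	Origin  string
	pubKey  *ecdsa.PublicKey
	pending map[string]bool // challenges issued and not yet consumed
}
// NewChallenge issues a fresh single-use nonce.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify applies, in order, the checks that make the exchange phishing- and replay-resistant.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd ClientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" {
		return ErrBadSignature
	}
	if !rp.pending[cd.Challenge] { // 1. must be a challenge we issued; consumed on any attempt
		return ErrChallengeNotPending
	}
	delete(rp.pending, cd.Challenge)
	if cd.Origin != rp.Origin { // 2. origin binding: where the browser really was
		return ErrOriginMismatch
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return ErrBadSignature // 3. the signature ties authData and clientData together
	}
	return nil
}

// RunScenarios returns the verdicts for a legitimate login, an AiTM phishing relay, and a replay.
func RunScenarios() (legit, phish, replay error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	rp := &RelyingParty{Origin: "https://portal.example", pubKey: &key.PublicKey, pending: map[string]bool{}}
	good := Sign(key, "portal.example", rp.NewChallenge(), "https://portal.example")
	legit = rp.Verify(good)
	// AiTM proxy relays a genuine challenge, but the victim's browser is on evil.example.
	phish = rp.Verify(Sign(key, "portal.example", rp.NewChallenge(), "https://evil.example"))
	replay = rp.Verify(good) // the captured assertion is submitted a second time
	return
}

func main() {
	fmt.Println(RunScenarios())
}
```

Two design points worth carrying into a real deployment: the challenge is deleted from the pending set on every attempt, successful or not, so an attacker who triggers a failed origin check cannot retry with the same nonce; and the origin comparison is an exact string match against the relying party's own origin, which is the property an assessor can test directly by standing up a proxy on a second hostname and confirming the assertion is refused. A push-approval or OTP scheme has no field in which the browser records where the user actually was, which is why it cannot pass this test however many factors it collects.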