TL;DR: Defense supply chain trust is moving from self-assertion to third-party verification, as Keyfactor’s CMMC Level 2 certification for its PKIaaS environment shows, with 110 NIST SP 800-171 controls required to handle CUI, according to Keyfactor. The wider lesson is that PKI providers are now judged as trust operators, not just infrastructure suppliers.
NHIMG editorial — based on content published by Keyfactor: Keyfactor achieves CMMC Level 2 for PKIaaS
By the numbers:
- CMMC Level 2 is the inflection point. It requires organizations to implement and operate 110 controls aligned with NIST SP 800-171, validating their ability to protect Controlled Unclassified Information (CUI).
Questions worth separating out
Q: How should security teams govern PKI services in regulated environments?
A: Treat PKI as identity infrastructure with formal ownership, evidence, and lifecycle controls.
Q: Why does third-party verification matter more than self-attestation for trust services?
A: Because a trust service's failures propagate to every system that relies on its certificates, a vendor's own claims about its controls are not sufficient evidence.
Q: What breaks when certificate lifecycle management is handled informally?
A: Renewals, revocations, and exception handling become inconsistent, which creates hidden trust exposure and audit gaps.
Practitioner guidance
- Map PKI services into your identity control plane. Classify certificate issuance, renewal, and revocation as identity governance functions rather than infrastructure housekeeping.
- Demand third-party evidence, not self-assertion. Require externally verifiable assessment results for vendors that handle cryptographic trust, especially where CUI or regulated data is in scope.
- Automate compliance evidence collection. Build workflows that record control operation continuously, including change records, access events, and renewal actions.
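The following is an added example, not code from Keyfactor or from the original post, of what the guidance above looks like in practice: a scheduled review job walks a certificate inventory, flags the lifecycle failures described earlier (renewals due, revoked certificates still deployed, expired exceptions), and appends every finding to a hash-chained evidence log so an assessor can check that the record was not edited after the fact. The inventory records, policy values, hostnames and serials are all constructed for illustration; the hash-chaining is one design choice for tamper-evident evidence, not something the source prescribes.

```python
"""Certificate lifecycle review with a hash-chained evidence log (added example).

Everything below is constructed: the inventory, the renewal window and the
hostnames are illustrative and do not describe any real PKI deployment.
"""
import hashlib
import json
from datetime import date, timedelta

RENEWAL_WINDOW_DAYS = 30          # assumed policy: start renewal 30 days before expiry
AS_OF = date(2025, 6, 1)          # constructed "today" for the worked run

# Constructed inventory in the shape an asset or CLM export might take.
INVENTORY = [
    {"serial": "01", "subject": "svc-a.example.internal", "not_after": "2025-07-01",
     "revoked": False, "deployed": True, "exception_until": None},
    {"serial": "02", "subject": "svc-b.example.internal", "not_after": "2025-06-10",
     "revoked": False, "deployed": True, "exception_until": None},
    {"serial": "03", "subject": "svc-c.example.internal", "not_after": "2026-01-01",
     "revoked": True, "deployed": True, "exception_until": None},
    {"serial": "04", "subject": "legacy.example.internal", "not_after": "2025-05-01",
     "revoked": False, "deployed": True, "exception_until": "2025-05-20"},
    {"serial": "05", "subject": "svc-d.example.internal", "not_after": "2026-03-01",
     "revoked": False, "deployed": True, "exception_until": None},
]


def review(inventory, today):
    """Classify each certificate; returns [(serial, finding_code), ...]."""
    findings = []
    for cert in inventory:
        not_after = date.fromisoformat(cert["not_after"])
        exc = cert["exception_until"]
        exc_until = date.fromisoformat(exc) if exc else None
        if cert["revoked"] and cert["deployed"]:
            # Revocation was recorded but the certificate is still in service:
            # the trust decision and the deployed state disagree.
            findings.append((cert["serial"], "REVOKED_STILL_DEPLOYED"))
        elif not_after < today:
            if exc_until is None:
                findings.append((cert["serial"], "EXPIRED_NO_EXCEPTION"))
            elif exc_until >= today:
                findings.append((cert["serial"], "EXPIRED_UNDER_EXCEPTION"))
            else:
                # An exception was granted but has itself lapsed: a gap an
                # informal process tends to lose track of.
                findings.append((cert["serial"], "EXCEPTION_LAPSED"))
        elif not_after - today <= timedelta(days=RENEWAL_WINDOW_DAYS):
            findings.append((cert["serial"], "RENEWAL_DUE"))
    return findings


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry without its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(log, record, actor):
    """Append an evidence record linked to the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"seq": len(log), "actor": actor, "record": record, "prev": prev}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """True only if every entry's hash and back-link check out in order."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def run_review(inventory, today, actor="clm-review-job"):
    """Run the review and return the evidence log it produced."""
    log = []
    for serial, code in review(inventory, today):
        record = {"type": "finding", "serial": serial, "code": code,
                  "as_of": today.isoformat()}
        append_record(log, record, actor)
    return log


def tamper(log, seq, new_code):
    """Return a deep copy of the log with one finding silently changed."""
    altered = json.loads(json.dumps(log))
    altered[seq]["record"]["code"] = new_code
    return altered


if __name__ == "__main__":
    evidence = run_review(INVENTORY, AS_OF)
    for e in evidence:
        print(e["seq"], e["record"]["serial"], e["record"]["code"], e["hash"][:12])
    print("log intact:", verify_log(evidence))
```

Running it against the constructed inventory yields four findings (two renewals due, one revoked certificate still deployed, one lapsed exception) and a log that verifies; changing any stored finding, or dropping an entry, makes `verify_log` return False. In a real deployment the log would be written to storage the PKI operators cannot modify and the actor field would come from the authenticated job identity.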
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- The specific CMMC Level 2 alignment points tied to PKIaaS operations and evidence collection.
- How the provider frames independent assessment requirements for regulated customers.
- Why certificate trust services are being positioned against CUI handling and defense supply chain expectations.
- The relationship between PKI operating discipline, FedRAMP posture, and automation in regulated environments.
👉 Read Keyfactor's post on CMMC Level 2 certification for PKIaaS →