CMMC 2.0 Level 2 · NIST SP 800-171

Your DoD contract now scores CMMC. IA.L2-3.5.3 wants MFA for privileged and network access — is it on AD and your network gear?

CMMC 2.0 Level 2 mirrors the 110 controls of NIST SP 800-171, and the identification-and-authentication family is where assessments stall. IA.L2-3.5.3 requires multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. IA.L2-3.5.4 adds that authentication must be replay-resistant. These apply to the systems that handle CUI — domain controllers, file servers, and the network paths into them — not just email. Authnull enforces a phishing-resistant factor across AD, Windows, Linux, and RADIUS, and produces the per-login evidence your assessor and SSP need.

At a glance
Framework: CMMC 2.0 Level 2
Key controls: IA.L2-3.5.3 · 3.5.4 · AC.L2-3.1.12
Applies to: DoD contractors handling CUI
Timing: Phasing into DoD contracts
You walk away with: SSP & POA&M evidence
Mapped to specific controls — not a generic MFA checklist.
The line that put you here
"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."
— NIST SP 800-171 r2, IA.L2-3.5.3
A C3PAO assessment is pass/fail per control — there is no partial credit. IA.L2-3.5.3 is one of the controls most likely to be marked NOT MET when MFA stops at the cloud IdP.
Requirement mapping

Requirement → Authnull

Control / What it requires / How Authnull covers it / Status

IA.L2-3.5.3
  Requires: MFA for local and network access to privileged accounts, and for network access to non-privileged accounts.
  Authnull coverage: AD logon, local Windows console, and SSH MFA together cover both local and network access, for privileged and standard users alike.
  Status: Covered

IA.L2-3.5.4
  Requires: Employ replay-resistant authentication mechanisms.
  Authnull coverage: FIDO2 / security-key and cryptographic push factors are replay-resistant by design.
  Status: Covered

AC.L2-3.1.12
  Requires: Monitor and control remote access sessions.
  Authnull coverage: RADIUS MFA on VPN plus per-session logs deliver both the control and the monitoring record.
  Status: Covered

AC.L2-3.1.1
  Requires: Limit system access to authorized users and devices.
  Authnull coverage: Factor binding ties each session to a known user and device before access is granted.
  Status: Covered
Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies:
- Microsoft 365 GCC sign-in
- Cloud collaboration apps

What it leaves for the audit:
- AD / domain controllers
- CUI file & app servers
- VPN into the enclave
- Linux SSH

Authnull enforces MFA on every path in the "What it leaves for the audit" list — at the directory, OS, and RADIUS layer — so the paths that fail the audit become the paths that pass it.

Evidence

What you hand the assessor.

SSP-ready control mapping

Each enforced path mapped to its 800-171 control for your System Security Plan and assessor walkthrough.

Assessment artifacts

Per-login records by user, system and factor — the evidence a C3PAO samples during a Level 2 assessment.

Replay-resistant factors

Meets IA.L2-3.5.4 with FIDO2 and cryptographic push — no custom work.

Turn IA.L2-3.5.3 from NOT MET to MET.

Enforce replay-resistant MFA across AD, servers, and remote access, with evidence mapped to your SSP. Start free, or review your boundary with a compliance engineer.

Talk to a compliance engineer