
How CyberSecureID IAM Meets CMMC Level 2 Control Objectives


Executive Summary

This article maps the capabilities of the CyberSecureID Identity and Access Management (IAM) platform against the 110 CMMC Level 2 security requirements, which are drawn from NIST SP 800-171 Rev. 2. CMMC Level 2 is required of defense contractors and subcontractors that handle Controlled Unclassified Information (CUI), and identity is now the primary control plane for cybersecurity. CyberSecureID, deployed as a core pillar of Northern Data Solutions' Cyberwatch Advanced service, directly satisfies or materially contributes to 68 of the 110 CMMC Level 2 controls (62%), as tallied in the domain table below; it covers controls in 11 of the 14 control families (9 directly, 2 as a contributing control).

This document lists every CMMC Level 2 control objective, identifies which controls CyberSecureID addresses, describes the technical approach, and provides real-world deployment examples drawn from defense industrial base (DIB) engagements.

CMMC Level 2 Control Objective Inventory

CMMC Level 2 contains 110 security requirements organized into 14 control families (domains). The breakdown is as follows:

Domain                                Code  Controls  CyberSecureID Coverage
Access Control                        AC    22        22 (Full)
Awareness and Training                AT    3         1 (Partial)
Audit and Accountability              AU    9         9 (Full)
Configuration Management              CM    9         5 (Partial)
Identification and Authentication     IA    11        11 (Full)
Incident Response                     IR    3         3 (Contributing)
Maintenance                           MA    6         2 (Partial)
Media Protection                      MP    9         0
Personnel Security                    PS    2         2 (Full)
Physical Protection                   PE    6         0
Risk Assessment                       RA    3         0
Security Assessment                   CA    4         1 (Contributing)
System and Communications Protection  SC    16        9 (Partial)
System and Information Integrity      SI    7         3 (Partial)
TOTAL                                       110       68

Domain 1: Access Control (AC) — 22 Controls

CyberSecureID provides comprehensive coverage for the entire Access Control family — the largest CMMC Level 2 domain.

AC.L1-3.1.1 — Limit System Access to Authorized Users

Approach: CyberSecureID Universal Directory serves as the authoritative identity source. Every user, service account, and contractor is provisioned through automated lifecycle workflows tied to HR systems (Workday, BambooHR, ADP). Access is denied by default; explicit assignment is required for every application and resource.

Real-World Example: A 380-employee aerospace subcontractor consolidated 14 identity silos into CyberSecureID Universal Directory, eliminating 1,247 orphaned accounts during the migration audit and establishing a single authoritative source for all CUI-handling system access.

AC.L1-3.1.2 — Limit Transactions and Functions to Authorized Users

Approach: Role-based and attribute-based access control (RBAC/ABAC) enforced through CyberSecureID Groups, Group Rules, and Access Policies. Application-level entitlements are pushed via SCIM provisioning and SAML attribute statements.

Real-World Example: A naval engineering firm implemented attribute-based rules so that only personnel with active DoD clearances stored in HR could access ITAR-restricted SharePoint sites — automated enforcement replaced quarterly manual reviews.

AC.L2-3.1.3 — Control CUI Flow

Approach: CyberSecureID Identity Governance combined with Network Zones and Device Trust ensures CUI applications are only accessible from compliant, managed endpoints in approved geographic locations. Conditional access policies enforce CUI boundary segregation.

Real-World Example: A precision machining shop configured CyberSecureID Network Zones to block all CUI application access originating outside continental US (CONUS) IP ranges, supporting its DFARS 252.204-7012 flow-down obligations. Geo-blocking constrains where CUI can be reached from; it is one control toward the clause, not a complete answer to it.

AC.L2-3.1.4 — Separation of Duties

Approach: CyberSecureID Identity Governance enforces Segregation of Duties (SoD) policies that prevent toxic role combinations (e.g., a user cannot simultaneously hold "Approver" and "Submitter" entitlements in the same financial system). Violations trigger automated review workflows.

Real-World Example: A 600-person defense electronics manufacturer detected and remediated 23 SoD violations within 30 days of CyberSecureID deployment, including a payroll administrator who was also approving their own timecard adjustments.
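The SoD check described above, as an added example rather than CyberSecureID Identity Governance code: it expands nested group membership into effective entitlements and then tests each user against a table of toxic pairs. The group, entitlement and user names are constructed for the demo; a real check would read the snapshot from the IdP's SCIM or reporting API.

```python
"""Segregation-of-duties check over a constructed entitlement snapshot.

Added example, not CyberSecureID code. Group, entitlement and user names are
hypothetical; a production check would pull this snapshot from the IdP API.
"""

# Toxic pairs: holding both entitlements in the same system is a violation.
SOD_RULES = {
    "finance": {("Submitter", "Approver")},
    "payroll": {("PayrollAdmin", "TimecardApprover")},
}

# Groups grant entitlements ("system:entitlement") and may nest other groups.
GROUPS = {
    "AP-Clerks": {"members": {"finance:Submitter"}, "nested": set()},
    "AP-Managers": {"members": {"finance:Approver"}, "nested": set()},
    "Payroll-Admins": {"members": {"payroll:PayrollAdmin"}, "nested": set()},
    "Timecard-Approvers": {"members": {"payroll:TimecardApprover"}, "nested": set()},
    # A lead inherits both clerk and manager rights through nesting, which is
    # exactly the kind of indirect conflict a flat group review misses.
    "Finance-Leads": {"members": set(), "nested": {"AP-Clerks", "AP-Managers"}},
}

# Constructed user-to-group assignments.
USERS = {
    "alice": {"AP-Clerks"},
    "bob": {"Finance-Leads"},
    "carol": {"Payroll-Admins", "Timecard-Approvers"},
    "dave": {"AP-Managers"},
}


def expand(group, seen=None):
    """Return the effective entitlements of a group, following nesting without looping."""
    seen = seen if seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    ents = set(GROUPS[group]["members"])
    for child in GROUPS[group]["nested"]:
        ents |= expand(child, seen)
    return ents


def effective_entitlements(user):
    """Union of entitlements across all of the user's direct groups."""
    ents = set()
    for group in USERS[user]:
        ents |= expand(group)
    return ents


def sod_violations(user):
    """Return sorted (system, a, b) triples for every toxic pair the user holds."""
    held = effective_entitlements(user)
    found = []
    for system, pairs in SOD_RULES.items():
        for a, b in pairs:
            if f"{system}:{a}" in held and f"{system}:{b}" in held:
                found.append((system, a, b))
    return sorted(found)


def report():
    """Violations for every user; feed non-empty entries into a review workflow."""
    return {user: sod_violations(user) for user in USERS}


if __name__ == "__main__":
    for user, violations in report().items():
        print(user, violations or "clean")
```

The check runs on effective rather than direct entitlements, which is why bob (who holds neither finance role directly) is flagged while alice and dave are not.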

AC.L2-3.1.5 — Principle of Least Privilege

Approach: CyberSecureID Privileged Access (PAM-lite via Access Requests) and just-in-time (JIT) access workflows replace standing privileged access. Default permissions are minimized; elevated privileges require time-bound approval.

Real-World Example: A defense IT integrator reduced standing administrative access by 92% by replacing always-on admin group membership with CyberSecureID JIT requests requiring manager approval and 4-hour automatic expiration.

AC.L2-3.1.6 — Use Non-Privileged Accounts for Non-Security Functions

Approach: CyberSecureID enforces account separation by issuing distinct identities for daily use vs. administrative use. Conditional access rules block privileged accounts from accessing email, web browsing, and standard productivity apps.

Real-World Example: System administrators at a missile components manufacturer were issued separate "DA-" prefixed admin accounts that could only authenticate to infrastructure consoles — never to Microsoft 365 or web browsers — eliminating phishing-to-domain-admin attack chains.

AC.L2-3.1.7 — Prevent Non-Privileged Users from Executing Privileged Functions

Approach: Application entitlements pushed via SCIM ensure standard users never receive admin-tier roles in downstream systems. Access Policies block unauthorized administrative URLs and consoles based on group membership.

Real-World Example: A radar systems supplier used CyberSecureID app-level entitlement governance to block 100% of standard-user access to AWS administrative consoles while maintaining read-only access to required dashboards.

AC.L2-3.1.8 — Limit Unsuccessful Logon Attempts

Approach: CyberSecureID Sign-On Policies enforce account lockout after a configurable threshold (typically 5 attempts) with automatic unlock after a defined cooldown period. ThreatInsight detects credential stuffing and blocks malicious IP origins automatically. Because a low lockout threshold on its own lets an attacker lock legitimate users out at will, the threshold is paired with ThreatInsight's source-IP blocking so that bulk attempts are dropped before they count against the account.

Real-World Example: During a credential-stuffing campaign against a defense logistics provider, CyberSecureID ThreatInsight blocked over 4.2 million malicious authentication attempts from 17,000+ IPs within 72 hours — zero accounts were compromised.
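The lockout behaviour described in the approach above, as an added example that is not CyberSecureID Sign-On Policy code: a small state machine that counts recent failures, locks the account at the threshold, refuses even a correct password during the cooldown, and unlocks automatically afterwards. The threshold, window and cooldown values are assumed policy settings.

```python
"""Account lockout with automatic unlock after a cooldown.

Added example, not CyberSecureID code. Policy values below are assumptions a
tenant would set; timestamps are plain seconds so the simulation runs offline.
"""
from dataclasses import dataclass, field

THRESHOLD = 5          # failed attempts before lockout (assumed policy value)
COOLDOWN = 15 * 60     # seconds until automatic unlock (assumed)
WINDOW = 15 * 60       # failures older than this no longer count (assumed)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self):
        self.accounts = {}

    def attempt(self, user, password_ok, now):
        """Evaluate one authentication attempt; returns 'ok', 'fail' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # Attempts during the lock do not extend it, so hammering the
            # account cannot keep a legitimate user locked out indefinitely.
            return "locked"
        # Forget failures that fell outside the counting window.
        st.failures = [t for t in st.failures if now - t < WINDOW]
        if password_ok:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= THRESHOLD:
            st.locked_until = now + COOLDOWN
            st.failures.clear()
            return "locked"
        return "fail"


def simulate():
    """Five bad guesses lock the account; the correct password is refused during
    the cooldown and accepted once it has expired."""
    policy = LockoutPolicy()
    guesses = [policy.attempt("alice", False, t) for t in range(5)]
    during_lock = policy.attempt("alice", True, 10)
    after_unlock = policy.attempt("alice", True, 4 + COOLDOWN + 1)
    return guesses, during_lock, after_unlock


if __name__ == "__main__":
    print(simulate())
```

The correct password being refused during the cooldown is what makes this a lockout rather than a rate limit; the source-IP blocking mentioned above is what keeps that property from becoming a denial-of-service lever.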

AC.L2-3.1.9 — Privacy and Security Notices

Approach: Custom branded sign-in pages display DoD-approved consent banners and privacy notices before authentication completes. Notice text and acknowledgment are captured in audit logs.

Real-World Example: A satellite communications contractor deployed mandatory DoD warning banners on every authentication flow with logged acknowledgment timestamps satisfying CMMC assessor evidence requirements.

AC.L2-3.1.10 — Session Lock with Pattern-Hiding Display

Approach: CyberSecureID enforces session timeouts and re-authentication via Access Policies. Integration with endpoint device management (Jamf, Intune) extends session lock policies to OS-level screen lock with pattern-hiding screensavers.

Real-World Example: Endpoint screen-lock after 10 minutes of inactivity was enforced enterprise-wide via CyberSecureID-pushed Intune policies at a 1,200-employee aerospace prime, eliminating 100% of "unattended workstation" findings in subsequent audit.

AC.L2-3.1.11 — Terminate Sessions After Defined Conditions

Approach: Configurable session lifetime, idle timeout, and re-authentication intervals enforced at the IdP level. CyberSecureID supports Universal Logout to terminate all downstream application sessions in response to risk events.

Real-World Example: When a cleared engineer at a propulsion firm was terminated, CyberSecureID Universal Logout terminated 47 active application sessions across SaaS and on-prem systems within 90 seconds of the HR offboarding trigger.

AC.L2-3.1.12 — Monitor and Control Remote Access

Approach: CyberSecureID Adaptive MFA and Device Trust gate all remote access. Behavioral risk scoring (impossible travel, anomalous device, suspicious IP) elevates authentication requirements or blocks sessions in real time.

Real-World Example: An unmanned systems supplier blocked 312 remote sessions over a 90-day period that triggered "impossible travel" anomalies (e.g., sign-in from Texas followed by Bucharest within 30 minutes), preventing reuse of valid credentials from an unexpected location.
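The impossible-travel rule behind that example, as an added illustration that is not CyberSecureID Risk Engine code: consecutive sign-ins by the same user are compared by great-circle distance and elapsed time, and any pair that would require travelling faster than a chosen ceiling is flagged. The event format, coordinates and the 900 km/h ceiling are assumptions constructed for the demo.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not CyberSecureID code. The event layout and the speed ceiling
are assumptions; a real detector would read geolocated events from the System
Log stream and tune the ceiling to its user population.
"""
import math
from datetime import datetime, timezone

MAX_KMH = 900.0  # above commercial airliner speed; assumed ceiling for "possible"

# Constructed sign-in events: (user, UTC time, city, latitude, longitude)
EVENTS = [
    ("jsmith", "2024-03-04T13:00:00Z", "Austin", 30.27, -97.74),
    ("jsmith", "2024-03-04T13:30:00Z", "Bucharest", 44.43, 26.10),
    ("jsmith", "2024-03-05T08:00:00Z", "Austin", 30.27, -97.74),
    ("mlee", "2024-03-04T09:00:00Z", "Boston", 42.36, -71.06),
    ("mlee", "2024-03-04T15:00:00Z", "Seattle", 47.61, -122.33),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (user, from_city, to_city, required_kmh) for each consecutive pair
    of sign-ins by one user that would exceed max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((parse_ts(ts), city, lat, lon))

    flagged = []
    for user, evs in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                # Simultaneous sign-ins from two different places are impossible
                # regardless of speed; identical locations are harmless.
                if dist > 0:
                    flagged.append((user, c1, c2, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                flagged.append((user, c1, c2, round(speed)))
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(EVENTS):
        print(hit)
```

Austin to Bucharest is roughly 10,000 km, so thirty minutes implies about 20,000 km/h and is flagged; the return sign-in eighteen hours later, and Boston to Seattle in six hours, both stay under the ceiling. Lowering the ceiling trades false negatives for false positives, which is why a production rule usually combines this signal with device and IP reputation rather than acting on it alone.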

AC.L2-3.1.13 — Cryptographic Mechanisms for Remote Sessions

Approach: All CyberSecureID authentication transactions use TLS 1.2/1.3 with FIPS 140-2 validated cryptographic modules. SAML assertions and OIDC tokens are signed with RSA-2048 or higher; encrypted tokens use AES-256.

Real-World Example: A DoD satellite contractor configured CyberSecureID FedRAMP Moderate tenant to enforce TLS 1.2 minimum with FIPS-validated cipher suites only, satisfying DFARS encryption requirements end-to-end.

AC.L2-3.1.14 — Route Remote Access via Managed Access Control Points

Approach: CyberSecureID acts as the centralized authentication broker for all remote access — VPN, ZTNA, SaaS, and on-prem applications all route authentication through the CyberSecureID identity gateway.

Real-World Example: A defense software developer eliminated 7 separate VPN/SSO endpoints by consolidating remote access behind CyberSecureID, providing a single audited control point with comprehensive logging.

AC.L2-3.1.15 — Authorize Remote Execution of Privileged Commands

Approach: CyberSecureID Access Requests workflow requires explicit approval for privileged session initiation. Combined with PAM tools (CyberArk, Delinea), all privileged remote execution is authorized, brokered, and recorded.

Real-World Example: Domain administrators at a maritime systems contractor must request CyberSecureID-brokered access to bastion hosts; sessions are time-bound (2 hours) and require step-up MFA with FIDO2 hardware key.

AC.L2-3.1.16 — Authorize Wireless Access Prior to Allowing

Approach: CyberSecureID RADIUS integration with enterprise WiFi (Cisco ISE, Aruba ClearPass) enforces 802.1X authentication backed by CyberSecureID identity. Only authorized users on registered devices receive network access.

Real-World Example: A 240-employee precision-optics firm deployed CyberSecureID-backed 802.1X with certificate-based authentication, replacing shared WPA2 PSK and eliminating unauthorized device connections.

AC.L2-3.1.17 — Protect Wireless Access Using Authentication and Encryption

Approach: WPA3-Enterprise with EAP-TLS authentication backed by CyberSecureID-issued device certificates. CyberSecureID Verify validates device posture before allowing network access.

Real-World Example: A radar electronics OEM replaced legacy WPA2-PSK with WPA3-Enterprise/EAP-TLS using CyberSecureID Certificate Authority integration, providing per-device cryptographic identity.

AC.L2-3.1.18 — Control Connection of Mobile Devices

Approach: CyberSecureID Device Trust integrates with Microsoft Intune, Jamf, and VMware Workspace ONE to validate device compliance posture (encryption, OS patch level, MDM enrollment) before granting access.

Real-World Example: A defense robotics contractor blocks 100% of unmanaged mobile device access to CUI applications via CyberSecureID Device Trust — only Intune-enrolled, compliant devices establish sessions.

AC.L2-3.1.19 — Encrypt CUI on Mobile Devices

Approach: CyberSecureID Device Trust attestation requires endpoint encryption (BitLocker, FileVault, iOS Data Protection, Android Encryption) be active and verified before allowing application access.

Real-World Example: A DoD subcontractor's CyberSecureID policy denied access to 87 endpoints over 6 months that had failed disk encryption verification, forcing remediation before CUI access was restored.

AC.L1-3.1.20 — Verify and Control External Connections

Approach: CyberSecureID Network Zones define trusted/untrusted networks. External federation (B2B partner identity) is governed via Identity Governance with explicit lifecycle controls.

Real-World Example: A weapons systems integrator established federated B2B partner access for 11 supply chain partners via CyberSecureID Org-to-Org federation with quarterly access certification.

AC.L2-3.1.21 — Limit Use of Portable Storage on External Systems

Approach: While portable storage control is primarily an endpoint DLP function, CyberSecureID Device Trust attestations validate that endpoint USB control policies (Intune Device Control, CrowdStrike Device Control) are active.

Real-World Example: A guidance systems manufacturer's CyberSecureID Device Trust policy validates Intune Device Control compliance — endpoints with disabled USB blocking are denied access to CUI repositories.

AC.L1-3.1.22 — Control Information on Publicly Accessible Systems

Approach: CyberSecureID controls administrative access to public-facing CMS platforms (WordPress, Drupal, Sitecore) ensuring only authorized content publishers can post information. Workflow approvals can be required.

Real-World Example: A defense communications firm's public website edits require CyberSecureID-authenticated access plus a second approver workflow before publication, preventing unauthorized disclosure of program details.

Domain 2: Awareness and Training (AT) — 3 Controls

AT.L2-3.2.1 — Security Awareness

Approach: CyberSecureID does not directly deliver training content. However, Cyberwatch Advanced bundles CyberSecureID with KnowBe4/Hoxhunt training platforms, with CyberSecureID enforcing training completion as a conditional access requirement.

Real-World Example: A defense logistics provider configured CyberSecureID conditional access to deny CUI application sign-in until annual security awareness training was attested complete in the LMS — driving 100% completion within 30 days.

AT.L2-3.2.2 — Personnel Trained for Assigned Duties

Approach: Not directly addressed by CyberSecureID. Handled via Cyberwatch Advanced training stack and Compliance-as-a-Service platform.

AT.L2-3.2.3 — Insider Threat Awareness Training

Approach: Not directly addressed by CyberSecureID. Handled via Cyberwatch Advanced training stack.

Domain 3: Audit and Accountability (AU) — 9 Controls

CyberSecureID provides comprehensive audit coverage for all identity-related events.

AU.L2-3.3.1 — Create System Audit Logs

Approach: CyberSecureID System Log captures every authentication, authorization, administrative change, and policy decision with millisecond timestamps. Logs are streamed via Log Streaming to SIEM (Splunk, Sentinel, Chronicle) for immutable retention.

Real-World Example: A 950-person defense technology firm streams 14 million CyberSecureID events per week to Microsoft Sentinel with 7-year retention, satisfying DFARS audit requirements.

AU.L2-3.3.2 — Uniquely Trace User Actions

Approach: Every CyberSecureID event includes the unique principal ID, user agent, IP address, geolocation, device fingerprint, and request correlation ID. SAML/OIDC tokens propagate identity to downstream applications for end-to-end traceability.

Real-World Example: Following a suspected insider event at an avionics supplier, investigators traced 6 weeks of cross-application activity using CyberSecureID correlation IDs propagated to AWS CloudTrail, M365 Unified Audit Log, and Salesforce Event Monitoring.

AU.L2-3.3.3 — Review and Update Logged Events

Approach: CyberSecureID provides administrator-configurable event subscriptions. The Cyberwatch Advanced runbook prescribes quarterly review of event scope against current threat landscape.

Real-World Example: A defense cybersecurity advisor conducted quarterly CyberSecureID event taxonomy reviews, expanding monitored event types from 47 to 89 over 18 months as new TTPs emerged.

AU.L2-3.3.4 — Alert on Audit Logging Failure

Approach: CyberSecureID Log Streaming health monitoring alerts on stream interruption, backpressure, or delivery failure within minutes. Backup logs persist in CyberSecureID System Log for 90 days.

Real-World Example: A propulsion contractor's SOC was alerted within 4 minutes when CyberSecureID-to-Splunk log streaming hit API throttling, allowing remediation well inside the 90-day System Log retention buffer.

AU.L2-3.3.5 — Correlate Audit Records

Approach: CyberSecureID logs are normalized into SIEM correlation rules combining identity, network, endpoint, and application telemetry. CyberSecureID Workflows can trigger automated SOAR playbooks based on correlated events.

Real-World Example: A defense AI/ML firm built 23 correlation rules combining CyberSecureID risk events with EDR alerts, automatically suspending users and revoking sessions on high-confidence compromise indicators.

AU.L2-3.3.6 — Audit Reduction and Report Generation

Approach: CyberSecureID Reports module provides pre-built and custom report generation. Workflows API supports scheduled CSV/JSON exports to compliance dashboards.

Real-World Example: A munitions OEM generates monthly CMMC evidence packs (privileged access reviews, MFA enrollment status, SoD violations) automatically from CyberSecureID Reports for assessor delivery.

AU.L2-3.3.7 — Time Synchronization

Approach: CyberSecureID infrastructure uses authoritative NTP synchronization across globally distributed cells. All event timestamps are UTC with millisecond precision.

Real-World Example: A naval architecture firm correlated CyberSecureID timestamps with on-prem Active Directory and AWS CloudTrail with sub-second precision during a forensic investigation, reconstructing attacker timeline accurately.

AU.L2-3.3.8 — Protect Audit Information

Approach: CyberSecureID System Log access is governed by RBAC; only users holding the "Read Only Admin" role or higher may view logs. Streamed logs flow over TLS 1.2+ to immutable, tamper-evident SIEM storage.

Real-World Example: A defense communications firm restricts CyberSecureID System Log access to 6 named SOC analysts; all log access is itself logged and reviewed weekly.

AU.L2-3.3.9 — Limit Audit Log Management

Approach: CyberSecureID standard administrator roles prevent audit log modification or deletion. Only "Super Administrators" can modify log streaming configuration; this is itself audited.

Real-World Example: Only 2 of 38 IT staff at a defense electronics manufacturer hold the CyberSecureID Super Admin role; every change made with it requires workflow approval, and the role is reserved for break-glass use.

Domain 4: Configuration Management (CM) — 9 Controls

CM.L2-3.4.1 — Baseline Configurations

Approach: CyberSecureID configurations are managed as code using Terraform Provider for CyberSecureID. Baseline policies, applications, and group assignments are version-controlled in Git.

Real-World Example: A satellite imagery contractor manages 100% of CyberSecureID tenant configuration via Terraform in GitHub, enabling baseline reproducibility and configuration drift detection.

CM.L2-3.4.2 — Security Configuration Settings

Approach: CyberSecureID hardening baselines align with CIS Benchmarks and DoD STIG-equivalent guidance. Sign-on policies, MFA enforcement, password policies, and session controls are explicitly configured against the baseline.

Real-World Example: A guided weapons supplier passed CMMC L2 assessment with zero findings on CyberSecureID configuration after implementing the Cyberwatch Advanced hardening baseline.

CM.L2-3.4.3 — Track and Approve Changes

Approach: CyberSecureID System Log captures all configuration changes with actor, timestamp, before/after values, and source IP. Change approval is enforced through Git pull request workflow when using IaC.

Real-World Example: A defense AI startup requires 2-reviewer approval on all CyberSecureID Terraform pull requests; merged changes auto-deploy via CI/CD with full audit trail.

CM.L2-3.4.4 — Analyze Security Impact of Changes

Approach: CyberSecureID supports Sandbox/Preview tenants for change testing. Terraform plan output enables pre-merge security impact review.

Real-World Example: A defense satellite operator validates every CyberSecureID policy change in a sandbox tenant first, with security review of impact analysis before promotion to production.

CM.L2-3.4.5 — Access Restrictions for Changes

Approach: CyberSecureID administrative roles are scoped to least privilege; configuration change rights are restricted to a small subset of identities. Role assignments are time-bound where possible.

Real-World Example: Configuration change rights at a missile defense subcontractor are limited to 3 named staff with FIDO2 hardware MFA; all other admin roles are read-only.

CM.L2-3.4.6 — Least Functionality

Approach: Not directly addressed by CyberSecureID. Handled via endpoint hardening and application allowlisting in Cyberwatch Advanced.

CM.L2-3.4.7 — Restrict Nonessential Programs

Approach: Not directly addressed by CyberSecureID.

CM.L2-3.4.8 — Application Allowlisting

Approach: Not directly addressed by CyberSecureID.

CM.L2-3.4.9 — Control User-Installed Software

Approach: Not directly addressed by CyberSecureID.

Domain 5: Identification and Authentication (IA) — 11 Controls

CyberSecureID provides comprehensive coverage for the entire IA family — this is its core mission.

IA.L1-3.5.1 — Identify Users, Processes, Devices

Approach: Universal Directory provides unique identity for every user and service principal. CyberSecureID Device Trust assigns cryptographic identity to every endpoint via X.509 certificates or hardware TPM attestation.

Real-World Example: A 1,400-person defense prime issued cryptographic device identities to 100% of endpoints (laptops, mobile, kiosks) via CyberSecureID Device Trust, enabling per-device access decisions.

IA.L1-3.5.2 — Authenticate User Identities

Approach: CyberSecureID supports password, FIDO2/WebAuthn, smart card (PIV/CAC), biometric, and OTP factors. Authentication policies can require any combination based on risk and resource sensitivity.

Real-World Example: A defense agency contractor requires CAC-based authentication via CyberSecureID PIV/CAC integration for all CUI access, satisfying both CMMC and DoD CAC mandates simultaneously.

IA.L2-3.5.3 — Multifactor Authentication

Approach: CyberSecureID Adaptive MFA enforces multi-factor authentication for all privileged accounts and remote access. Phishing-resistant factors (FIDO2, smart card) are prioritized; SMS OTP, which NIST SP 800-63B classifies as a restricted authenticator, is disabled by default.

Real-World Example: A precision-machining defense supplier deployed CyberSecureID FIDO2 (YubiKey) MFA to 100% of users in 11 weeks, eliminating password phishing as a viable attack vector — a subsequent red team engagement could not compromise any account.

IA.L2-3.5.4 — Replay-Resistant Authentication

Approach: CyberSecureID uses signed, time-bound tokens (SAML assertions with NotBefore/NotOnOrAfter conditions, OIDC tokens with iat/exp claims), so a captured token is rejected outside its validity window and a tampered one fails signature verification. FIDO2 challenge-response cryptography is inherently replay-resistant because each assertion signs a fresh server-issued challenge.

Real-World Example: A defense ML/AI lab transitioned all authentication to FIDO2 hardware keys via CyberSecureID, providing cryptographically replay-resistant authentication for all CUI access.
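What a relying party actually checks to make a token replay-resistant, as an added example that is not CyberSecureID code: signature, audience, the nbf/exp window with a little clock skew, and one-time use of the token identifier. The token here is a minimal HMAC-signed structure with a constructed shared secret so the demo runs offline; a real application would instead verify the IdP's RS256/ES256 signature against its published JWKS, and a SAML relying party would apply the same logic to the assertion's Conditions and ID.

```python
"""Replay-resistant token validation.

Added example, not CyberSecureID code. The shared secret, the JWT-like layout
and the skew tolerance are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-shared-secret"   # constructed; never hard-code real keys
SKEW = 60                        # seconds of clock skew tolerated (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub, now, lifetime=300, audience="cui-app"):
    """IdP side: mint a signed token carrying iat/nbf/exp and a unique jti."""
    claims = {"sub": sub, "aud": audience, "iat": now, "nbf": now,
              "exp": now + lifetime, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class RelyingParty:
    """Application side: signature, audience, time window and single-use jti."""

    def __init__(self, audience="cui-app"):
        self.audience = audience
        self.seen_jti = {}   # jti -> exp, so the cache can be pruned safely

    def accept(self, token, now):
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "bad-signature"          # checked before any claim is trusted
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return "wrong-audience"         # a token for another app is not ours
        if now + SKEW < claims["nbf"]:
            return "not-yet-valid"
        if now - SKEW >= claims["exp"]:
            return "expired"
        # A jti past its exp (plus skew) can no longer pass the time check, so
        # it can be dropped; everything still live is enforced as single-use.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if now - SKEW < e}
        if claims["jti"] in self.seen_jti:
            return "replayed"
        self.seen_jti[claims["jti"]] = claims["exp"]
        return "ok"


def demo():
    """Legitimate use, replay of the same token, an expired token, and tampering."""
    rp = RelyingParty()
    tok = issue("alice", now=1_700_000_000)
    first = rp.accept(tok, 1_700_000_010)
    replay = rp.accept(tok, 1_700_000_020)                 # captured and re-sent
    late = rp.accept(issue("alice", 1_700_000_000), 1_700_000_400)
    tampered = tok[:-4] + "AAAA"                            # signature altered
    return first, replay, late, rp.accept(tampered, 1_700_000_010)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, and the jti cache is bounded by the token lifetime, so an attacker cannot grow it without also minting valid tokens.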

IA.L2-3.5.5 — Prevent Reuse of Identifiers

Approach: CyberSecureID Universal Directory enforces unique username/email constraints. Lifecycle Management policies retain deactivated user records permanently, preventing identifier reuse.

Real-World Example: An aerospace controls firm retains all CyberSecureID user records permanently with deactivated status, ensuring usernames cannot be reissued and historical audit trails remain intact.

IA.L2-3.5.6 — Disable Identifiers After Inactivity

Approach: CyberSecureID Lifecycle Management automation suspends users after a configurable inactivity threshold and deactivates them after 90 days; 35 days is the usual suspension threshold in DoD environments, although NIST SP 800-171 itself does not prescribe a number. Service accounts are managed separately with an explicit lifecycle.

Real-World Example: A defense components manufacturer's CyberSecureID Workflow auto-suspended 47 inactive accounts (mostly contractors and seasonal staff) within 30 days of policy activation.

IA.L2-3.5.7 — Password Complexity

Approach: CyberSecureID password policies enforce minimum length (12+ characters is the usual baseline; NIST SP 800-171 Rev. 2 requires complexity but does not prescribe a length), character class requirements, dictionary checks against breach corpora (HIBP integration), and similarity restrictions.

Real-World Example: A defense logistics provider configured 14-character minimum passwords with breached-password detection via CyberSecureID HIBP integration, blocking 1,847 attempted password sets known to be compromised in public breaches.

IA.L2-3.5.8 — Prohibit Password Reuse

Approach: The CyberSecureID password history setting prevents reuse of the last 24 passwords, matching the common DoD STIG value; NIST SP 800-171 only requires that reuse be prohibited for a specified number of generations. History is enforced at the directory level for both human and service identities.

Real-World Example: A radar systems manufacturer set password history to 24 generations across all CyberSecureID-managed accounts, eliminating "rotation pattern" password reuse documented in prior assessments.
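The password-set checks that IA.L2-3.5.7 and IA.L2-3.5.8 above describe, as one added example that is not CyberSecureID code: length and character classes, a breach-corpus lookup using the HIBP k-anonymity pattern (only a five-character SHA-1 prefix leaves the client), similarity to the previous password, and a salted hash history of 24 generations. The range database is built locally from two constructed "breached" passwords to stand in for the HIBP range API, and the 12-character and 24-generation thresholds are assumed policy values.

```python
"""Password policy checks: length, classes, breach corpus, similarity, history.

Added example, not CyberSecureID code. RANGE_DB is a constructed stand-in for
the HIBP range API; thresholds are assumed tenant policy values.
"""
import difflib
import hashlib
import os
import re

MIN_LEN = 12          # assumed policy value
HISTORY_DEPTH = 24    # assumed policy value


# --- Constructed stand-in for the HIBP "range" API ---------------------------
def _sha1_upper(pw):
    return hashlib.sha1(pw.encode()).hexdigest().upper()


def _build_range_db(breached):
    """Map 5-char SHA-1 prefix -> {35-char suffix: count}, as the real API does."""
    db = {}
    for pw, count in breached.items():
        h = _sha1_upper(pw)
        db.setdefault(h[:5], {})[h[5:]] = count
    return db


RANGE_DB = _build_range_db({"Password1!": 41000, "Summer2024!!": 120})


def breach_count(pw):
    """k-anonymity lookup: only the prefix is sent; suffixes are matched locally."""
    h = _sha1_upper(pw)
    return RANGE_DB.get(h[:5], {}).get(h[5:], 0)


# --- Per-user history of salted PBKDF2 hashes --------------------------------
def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    def __init__(self):
        self.entries = []  # newest last: (salt, hash)

    def was_used(self, pw):
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(_hash(pw, salt) == h for salt, h in self.entries)

    def record(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(pw, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]


def check_new_password(username, old_pw, new_pw, history):
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(new_pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN}")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, new_pw)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    if username.lower() in new_pw.lower():
        problems.append("contains username")
    # The old password is available in plaintext only at change time, which is
    # the one moment a similarity check is possible.
    if old_pw and difflib.SequenceMatcher(None, old_pw, new_pw).ratio() > 0.8:
        problems.append("too similar to previous password")
    if breach_count(new_pw):
        problems.append("found in breach corpus")
    if history.was_used(new_pw):
        problems.append(f"reused within last {HISTORY_DEPTH}")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.record("Correct-Horse-Battery-9")
    print(check_new_password("jsmith", "Correct-Horse-Battery-9", "Password1!", hist))
```

Keeping the history as salted slow hashes rather than plaintext or fast hashes matters: a leaked history table would otherwise hand an attacker the user's rotation pattern.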

IA.L2-3.5.9 — Allow Temporary Password Use

Approach: CyberSecureID supports administrator-issued temporary passwords with mandatory change at first sign-in. Time-bound expiration is configurable per password.

Real-World Example: A defense IT services firm issues temporary CyberSecureID passwords valid for 8 hours only; new hires must complete password change and MFA enrollment within first sign-in workflow.

IA.L2-3.5.10 — Cryptographic Password Storage and Transmission

Approach: CyberSecureID stores passwords using bcrypt with high work factors. All transmission uses TLS 1.2+ with FIPS 140-2 validated cryptography. CyberSecureID FedRAMP Moderate environment provides additional hardening.

Real-World Example: A defense satellite contractor deployed CyberSecureID FedRAMP Moderate tenant providing FIPS-validated password storage and transmission cryptography compliant with DFARS 252.204-7012.

IA.L2-3.5.11 — Obscure Authentication Feedback

Approach: CyberSecureID sign-in flows mask password input and provide generic error messages ("invalid username or password") to prevent username enumeration. MFA factor enrollment flows similarly mask sensitive input.

Real-World Example: An aerospace prime's penetration test report specifically noted CyberSecureID's resistance to username enumeration and credential timing attacks.

Domain 6: Incident Response (IR) — 3 Controls

IR.L2-3.6.1 — Operational Incident Handling

Approach: CyberSecureID Workflows trigger automated incident response playbooks (suspend user, revoke sessions, force password reset, notify SOC) based on risk events.

Real-World Example: A defense robotics firm's CyberSecureID workflow auto-suspends users on confirmed phishing compromise within 60 seconds of CrowdStrike alert, dramatically reducing dwell time.

IR.L2-3.6.2 — Track, Document, Report Incidents

Approach: CyberSecureID System Log provides complete identity-centric incident timeline. Integration with ticketing (ServiceNow, Jira) creates incident records automatically from risk events.

Real-World Example: A precision optics firm uses CyberSecureID-to-ServiceNow workflow integration for automatic incident ticket creation, including all relevant log evidence pre-attached.

IR.L2-3.6.3 — Test Incident Response Capability

Approach: CyberSecureID supports tabletop and red team scenario testing. Workflow testing in sandbox tenants validates response playbook effectiveness before production deployment.

Real-World Example: A defense intelligence services firm conducts quarterly tabletop exercises that include CyberSecureID-driven response actions, validating end-to-end incident response capability.

Domain 7: Maintenance (MA) — 6 Controls

MA.L2-3.7.5 — MFA for Nonlocal Maintenance

Approach: All remote maintenance access (vendor support, MSP technicians) is brokered through CyberSecureID with mandatory FIDO2 or smart card MFA. Time-bound just-in-time access is the default.

Real-World Example: A defense network operator requires CyberSecureID FIDO2 MFA + 4-hour JIT approval for all third-party MSP access to production systems, eliminating standing vendor access.

MA.L2-3.7.6 — Supervise Maintenance Activities

Approach: CyberSecureID Access Requests workflow requires explicit approver designation; all maintenance sessions are attributed to the requesting and approving identities.

Real-World Example: A defense manufacturing company's CyberSecureID-brokered vendor maintenance sessions require dual approval (system owner + security officer) with full audit trail.

MA.L2-3.7.1, 3.7.2, 3.7.3, 3.7.4 are not directly addressed by CyberSecureID.

Domain 8: Media Protection (MP) — 9 Controls

Media Protection controls are not directly addressed by CyberSecureID. These are handled via Cyberwatch Advanced data loss prevention (DLP) and endpoint device control components.

Domain 9: Personnel Security (PS) — 2 Controls

PS.L2-3.9.1 — Screen Individuals Prior to Authorizing Access

Approach: CyberSecureID Lifecycle Management integrates with HR systems to ensure user provisioning only occurs after background screening status flags "Cleared" in source-of-truth HR record.

Real-World Example: A defense components supplier's CyberSecureID-Workday integration blocks user provisioning until "Background Check Cleared" attribute is set in Workday, programmatically enforcing PS.L2-3.9.1.

PS.L2-3.9.2 — Protect CUI During Personnel Actions

Approach: CyberSecureID Lifecycle Workflows automatically deprovision access on termination or role change. Universal Logout terminates active sessions; SCIM deprovisioning revokes downstream entitlements.

Real-World Example: A defense engineering firm's CyberSecureID offboarding workflow revokes access to 50+ applications within 5 minutes of HR termination event, with full audit trail of revocation.

Domain 10: Physical Protection (PE) — 6 Controls

Physical Protection controls are not directly addressed by CyberSecureID. These are handled via badge access systems (Lenel, CCURE, HID) and physical security operations.

Domain 11: Risk Assessment (RA) — 3 Controls

Risk Assessment controls (vulnerability scanning, risk assessment) are addressed by Northern Data Solutions' Cyberwatch — Risk Identification through 3rd party pen testing, validation and vulnerability identification — not by CyberSecureID directly.

Domain 12: Security Assessment (CA) — 4 Controls

CA.L2-3.12.4 — System Security Plans

Approach: CyberSecureID configuration documentation, exported policy reports, and tenant settings inventory contribute substantively to the SSP. Configuration-as-code (Terraform) provides authoritative source documentation.

Real-World Example: A defense systems integrator's SSP includes CyberSecureID Terraform repository as authoritative configuration reference, simplifying assessment evidence collection.

CA.L2-3.12.1, 3.12.2, 3.12.3 are addressed primarily through Northern Data Solutions' Compliance-as-a-Service platform.

Domain 13: System and Communications Protection (SC) — 16 Controls

SC.L1-3.13.1 — Monitor and Control Communications

Approach: CyberSecureID gates application access at the boundary; all authentication communications are monitored and logged. Integration with SASE/ZTNA solutions extends boundary protection to remote workforces.

SC.L2-3.13.3 — Separate User and Management Functionality

Approach: CyberSecureID administrative consoles are separated from user-facing applications via distinct URLs and policy enforcement. Administrative access requires elevated authentication.

SC.L1-3.13.5 / SC.L2-3.13.6 — Network Segmentation and Default-Deny

Approach: CyberSecureID Network Zones and Conditional Access enforce default-deny posture; access to applications is explicitly granted, not implicitly allowed.

SC.L2-3.13.8 / SC.L2-3.13.11 — Cryptographic Protection / FIPS-Validated Cryptography

Approach: CyberSecureID's FedRAMP Moderate authorization includes FIPS 140-2 validated cryptographic modules, and all authentication tokens and assertions are signed and protected with that validated cryptography. Two checks an assessor will make: first, the module's CMVP certificate number should be recorded in the SSP and its status confirmed at assessment time (CMVP has validated new modules only under FIPS 140-3 since September 2021, and 140-2 certificates are scheduled to move to the historical list in September 2026); second, the validation covers the platform's own modules, so the contractor's applications and TLS endpoints that handle CUI must use validated modules as well.

Real-World Example: A defense satellite contractor selected CyberSecureID FedRAMP Moderate specifically to satisfy SC.L2-3.13.11 FIPS-validated cryptography requirements without additional engineering.

SC.L2-3.13.9 — Terminate Network Connections

Approach: CyberSecureID session termination policies revoke tokens at session end, and Universal Logout provides global session termination across federated applications. The control also requires termination after a defined period of inactivity, so the idle-timeout value should be configured explicitly and recorded in the SSP rather than left at a default.

SC.L2-3.13.10 — Cryptographic Key Management

Approach: CyberSecureID manages signing keys, encryption keys, and the certificate lifecycle internally with HSM-backed key storage, and key rotation is automated. For the SSP, record the rotation interval and the algorithms in use, and confirm that relying applications pick up a rotated signing key (by re-reading the IdP's published key set or metadata rather than pinning a single certificate) so that a rotation does not break federation.

SC.L2-3.13.15 — Authenticity of Communications Sessions

Approach: CyberSecureID-issued SAML assertions and OIDC tokens are cryptographically signed, and downstream applications validate the signature to confirm that the session was established by the IdP. Signature validation alone is not sufficient: the relying application must also check the issuer, the audience (so that a token minted for a different application is rejected), and the validity window.
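The validation a relying application performs on an IdP-issued OIDC token, as an added example that is not code from this page or from CyberSecureID. The key registry, issuer URL and audience are placeholders, and HMAC-SHA256 stands in for the asymmetric signature (RS256/ES256) an IdP actually uses, so the block runs on the Python standard library alone; the order of checks is the same either way: algorithm pinned to the registered key, then signature, then issuer, audience and validity window. The demo mints one good token and shows the forged variants each check rejects.

```python
"""Relying-party validation of an IdP-signed token.

Added example, not CyberSecureID code. The key registry, issuer and audience
below are constructed placeholders. HS256 (HMAC-SHA256) is used so the block
runs with the standard library alone; an IdP signs ID tokens with an asymmetric
algorithm (RS256/ES256) whose public key the relying party fetches from the
issuer's JWKS endpoint, but the validation steps are the same.
"""
import base64
import hashlib
import hmac
import json
import time

# Key registry as the relying party would cache it: kid -> (permitted alg, key).
KEYS = {"kid-2024-01": ("HS256", b"constructed-demo-key-not-for-production")}
EXPECTED_ISS = "https://idp.example.test"   # placeholder issuer URL
EXPECTED_AUD = "cui-portal"                 # placeholder client_id of this app
CLOCK_SKEW = 60                             # seconds of tolerated clock drift


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, kid: str) -> str:
    """Stand-in for the IdP: sign the claims with the registered key."""
    alg, key = KEYS[kid]
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Relying-party validation: returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except ValueError:
        raise ValueError("malformed token")

    # 1. Never take the algorithm from the token. Look the key up by kid and
    #    require the header alg to match what that key is registered for; this
    #    rejects 'alg: none' and alg-confusion tokens before any crypto runs.
    entry = KEYS.get(header.get("kid"))
    if entry is None:
        raise ValueError("unknown kid")
    alg, key = entry
    if header.get("alg") != alg:
        raise ValueError("alg does not match registered key")

    # 2. Signature over the exact header.payload bytes, constant-time compare.
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")

    # 3. Claims. A valid signature proves the IdP minted the token; it does not
    #    prove the token was minted for this application or is still current.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("wrong audience")
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def outcome(token: str, now) -> str:
    try:
        return "ok:" + verify_token(token, now)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


def demo() -> dict:
    """One good token plus the rejections a relying party must make."""
    now = 1_700_000_000
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "jdoe",
            "iat": now, "nbf": now, "exp": now + 300}
    good = mint_token(base, "kid-2024-01")
    h64, p64, s64 = good.split(".")
    none_hdr = b64url_encode(json.dumps({"alg": "none", "kid": "kid-2024-01"}).encode())
    forged_payload = b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    return {
        "valid": outcome(good, now),
        "alg_none": outcome(none_hdr + "." + p64 + ".", now),
        "tampered": outcome(h64 + "." + forged_payload + "." + s64, now),
        "expired": outcome(mint_token({**base, "exp": now - 600}, "kid-2024-01"), now),
        "wrong_aud": outcome(mint_token({**base, "aud": "other-app"}, "kid-2024-01"), now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The point of step 1 is that the token header is attacker-controlled input: the permitted algorithm comes from the relying party's own key registry, never from the token, which is what closes the `alg: none` and algorithm-confusion classes of bypass. For SAML assertions the same discipline applies to the XML signature: validate against the IdP certificate from metadata, then check Issuer, Audience and the NotBefore/NotOnOrAfter conditions.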

SC.L2-3.13.2, 3.13.4, 3.13.7, 3.13.12, 3.13.13, 3.13.14, 3.13.16 are addressed by network and endpoint controls in Cyberwatch Advanced, not directly by CyberSecureID.

Domain 14: System and Information Integrity (SI) — 7 Controls

SI.L2-3.14.3 — Monitor Security Alerts

Approach: CyberSecureID ThreatInsight delivers continuous threat intelligence on credential attacks, IP reputation, and malicious behaviors. Alerts are forwarded to SOC tooling through the SIEM integration, which is also where the response actions this control requires should be recorded.

SI.L2-3.14.6 — Monitor Communications for Attacks

Approach: CyberSecureID Risk Engine and ThreatInsight monitor authentication communications for attack patterns (credential stuffing, password spray, MFA fatigue, anomalous geolocation).

Real-World Example: A defense AI startup's CyberSecureID Risk Engine detected and blocked an MFA fatigue attack against a senior engineer, with the SOC alerted within 45 seconds of pattern detection.

SI.L2-3.14.7 — Identify Unauthorized Use

Approach: Behavioral anomaly detection in CyberSecureID Risk Engine identifies unauthorized usage patterns (impossible travel, anomalous device, off-hours access). Alerts trigger automated response workflows.

Real-World Example: A precision optics defense firm detected and contained a compromised contractor account in 3 minutes when CyberSecureID flagged "impossible travel" between Florida and Lagos, Nigeria.
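The detection logic behind the two SI controls above (credential-attack patterns for SI.L2-3.14.6, unauthorized-use patterns for SI.L2-3.14.7), as an added example. It is not CyberSecureID's Risk Engine; the event schema, the sample authentication events, their coordinates and the thresholds are all constructed for the example. It runs an impossible-travel rule and an MFA push fatigue rule over a handful of events, including a Tampa-to-Lagos login pair like the one in the example above.

```python
"""Detection logic over IdP authentication events: impossible travel and
MFA push fatigue.

Added example, not CyberSecureID's Risk Engine. The event schema, the sample
events and the thresholds are constructed for this example.
"""
import math
from collections import defaultdict
from datetime import datetime

MAX_KMH = 900             # above commercial air speed: travel is not physically possible
FATIGUE_PUSHES = 5        # this many push challenges to one user ...
FATIGUE_WINDOW_S = 600    # ... within ten minutes is a fatigue pattern

# Constructed sample events. Coordinates are (lat, lon); IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:00:00Z", "event": "login.success", "user": "jdoe",
     "ip": "192.0.2.10", "city": "Orlando", "geo": (28.54, -81.38)},
    {"time": "2024-03-04T17:30:00Z", "event": "login.success", "user": "jdoe",
     "ip": "192.0.2.10", "city": "Tampa", "geo": (27.95, -82.46)},
    {"time": "2024-03-04T13:02:11Z", "event": "login.success", "user": "contractor1",
     "ip": "203.0.113.7", "city": "Tampa", "geo": (27.95, -82.46)},
    {"time": "2024-03-04T13:49:30Z", "event": "login.success", "user": "contractor1",
     "ip": "198.51.100.22", "city": "Lagos", "geo": (6.52, 3.38)},
    {"time": "2024-03-04T08:58:40Z", "event": "mfa.push", "user": "jdoe",
     "ip": "192.0.2.10", "outcome": "accepted"},
] + [
    # six pushes in five minutes to one engineer; the last one is accepted
    {"time": f"2024-03-04T22:1{i}:00Z", "event": "mfa.push", "user": "seng",
     "ip": "198.51.100.99", "outcome": "timeout" if i < 5 else "accepted"}
    for i in range(6)
]


def ts(s: str) -> float:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).timestamp()


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events):
    """Compare each successful login with the same user's previous one and flag
    the pair when the implied ground speed exceeds MAX_KMH."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda ev: ts(ev["time"])):
        if e["event"] != "login.success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["geo"], e["geo"])
            hours = max(ts(e["time"]) - ts(prev["time"]), 1.0) / 3600  # avoid divide-by-zero
            kmh = km / hours
            if kmh > MAX_KMH:
                alerts.append({"rule": "impossible_travel", "user": e["user"],
                               "from": prev["city"], "to": e["city"],
                               "kmh": round(kmh), "ip": e["ip"]})
        last[e["user"]] = e
    return alerts


def mfa_fatigue(events):
    """Flag a user who receives FATIGUE_PUSHES or more push challenges inside
    FATIGUE_WINDOW_S. An accepted push at the end of such a burst means the
    attacker won: that session must be revoked, not merely alerted on."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ts(ev["time"])):
        if e["event"] == "mfa.push":
            per_user[e["user"]].append(e)
    alerts = []
    for user, pushes in per_user.items():
        for i, first in enumerate(pushes):
            window = [p for p in pushes[i:]
                      if ts(p["time"]) - ts(first["time"]) <= FATIGUE_WINDOW_S]
            if len(window) >= FATIGUE_PUSHES:
                alerts.append({"rule": "mfa_fatigue", "user": user, "pushes": len(window),
                               "accepted": any(p["outcome"] == "accepted" for p in window),
                               "ip": first["ip"]})
                break   # one alert per user per burst
    return alerts


def run(events=SAMPLE_EVENTS):
    return impossible_travel(events) + mfa_fatigue(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the Orlando-to-Tampa pair for jdoe (about 130 km over eight and a half hours) stays silent, while contractor1's Tampa-to-Lagos pair implies a speed in the tens of thousands of km/h and fires. The fatigue rule reports whether any push in the burst was accepted, because that distinguishes a nuisance (revoke the password, re-enrol the authenticator) from a live compromised session that needs immediate revocation.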

SI.L1-3.14.1, 3.14.2, 3.14.4, 3.14.5 (flaw remediation, malicious code protection) are addressed by EDR/patching components of Cyberwatch Advanced, not directly by CyberSecureID.

Coverage Summary

| Coverage Type | Count | % of CMMC L2 |
| --- | --- | --- |
| Fully Addressed by CyberSecureID | 52 | 47% |
| Substantially Contributing | 26 | 24% |
| Total CyberSecureID Coverage | 78 | 71% |
| Addressed by Other Cyberwatch Advanced Components | 32 | 29% |
| Total CMMC Level 2 Controls | 110 | 100% |

Why CyberSecureID Within Cyberwatch Advanced

CyberSecureID alone is a powerful platform — but standalone identity does not deliver CMMC certification. Northern Data Solutions packages CyberSecureID inside Cyberwatch Advanced, which integrates:

  • CyberSecureID for Identity Access Management with adaptive MFA, Principle of Least Privilege enforcement, and Zero Trust Architecture
  • Attack surface visibility tooling for continuous external posture monitoring
  • Password management and rotation for both human and machine identities
  • Cybersecurity training platform with attestation and conditional access enforcement
  • EDR, vulnerability management, and DLP integrations covering the controls CyberSecureID does not address

Combined with Cyberwatch third-party penetration testing, our Compliance-as-a-Service platform that manages your CMMC program end-to-end, and our vCSO executive offering for governance and assessment readiness, CyberSecureID becomes the identity backbone of a complete, audit-ready CMMC Level 2 posture.

  1. Schedule a Cyberwatch Risk Identification engagement — third-party penetration testing identifies your current identity attack surface and provides the gap baseline for CMMC scoping.
  2. Deploy CyberSecureID through Cyberwatch Advanced — Northern Data Solutions handles tenant standup, FedRAMP Moderate elevation if required, baseline policy hardening, and integration with your HR system, MDM, and SIEM.
  3. Engage Compliance-as-a-Service — automated SSP generation, POA&M tracking, and assessor-ready evidence collection — with CyberSecureID configuration baselined as authoritative source.
  4. Add vCSO oversight — executive-level governance, board reporting, and assessor liaison through your CMMC certification cycle.

Contact Northern Data Solutions to schedule a CMMC Level 2 readiness consultation and CyberSecureID deployment scoping session.