Overview
CMMC Level 2 requires multifactor authentication for all network access to systems that process, store, or transmit Controlled Unclassified Information. The requirement traces to NIST SP 800-171 Revision 2, control 3.5.3 (IA.L2-3.5.3), and assessors treat it as a prerequisite for certification rather than a deficiency that can be deferred.
In practice, MFA implementation introduces decisions that intersect with other CMMC controls in ways many contractors do not anticipate. The choice of authenticator type affects media protection policy, mobile device management, USB port configuration, and audit logging. An organization that selects its MFA solution in isolation risks satisfying one requirement while failing another.
This paper examines the MFA requirement in the context of the full CMMC Level 2 control set, identifies the conflicts contractors will encounter, and provides practical guidance for deploying an MFA approach that will withstand assessment scrutiny.
- IA.L2-3.5.3 control requirements and assessment expectations
- FIDO2, PIV/CAC, hardware OTP, TOTP, push, and SMS authenticator analysis
- FIPS 140 validated hardware keys and Zero Trust alignment
- Personal device compliance risk under AC.L2-3.1.18 and AC.L2-3.1.19
- USB device class conflict resolution with MP.L2-3.8.7
- Group Policy configuration for HID, Smart Card, and Mass Storage classes
- Biometric enrollment, fallback, and shop-floor considerations
- Related controls: IA.L2-3.5.2, SC.L2-3.13.8, AU.L2-3.3.1, AC.L2-3.1.1
- Authenticator selection planning framework
- Sample System Security Plan entry for IA.L2-3.5.3
- Key issuance and revocation lifecycle management
- POA&M limitations and assessment practice for MFA
Who This Paper Is For
IT leadership and compliance staff at small and mid-size Defense Industrial Base contractors preparing for CMMC Level 2 certification. The paper is written for readers who need to understand both the control requirements and the practical implementation decisions, without assuming deep familiarity with NIST publications or prior assessment experience.
What Makes This Paper Different
Most MFA guidance for CMMC stops at restating the control language. This paper addresses the implementation conflicts that surface when MFA is deployed alongside media protection, mobile device, and audit logging controls. It provides the technical detail needed to configure USB ports for hardware authenticators without undermining removable media restrictions, explains why personal devices create assessment risk even when they appear to function as a second factor, and includes a ready-to-adapt SSP entry with the evidence types assessors will request.
Where the paper presents practitioner interpretation rather than explicit regulatory text, it says so. That distinction matters when the analysis needs to hold up under assessment scrutiny.
References
- NIST SP 800-171 Revision 2
- NIST SP 800-63B
- NIST SP 800-157
- OMB Memorandum M-22-09
- FIDO2/WebAuthn Specifications
- USB Device Class Specifications
- Microsoft Device Installation Group Policy
- Cyber AB CMMC Assessment Guide Level 2 v2.13
- CMMC Final Rule, 32 CFR Part 170