DATE: February 2, 2026|CLASSIFICATION: UNCLASSIFIED|BRIEFING ID: BHD-INTEL-2026-002

CMMC Level 2 Identity & Access Hardening: Executable Implementation Plan

By Blue Heron Defense Compliance Team

Executive Summary

CMMC Level 2 compliance requires enforcement of multi-factor authentication (MFA) for all users, blocking of legacy authentication protocols, and privileged access controls. This briefing provides an executable mission plan for organizations targeting CMMC L2 readiness, with step-by-step implementation tasks, verification procedures, and evidence artifacts designed to withstand C3PAO assessment. Based on NIST SP 800-171 Rev. 2 requirement 3.5.3 (CMMC practice IA.L2-3.5.3), this plan addresses the most common gap identified in Readiness Review Tool (RRT) assessments: inadequate MFA enforcement and legacy authentication exposure.

Milestone: Identity & Access Hardening

Objective: Enforce strong authentication and privileged access controls aligned to CMMC Level 2.

Exit Criteria:

  • MFA enforced for all in-scope users
  • Admin roles protected with phishing-resistant authentication
  • Access reviews scheduled and documented
  • Legacy authentication protocols blocked

Target Date: Within 28 days of engagement initiation

Priority: P0 (Critical path for CMMC certification)

NIST SP 800-171 Rev. 2 Requirement 3.5.3 (IA.L2-3.5.3): "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."

Current Gap Rationale: Based on typical Readiness Review Tool (RRT) findings, the following gaps are prevalent across Defense Industrial Base (DIB) contractors:

  • MFA not enforced for all users in scope
  • Legacy authentication still permitted (basic authentication over SMTP, POP3, IMAP and Exchange ActiveSync, plus older Office clients that cannot perform modern authentication; these clients cannot complete an MFA challenge, so requiring MFA without blocking them leaves a password-only path open)
  • Break-glass accounts lack documented procedures
  • Privileged access lacks phishing-resistant MFA

Support Type: Configurable (tenant-wide policy enforcement via Microsoft Entra ID Conditional Access)

Assessment Method Alignment: MFA enforcement is verified by examining the exported Conditional Access configuration (examine) and by performing test sign-ins with both modern and legacy clients (test). Using both methods gives the C3PAO corroborating evidence: the policy as configured and the policy as observed in the sign-in log.

STEP-001: Enforce MFA and Block Legacy Authentication

How to Verify Implementation:

The following artifacts must be collected and retained for C3PAO assessment:

EV-CA-POLICY-EXPORT-001:

  • Type: Configuration Export
  • Description: Conditional Access policy export demonstrating MFA enforcement and legacy auth blocks
  • Collector: PowerShell (Get-MgIdentityConditionalAccessPolicy)
  • Retention: 365 days minimum
  • Storage: SharePoint Evidence Library with version control
  • Hash: SHA-256 checksum for tamper detection

EV-AUTH-TEST-LOG-001:

  • Type: Log Export
  • Description: Authentication test log showing MFA challenge and legacy auth block results
  • Collector: PowerShell (Get-MgAuditLogSignIn)
  • Retention: 365 days minimum (Entra ID itself keeps sign-in logs for only 30 days with a P1/P2 license, so the export must be taken promptly after the test sign-ins and the exported copy is what satisfies the retention period)
  • Storage: SharePoint Evidence Library with version control
  • Hash: SHA-256 checksum for tamper detection, recorded at collection time and stored with the artifact

PRE-001: Confirm Conditional Access Capability

Method: Examine

Expected: Conditional Access is licensed for the tenant. Conditional Access requires Microsoft Entra ID P1 or P2, which is included in Microsoft 365 E3/E5 and Business Premium and is also available as a standalone Entra ID license. If no P1/P2 license is present, a documented alternative MFA enforcement mechanism is selected; the tenant-wide fallback is Security Defaults, which enforces MFA registration and blocks legacy authentication but allows no exclusions, so the break-glass design below cannot be applied as written.

On Fail: Stop and escalate. Choose supported MFA enforcement mechanism for current licensing state. Do not proceed with implementation until capability is confirmed.
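The PRE-001 check can be scripted rather than read off the admin portal. The following is an added example written for this briefing, not part of the original plan: it looks for an Entra ID P1/P2 service plan (AAD_PREMIUM or AAD_PREMIUM_P2) in the tenant's subscribed SKUs and, if none is found, reports whether Security Defaults is currently enabled so the escalation record shows the actual fallback state. The Graph scopes and module names are the standard ones for these cmdlets.

```powershell
# Added example for PRE-001 (not part of the original briefing): confirm the tenant
# is licensed for Conditional Access before any policy work starts.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Organization.Read.All", "Policy.Read.All" -NoWelcome

# Entra ID P1 surfaces as service plan AAD_PREMIUM, P2 as AAD_PREMIUM_P2, inside whichever
# SKU bundles it (Microsoft 365 E3/E5, Business Premium, EMS, or standalone Entra ID).
$premiumPlans = Get-MgSubscribedSku -All | ForEach-Object {
    $sku = $_
    $sku.ServicePlans |
        Where-Object { $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success' } |
        Select-Object @{n='Sku';       e={ $sku.SkuPartNumber }},
                      ServicePlanName,
                      @{n='Purchased'; e={ $sku.PrepaidUnits.Enabled }},
                      @{n='Assigned';  e={ $sku.ConsumedUnits }}
}

if ($premiumPlans) {
    $premiumPlans | Format-Table -AutoSize
    Write-Host "PRE-001 PASS: Conditional Access is licensed. Proceed to STEP-001."
} else {
    # No P1/P2: Security Defaults is the only tenant-wide fallback. It enforces MFA
    # registration and blocks legacy auth, but permits no exclusions (no break-glass carve-out).
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Warning ("PRE-001 FAIL: no Entra ID P1/P2 service plan found. Security Defaults enabled: {0}" -f $sd.IsEnabled)
    Write-Warning "Stop and escalate: select and document an alternative MFA enforcement mechanism."
}
```

Save the table output with the PRE-001 record; a C3PAO will ask why Conditional Access (rather than Security Defaults) was the chosen mechanism, and the license evidence answers that.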

POST-001: Confirm MFA Enforcement Active

Method: Test

Expected: All tested users receive an MFA challenge during interactive authentication (the sign-in log records authenticationRequirement = multiFactorAuthentication). Legacy authentication attempts fail with sign-in error 53003, "Access has been blocked by Conditional Access policies". Test the legacy path with a valid password: Conditional Access is evaluated only after the first factor succeeds, so a wrong-password failure (error 50126) proves nothing about the block.

On Fail: Rollback or adjust policy exclusions. Re-run verification task. Do not proceed to next milestone until postcheck passes.
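The two evidence artifacts above (EV-CA-POLICY-EXPORT-001 and EV-AUTH-TEST-LOG-001) and the POST-001 pass criteria can be produced by one collection script. The following is an added example, not the briefing's own collector: it exports every Conditional Access policy to JSON, writes a SHA-256 checksum next to it, pulls the pilot accounts' sign-ins from the last 24 hours, and evaluates the POST-001 criteria from the log fields. The evidence directory, the pilot UPNs, the CES-CA- policy-name prefix and the list of legacy client names are assumptions chosen to match the plan.

```powershell
# Added example for POST-001 plus EV-CA-POLICY-EXPORT-001 / EV-AUTH-TEST-LOG-001.
# Not part of the original briefing; paths, pilot UPNs and policy-name prefix are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$evidenceDir = "C:\Evidence\CMMC-L2"                                    # placeholder
$stamp       = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$sumsFile    = Join-Path $evidenceDir "SHA256SUMS.txt"
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

function Add-EvidenceHash([string] $Path) {
    # Checksum recorded at collection time; the SHA256SUMS file is what later tamper checks compare against.
    "$((Get-FileHash -Path $Path -Algorithm SHA256).Hash)  $(Split-Path $Path -Leaf)" | Add-Content -Path $sumsFile
}

# --- EV-CA-POLICY-EXPORT-001: full policy export, then a state check on the baseline set ---
$policies   = Get-MgIdentityConditionalAccessPolicy -All
$policyFile = Join-Path $evidenceDir "EV-CA-POLICY-EXPORT-001_$stamp.json"
$policies | ConvertTo-Json -Depth 20 | Set-Content -Path $policyFile -Encoding utf8
Add-EvidenceHash $policyFile

$baseline    = $policies | Where-Object { $_.DisplayName -like 'CES-CA-*' }
$notEnforced = $baseline | Where-Object { $_.State -ne 'enabled' }   # report-only or disabled is not enforcement
$baseline | Select-Object DisplayName, State | Format-Table -AutoSize
if ($notEnforced) { Write-Warning ("Baseline policies not enforced: " + ($notEnforced.DisplayName -join ', ')) }

# --- EV-AUTH-TEST-LOG-001: pilot account sign-ins from the last 24 hours ---
$pilotUsers    = @("pilot1@contoso.com", "pilot2@contoso.com")          # placeholders
$since         = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
# clientAppUsed values that correspond to the CA "Exchange ActiveSync" and "Other clients" app types
$legacyClients = @("Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                   "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)")

$signIns = foreach ($upn in $pilotUsers) {
    Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"
}
$report = $signIns | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed,
    AuthenticationRequirement, ConditionalAccessStatus,
    @{n='ErrorCode';       e={ $_.Status.ErrorCode }},
    @{n='FailureReason';   e={ $_.Status.FailureReason }},
    @{n='AppliedPolicies'; e={ ($_.AppliedConditionalAccessPolicies | ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; ' }}

$logFile = Join-Path $evidenceDir "EV-AUTH-TEST-LOG-001_$stamp.csv"
$report | Export-Csv -Path $logFile -NoTypeInformation
Add-EvidenceHash $logFile
$report | Format-Table -AutoSize

# POST-001 criteria, evaluated from the log rather than by eye:
#  - every successful modern-client sign-in carries authenticationRequirement = multiFactorAuthentication
#  - every legacy-client attempt ends in 53003 (blocked by CA). A 50126 here means the test used a bad
#    password and CA was never evaluated; it counts as a failed test, not as a block.
$mfaMissing   = $report | Where-Object { $_.ClientAppUsed -notin $legacyClients -and $_.ErrorCode -eq 0 -and
                                         $_.AuthenticationRequirement -ne 'multiFactorAuthentication' }
$legacyPassed = $report | Where-Object { $_.ClientAppUsed -in $legacyClients -and $_.ErrorCode -ne 53003 }
if (-not $mfaMissing -and -not $legacyPassed -and -not $notEnforced) {
    "POST-001 PASS ($($report.Count) sign-ins reviewed)"
} else {
    Write-Warning "POST-001 FAIL: $(@($mfaMissing).Count) sign-ins without MFA, $(@($legacyPassed).Count) legacy attempts not blocked. Do not proceed."
}
```

Copy the JSON, the CSV and SHA256SUMS.txt into the SharePoint Evidence Library together; the checksum file is only useful for tamper detection if it is stored with the artifacts it covers and is version-controlled alongside them.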

Strategy: Reverse Task

Procedure:

  1. Set the CES baseline CA policies to disabled via the Microsoft Entra admin center or PowerShell (disable rather than delete, so the policy objects and their audit trail survive and can be re-enabled without recreation)
  2. Verify users can authenticate without MFA (test with a pilot account)
  3. Document the rollback reason and timestamp in the change log
  4. Notify stakeholders of the rollback and revised timeline

Idempotency: Best effort. Policy re-application is safe but may cause brief authentication disruption.

Risk Mitigation: Create every policy in report-only mode first and review the report-only results in the sign-in log, then enforce for a pilot group before broad deployment. Maintain break-glass account access throughout implementation: keep the break-glass accounts excluded from every CA policy, store their credentials offline, and alert on any sign-in by them, since exclusion from policy means they are protected only by monitoring. Register phishing-resistant credentials for all admin accounts before enforcing the admin policy, or the policy will lock those admins out.

Execution Engine: PowerShell with Microsoft Graph API

Command: Set-ConditionalAccessBaseline

Arguments:

```json
{
  "policyName": "CES-CA-MFA-AllUsers",
  "requireMfa": true,
  "blockLegacyAuth": true,
  "includeGroups": ["AllUsersInScope"],
  "excludeAccounts": ["BreakGlass1", "BreakGlass2"]
}
```
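Set-ConditionalAccessBaseline is the engagement's own runbook command; the following added example shows what it has to do underneath in Microsoft Graph PowerShell, and also implements the Reverse Task from the rollback strategy above. It is not Blue Heron Defense's tool. It resolves the names from the JSON arguments to object IDs (Conditional Access policies reference IDs, not names), creates three policies in report-only mode, and provides one function that flips the whole CES-CA- set to enabled (go-live) or disabled (rollback). The break-glass UPNs, the group name, the admin role list and the CES-CA- prefix are placeholders assumed to match the plan.

```powershell
# Added example (not the original briefing's tool): Graph PowerShell equivalent of
# Set-ConditionalAccessBaseline, plus the rollback switch. Names are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All",
                        "User.Read.All", "RoleManagement.Read.Directory" -NoWelcome

# --- Resolve JSON argument names to object IDs; stop if anything is missing ---
$scopeGroupId  = (Get-MgGroup -Filter "displayName eq 'AllUsersInScope'").Id
$breakGlassIds = @("BreakGlass1@contoso.onmicrosoft.com", "BreakGlass2@contoso.onmicrosoft.com") |   # placeholders
    ForEach-Object { (Get-MgUser -UserId $_).Id }
if (-not $scopeGroupId -or @($breakGlassIds).Count -ne 2) { throw "Scope group or break-glass accounts not found; stop." }

# Phishing-resistant MFA is a built-in authentication strength; resolve it by name instead of hard-coding the ID
$prStrengthId = (Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA').Id
# Admin roles are referenced by role template ID (assumed role list; extend to the tenant's actual admin roles)
$adminRoleIds = Get-MgDirectoryRoleTemplate | Where-Object {
    $_.DisplayName -in @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
                         'Conditional Access Administrator', 'Exchange Administrator')
} | ForEach-Object Id

$policies = @(
    @{  displayName   = "CES-CA-MFA-AllUsers"
        conditions    = @{ applications   = @{ includeApplications = @("All") }
                           users          = @{ includeGroups = @($scopeGroupId); excludeUsers = @($breakGlassIds) }
                           clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") } },
    @{  displayName   = "CES-CA-BlockLegacyAuth"
        conditions    = @{ applications   = @{ includeApplications = @("All") }
                           users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassIds) }
                           # exchangeActiveSync + other = every client that cannot do modern auth
                           # (basic-auth IMAP/POP/SMTP, EWS, MAPI, legacy Office); these never see an MFA prompt
                           clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") } },
    @{  displayName   = "CES-CA-PhishingResistant-Admins"
        conditions    = @{ applications   = @{ includeApplications = @("All") }
                           users          = @{ includeRoles = @($adminRoleIds); excludeUsers = @($breakGlassIds) }
                           clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $prStrengthId } } }
)

# Create in report-only mode; re-running is idempotent because existing policies are skipped, not recreated
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) { Write-Host "Exists, skipping: $($p.displayName)"; continue }
    $p.state = "enabledForReportingButNotEnforced"
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}

# Go-live and rollback are the same operation with a different target state; each change is appended to a change log
function Set-CesBaselineState {
    param([ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")] [string] $State)
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -like 'CES-CA-*' | ForEach-Object {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -State $State
        "$((Get-Date).ToUniversalTime().ToString('o'))  $($_.DisplayName) -> $State" | Add-Content -Path ".\ces-ca-changelog.txt"
    }
}
# Set-CesBaselineState -State enabled    # after pilot review (STEP-001 go-live)
# Set-CesBaselineState -State disabled   # Reverse Task rollback
```

Run the sign-in verification against report-only results before calling Set-CesBaselineState with enabled; the report-only phase is the only point at which a lockout of an unregistered admin or an unexpected legacy-auth dependency (a scanner, a line-of-business mailer) shows up without user impact.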

Inputs:

  • SI Baseline (target level, scope definition)
  • Tenant current state (existing CA policies, group memberships)

Outputs:

  • Evidence: CA policy export (EV-CA-POLICY-EXPORT-001)
  • State: Tenant CA policy applied (configuration change logged)

Dependencies: None (priority P0, no upstream tasks required)

Proposal ID: PROP-0001

Line Item: Identity & Access Hardening

Pricing: Fixed price, $3,500 USD

Deliverables:

  • Conditional Access policy set and export evidence
  • Authentication verification logs
  • Runbook for break-glass accounts and MFA rollout
  • User communication templates and training materials

Acceptance Criteria:

  • MFA required for all in-scope users
  • Legacy authentication blocked
  • Evidence artifacts stored and indexed in SharePoint Evidence Library

Out of Scope:

  • Endpoint management onboarding beyond agreed scope
  • GCC High licensing procurement
  • Custom application MFA integration

Customer Dependencies:

  • Provide list of in-scope users and admin accounts
  • Approve outage windows and user communication schedule
  • Grant administrative access to configure identity policies

Implement Your CMMC L2 Identity Controls

Our compliance engineers will execute this mission plan in your environment, with full evidence collection and C3PAO-ready documentation. Typical implementation time: 5-7 business days.

Schedule Implementation