How to Actually Handle Identification and Authentication for CMMC

Most breaches don’t start with hackers breaking down your firewall. They start with someone logging in using credentials they found on the dark web.
This post breaks down the NIST 800-171 control family for Identification and Authentication. No fluff. Just the basics, the problems, and how to fix them.
What You’re Supposed to Be Doing
This control family makes sure your users are who they say they are. Before they touch anything.
Here’s the short list of what matters:
- Everyone gets their own login. No shared ERP accounts. No admin1/admin2 nonsense.
- Turn on MFA. Yes, even for Carl in Accounting. Especially for Carl.
- Don’t send credentials over email. Use a real system such as Keeper Password Manager to store and share passwords. Not a sticky note.
- Watch login attempts. Too many failed logins = something shady or someone forgetful. Either way, it’s a problem.
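The "watch login attempts" point above, as an added example that is not part of the original post: a small Python script that runs a sliding-window threshold over constructed auth-log lines and flags both an account racking up failures (the forgetful Carl case) and a single source failing against many accounts. The log format, field names and thresholds are assumptions for the example, not any product's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): "timestamp user source result"
SAMPLE_LOG = """\
2024-03-01T08:00:05 carl 10.0.0.12 FAIL
2024-03-01T08:00:20 carl 10.0.0.12 FAIL
2024-03-01T08:00:41 carl 10.0.0.12 FAIL
2024-03-01T08:01:02 carl 10.0.0.12 FAIL
2024-03-01T08:01:30 carl 10.0.0.12 FAIL
2024-03-01T08:02:00 carl 10.0.0.12 OK
2024-03-01T09:10:00 dana 203.0.113.7 FAIL
2024-03-01T09:10:03 erin 203.0.113.7 FAIL
2024-03-01T09:10:06 fred 203.0.113.7 FAIL
2024-03-01T09:10:09 gina 203.0.113.7 FAIL
2024-03-01T09:10:12 hank 203.0.113.7 FAIL
2024-03-01T12:00:00 dana 10.0.0.33 FAIL
2024-03-01T14:00:00 dana 10.0.0.33 FAIL
"""

def parse_log(text):
    """Turn each line into (timestamp, user, source, result)."""
    events = []
    for line in text.splitlines():
        ts, user, source, result = line.split()
        events.append((datetime.fromisoformat(ts), user, source, result))
    return events

def find_bursts(events, key_index, threshold, window):
    """Return {key: peak_count} for keys with >= threshold FAILs inside one sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            failures[ev[key_index]].append(ev[0])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def review_failed_logins(text, threshold=5, window=timedelta(minutes=10)):
    events = parse_log(text)
    return {
        "accounts": find_bursts(events, 1, threshold, window),  # one account hammered
        "sources": find_bursts(events, 2, threshold, window),   # one source, many failures
    }
```

Two failures hours apart (dana from 10.0.0.33) stay below the threshold, so the window matters as much as the count.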
What Usually Goes Wrong
- Factory floors using one universal login for everyone.
- Admin accounts still active after someone quits.
- No offboarding workflow at all.
- Passwords that get reused across multiple accounts.
This stuff isn’t just theory. It’s how companies end up suffering big losses in a breach.
Tools That Make It Easier
You don’t need to roll out retina scans. Start with what’s built in:
- MFA from Microsoft 365. Turn it on.
- Password managers like Keeper or 1Password. Excel sheets don’t count (and are NOT compliant).
- Phishing-resistant MFA like YubiKey when you’re ready to level up.
- SSO if your team is juggling too many logins.
Don’t complicate this. Test tools on yourself. Then roll them out.
Common Pushback (and What to Do)
- “I don’t want that app on my phone.” Cool. Offer them a hardware token. Or better training. Or a new job. Users need to understand that MFA is crucial and that installing an authenticator app on their phone is the equivalent of being given a key to the office.
- “The password rules are too strict.” People will always complain. If people really hate it, roll out YubiKeys so users don’t need to know their password.
Paperwork You’ll Regret Ignoring
Eventually, someone will ask for documentation. Be ready with:
- An Access policy
- Credential management steps
- Access control guidelines
- Monitoring and audit rules
You don’t need a 50-page PDF. Just write down what you actually do, in a way that makes sense for your organization.
Where to Start If You’re Behind
Don’t aim for perfect. Aim for progress.
- Unique logins for everyone.
- MFA turned on.
- Passwords stored in something that’s not Excel.
- Monitor failed login attempts.
That’s a solid foundation. You can build from there. Authentication isn’t exciting. But it’s essential. Nail it now or deal with the mess later.