DATE: February 2, 2026|CLASSIFICATION: UNCLASSIFIED|BRIEFING ID: BHD-INTEL-2026-002

CMMC Level 2 Identity & Access Hardening: Executable Implementation Plan

By Blue Heron Defense Compliance Team

Executive Summary

CMMC Level 2 compliance requires enforcement of multi-factor authentication (MFA) for all users, blocking of legacy authentication protocols, and privileged access controls. This briefing provides an executable mission plan for organizations targeting CMMC L2 readiness, with step-by-step implementation tasks, verification procedures, and evidence artifacts designed to withstand C3PAO assessment. Based on NIST SP 800-171 Rev. 2 control AC.L2-3.1.2, this plan addresses the most common gap identified in Readiness Review Tool (RRT) assessments: inadequate MFA enforcement and legacy authentication exposure.

Mission Objective

Milestone: Identity & Access Hardening

Objective: Enforce strong authentication and privileged access controls aligned to CMMC Level 2.

Exit Criteria:

  • MFA enforced for all in-scope users
  • Admin roles protected with phishing-resistant authentication
  • Access reviews scheduled and documented
  • Legacy authentication protocols blocked

Target Date: Within 28 days of engagement initiation

Priority: P0 (Critical path for CMMC certification)

Control Coverage: AC.L2-3.1.2

NIST SP 800-171 Requirement: "Employ multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."

Current Gap Rationale: Based on typical Readiness Review Tool (RRT) findings, the following gaps are prevalent across Defense Industrial Base (DIB) contractors:

  • MFA not enforced for all users in scope
  • Legacy authentication protocols still permitted (SMTP, POP3, IMAP)
  • Break-glass accounts lack documented procedures
  • Privileged access lacks phishing-resistant MFA

Support Type: Configurable (tenant-wide policy enforcement via Microsoft Entra ID Conditional Access)

Assessment Method Alignment: MFA enforcement is verified through exported configuration (examine) and test sign-in attempts (test). This dual-method validation ensures defensible evidence for C3PAO assessment.

Implementation Tasks

STEP-001: Enforce MFA and Block Legacy Authentication

  • Enable Security Defaults or Conditional Access MFA Policy: Configure tenant-wide MFA requirement for all users in scope. For Microsoft 365 Commercial tenants, implement Conditional Access policy 'CES-CA-MFA-AllUsers' with requireMfa=true and blockLegacyAuth=true.
  • Disable Legacy Authentication Protocols: Block SMTP AUTH, POP3, IMAP, and other legacy protocols where possible. Export authentication logs to confirm no legacy auth sign-ins succeed post-implementation.
  • Create Break-Glass Accounts: Establish two emergency access accounts ('BreakGlass1', 'BreakGlass2') with strong protections: phishing-resistant MFA, documented usage procedures, and conditional exclusion from MFA policies. Store credentials in physically secured location with audit trail.
  • Configure Privileged Role Protection: Ensure all admin roles (Global Administrator, Security Administrator, Compliance Administrator) require phishing-resistant MFA (FIDO2/WebAuthn or PIV/CAC). SMS and voice-call MFA do not satisfy this requirement.

Verification Procedures

How to Verify Implementation:

  • Export Conditional Access Policies: Use Microsoft Graph API or PowerShell to export CA policy configuration. Verify MFA requirement is present and legacy auth block is enabled. Retain export with SHA-256 hash for evidence retention.
  • Attempt Legacy Auth Sign-In: Conduct controlled test using legacy authentication protocol (e.g., SMTP AUTH with valid credentials). Confirm connection is rejected with appropriate error message.
  • Review Sign-In Logs: Export Azure AD/Entra ID sign-in logs for 72-hour period post-implementation. Verify all authentication events include MFA challenge and outcome. Document any exclusions (break-glass accounts) with justification.
  • Test Break-Glass Procedure: Simulate emergency access scenario using documented break-glass procedure. Verify account can authenticate and access is logged with tamper-evident audit trail.

Expected Evidence Artifacts

The following artifacts must be collected and retained for C3PAO assessment:

EV-CA-POLICY-EXPORT-001:

  • Type: Configuration Export
  • Description: Conditional Access policy export demonstrating MFA enforcement and legacy auth blocks
  • Collector: PowerShell (Get-MgIdentityConditionalAccessPolicy)
  • Retention: 365 days minimum
  • Storage: SharePoint Evidence Library with version control
  • Hash: SHA-256 checksum for tamper detection

EV-AUTH-TEST-LOG-001:

  • Type: Log Export
  • Description: Authentication test log showing MFA challenge and legacy auth block results
  • Collector: PowerShell (Get-MgAuditLogSignIn)
  • Retention: 365 days minimum
  • Storage: SharePoint Evidence Library with version control
  • Hash: SHA-256 checksum for tamper detection

Prechecks & Postchecks

PRE-001: Confirm Conditional Access Capability

Method: Examine

Expected: Conditional Access is available for the tenant (Microsoft 365 E3/E5 or standalone license), or a documented alternative MFA enforcement mechanism is selected.

On Fail: Stop and escalate. Choose supported MFA enforcement mechanism for current licensing state. Do not proceed with implementation until capability is confirmed.

POST-001: Confirm MFA Enforcement Active

Method: Test

Expected: All tested users receive MFA challenge during authentication. Legacy auth attempts fail with appropriate error code.

On Fail: Rollback or adjust policy exclusions. Re-run verification task. Do not proceed to next milestone until postcheck passes.

Rollback Strategy

Strategy: Reverse Task

Procedure:

1. Disable or delete the CES baseline CA policy via Microsoft Entra ID portal or PowerShell

2. Verify users can authenticate without MFA (test with pilot account)

3. Document rollback reason and timestamp in change log

4. Notify stakeholders of rollback and revised timeline

Idempotency: Best effort. Policy re-application is safe but may cause brief authentication disruption.

Risk Mitigation: Always test policy changes in pilot group before broad deployment. Maintain break-glass account access throughout implementation.

Technical Execution Details

Execution Engine: PowerShell with Microsoft Graph API

Command: Set-ConditionalAccessBaseline

Arguments:

```json

{

"policyName": "CES-CA-MFA-AllUsers",

"requireMfa": true,

"blockLegacyAuth": true,

"includeGroups": ["AllUsersInScope"],

"excludeAccounts": ["BreakGlass1", "BreakGlass2"]

}

```

Inputs:

  • SI Baseline (target level, scope definition)
  • Tenant current state (existing CA policies, group memberships)

Outputs:

  • Evidence: CA policy export (EV-CA-POLICY-EXPORT-001)
  • State: Tenant CA policy applied (configuration change logged)

Dependencies: None (priority P0, no upstream tasks required)

Implementation Considerations

Key Dependencies:

  • List of in-scope users and admin accounts
  • Scheduled maintenance windows for policy deployment
  • Administrative access to configure identity policies

Implementation Deliverables:

  • Conditional Access policy set and export evidence
  • Authentication verification logs
  • Runbook for break-glass accounts and MFA rollout
  • User communication templates and training materials

Success Criteria:

  • MFA required for all in-scope users
  • Legacy authentication blocked
  • Evidence artifacts stored and indexed for compliance assessment

[Pricing and engagement details available upon request]

Next Steps

[Contact information and engagement details available]

Learn More