Meeting IA.L2-3.5.1 under NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 (identify system users, processes acting on behalf of users, and devices) is in practice inseparable from its companion controls IA.L2-3.5.2 (authenticate those identities before allowing access) and IA.L2-3.5.3 (multi-factor authentication). Combining single sign-on (SSO), multi-factor authentication (MFA), and device trust (device posture and identity) gives an implementable, auditable approach that satisfies all three, protects Controlled Unclassified Information (CUI), and keeps users productive.
What IA.L2-3.5.1 expects from your Compliance Framework implementation
At a practical level this control requires that every user, every process acting on a user's behalf, and every device be tied to a unique identifier before it touches a system that processes, stores, or transmits CUI; shared or generic accounts defeat the control and destroy the audit trail. Together with IA.L2-3.5.2 that means identify, then authenticate, then grant access, in that order. In your Compliance Framework documentation map IA.L2-3.5.1 (and 3.5.2/3.5.3, which the same architecture covers) to concrete technical controls: an enterprise IdP that issues the unique user identifiers and fronts all SSO, MFA enforcement for all privileged and user accounts accessing CUI, and device-trust enforcement so that only managed, compliant endpoints (or tightly constrained unmanaged endpoints) can reach sensitive resources. Your policy, procedures, and system configuration must be captured as evidence for audits and CMMC assessments.
Recommended architecture: SSO + MFA + Device Trust
Architecturally, implement a centralized identity provider (IdP) that supports SAML 2.0 and/or OIDC for SSO, SCIM for automated user provisioning and deprovisioning, strong MFA (FIDO2/WebAuthn or hardware tokens for administrators), and an endpoint management system (MDM/EMM) that asserts device compliance. Use Conditional Access (or an equivalent policy engine) so that each access decision depends on all three signals: (a) the user identity asserted by SSO, (b) a successful MFA challenge, and (c) a device-compliance claim (device is enrolled, not jailbroken or otherwise compromised, at or above the required patch level, disk encryption enabled). Technical details: configure SSO with a stable SAML NameID (an immutable identifier, not a mutable display name) plus email and group claims; enable the OIDC scopes openid profile email for modern apps; implement SCIM attribute mappings (userName, name.givenName, name.familyName, active, groups) so that disabling a user in the IdP sets active=false downstream; and use certificate-based authentication or MDM-issued device compliance tokens for device identity, so that the device is identified as a principal in its own right, not merely inferred from the user.
Implementing SSO and MFA (practical steps)
Start by selecting an IdP that fits your size and budget (examples: Microsoft Entra ID, formerly Azure AD; Okta; Google Workspace with Cloud Identity). Register each cloud app with SAML/OIDC so authentication funnels through the IdP and direct local logins are disabled. Turn on MFA for all admin accounts and for all users accessing systems that process CUI. Non-interactive service accounts cannot answer an MFA prompt; give them certificate or workload-identity credentials, block interactive sign-in for them, and treat them as privileged accounts in your inventory. Prefer phishing-resistant factors (FIDO2 keys such as YubiKey, platform authenticators) for administrators and high-risk users. For workforce MFA, use push-based authenticators with number matching (plain approve/deny prompts are vulnerable to MFA-fatigue attacks) or TOTP as a fallback, and avoid SMS and voice factors where you can. Configure session lifetimes and risk-based step-up authentication for sensitive operations (e.g., downloading CUI, requesting privileged API tokens). For on-prem apps, deploy a SAML/OIDC gateway or integrate via RADIUS with the IdP to centralize MFA enforcement; note that RADIUS integrations generally support only push or OTP factors, so they do not give you phishing resistance.
Implementing Device Trust (practical steps)
Device trust requires an endpoint management solution and a way for the IdP to consume its compliance signals. Enroll corporate devices in MDM (Intune, Jamf, Workspace ONE). Define compliance policies: minimum OS version, disk encryption (BitLocker/FileVault), screen lock, antivirus/EDR presence, and required patch level. Issue device certificates (via enterprise PKI) or use device compliance tokens issued by the MDM that the IdP can validate; either way each device carries a unique identifier, which is what IA.L2-3.5.1 asks for on the device side. Configure Conditional Access to require the device to be marked "compliant" before granting access to apps handling CUI, and treat a non-compliant state as a denial, not a warning. For contractors or BYOD, create a separate policy that allows only browser-isolated or web-limited access (no downloads, no sync clients), or require VPN with client TLS certificates and MFA when device enrollment is not possible.
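The three preceding sections describe one decision: the IdP combines the SSO-asserted identity, the MFA result, and the MDM compliance claim, and returns full access, restricted browser-only access, or a denial. The following is an added example written for this page, not vendor code or a Conditional Access export; the claim keys, factor names, group names, OS thresholds and the sample user/device are all constructed assumptions, and the policy engine is deliberately minimal so the ordering of the checks is visible.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy constants for this example; real thresholds come from your
# device-compliance policy and Compliance Framework mapping, not from here.
MIN_OS = {"windows": (10, 0, 19045), "macos": (13, 0, 0), "ios": (16, 0, 0)}
PHISHING_RESISTANT = {"fido2", "platform_authenticator"}
ACCEPTED_MFA = PHISHING_RESISTANT | {"push", "totp"}  # SMS/voice deliberately excluded
CUI_GROUP = "cui-users"
ADMIN_GROUP = "global-admins"


@dataclass
class DevicePosture:
    """Compliance signals the MDM asserts to the IdP (field names are assumptions)."""
    enrolled: bool
    platform: str
    os_version: Tuple[int, int, int]
    disk_encrypted: bool
    screen_lock: bool
    edr_running: bool
    jailbroken: bool = False


@dataclass
class AuthContext:
    claims: dict                      # SAML/OIDC claims from SSO: sub, email, groups
    mfa_factor: Optional[str]         # factor that satisfied the MFA challenge, or None
    device: Optional[DevicePosture]   # None when no device claim reached the IdP


def device_failures(d: DevicePosture) -> List[str]:
    """Return every compliance-policy failure; an empty list means 'compliant'."""
    failures = []
    if not d.enrolled:
        failures.append("device not enrolled in MDM")
    if d.jailbroken:
        failures.append("device jailbroken/rooted")
    # An unknown platform can never satisfy the minimum-version rule.
    if d.os_version < MIN_OS.get(d.platform, (10**6, 0, 0)):
        failures.append(f"{d.platform} below minimum OS version")
    if not d.disk_encrypted:
        failures.append("disk encryption disabled")
    if not d.screen_lock:
        failures.append("screen lock disabled")
    if not d.edr_running:
        failures.append("EDR agent not running")
    return failures


def decide(ctx: AuthContext, app_handles_cui: bool) -> Tuple[str, List[str]]:
    """Combine identity, MFA and device signals into 'allow', 'allow_web_only' or 'deny'."""
    # IA.L2-3.5.1: refuse anything that is not tied to a unique identifier.
    if not ctx.claims.get("sub"):
        return "deny", ["assertion carries no subject identifier"]
    groups = set(ctx.claims.get("groups", []))

    # IA.L2-3.5.3: MFA for everyone; phishing-resistant for administrators.
    if ctx.mfa_factor not in ACCEPTED_MFA:
        return "deny", [f"MFA not satisfied (factor={ctx.mfa_factor})"]
    if ADMIN_GROUP in groups and ctx.mfa_factor not in PHISHING_RESISTANT:
        return "deny", ["administrators must use a phishing-resistant factor"]

    if not app_handles_cui:
        return "allow", ["non-CUI application: identity and MFA are sufficient"]
    if CUI_GROUP not in groups:
        return "deny", ["user is not authorized for CUI"]

    # Device trust: managed and compliant gets full access; unmanaged gets the
    # browser-only path described for contractors/BYOD; compromised gets nothing.
    if ctx.device is None or not ctx.device.enrolled:
        if ctx.device is not None and ctx.device.jailbroken:
            return "deny", ["device jailbroken/rooted"]
        return "allow_web_only", ["unmanaged device: browser session only, downloads blocked"]
    failures = device_failures(ctx.device)
    if failures:
        return "deny", failures
    return "allow", ["identity, MFA and device compliance all satisfied"]


if __name__ == "__main__":
    # Constructed sample inputs, not real users or devices.
    laptop = DevicePosture(True, "windows", (10, 0, 22631), True, True, True)
    alice = AuthContext({"sub": "alice@example.com", "groups": [CUI_GROUP]}, "fido2", laptop)
    print(decide(alice, app_handles_cui=True))
```

The order matters: identity is checked before any authenticator, because an assertion without a stable subject cannot be audited, and the device check comes last so that the denial reasons a user sees are about their endpoint only once the account itself is in good standing. The "allow_web_only" result is a decision the IdP hands to the application or proxy; the download and sync restrictions it implies must be enforced there.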
Small business scenario — step-by-step example
Example: a 50-employee defense contractor using Microsoft 365 Business Premium wants to meet IA.L2-3.5.1. Practical steps: use Microsoft Entra ID (Azure AD) as the IdP; onboard devices to Intune with automatic enrollment via Entra join/MDM auto-enroll; create a Conditional Access policy scoped to the cloud apps that handle CUI with the grant controls "Require device to be marked as compliant" and "Require multifactor authentication" combined with AND (not OR, which would let either control satisfy the other); and require FIDO2 keys for all Global Administrators via a phishing-resistant authentication strength. Exclude a dedicated break-glass account from every Conditional Access policy and deploy each policy in report-only mode first, so a mistake does not lock out the administrators who must fix it. Use automated provisioning (SCIM into downstream apps, or an HR-driven inbound connector into Entra ID) to keep the user lifecycle auditable. For VPN and legacy apps, deploy Entra application proxy or a SAML gateway and require client certificates for on-prem endpoints. Budget notes: Microsoft 365 Business Premium includes Intune and the Entra ID P1 features this requires, but it is capped at 300 users; Okta + Jamf or other mixes have similar licensing, so verify that SCIM and conditional-access features are included in the tier you buy.
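The two policies in this scenario can be expressed as Microsoft Graph conditionalAccessPolicy request bodies, which is also the form you will export as evidence. The code below is an added example for this page and is not Microsoft's or any MDM vendor's code; the group and application object IDs are placeholders to replace with your tenant's values, while the Global Administrator role template ID, the built-in "Phishing-resistant MFA" authentication strength ID, and the Graph endpoint are the real well-known values. It builds the bodies, lints them for the two mistakes called out above (no break-glass exclusion, OR instead of AND), and returns the request it would send without making a network call.

```python
import json
from typing import Dict, List, Tuple

# Placeholders (assumptions): substitute your tenant's object IDs.
BREAK_GLASS_GROUP = "11111111-1111-1111-1111-111111111111"
CUI_APP_IDS = ["22222222-2222-2222-2222-222222222222",   # e.g. the SharePoint site app
               "33333333-3333-3333-3333-333333333333"]   # e.g. the engineering file service

# Well-known Microsoft Entra ID values (not placeholders).
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {"enabled", "disabled", REPORT_ONLY}
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def cui_policy(cui_app_ids: List[str], break_glass_group: str, state: str = REPORT_ONLY) -> Dict:
    """'Require compliant device' AND 'Require MFA' for every user, on the CUI apps only."""
    return {
        "displayName": "CUI apps: require compliant device AND MFA",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": list(cui_app_ids)},
            "clientAppTypes": ["all"],
        },
        # AND is what makes the two controls cumulative.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }


def admin_policy(break_glass_group: str, state: str = REPORT_ONLY) -> Dict:
    """Phishing-resistant MFA (FIDO2 etc.) for Global Administrators on all apps."""
    return {
        "displayName": "Global Admins: phishing-resistant MFA",
        "state": state,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE], "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}},
    }


def lint(policy: Dict) -> List[str]:
    """Return findings for the rollout mistakes a practitioner should catch before POSTing."""
    findings = []
    users = policy["conditions"]["users"]
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        findings.append("no break-glass exclusion: a misconfiguration could lock every admin out")
    grant = policy["grantControls"]
    controls = grant.get("builtInControls", [])
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("operator is not AND: one control would satisfy the policy on its own")
    if policy["state"] not in VALID_STATES:
        findings.append(f"invalid state {policy['state']!r}")
    return findings


def graph_request(policy: Dict) -> Tuple[str, str, str]:
    """The (method, url, body) a Graph client would send; this example never sends it."""
    return "POST", GRAPH_CA_URL, json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (cui_policy(CUI_APP_IDS, BREAK_GLASS_GROUP), admin_policy(BREAK_GLASS_GROUP)):
        print(p["displayName"], "->", lint(p) or "ok")
        print(graph_request(p)[2])
```

Keep the exported bodies (and the later change from report-only to enabled) in the change-control log described in the next section; the body plus the sign-in log showing the policy applied is exactly the evidence pair an assessor asks for.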
Operational controls, logging, and evidence for auditors
Operationalize by documenting procedures: enrollment SOPs, exception handling for unmanaged devices, onboarding/offboarding steps (automated via SCIM), and a change-control log for access-policy changes. Enable and retain logs: IdP authentication logs, Conditional Access events, MDM compliance events, and VPN/proxy access logs. Forward these to a SIEM (Splunk, Microsoft Sentinel (formerly Azure Sentinel), Elastic) and keep them for at least the retention period required by your contract or assessor guidance, which is typically longer than the IdP's default retention. Regularly run access reviews, verify the privileged-account inventory, and produce evidence packages (configuration exports and screenshots, audit logs showing enforcement, device enrollment lists) for assessments; a sign-in record for a CUI app that succeeded with single-factor authentication or from a non-compliant device is an exception that must be explained, not an anomaly to ignore.
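The evidence review described above can be automated. The following is an added example written for this page, not tooling from any vendor: it reads sign-in records shaped like the Microsoft Graph signIn resource (the field names conditionalAccessStatus, authenticationRequirement, deviceDetail.isCompliant and status.errorCode are the real ones; the records themselves are constructed, and the app names and user principal names are invented) and separates sign-ins to CUI apps into enforced blocks, fully compliant successes, and successes that slipped through without MFA or a compliant device. The last category is what you hand to the exception process.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample records (JSON lines) mimicking Graph signIn fields; not real data.
# AADSTS error 53000 is the real "device not compliant" code returned by Conditional Access.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-05-01T13:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "SharePoint Online", "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"deviceId": "d-1", "isCompliant": True}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T13:05:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "SharePoint Online", "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"deviceId": "", "isCompliant": False}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T13:09:02Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Engineering Vault", "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"deviceId": "", "isCompliant": False}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T13:11:57Z", "userPrincipalName": "dave@example.com",
     "appDisplayName": "SharePoint Online", "conditionalAccessStatus": "failure",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"deviceId": "d-4", "isCompliant": False}, "status": {"errorCode": 53000}},
    {"createdDateTime": "2024-05-01T13:15:20Z", "userPrincipalName": "erin@example.com",
     "appDisplayName": "Company Cafeteria Menu", "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"deviceId": "", "isCompliant": False}, "status": {"errorCode": 0}},
])

CUI_APPS = {"SharePoint Online", "Engineering Vault"}   # assumption: the apps in scope for CUI


def audit_signins(jsonl: str, cui_apps) -> Dict[str, object]:
    """Classify every sign-in to a CUI app; 'gaps' are successes that violated the policy."""
    gaps: List[Tuple[str, str, str]] = []
    blocked: List[Tuple[str, str, int]] = []
    compliant = 0
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        app, upn = r.get("appDisplayName", ""), r.get("userPrincipalName", "")
        if app not in cui_apps:
            continue                       # out of scope for this control
        code = r.get("status", {}).get("errorCode", 0)
        if code != 0:
            blocked.append((upn, app, code))   # enforcement evidence (or an unrelated failure)
            continue
        reasons = []
        if r.get("conditionalAccessStatus") != "success":
            # notApplied on a CUI app means the policy's scope missed this app or user.
            reasons.append(f"conditional access {r.get('conditionalAccessStatus')}")
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("single-factor sign-in")
        if not r.get("deviceDetail", {}).get("isCompliant"):
            reasons.append("device not marked compliant")
        if reasons:
            gaps.append((upn, app, "; ".join(reasons)))
        else:
            compliant += 1
    return {"compliant": compliant, "blocked": blocked, "gaps": gaps}


if __name__ == "__main__":
    report = audit_signins(SAMPLE_SIGNINS, CUI_APPS)
    print(f"compliant={report['compliant']} blocked={len(report['blocked'])}")
    for upn, app, why in report["gaps"]:
        print(f"GAP {upn} -> {app}: {why}")
```

Run this over the exported sign-in log for the assessment period: a report with zero gaps and a non-zero blocked count is positive evidence that the policy is both scoped correctly and actually enforcing; a "conditional access notApplied" gap on a CUI app is the signature of an app or user group missing from the policy scope.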
Risks and consequences of not implementing IA.L2-3.5.1
Failing to properly identify and authenticate users and devices increases the risk of unauthorized access to CUI, credential-based compromise (phishing, credential stuffing), lateral movement from unmanaged endpoints, and exfiltration of sensitive data. For contractors, non-compliance can lead to failed CMMC assessment outcomes, loss of contracts, costly incident response, regulatory penalties, and reputational damage. From a technical standpoint, a strong identity layer without device trust still leaves a gap: MFA proves who is at the keyboard but says nothing about whether the endpoint requesting access has the required controls (encryption, patching, EDR), so a phished session token or an infostealer on an unmanaged laptop can still carry CUI out.
Summary: to meet IA.L2-3.5.1 (and the 3.5.2/3.5.3 controls it depends on), implement a centralized IdP with SSO that issues unique identifiers for every user and device, enforce strong MFA (prefer phishing-resistant factors), and require device trust via MDM/PKI and Conditional Access; document the mapping in the Compliance Framework, maintain logs and evidence, and run regular reviews. For small businesses, practical combinations like Microsoft Entra ID + Intune or Okta + Jamf provide a cost-effective path to compliance when paired with clear policies, automated provisioning, and retained audit trails.