IA - Identification & Authentication Domain Notes
CMMC Domain: IA (Identification & Authentication)
NIST 800-171 Family: 3.5.x
IA.L2-3.5.7 - PASSWORD COMPLEXITY
Control: Enforce minimum password complexity and change requirements.
Issue
Assessors sometimes reject purely administrative controls and demand technical enforcement.
Community Resolution
- Entra ID is the right technical control for cloud/GCC High environments
- Provide: Entra password settings screenshot + Microsoft FedRAMP documentation (showing this is Microsoft's responsibility)
- One assessor accepted this immediately; another pushed back claiming additional technical control needed
- Assessor variability is real: escalate to the lead assessor if a team member is pushing back unreasonably
Evidence Package (what worked)
- Microsoft Entra password settings (length, complexity, history, reuse) - screenshots
- Microsoft FedRAMP ATO documentation showing enforcement at tenant level
- SSP narrative mapping IA.L2-3.5.7 to tenant-level Entra settings
- Evidence that no identities or auth paths bypass these settings
Policy Wording Trap
- If your policy says "require 8-character passwords" but Entra enforces 12, assessors may flag inconsistency
- Use "at least 8 characters" language in policy to accommodate higher enforcement without contradiction
- Source: Embarrassed_Carob6 comment
For PreVeil Environments
- PreVeil has its own authentication enforcement - document separately how it meets this control
- Assessors wanted clarity on "where enforcement actually lives" in a hybrid stack
Source: https://old.reddit.com/r/CMMC/comments/1q6h6xt/ (2026-01-07)
IA General Notes
Dedicated Admin Accounts
- CMMC requires separate privileged accounts from standard user accounts
- Google Workspace: dedicated admin accounts required - community thread discussed this
- M365/Entra: Separate admin accounts + privileged identity management
- Source: https://old.reddit.com/r/CMMC/comments/1remle3/ (2026-02-25)
MFA Requirements
- MFA is required for all CUI-accessing users
- Microsoft Authenticator via Entra Conditional Access is the standard solution for M365 environments
- "Correct place for MFA is at the actual workstation access" (Entra Conditional Access policy)
- BYOD/MAM phones for MFA: addressed in separate thread
- Source: https://old.reddit.com/r/CMMC/comments/1rlyo86/ (2026-03-05)
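The evidence package for IA.L2-3.5.7 asks for proof that no identities bypass the tenant password settings, and the MFA notes above point at Entra Conditional Access as the enforcement point. The following script is an added example (not from any of the threads or from Microsoft) that pulls both pieces of evidence with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and that you sign in with a read-only directory account; the property names and the "mfa" built-in control value are the ones the SDK exposes, while the CSV file names are my own choice.

```powershell
# Added example: export tenant-level IA evidence (Entra password-policy exceptions
# and Conditional Access MFA policies) with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph. Scopes are read-only.
Connect-MgGraph -Scopes "User.Read.All", "Policy.Read.All" -NoWelcome

# 1. Password-policy bypasses. Entra enforces complexity for cloud identities, but a
#    user object can carry "DisableStrongPassword" in its PasswordPolicies property,
#    which exempts it. For the "no identity bypasses these settings" evidence item
#    this list should be empty. OnPremisesSyncEnabled is captured because synced
#    accounts get their complexity rules from on-prem AD, not from this tenant setting.
$users  = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, PasswordPolicies, OnPremisesSyncEnabled
$bypass = $users | Where-Object { $_.PasswordPolicies -match 'DisableStrongPassword' }

# 2. Conditional Access policies that require MFA, with state and user/group scope.
#    Exclusions are exported on purpose: an assessor will ask who is carved out.
$caPolicies  = Get-MgIdentityConditionalAccessPolicy
$mfaPolicies = $caPolicies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
$mfaReport   = $mfaPolicies | Select-Object DisplayName, State,
    @{ n = 'IncludeUsers';  e = { $_.Conditions.Users.IncludeUsers  -join ';' } },
    @{ n = 'ExcludeUsers';  e = { $_.Conditions.Users.ExcludeUsers  -join ';' } },
    @{ n = 'IncludeGroups'; e = { $_.Conditions.Users.IncludeGroups -join ';' } },
    @{ n = 'ExcludeGroups'; e = { $_.Conditions.Users.ExcludeGroups -join ';' } }

# 3. Write dated CSVs to attach to the SSP evidence folder (file names are my own).
$stamp = Get-Date -Format 'yyyyMMdd'
$bypass | Select-Object UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, PasswordPolicies |
    Export-Csv -NoTypeInformation -Path "IA-3.5.7-password-policy-exceptions-$stamp.csv"
$mfaReport | Export-Csv -NoTypeInformation -Path "IA-mfa-conditional-access-$stamp.csv"

$enabledMfa = @($mfaPolicies | Where-Object { $_.State -eq 'enabled' }).Count
Write-Host "Users with DisableStrongPassword set : $(@($bypass).Count)"
Write-Host "Enabled CA policies requiring MFA    : $enabledMfa"
Write-Host "Synced (hybrid) users in tenant      : $(@($users | Where-Object { $_.OnPremisesSyncEnabled }).Count)"
```

Run it from a workstation with the Graph SDK and keep the two CSVs alongside the Entra screenshots; the synced-user count is the number that tells you whether password complexity "actually lives" in Entra or in on-prem AD for part of your population, which is the hybrid-stack question assessors raised for PreVeil-style environments. Policies in the "enabledForReportingButNotEnforced" state appear in the report but do not enforce MFA, so only the enabled count should be cited as the control.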
Password Managers and FedRAMP
- Community thread specifically on FedRAMP-compliant password managers (2026-02-23)
- Not all password managers are FedRAMP authorized; FedRAMP authorization is required for CUI environments
- Source: https://old.reddit.com/r/CMMC/comments/1rcn89c/ (2026-02-23, score 9, 27 comments)
Related Posts
- IA.L2-3.5.7 Password Complexity - 2026-01-07
- Password Managers - FedRAMP? - 2026-02-23
- MFA Confusion - 2026-03-05
- Dedicated Admin accounts for Google Workspace - 2026-02-25