IA.L2-3.5.2 – Don’t Just Identify… Authenticate: Proving Identity Before Granting Access

Written by Kevin Mann

August 19, 2025

If IA.L2-3.5.1 is about knowing who is trying to access your systems, then IA.L2-3.5.2 is about verifying they really are who they claim to be.

As a Certified CMMC Assessor and Certified CMMC MSP, we often find that organizations rely on weak or inconsistent authentication—especially for service accounts, scripts, or cloud apps. But CMMC Level 2 requires formal, provable authentication for all users, processes, and devices before granting access.

Let’s break it down.

CONTROL:

IA.L2-3.5.2 – Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Assessment Objectives (from the CMMC Assessment Guide):

  1. Identities of users are authenticated prior to access.
  2. Identities of processes acting on behalf of users are authenticated prior to access.
  3. Identities of devices are authenticated prior to access.

MSP Perspective: How to Implement It

Identification without authentication is just guessing. You need to verify identity before granting any access.

  1. Authenticate Users
  • Use a centralized identity provider such as Microsoft Entra ID (formerly Azure AD) or Okta.
  • Enforce multi-factor authentication (MFA) for all privileged and remote access.
  • Ban shared logins and default credentials.
  2. Authenticate Processes
  • Require API keys, certificates, or signed tokens for services and automated processes.
  • Track each service account and require strong authentication methods.
  • Rotate secrets and tokens regularly.
  3. Authenticate Devices
  • Implement device-based authentication using Intune, MDM, or NAC tools.
  • Use Conditional Access Policies that check device compliance (e.g., encryption, patch status) before allowing access.
  • Block unknown or unmanaged devices from sensitive systems or cloud access.

Tip: Make access conditional—not just on identity, but also on device health, location, and role.
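To make the three objectives and the tip above concrete, here is an added example (my code, not the post's or any vendor's): a small Python access gate that requires MFA for users, an HMAC-signed, expiring token with a rotatable key id for automated processes, and a registered, compliant device for either, before it allows access. The secret values, device inventory and token format are constructed placeholders, not a real product's API.

```python
import hashlib, hmac, time

# Constructed secret store keyed by key id (kid); rotate by adding a new kid and dropping the old one from ACTIVE_KIDS.
SERVICE_KEYS = {"k2025-08": b"constructed-current-secret",
                "k2025-05": b"constructed-retired-secret"}
ACTIVE_KIDS = {"k2025-08"}

# Constructed device inventory standing in for Intune/MDM compliance data.
DEVICES = {"LT-0451": {"managed": True, "encrypted": True, "patched": True},
           "LT-0777": {"managed": True, "encrypted": False, "patched": True}}

def sign_service_token(service, kid, expires_at):
    """Issue a signed, expiring token for an automated process (hypothetical format)."""
    msg = f"{service}|{kid}|{expires_at}".encode()
    return msg.decode() + "|" + hmac.new(SERVICE_KEYS[kid], msg, hashlib.sha256).hexdigest()

def verify_service_token(token, now=None):
    """Return (ok, service_or_reason); rejects retired keys, expiry and tampering."""
    now = int(time.time()) if now is None else now
    try:
        service, kid, exp, sig = token.split("|")
    except ValueError:
        return False, "malformed token"
    if kid not in ACTIVE_KIDS:
        return False, "token signed with retired key"
    if not exp.isdigit() or int(exp) <= now:
        return False, "token expired"
    expected = hmac.new(SERVICE_KEYS[kid], f"{service}|{kid}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    return True, service

def decide(principal_type, device_id, mfa_verified=False, service_token="", now=None):
    """Objectives 1-3: authenticate the principal, then the device, before allowing access."""
    if principal_type == "user":
        if not mfa_verified:
            return "deny", "user identity not MFA-authenticated"
    elif principal_type == "process":
        ok, why = verify_service_token(service_token, now)
        if not ok:
            return "deny", f"process not authenticated: {why}"
    else:
        return "deny", "unknown principal type"
    dev = DEVICES.get(device_id)
    if dev is None:
        return "deny", "device not registered"
    if not all(dev.values()):
        return "deny", "device not compliant"
    return "allow", "identity and device authenticated"
```

The deny reasons map directly onto the "What fails" list: an MFA-less user, a script with a stale or forged token, and an unregistered or non-compliant device each stop before any access is granted.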

What fails:

  • Local logins with no password
  • Scripts running with embedded plaintext credentials
  • BYOD devices accessing without registration

What passes:

  • MFA for all users
  • Certificates or tokens for services
  • Device-based authentication with access policies enforced

Common Pitfalls

  • MFA enabled for only some users
  • Devices allowed to connect to cloud apps or VPN without verification
  • Automated processes using hardcoded or shared credentials

Final Guidance

Trust must be earned—and in cybersecurity, trust starts with authentication. If someone (or something) is accessing your systems without proving their identity, you’re not compliant—and you’re not secure.