
Common Identity Management Gaps That Will Hurt Your CMMC Readiness

  • Writer: principia RAID
  • Apr 6, 2025
  • 2 min read


Preparing for a CMMC assessment means tightening your controls across the board, but few areas trip up contractors more than Identity and Access Management (IAM).


IAM is woven throughout CMMC, especially in the Access Control (AC) and Identification and Authentication (IA) domains.


And while most organizations think they have it handled, assessors often find the same problems again and again.


Here are the most common IAM gaps that can put your compliance—and contracts—at risk.


1. Orphaned Accounts That Never Got the Memo


Former employees, expired vendor logins, abandoned service accounts—these “orphaned” identities linger long after they’re needed. If they still have access to systems with CUI, they represent a major security risk.


CMMC assessors will ask:

  • How do you track account lifecycle?

  • When is access reviewed?

  • Who manages the offboarding process?


If you don’t have a clear, consistent offboarding process, this is a red flag.


2. Shared Credentials (Because It’s Easier)


We get it: some systems weren't built with user management in mind. But shared logins mean zero accountability, no audit trail, and no way to verify who accessed what.


CMMC doesn’t make exceptions here. If your team is still passing around usernames, it’s time to revisit your access policies and the tools you’re using to enforce them.


3. Incomplete MFA Rollout


Multi-factor authentication (MFA) is required at CMMC Level 2 for network access to every account and for local access to privileged accounts (IA.L2-3.5.3), which in practice covers every account that can reach CUI. But "we have MFA" doesn't mean much if:


  • It’s only turned on for VPN, but not email or cloud storage

  • Contractors or admins are exempt

  • Legacy apps are left out of scope


If it’s inconsistent, it won’t pass.


4. Missing Role-Based Access Control (RBAC)


Your users should only have access to the systems and data they need to do their jobs. That’s the principle of least privilege.


But many companies skip formal role definitions or fail to revisit permissions as roles evolve. The result? Over-provisioned accounts, admin sprawl, and unclear boundaries around CUI access.


5. No Access Review Process


It’s not enough to assign access once and forget it. CMMC requires regular access reviews to confirm permissions are still appropriate.


If you don't have a documented review schedule, or can't show that reviews actually happen and produce changes, that will raise concerns during your assessment.
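The gaps in items 1 through 5 are all things a scripted access review can surface from an account inventory. The script below is an added example, not code from the original post: it runs over a constructed inventory and HR roster (all sample data; the 90-day staleness window, the field names, and the finding codes are assumptions, not CMMC requirements) and flags orphaned accounts, shared logins, accounts missing MFA, and stale accounts, while reporting MFA coverage across CUI-capable accounts. Its output is the kind of dated artifact an assessor can accept as evidence that reviews happen.

```python
"""Access-review helper that flags common IAM gaps from an account inventory.

Added example, not code from the original post. All account and roster data
below is constructed; thresholds and finding codes are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Finding codes (assumed labels, chosen for this example).
ORPHANED, SHARED, NO_MFA, STALE = "ORPHANED", "SHARED", "NO_MFA", "STALE"


@dataclass
class Account:
    username: str
    owner: Optional[str]        # accountable person or vendor; None = nobody owns it
    privileged: bool
    cui_access: bool            # can reach systems that store or process CUI
    mfa_enrolled: bool
    last_login: Optional[date]  # None = never logged in
    shared: bool = False        # generic login used by more than one person


# Constructed sample data: current HR roster and people who have left.
ACTIVE_PEOPLE = {"alice", "bob", "vendor-acme"}
TERMINATED = {"carol": date(2025, 1, 15)}

# Constructed sample inventory, e.g. exported from a directory or IdP.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, True, True, date(2025, 4, 1)),
    Account("carol", "carol", False, True, True, date(2024, 12, 20)),
    Account("svc-backup", None, True, True, False, date(2025, 4, 5)),
    Account("scanner", "bob", False, False, False, date(2025, 4, 4), shared=True),
    Account("vendor-acme", "vendor-acme", False, True, True, None),
    Account("dave", "dave", False, True, True, date(2025, 3, 30)),
]

TODAY = date(2025, 4, 6)
STALE_AFTER = timedelta(days=90)  # assumed review window


def review(accounts, active_people, terminated, today=TODAY):
    """Return (username, code, detail) findings for every gap detected."""
    findings = []
    for a in accounts:
        # 1. Orphaned: no owner, owner terminated, or owner unknown to HR.
        if a.owner is None:
            findings.append((a.username, ORPHANED, "no accountable owner"))
        elif a.owner in terminated:
            findings.append((a.username, ORPHANED, f"owner left {terminated[a.owner]}"))
        elif a.owner not in active_people:
            findings.append((a.username, ORPHANED, "owner not on HR roster"))
        # 2. Shared credential: no individual accountability.
        if a.shared:
            findings.append((a.username, SHARED, "generic login shared by several people"))
        # 3. MFA: privileged accounts and anything that can reach CUI.
        if (a.cui_access or a.privileged) and not a.mfa_enrolled:
            findings.append((a.username, NO_MFA, "MFA not enrolled"))
        # 5. Stale: never used, or unused for longer than the review window.
        if a.last_login is None:
            findings.append((a.username, STALE, "never logged in"))
        elif today - a.last_login > STALE_AFTER:
            findings.append((a.username, STALE, f"last login {a.last_login}"))
    return findings


def findings_by_user(findings):
    """Group finding codes per username; users with no findings are omitted."""
    grouped = {}
    for user, code, _ in findings:
        grouped.setdefault(user, set()).add(code)
    return grouped


def mfa_coverage(accounts):
    """Fraction of CUI-capable accounts with MFA enrolled (1.0 if none exist)."""
    in_scope = [a for a in accounts if a.cui_access]
    if not in_scope:
        return 1.0
    return sum(a.mfa_enrolled for a in in_scope) / len(in_scope)


if __name__ == "__main__":
    print(f"Access review as of {TODAY}")
    for user, code, detail in review(SAMPLE_ACCOUNTS, ACTIVE_PEOPLE, TERMINATED):
        print(f"  {user:12} {code:9} {detail}")
    print(f"MFA coverage on CUI-capable accounts: {mfa_coverage(SAMPLE_ACCOUNTS):.0%}")
```

Run it against a real export on a schedule, keep the dated output with the sign-off of whoever actioned each finding, and the same script doubles as both the review procedure and its evidence. The HR roster comparison is what catches the "nobody told IT" offboarding case that a login-age check alone misses.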


6. Lack of Documentation and Evidence


You may be doing everything right operationally, but if you can't prove it, it doesn't count.

CMMC assessors will want to see:


  • System Security Plans (SSPs) that clearly describe IAM controls

  • Account management policies and procedures

  • Logs that demonstrate enforcement (like login activity and access change history)


If it’s not written down or backed by evidence, it’s not compliant.



Clean up your IAM practices now, and you won’t just be more compliant—you’ll be more secure, more efficient, and better prepared to scale.


Need help untangling permissions, accounts, or access policies? Let’s talk.


