IA.L2-3.5.2 User Authentication: CMMC Level 2 Requirement
User authentication is a foundational security control that verifies the identity of users, processes, and devices before they access your organizational information systems. Under CMMC Level 2, this is a mandatory practice that bridges basic access control with advanced identity verification—essential for protecting sensitive defense contractor data.
What this means
This control requires you to authenticate (verify the identity of) users, processes, and devices as a prerequisite to granting them access to your information systems. Authentication confirms that the person, application, or device requesting access is genuinely who or what they claim to be, preventing unauthorized access by impostors or compromised accounts.
How to comply
- 1.Implement unique user identifiers for all system users and ensure each person has a distinct login credential
- 2.Enforce password policies requiring minimum length (12+ characters), complexity (uppercase, lowercase, numbers, symbols), and regular changes
- 3.Deploy multi-factor authentication (MFA) for remote access and privileged accounts
- 4.Configure systems to prompt for authentication before granting access to information systems
- 5.Document your authentication methods and maintain records of who accessed which systems and when
- 6.Regularly test authentication mechanisms to ensure they function correctly and cannot be bypassed
- 7.Disable default accounts and credentials on all systems before deployment
Evidence auditors look for
- Password policy documentation showing minimum requirements and enforcement rules
- Screenshots of login prompts requiring username and password (or MFA)
- System logs showing authentication attempts, successes, and failures
- MFA configuration reports for remote access tools and VPNs
- Account management records demonstrating unique user identifiers
- Security baseline configurations enforcing authentication at system startup
- Proof of disabling or changing default vendor credentials
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates authentication control verification by aggregating login logs, password policies, and MFA status across your systems—eliminating manual evidence collection and flagging non-compliant accounts in real time.
See how GRCWatch handles this control automatically
Start free trial