N2CON TECHNOLOGY

Pitfall #3 – The Access Control Gap

Access Control and Identification & Authentication represent a large portion of CMMC requirements — and where many organizations quietly fall behind on evidence.

Rick Hernandez CEO | N2CON

Hi there,

Access Control (AC) and Identification & Authentication (IA) represent a significant portion of the 110 security practices required for CMMC Level 2. And this is where many organizations quietly fall behind — not because their controls are weak, but because they lack the evidence to prove consistency.

Common Gaps We See

During readiness assessments, these patterns show up repeatedly:

  • No quarterly access reviews — Users and permissions aren’t reviewed on a scheduled basis
  • Privileged accounts lack oversight — Admin access isn’t actively monitored or controlled
  • MFA deployment is inconsistent — Multi-Factor Authentication is in place, but not everywhere it’s required
  • No documented least-privilege model — Access decisions aren’t tied to a formal framework

For a complete breakdown of CMMC Level 2 requirements, see our CMMC Guide.

The Critical Misunderstanding

Here’s the point many organizations miss:

Assessors don’t ask: “Is MFA installed?”

They ask: “Show me the governance, documentation, and evidence that this control is consistently enforced.”

Technology alone isn’t the answer. Operational discipline is.

For a deeper dive on identity architecture, see our Identity Foundations guide.

A Simple Maturity Model

One way to think about where your organization stands:

Status | Description
Green  | Controls are documented, repeatable, and reviewed regularly
Yellow | Controls exist but are inconsistently applied
Red    | No governance, no evidence, significant exposure

Most organizations believe they’re Green until an assessor asks for the evidence. If you’re unsure where your organization lands on this scale, it’s worth taking a closer look before assessment day.

What’s Next

Next up: Logging & Incident Response — the silent assessment killer.

If you’re preparing for CMMC Level 2 or just want clarity on where your identity and access controls stand, feel free to connect with me. I’m always happy to share insights.

Regards,
Rick Hernandez
CEO | N2CON
