
Modernizing Administrative Access for CMMC Level 2

Nicolas Morris

5 min read
Published May 27, 2026


Organizations pursuing CMMC Level 2 readiness are discovering that the hardest challenges sit not in the controls themselves, but in operationalizing them consistently across administrative access, identity enforcement, and audit visibility.

Among defense contractors falling within CMMC Level 2 scope under the DoD’s October 2024 final rule, the Access Control (AC), Identification and Authentication (IA), and Audit and Accountability (AU) control families remain the most common source of assessment friction during readiness work. These control families intersect most directly with the parts of an environment that have evolved most through cloud modernization.

As defense contractors expand across major cloud and hybrid systems, privileged access patterns tend to drift. Administrative access becomes fragmented across VPNs, local accounts, static SSH keys, cloud-native IAM, and disconnected authentication workflows. While these patterns function operationally, they introduce significant friction during CMMC readiness, particularly when assessors expect uniform evidence across boundaries that were never designed to enforce policy uniformly.

At Coalfire, these are common challenges observed during modernization and CMMC readiness engagements supporting alignment to NIST SP 800-171. As organizations work to centralize governance, reduce standing privileges, and improve audit readiness, Coalfire has increasingly leveraged Teleport within customer architectures to address these challenges through identity-native administrative access patterns.


Why traditional administrative access models create CMMC assessment friction

Traditional administrative access models, built around VPN-centric trust and static credentials, were not designed for the scale of modern hybrid infrastructure. As organizations expand across cloud and Kubernetes platforms, fragmented governance becomes difficult to operationalize against the demands of AC family controls, which expect consistent enforcement of identity, least privilege, and remote access restriction across all administrative paths.

Coalfire observation

During readiness engagements, static SSH keys discovered on bastion hosts and shared local administrator accounts are among the most frequently observed conditions that translate directly into AC.L2-3.1.1 and AC.L2-3.1.5 findings. These are rarely the result of weak policy — they are the result of inconsistent enforcement across environments that grew faster than the access model.

VPNs and bastions grant broad network access with no resource-level control. IP-based access can't be attributed to a verified user, static SSH keys and shared accounts accumulate without expiry, and once inside the network nothing limits lateral movement or enforces least privilege.

Teleport shifts this perimeter to identity, ensuring every connection is authenticated, authorized, and attributed to a cryptographic identity. Coalfire recommends Teleport during modernization engagements because location-independent, identity-based access with consistent enforcement and full attribution is what AC family controls require.


Infrastructure identity and access for CMMC environments

A typical pattern Coalfire deploys for CMMC-bound clients positions a Teleport Proxy at the access edge for both commercial and GovCloud workloads with the Auth Service brokered to a centralized SSO/IdP, commonly Okta or Entra ID. Administrative sessions to cloud instances, Kubernetes clusters, and local hosts are mediated through the proxy, with short-lived certificates issued per session rather than static credentials living on jump hosts. Audit events from protocols such as SSH, kubectl, RDP, database, and applications flow into an audit log that downstream SIEM and evidence-collection tooling can consume.

For greenfield modernization where no prior identity or access tooling exists, this pattern replaces the bastion-and-VPN topology entirely. For brownfield environments with VPNs, bastion hosts, and static keys already in production, Teleport commonly runs alongside legacy tooling during a controlled migration.


Aligning Teleport’s capabilities to the AC, IA, and AU control requirements

The capabilities most relevant to CMMC Level 2 cluster around three control families. The framing below uses the distinction Coalfire applies during readiness — implements where the control is met out of the box, supports or enables where capability enables the outcome but requires configuration, and accelerates where the value is primarily in evidence and audit efficiency.

Access Control (AC): Teleport implements AC.L2-3.1.1 by binding every administrative session to a verified identity rather than a shared or local account, and implements AC.L2-3.1.12 by mediating remote administrative sessions through a controlled proxy with policy-enforced access. Teleport supports AC.L2-3.1.5 through role-based access and a just-in-time approval workflow that eliminates standing administrative privilege by requiring time-bound approval for elevated roles. This is often the single highest-impact capability for CMMC-aligned environments, because it replaces the “permanent admin” pattern that drives recurring findings.

Identification and Authentication (IA): Teleport implements IA.L2-3.5.3 by enforcing per-session MFA at the proxy for all privileged access, applying a single MFA policy across every target environment. In hybrid environments where MFA has historically been implemented per platform, this collapses what is usually fragmented enforcement into a single demonstrable control.

Audit and Accountability (AU): Teleport implements AU.L2-3.3.2 because every session is tied to a short-lived certificate attributed to a verified cryptographic identity, whether human, machine, or AI. Teleport also accelerates AU.L2-3.3.1 evidence collection because access policy and audit records live in one platform, which can be the difference between assembling correlated logs from five tools and exporting a single audit stream.
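To make the AC and IA points above concrete, here is an illustrative Teleport role set (added for this article, not configuration from Coalfire or from Teleport's documentation) showing the pattern described: users hold a baseline role with no standing administrative privilege, the admin role is reachable only through a time-bound access request that a reviewer must approve, and every session requires MFA. Role names, labels, logins and durations are invented for the example; the field names follow the Teleport role spec as I understand it, and the `max_duration` request field in particular should be checked against the role reference for your Teleport version before use.

```yaml
# Baseline role assigned to every operator via the IdP group mapping.
# It carries no admin login on its own; it can only *request* cmmc-admin.
kind: role
version: v7
metadata:
  name: cmmc-operator
spec:
  allow:
    logins: ['operator']            # unprivileged OS login, example value
    node_labels:
      'env': 'prod'                 # example label, scope to the CUI enclave
    request:
      roles: ['cmmc-admin']         # elevated role obtainable only via request
      thresholds:
        - approve: 1                # one reviewer approval grants the request
          deny: 1
      max_duration: 4h              # assumed field: caps how long elevation lasts
  options:
    require_session_mfa: true       # per-session MFA at the proxy (IA.L2-3.5.3)
    max_session_ttl: 8h             # short-lived certificate lifetime
    request_access: reason          # requester must state a justification (audit trail)
---
# Elevated role. No user is mapped to it directly; it is only ever held
# through an approved, expiring access request (AC.L2-3.1.5).
kind: role
version: v7
metadata:
  name: cmmc-admin
spec:
  allow:
    logins: ['root']
    node_labels:
      'env': 'prod'
  options:
    require_session_mfa: true
    max_session_ttl: 4h             # elevated certs expire sooner than baseline
---
# Reviewer role: can approve or deny requests for cmmc-admin but holds
# no admin login itself, keeping approval separate from use.
kind: role
version: v7
metadata:
  name: cmmc-reviewer
spec:
  allow:
    review_requests:
      roles: ['cmmc-admin']
  options:
    require_session_mfa: true
```

The evidence story follows from the structure: the role definitions show that no account holds `cmmc-admin` as a standing assignment, and each elevation leaves a request, a named approver, a stated reason and an expiry in the same audit stream as the session it authorized.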


How Teleport decreases CMMC audit friction

Evidence collection is consistently among the most cited pain points during CMMC readiness. Security and compliance teams are typically asked to correlate access logs, authentication records, MFA validation evidence, privileged activity records, and approval trails across multiple disconnected systems, and often manually.

When Coalfire supports clients through C3PAO readiness, the most common assessor question on AC and IA family controls is some form of “show me consistent enforcement across the boundary.” Environments using a centralized identity-aware proxy can answer that question by exporting one set of evidence; environments using per-platform access can only answer after reconstructing that evidence across platforms. The control language is the same; the time-to-evidence is not.

Unified identity and access architectures such as Teleport give organizations a single answer to who accessed what, when, how access was authorized, and which policies governed the activity. This visibility reduces manual audit preparation while improving the defensibility of evidence presented during assessment.


Modernizing administrative access with unified identity for long-term compliance sustainability

CMMC Level 2 readiness is an operational maturity challenge as much as it is a compliance one. As organizations modernize across cloud and hybrid environments, centralized identity governance and identity-based privileged access patterns are becoming foundational to scalable compliance.

At Coalfire, leveraging Teleport within customer architectures has supported modernization strategies focused on reducing administrative attack surface, strengthening identity-based governance, improving audit visibility, and simplifying operational consistency across privileged access workflows. For organizations navigating both modernization and CMMC readiness simultaneously, Teleport’s Infrastructure Identity Platform supports a more scalable and sustainable compliance posture over time.



About the author: Nicolas Morris is Managing Principal in Coalfire’s Cloud Services practice, leading strategy, advisory, design, deployment, and managed services for private sector SaaS, PaaS, and enterprise clients. He has deep expertise guiding organizations through secure cloud transformations across AWS, Azure, GCP, and hybrid environments, aligning with compliance frameworks including FedRAMP, FISMA, NIST CSF, HITRUST, and PCI DSS. Since joining Coalfire in 2015, Nicolas has developed high-impact services and capabilities that drive growth in cloud and managed services, leveraging a background in public sector cybersecurity for DHS, the National Reconnaissance Office (NRO), and the U.S. Coast Guard (USCG) and Navy (USN). He holds an M.S. in Systems Engineering (Cyber Security) from Virginia Tech, a B.S. in Systems Engineering from the University of Virginia, and multiple industry certifications such as CISSP.
