Because “we think only the right people can do that” isn’t an acceptable control
CMMC, or Cybersecurity Maturity Model Certification, is a U.S. Department of Defense (DoD) program that sets cybersecurity standards for contractors in the Defense Industrial Base (DIB) to protect sensitive government data (FCI and CUI) and support US Department of Defense compliance. That’s true. It’s also the fastest way to discover that a cloud IAM is held together with good intentions, legacy roles, and the sort of “temporary” exceptions that have celebrated three birthdays.
CMMC 2.0 is now a formal program rule under 32 CFR Part 170, effective 16 December 2024, and it’s being rolled into DoD contracting via DFARS changes that took effect fairly recently in November 2025, with a phased implementation. If your organization touches the defense supply chain (prime or sub), this stops being theoretical very quickly.
So why do assessors fixate on cloud entitlements? Because in cloud environments, entitlements are the truth. Not your org chart. Not your ticketing system. Not your “we only grant admin to senior engineers” pinky promise.
“All we want are the facts, ma'am.”
- Sgt. Joe Friday, Dragnet [1954]
Cloud Entitlements are Where Broken Privilege Goes to Hide
In CMMC Level 2, you’re effectively being assessed against NIST SP 800-171 Rev. 2 requirements for protecting CUI. The Access Control family is blunt about it: least privilege, using non-privileged roles for non-security functions, and controlling and logging privileged functions.
In a classic on-prem world, “privilege” is often tied to a small number of admin groups. In the cloud, privilege spreads sideways:
- IAM roles and attached policies
- Wildcard actions and broad permissions
- Identity provider group sprawl
- Service accounts, CI/CD identities, and automation
- Third-party access paths (MSPs, integrators, support)
A CMMC assessor knows this. They also know a lot of breaches don’t require malware when an attacker can simply assume a role that can do far too much.
Assessors Don’t Grade Intention. They Grade Evidence
CMMC assessments aren’t vibe checks. They’re evidence-driven, and NIST even publishes assessment procedures (800-171A) to standardize what evidence looks like.
That’s why “we review access quarterly” gets followed by:
- “Show me the last review.”
- “Show me what changed as a result.”
- “Show me that privileged actions are logged and monitored.”
- “Show me that the people who can access CUI systems are actually authorized.”
In cloud terms, that turns into entitlement questions:
- Who can read, modify, or exfiltrate CUI data stores?
- Who can change network controls or key management?
- Who can mint new identities, tokens, or credentials?
- Who can disable logging?
- Who can create a new access path that bypasses approvals?
If you can’t answer those questions precisely, you’ll end up answering them slowly. And if you answer them slowly during an assessment, you’ll answer them even more slowly during an incident.
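One way to get precise answers to those five questions is to evaluate the policy documents themselves rather than the org chart. The following is an added example, not code from the original article: it takes an AWS-style IAM policy (the constructed policy below is illustrative; the action names are real AWS actions, but the mapping of actions to "CUI-impacting" categories is an assumption you would tailor to where CUI actually lives) and reports which risky actions each statement set allows, honouring explicit Deny and flagging service-wide wildcards on `Resource: "*"`.

```python
"""Flag CUI-impacting entitlements in an AWS-style IAM policy document.

Added example, not from the original article. The policy JSON and the
RISK_CATEGORIES mapping are constructed for illustration. Deliberately
simplified: Conditions, NotAction, resource-level ARN matching, SCPs and
permission boundaries are ignored, so treat hits as leads for review.
"""
import fnmatch
import json

# Constructed: which actions answer each "who can ..." question from the text.
RISK_CATEGORIES = {
    "read/modify CUI data stores": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "change network or key management": [
        "ec2:AuthorizeSecurityGroupIngress", "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy"],
    "mint identities or credentials": [
        "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy", "sts:AssumeRole"],
    "disable logging": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "logs:DeleteLogGroup"],
    "create a bypass access path": ["iam:CreateRole", "iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy"],
}

# Constructed sample policy: a "temporary" iam:* grant and cloudtrail:* with one Deny carved out.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::cui-archive-example/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and '*' is a glob, so normalise and use fnmatch.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _action_patterns(policy, effect):
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == effect and "Action" in stmt:
            yield _as_list(stmt["Action"])


def is_allowed(policy, action):
    """Explicit Deny wins over any Allow, as in AWS policy evaluation."""
    if any(_matches(action, pats) for pats in _action_patterns(policy, "Deny")):
        return False
    return any(_matches(action, pats) for pats in _action_patterns(policy, "Allow"))


def entitlement_report(policy):
    """Map each 'who can ...' category to the risky actions this policy actually permits."""
    return {cat: [a for a in acts if is_allowed(policy, a)] for cat, acts in RISK_CATEGORIES.items()}


def broad_statements(policy):
    """Indices of Allow statements that pair a wildcard action ('*' or 'svc:*') with Resource '*'."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print(json.dumps(entitlement_report(SAMPLE_POLICY), indent=2))
    print("over-broad statements:", broad_statements(SAMPLE_POLICY))
```

Run it over every customer-managed policy attached to a role that can reach CUI and the output is the first draft of your entitlement inventory: the categories with non-empty lists are the ones an assessor will ask about, and the over-broad statement indices are where scoping work starts.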
The real issue: “standing privilege” is cheap until it isn’t.
Most cloud teams drift into standing privilege for practical reasons:
- Engineers need to ship
- Access tickets slow everything down
- “Temporary” becomes permanent
- Nobody wants to be the person who broke prod because they tightened a role
CMMC pushes back on this drift because standing privilege is the opposite of least privilege in practice. If a role exists 24/7, it will be used 24/7. Or abused 24/7, depending on who gets hold of it.
Under NIST 800-171 access requirements, you’re expected to enforce least privilege and restrict use of privileged functions; essentially, Privilege Elevation and Delegation Management (PEDM). A clean way to satisfy the intent (and make the evidence easy) is to make that privilege temporary, scoped, and logged.
Which is just a polite way of saying: Just-in-Time access.
Where Just-in-Time Fits Naturally in CMMC
CMMC doesn’t demand “JIT” by name. It demands outcomes that JIT delivers neatly:
Time-bound privilege for sensitive operations
Instead of “Admin role forever”, move to “Approved elevation for 30–120 minutes.” The access exists only for the window of work, and then it’s revoked automatically. That aligns with least privilege in a way auditors can understand without needing a cloud architecture lesson.
Scope-bound privilege (not “admin, but please behave”)
The best JIT implementations don’t just time-box. They scope-box too:
- Exact actions required (e.g., start/stop, read-only, change policy)
- Exact resources required (one project, one account, one environment)
- Enforced separation between “build” and “breakglass”
This matters because assessors care about blast radius. Your biggest IAM risk is usually one overly broad role that can do 17 different things across 12 different places.
Approval workflows that produce audit artifacts
Assessors love clean governance. That means:
- Request → approval → grant → revoke
- Who approved, when, and why
- What was granted
- What happened during the elevated session
If you integrate approvals into the tools teams actually use (Slack/Teams), you reduce the temptation for engineers to route around controls “just this once”.
NIST 800-171A’s whole vibe is evidence. So you want logs that show:
- Privileged actions taken
- By whom
- Under which entitlement
- During which approved window
Not for fun. For the day your assessor asks, “Prove it.”
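The time-bound window, the scope-box, the request → approval → grant → revoke chain and the evidence trail above all fit in one small state machine. The following is an added example, not code from the original article or any particular product: a JIT elevation ledger in which every step is appended to an audit list. The role names, the `TICKET-123` justification, the instance ARN and the injectable `clock` are constructed for illustration, and the 120-minute ceiling is taken from the article's 30–120 minute example.

```python
"""Just-in-time elevation ledger: request -> approve -> grant -> auto-revoke, all logged.

Added example, not from the original article. Names, ARNs and the clock are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MAX_WINDOW = timedelta(minutes=120)   # ceiling taken from the text's 30-120 minute example


class FakeClock:
    """Settable clock so the example can advance time deterministically."""
    def __init__(self, now: datetime):
        self.now = now

    def __call__(self) -> datetime:
        return self.now


@dataclass
class Grant:
    grant_id: int
    requester: str
    actions: tuple                 # scope-box: the exact actions approved, nothing broader
    resource: str                  # scope-box: the one resource the work touches
    justification: str
    requested_at: datetime
    window: timedelta              # time-box length
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


class JitLedger:
    """Each step (request, approve, use, revoke) is written to self.audit as evidence."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.grants: dict = {}
        self.audit: list = []

    def _log(self, event, grant_id, **details):
        self.audit.append({"ts": self.clock().isoformat(), "event": event,
                           "grant_id": grant_id, **details})

    def request(self, requester, actions, resource, minutes, justification) -> int:
        window = timedelta(minutes=minutes)
        if not timedelta(0) < window <= MAX_WINDOW:
            raise ValueError("elevation window must be between 1 and 120 minutes")
        gid = len(self.grants) + 1
        self.grants[gid] = Grant(gid, requester, tuple(actions), resource,
                                 justification, self.clock(), window)
        self._log("request", gid, who=requester, actions=list(actions),
                  resource=resource, why=justification)
        return gid

    def approve(self, grant_id, approver) -> Grant:
        g = self.grants[grant_id]
        if approver == g.requester:
            raise PermissionError("separation of duties: requester cannot self-approve")
        g.approver, g.approved_at = approver, self.clock()
        g.expires_at = g.approved_at + g.window      # the clock starts at approval, not at request
        self._log("approve", grant_id, who=approver, expires_at=g.expires_at.isoformat())
        return g

    def is_active(self, grant_id) -> bool:
        g = self.grants[grant_id]
        return g.approved_at is not None and g.revoked_at is None and self.clock() < g.expires_at

    def use(self, grant_id, actor, action, resource) -> bool:
        """Authorize one privileged action under a grant; every attempt is logged, allowed or not."""
        g = self.grants[grant_id]
        allowed = (self.is_active(grant_id) and actor == g.requester
                   and action in g.actions and resource == g.resource)
        self._log("use", grant_id, who=actor, action=action, resource=resource, allowed=allowed)
        return allowed

    def sweep(self) -> list:
        """Automatic revocation: close every approved grant whose window has passed."""
        now, revoked = self.clock(), []
        for g in self.grants.values():
            if g.approved_at is not None and g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                self._log("revoke", g.grant_id, reason="window expired")
                revoked.append(g.grant_id)
        return revoked

    def evidence(self, grant_id) -> list:
        """The assessor-facing trail for one grant: who approved, what was granted, what happened."""
        return [e for e in self.audit if e["grant_id"] == grant_id]


if __name__ == "__main__":
    clock = FakeClock(datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc))
    ledger = JitLedger(clock)
    arn = "arn:aws:ec2:us-east-1:111122223333:instance/i-example"
    gid = ledger.request("alice", ["ec2:StopInstances"], arn, 60, "TICKET-123 patch window")
    ledger.approve(gid, "bob")
    ledger.use(gid, "alice", "ec2:StopInstances", arn)
    clock.now += timedelta(minutes=61)
    ledger.sweep()
    for event in ledger.evidence(gid):
        print(event)
```

The `evidence()` output for one grant is exactly the artifact the "Prove it" question asks for: the request with its justification, the approver and expiry, each privileged action attempted during the window (including the ones refused), and the automatic revocation. Wire `sweep()` to a scheduler and `use()` to whatever actually issues the short-lived credential, and the report writes itself.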
What a “CMMC-Ready Entitlement Program” Looks Like in Practice
For CISOs and security architects, the goal isn’t to boil the ocean. It’s to make the high-risk access paths boring:
- Map entitlements across AWS/Azure/GCP and core SaaS
You can’t govern what you can’t see.
- Identify “CUI-impacting” roles and permissions
Focus on data access, key management, identity admin, network control, and logging controls.
- Replace standing privilege with JIT elevation
Start with cloud console admins, CI/CD identities, and incident response roles.
- Automate revocation and access reviews
Because humans forget, and auditors remember.
- Generate evidence continuously
If your access system can’t produce clean reports, you’ll end up with spreadsheets. And spreadsheets are where compliance goes to retire.
Treat Entitlements as Infrastructure
CMMC assessors care about cloud entitlements because they’re the operational reality of access control, and CMMC is fundamentally an access-control-and-evidence program wearing a compliance badge. With CMMC being phased into contracts from late 2025 onward, 2026 is when many organisations feel the pressure to demonstrate least privilege in real systems, not in policy documents.
If you treat cloud entitlements as a first-class security surface, and you back it with JIT workflows, tight scoping, automated revocation, clean AuthN vs AuthZ, and audit-grade logging, you’ll make both your assessor and your incident responder happy. Which, in security, counts as a win.