CMMC 2.0 for manufacturers: Where access control breaks down on the shop floor
Compliance with CMMC 2.0 is no longer an abstract topic for manufacturers in the Defense Industrial Base sector. It is tied to eligibility for DoD work, and it shows up in day-to-day operations faster than many teams expect.
What tends to create trouble in an assessment is not a missing policy document. It’s the routine access decisions that happen constantly in production environments: who signs in, how authentication works in shared spaces, what access people retain over time, and whether you can prove any of it after the fact.
That is why access control is a major focus in CMMC 2.0 Level 2 (aligned to NIST SP 800-171). Many real incidents start with familiar issues such as credential reuse, shared accounts, overly permissioned users, and unclear accountability. Manufacturing settings can amplify those risks because workstations are shared, shifts rotate, personal devices may be restricted, and uptime takes priority.
Why manufacturing makes access control harder
In office environments, identity is usually tied to a single person and a single device. On a plant floor, that model breaks quickly. People move between stations. Multiple operators use the same endpoint. Temporary coverage happens. Logins are frequent, and delays are costly.
When authentication is slow or inconsistent, workarounds appear. Generic logins are created. Passwords get reused. Sessions are left active because signing back in disrupts the workflow. Those choices may keep production moving, but they create accountability gaps that are hard to defend during an assessment.
What assessors look for in access controls
Assessors want to see that activity can be tied back to an individual user. Shared accounts make that difficult immediately, and they undermine the value of every subsequent log and audit record.
They also examine authentication strength and coverage. MFA matters, and NIST SP 800-171 (3.5.3) requires it for local and network access to privileged accounts and for network access to non-privileged accounts, so partial deployment is a common finding. If only certain systems enforce MFA, and others that touch CUI do not, the control is not operating consistently.
Shared workstations add another test: session handling. Even with unique logins, unattended sessions can lead to activity being attributed to the wrong person or allow access to continue under someone else’s permissions. Timeouts, locking, and straightforward reauthentication are not just convenience settings in manufacturing. They are core controls for both security and auditability.
Least privilege is another common pressure point. In many plants, access grows over time because it is easier than tuning roles, or because support teams need fast resolution paths. That can lead to broad admin rights that are difficult to justify and risky to maintain.
Then there is logging. Not in the sense of “we collect logs,” but in the sense of “we can show evidence.” Authentication events, privileged actions, and access to systems that store or process CUI should be traceable and reviewable. If you cannot tell a clear story from your records, assessments become harder, and incident response slows.
The gap between written policy and real workflows
Most manufacturers do not struggle because they are ignoring security. They struggle because the controls do not fit the operating environment.
It is common to see MFA deployed unevenly across legacy and modern systems. It is common to see privileged access granted broadly to prevent delays. It is common to see logs stored without a clear way to connect actions to a specific person at a shared endpoint. These gaps are usually the result of workflow friction, not negligence.
CMMC assessments tend to surface that friction quickly.
A practical path to readiness
Progress usually comes from treating access as an identity and workflow problem, not a list of disconnected controls. The goal is consistent authentication that is usable at shared stations, clearer separation between standard and privileged activity, and audit evidence that is easy to retrieve.
Imprivata approaches this with identity-first access designed for shared workstation environments, including passwordless options that can reduce friction while improving accountability in settings where office-style login patterns do not work well. The common assumption is that security hinders productivity, but with the right technology in place that trade-off is not necessary. Access controls should work with your systems and your workflow, and can help improve productivity and uptime rather than cost them.
Start with the shared stations
If you want one place to begin, start where the risk is highest and the evidence is hardest to produce. Pick a shared workstation that can reach systems handling CUI and walk through the process as an assessor would.
Can every user authenticate as themselves? Is strong authentication enforced consistently? Do sessions end when the operator steps away? Can you pull logs that clearly show who accessed what and when?
If those answers are unclear, you have found a useful starting point, and you found it before the assessment did.
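As an added illustration of that walk-through (example code written for this page, not an Imprivata tool or anything from the original article), the Python script below runs the four questions over a constructed export of one station's authentication events. The log format, the workstation name, the generic-account pattern, and the four-hour session ceiling are all assumptions; map them to whatever your identity provider or endpoint agent actually exports.

```python
"""Assessor-style review of one shared station's authentication records.

Example code added for illustration; the log format, host name, account
names, generic-account pattern and session ceiling are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample export (not real data): timestamp, event, account, host,
# whether MFA was used at logon, whether the account is privileged.
SAMPLE_LOG = """\
2024-03-04T06:58:10,logon,jdoe,LINE3-HMI01,mfa=yes,priv=no
2024-03-04T07:40:22,logoff,jdoe,LINE3-HMI01,mfa=na,priv=no
2024-03-04T07:41:05,logon,operator,LINE3-HMI01,mfa=no,priv=no
2024-03-04T13:02:47,logoff,operator,LINE3-HMI01,mfa=na,priv=no
2024-03-04T13:10:00,logon,msmith,LINE3-HMI01,mfa=yes,priv=no
2024-03-04T13:12:30,logon,svc_admin,LINE3-HMI01,mfa=no,priv=yes
2024-03-04T13:20:00,logoff,svc_admin,LINE3-HMI01,mfa=na,priv=yes
"""

# Assumed naming convention for generic/shared logins; adjust to your site.
GENERIC_ACCOUNT = re.compile(r"^(operator|admin|guest|line\d*|shift\d*)$", re.I)
# Assumed site policy: a session older than this without re-authentication
# means the station was not locking when the operator stepped away.
MAX_SESSION = timedelta(hours=4)


def parse_log(text):
    """Parse the constructed CSV-style export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, account, host, mfa, priv = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "account": account,
            "host": host,
            "mfa": mfa.split("=")[1] == "yes",
            "priv": priv.split("=")[1] == "yes",
        })
    return events


def audit_station(events, max_session=MAX_SESSION):
    """Return (check, account, detail) findings for the four assessor questions.

    Q1 every user authenticates as themselves -> no generic/shared logons
    Q2 strong authentication is enforced     -> every logon carries MFA
    Q3 sessions end when the operator leaves -> no over-long or unended sessions
    Q4 logs show who did what and when       -> no overlapping sessions on a host
    """
    findings = []
    open_sessions = {}  # (host, account) -> logon event still active
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["account"])
        when = ev["ts"].isoformat()
        if ev["event"] == "logon":
            if GENERIC_ACCOUNT.match(ev["account"]):
                findings.append(("shared_account", ev["account"],
                                 f"generic login at {when} on {ev['host']}"))
            if not ev["mfa"]:
                kind = "privileged" if ev["priv"] else "standard"
                findings.append(("no_mfa", ev["account"],
                                 f"{kind} logon without MFA at {when}"))
            # Another account still has a live session here: later actions on
            # this station cannot be attributed to one person with confidence.
            for (host, other), start in open_sessions.items():
                if host == ev["host"] and other != ev["account"]:
                    findings.append(("concurrent_session", ev["account"],
                                     f"logged on while {other} active since "
                                     f"{start['ts'].isoformat()}"))
            open_sessions[key] = ev
        elif ev["event"] == "logoff":
            start = open_sessions.pop(key, None)
            if start is None:
                findings.append(("logoff_without_logon", ev["account"], when))
            elif ev["ts"] - start["ts"] > max_session:
                findings.append(("session_too_long", ev["account"],
                                 f"{ev['ts'] - start['ts']} without re-auth"))
    # Anything still open at the end of the export never ended cleanly.
    for (host, account), start in open_sessions.items():
        findings.append(("session_never_ended", account,
                         f"open on {host} since {start['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for check, account, detail in audit_station(parse_log(SAMPLE_LOG)):
        print(f"{check:22} {account:10} {detail}")
```

On the constructed sample the script reports the generic `operator` login, two logons without MFA (one of them privileged), a five-hour operator session that was never re-authenticated, an admin logon layered on top of another user's live session, and a session still open when the export ends. Each finding maps directly to one of the four questions, which is the shape of evidence an assessor will ask you to produce; the real work is replacing the sample with your own export and the assumed thresholds with your written policy.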
Looking to align your security measures with CMMC 2.0? To reduce your risk and improve your audit readiness, download our checklist: Understanding the requirements of CMMC 2.0 for manufacturers.