This shift to identity-based security has had major implications for compliance. Frameworks like FedRAMP, CMMC, and NIST 800-series controls all rely on strong identity practices. Yet areas like Identity Assurance remain a consistent challenge.
Many organizations assume that if a user can log in with MFA, their identity is secure. In reality, authentication only proves that someone possesses a credential. Identity assurance determines whether the system actually knows who that person is.
Cloud-native architectures, remote work, SaaS sprawl, and third-party integrations have made identity the primary attack surface. Compromised credentials remain the leading cause of breaches, and attackers increasingly exploit weaknesses in onboarding, access provisioning, and identity lifecycle management rather than technical vulnerabilities.
Regulators and auditors have taken notice. Across FedRAMP, CMMC, and NIST programs, expectations are shifting away from simple access controls toward demonstrable identity governance. Organizations are now expected to show not only that access is restricted, but that identities are properly established, verified, maintained, and retired.
What Are Identity Assurance Levels?
Identity Assurance Levels (IALs) are defined in NIST Special Publication 800-63, “Digital Identity Guidelines.” An IAL expresses the degree of confidence an organization has in a user’s identity.
Importantly, IAL measures how certain the system is that the individual is who they claim to be. Accordingly, NIST defines three levels of identity assurance:
- IAL1 represents the lowest level of confidence. At this level, identity is self-asserted. The system accepts the user’s identity without verifying it against authoritative sources. This level is common in low-risk consumer services but is generally inappropriate for regulated environments.
- IAL2 introduces identity proofing. At this level, a user’s identity is verified using government-issued identification, authoritative records, or equivalent verification methods. The identity is bound to the account in a way that allows the organization to confidently assert that the account belongs to a real individual.
- IAL3 represents the highest level of assurance. It requires in-person or supervised identity verification and strong cryptographic binding between the individual and their digital identity. This level is typically reserved for high-risk or national security systems.
Most federal and defense-related systems operate at IAL2, even when they do not explicitly state it. The problem is that many organizations do not realize they are expected to meet that standard.
How IAL Fits Into the Broader NIST Identity Model
NIST separates digital identity into three components: Identity Assurance Level, Authentication Assurance Level (AAL), and Federation Assurance Level (FAL).
- IAL: Who is this person, and how confident are we that they are who they claim to be?
- AAL: How strong are the authentication methods used to verify this person, and can they be trusted for the sensitivity of the access granted?
- FAL: How securely is identity data transmitted across different networks and systems?
Most organizations focus heavily on AAL. They deploy MFA, enforce password policies, and implement conditional access. While these are critical controls, they do not address whether the account itself is associated with a verified individual.
This distinction becomes crucial during audits. An organization may demonstrate strong MFA enforcement but still fail an assessment if it cannot show how identities were proofed, how uniqueness is ensured, or how identity lifecycle events are managed.
In other words, authentication without identity assurance creates a false sense of security.
Does FedRAMP Require a Specific IAL Level?
FedRAMP does not explicitly require organizations to implement a specific IAL. However, its control baselines are built on NIST 800-53, which assumes strong identity management as a prerequisite for access control, auditing, and accountability.
In practice, FedRAMP assessors expect organizations to demonstrate:
- Controlled account provisioning and deprovisioning.
- Traceability between users and actions.
- Strong identity governance processes.
- Clear separation of duties.
- Evidence that access is granted only to verified individuals.
For example, FedRAMP controls related to account management, identification and authentication, and audit logging all depend on knowing who a user actually is. If an organization cannot demonstrate how identities are verified during onboarding, it becomes difficult to prove compliance with least privilege or accountability requirements.
These expectations implicitly require IAL2-level identity assurance.
Does CMMC Require a Specific IAL Level?
CMMC presents a similar challenge, though it is often discussed in different terms. CMMC does not explicitly reference Identity Assurance Levels, but its practices depend heavily on identity integrity.
At CMMC Level 2 and above, organizations must demonstrate:
- Controlled access to systems containing CUI
- Identification and authentication of users
- Proper termination of access
- Accountability for user actions
- Protection against unauthorized access
Common CMMC gaps often stem from weak identity practices. Shared accounts, poorly documented onboarding, inconsistent access reviews, and lack of identity verification are among the most common issues encountered during assessments.
As CMMC enforcement ramps up, assessors are increasingly looking at how identities are managed. For managed service providers supporting defense contractors, this means identity practices are now in scope, whether explicitly stated or not.
Best Practices for IAL Programs
By 2026, mature organizations are approaching identity assurance as a lifecycle rather than a one-time event.
- A strong IAL program includes documented identity proofing during onboarding, typically tied to HR or vendor management processes. Identities are validated against authoritative sources, bound to individuals, and reviewed periodically for accuracy.
- Access is granted based on verified identity and role. Privileged access is tightly controlled and time-bound. Deprovisioning is automated and auditable. Identity-related events are logged and integrated into security monitoring systems.
- More advanced programs incorporate risk-based identity checks, continuous monitoring, and identity analytics to detect anomalies or misuse. These capabilities support both compliance and operational security objectives.
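The following is an added example, not code from the original post or from Continuum GRC. It models the three IAL levels described above alongside a simplified AAL, and it makes the article's central point executable: an account that passes MFA (AAL2) but was never proofed (IAL1) is refused access to a CUI system, while a shared account is refused because no individual is accountable for it. The `audit_findings` function then runs the lifecycle checks from the best-practices list (documented proofing, uniqueness, periodic review, time-bound privilege, deprovisioning). The evidence-to-IAL mapping, the system names, the per-system thresholds and all account records are constructed assumptions for the example, not taken from SP 800-63 tables or any FedRAMP or CMMC baseline.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed, simplified mapping of proofing evidence to IAL. SP 800-63A has
# detailed evidence-strength rules; this only separates "self-asserted",
# "verified against authoritative sources" and "in-person or supervised".
IAL2_EVIDENCE = {"government_id", "authoritative_record"}
IAL3_EVIDENCE = {"in_person", "supervised_remote"}

# Minimum (IAL, AAL) per hypothetical system. Names and thresholds are constructed.
SYSTEM_REQUIREMENTS = {
    "public_portal": (1, 1),
    "cui_enclave": (2, 2),
    "classified_system": (3, 3),
}


@dataclass
class Account:
    user_id: str
    owner: Optional[str]                      # None models a shared account with no individual bound to it
    proofing_evidence: set[str] = field(default_factory=set)
    crypto_bound: bool = False                # identity bound to a hardware-held key (required here for IAL3)
    mfa_enrolled: bool = False
    hardware_authenticator: bool = False
    last_review: Optional[date] = None        # last periodic identity review
    privileged_until: Optional[date] = None   # expiry of time-bound privileged access
    deprovisioned: bool = False


def identity_assurance_level(acct: Account) -> int:
    """IAL derived from the proofing evidence bound to the account (1 = self-asserted)."""
    if acct.owner is None or not acct.proofing_evidence:
        return 1
    if acct.proofing_evidence & IAL3_EVIDENCE and acct.crypto_bound:
        return 3
    if acct.proofing_evidence & (IAL2_EVIDENCE | IAL3_EVIDENCE):
        return 2
    return 1


def authentication_assurance_level(acct: Account) -> int:
    """Simplified AAL: password only = 1, MFA = 2, MFA with a hardware authenticator = 3."""
    if acct.mfa_enrolled and acct.hardware_authenticator:
        return 3
    if acct.mfa_enrolled:
        return 2
    return 1


def authorize(acct: Account, system: str, today: date, privileged: bool = False) -> tuple[bool, str]:
    """Access decision that checks identity assurance, not only authentication strength."""
    req_ial, req_aal = SYSTEM_REQUIREMENTS[system]
    ial, aal = identity_assurance_level(acct), authentication_assurance_level(acct)
    if acct.deprovisioned:
        return False, "account deprovisioned"
    if acct.owner is None:
        return False, "shared account: no individual is accountable for its actions"
    if ial < req_ial:
        return False, f"IAL{ial} below required IAL{req_ial}: identity was never proofed"
    if aal < req_aal:
        return False, f"AAL{aal} below required AAL{req_aal}"
    if privileged and (acct.privileged_until is None or acct.privileged_until < today):
        return False, "privileged access absent or expired"
    return True, "granted"


def audit_findings(accounts: list[Account], today: date, review_days: int = 90) -> list[str]:
    """Lifecycle checks an assessor asks about: proofing, uniqueness, periodic review, deprovisioning."""
    findings = []
    for a in accounts:
        if a.owner is None:
            findings.append(f"{a.user_id}: shared account, no owner bound")
        elif not a.proofing_evidence:
            findings.append(f"{a.user_id}: no documented identity proofing (IAL1)")
        if a.deprovisioned and a.privileged_until is not None and a.privileged_until >= today:
            findings.append(f"{a.user_id}: deprovisioned but privileged access still valid")
        if not a.deprovisioned and a.owner is not None and (
            a.last_review is None or (today - a.last_review).days > review_days
        ):
            findings.append(f"{a.user_id}: identity not reviewed within {review_days} days")
    return findings


# Constructed sample directory: no real users.
TODAY = date(2026, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice Example", {"government_id"}, mfa_enrolled=True,
            last_review=TODAY - timedelta(days=30), privileged_until=TODAY + timedelta(days=7)),
    Account("bob", "Bob Example", set(), mfa_enrolled=True,            # MFA but never proofed
            last_review=TODAY - timedelta(days=10)),
    Account("carol", "Carol Example", {"in_person"}, crypto_bound=True, mfa_enrolled=True,
            hardware_authenticator=True, last_review=TODAY - timedelta(days=200)),
    Account("svc-shared", None, mfa_enrolled=True),                    # shared account
    Account("dave", "Dave Example", {"authoritative_record"}, mfa_enrolled=True,
            privileged_until=TODAY + timedelta(days=30), deprovisioned=True),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.user_id, "cui_enclave ->", authorize(acct, "cui_enclave", TODAY))
    for finding in audit_findings(SAMPLE_ACCOUNTS, TODAY):
        print("FINDING:", finding)
```

Running the block shows `bob` denied with "IAL1 below required IAL2" despite having MFA, which is exactly the gap between AAL and IAL the article describes, and the audit output lists one finding each for the unproofed account, the stale review, the shared account, and the deprovisioned user whose privileged window is still open.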
MSPs Can Meet IAL. Trust Continuum GRC
Forward-looking MSPs are responding by offering identity-as-a-service. This includes standardized onboarding workflows, identity verification processes, access reviews, and evidence collection for audits.
We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- FedRAMP
- GovRAMP
- GDPR
- NIST 800-53
- DFARS NIST 800-171, 800-172
- CMMC
- SOC 1, SOC 2
- HIPAA
- PCI DSS 4.0
- IRS 1075, 4812
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
- CJIS
- 100+ Frameworks
And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cybersecurity® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect your systems and ensure compliance.