In this piece
- 01 Securing CUI beyond the technical checkbox
- 02 Understanding the RBAC model
- 03 Mapping RBAC to CMMC Level 2 controls
- 04 How to design your CUI role matrix
- 05 A phased approach to RBAC implementation
- 06 Avoiding common RBAC pitfalls in the DIB
- 07 Auditing and maintaining your RBAC system
- 08 Related reading
Your CMMC Level 2 assessment is not far off. Someone on your team is pulling screenshots from Microsoft 365, someone else is exporting group memberships from Active Directory, and the uncomfortable question keeps coming up in every prep meeting: can you prove who can access CUI, in which systems, and why they have that access?
For many defense contractors, the honest answer is “sort of.” Access lives in a mix of shared folders, email groups, VPN profiles, ERP permissions, engineering repositories, and exceptions granted months ago for a proposal crunch or subcontractor onboarding. That is not a defensible access control program. It is an audit problem waiting to surface.
In the Defense Industrial Base, access control has to do more than keep systems running. It has to stand up to assessor scrutiny, support least privilege, and hold together when projects, personnel, and contracts change fast. That is where Role-Based Access Control becomes more than a security concept. It becomes the operating model that lets you explain access decisions cleanly and maintain them over time.
Securing CUI beyond the technical checkbox
CMMC assessors want more than a statement that access is “restricted.” They want evidence that access is intentional, tied to job function, approved, and reviewable. If your environment handles Controlled Unclassified Information, that means you need a repeatable way to answer basic but high-stakes questions:
- Who has access to CUI repositories
- What actions they can take
- Which approvals support that access
- How access changes when their role changes
Why ad hoc permissions fail under assessment
A spreadsheet of one-off exceptions usually reflects how smaller contractors grew. It starts with shared drives, grows into project folders, then expands into Teams, SharePoint, engineering systems, ticketing platforms, and remote access tools. Nobody planned for complexity. It just arrived.
That model breaks down during a CMMC assessment because it shows accumulation instead of control. When access is assigned person by person, reviewers often find inconsistent approvals, stale access, and permissions that no longer match actual duties.
A practical rule: if you cannot explain access without opening three different admin consoles and a spreadsheet, your model is not mature enough for CMMC Level 2.
Why RBAC is the better compliance posture
Role-based access control gives you a business answer to a technical question. Instead of saying, “Jane has these rights because we added them over time,” you can say, “Jane is assigned to the Program Engineering role for Project A, and that role permits these actions on these CUI systems.”
That shift matters. It ties access to function rather than personality. It also makes onboarding, offboarding, transfers, and temporary assignments easier to govern.
For contractors preparing for CMMC, the takeaway is simple: RBAC gives you a cleaner story, better evidence, and far less chaos when assessors start tracing access to CUI.
Understanding the RBAC model
At the center of role-based access control are three moving parts: users, roles, and permissions. Users are people or service identities. Roles represent job functions. Permissions are the allowed actions inside systems, such as read, modify, approve, export, or administer.
Instead of granting permissions directly to each user, you assign permissions to roles and then assign users to those roles. That single design choice is what makes RBAC manageable at scale.
Think in keycards, not one-off keys
A secure facility is a useful analogy. You do not hand every engineer a separate key for the lab, server room, and archive cabinet. You issue a keycard for a defined function, then tie that keycard to approved areas.
RBAC works the same way in IT:
- Users are the employees, admins, and service accounts.
- Roles are functions like Contracts Manager, CAD Engineer, Help Desk Technician, or Quality Manager.
- Permissions are the specific actions inside tools and data stores.
A new employee should not trigger a scramble across Exchange, SharePoint, VPN, your ERP, your file server, and your PLM platform. They should get the approved role set for their job.
Why the hierarchy matters
NIST defines RBAC as a model where permitted actions on resources are tied to roles rather than individual identities, and notes that role permissions may be inherited through a hierarchy.
That hierarchy is useful in a defense contractor environment. A senior role can inherit baseline permissions from a junior role, then add only what is necessary. For example:
| Role | Inherits | Additional permissions |
|---|---|---|
| Project Engineer | Engineering baseline | Access to Project A design workspace |
| Lead Engineer | Project Engineer | Approve design changes |
| Engineering Manager | Lead Engineer | Review team access requests |
This keeps role design cleaner than rebuilding the same permission stack for every title.
A good RBAC model is less about clever architecture and more about disciplined translation from business function to system permission.
Why RBAC beats informal access models
Many small contractors still operate with a loose discretionary model. Someone owns a folder, mailbox, or app and grants access when asked. That works until auditors ask whether those grants are approved, documented, and consistently reviewed.
RBAC is stronger for regulated environments because it supports:
- Least privilege by limiting each role to necessary actions
- Auditability because permissions are traceable to role definitions
- Repeatability because similar job functions get similar access
- Cleaner separation of duties because conflicting privileges can be designed out of the role set
For CMMC Level 2, that structure is what turns access control from an administrative habit into evidence.
Mapping RBAC to CMMC Level 2 controls
For defense contractors, RBAC matters when it helps satisfy actual assessment objectives. The Access Control practices in NIST 800-171, which underpin CMMC Level 2, push you toward defined authorization, least privilege, managed access changes, and separation of duties. A well-built RBAC program supports all of those.
The key is to present RBAC as both a policy model and an operational control. Assessors want to see documented roles, approved assignments, evidence of provisioning and deprovisioning, and periodic review. They do not want a slide deck about zero trust with no tie to actual permissions.
Where RBAC directly supports access control practices
Your written access model should align with the control intent described in your CMMC Level 2 access control policies. In practice, RBAC helps you operationalize several core requirements.
| Control practice | What assessors look for | How RBAC helps |
|---|---|---|
| AC.L2-3.1.1 | Defined access control policy | Roles formalize who gets what access and under what rule set |
| AC.L2-3.1.2 | Access based on approved authorization | Role assignment can require supervisor, owner, or security approval |
| AC.L2-3.1.5 | Least privilege and separation of duties | Roles limit permissions and can prevent conflicting access combinations |
| AC.L2-3.1.6 | User access management | Joiner, mover, leaver changes become role assignment events |
| AC.L2-3.1.7 | Remote access control | Remote privileges can be role-limited rather than broadly enabled |
What evidence actually works
Many organizations overfocus on policy language and underprepare system evidence. A mature RBAC implementation gives you artifacts that assessors can follow.
Useful evidence usually includes:
- Role definitions with purpose, owner, approved permissions, and system scope
- User-role assignment records showing who approved access
- Role-permission mappings for systems that process, store, or transmit CUI
- Access review records showing that assignments are periodically checked
- Deprovisioning evidence for terminated users and changed assignments
- Exception handling records for temporary or emergency access
If you are using Microsoft Entra ID, Active Directory, SharePoint, file server groups, VPN concentrators, or line-of-business applications, the goal is consistency. The role should exist in your governance model before it exists in the tool.
Least privilege is where assessors often dig deeper
Least privilege sounds simple until you test it. In many DIB environments, users accumulate access because they support multiple contracts, cover for absent staff, or move between proposal, production, and sustainment work. The role model has to reflect those realities without collapsing into chaos.
A clean way to frame this during assessment:
- Baseline role for the employee’s standing job function
- Project role for contract-specific CUI access
- Administrative or privileged role only when separately justified
- Temporary exception role when work is time-bound and approved
That approach also helps with separation of duties. Someone who can create vendor records in an ERP should not automatically be able to approve payment actions. Someone who manages audit logs should not be the same person who can alter them. Those are common assessor questions, not abstract security ideals.
The strongest assessment evidence is a role matrix, current assignments, and proof that the organization actually uses them. A policy statement alone will not carry it.
How to design your CUI role matrix
Role design is where most RBAC projects either become useful or become a mess. If you start by mirroring every HR title, you will end up with a bloated model that does not match how CUI is handled. If you start by cloning existing permissions, you will preserve old mistakes.
Design around data exposure and operational responsibility, not just job names.
Start with systems and CUI touchpoints
List the systems, repositories, and workflows where CUI lives or moves. That usually includes email, file storage, engineering repositories, ERP or MRP systems, ticketing, remote access, and collaboration platforms.
Then ask two hard questions for each one:
- Who needs access to perform contract work?
- What actions do they need to perform?
A strong RBAC implementation relies on two explicit structures: a user-role matrix and a role-permission matrix. Guard against permissions becoming so fine-grained that they create role explosion. Start with coarser roles, then refine only when business need and audit evidence justify it.
Build roles around meaningful work
In a defense contractor environment, the role names should make sense to operations, compliance, and system owners. Good roles often sound like this:
- Program Manager CUI
- Lead Engineer Project A
- Contracts Officer
- Quality Assurance Reviewer
- HR Restricted Data
- IT Privileged Administrator
Bad roles sound like export dumps from a directory service, or vague catchalls like “General User Plus.”
A practical role matrix can start simple:
| Role | Project A (ITAR) | Project B (FOUO) | Financials | HR Records |
|---|---|---|---|---|
| Program Manager | Read | Read | No | No |
| Lead Engineer | Read/Write | Read | No | No |
| Contracts Officer | Read | Read/Write | No | No |
| Finance Manager | No | No | Read/Write | No |
| HR Manager | No | No | No | Read/Write |
| IT Administrator | Limited admin only | Limited admin only | No direct business access | No direct business access |
Keep permissions operationally useful
Permission design should match actual tasks. In most environments, that means actions like read, create, modify, approve, export, and administer. If your model gets so detailed that every folder variation becomes a separate role, you have not improved control. You have just moved the sprawl.
Use this decision rule:
- Coarse enough to manage
- Specific enough to defend
- Restricted enough to support least privilege
Do not build roles to reflect edge cases. Build roles for normal work, then govern exceptions separately.
Separate standing access from temporary need
One of the biggest mistakes in CUI environments is baking short-term project support into permanent roles. That creates privilege creep fast.
Treat these as separate categories:
- Standing role access for routine job duties
- Project assignment access for active contract participation
- Emergency or privileged access with expiration and review
That last category matters more than many teams realize. It is often where audit findings begin.
A phased approach to RBAC implementation
If your current environment grew through shared drives, legacy file servers, Microsoft 365 groups, VPN access lists, and application-by-application decisions, do not try to switch everything at once. The fastest way to break operations is a big-bang RBAC rollout built in a conference room and pushed live on a Friday.
A better approach is controlled, phased migration with clear ownership.
Discovery and validation
The first half of implementation is mostly discovery and validation.
- Assess current access. Export current group memberships, shared mailbox access, SharePoint permissions, VPN roles, local admin assignments, and application roles. Find where CUI resides and compare current access against actual duty requirements.
- Define the initial role set. Use your role matrix to create a baseline role catalog. Keep it small enough to manage. Include role owner, business purpose, systems in scope, and approval path.
- Run a pilot. Choose one contained scope. A single program team, one business unit, or one CUI-heavy workflow works well. Avoid your most politically sensitive department for the first pilot.
Rollout and refinement
Once the pilot works, scale carefully.
Gradual rollout across systems. Move role enforcement system by system. In many shops, that means identity platform first, then file repositories, then email groups, then ERP, engineering, and remote access tooling.
During rollout, keep a written exception register. Some legacy systems will not map cleanly at first. That is normal. What matters is that the exception is explicit, approved, and tracked.
Monitoring and refinement. Static RBAC is useful, but some situations require tighter controls. Current guidance points toward combining RBAC with conditional or context-aware controls when static roles are not enough, such as by time, location, or situation.
For defense contractors, that often means:
- Time-limited elevation for admin tasks
- Conditional access for remote connections to CUI systems
- Stronger controls for unmanaged devices or unusual login context
- Approval workflows for project-based exceptions
What works in practice
The organizations that implement RBAC well usually do a few things consistently:
- They involve system owners early. IT cannot define finance, engineering, contracts, and QA access in isolation.
- They tie role assignment to HR and project events. New hire, role change, project reassignment, and termination should all trigger access review.
- They write down exception handling. Informal exceptions become permanent exposure.
What fails is trying to solve every edge case before rollout. Start with your highest-risk CUI systems, establish governance, and improve from there.
Avoiding common RBAC pitfalls in the DIB
The standard pitch for role-based access control is that it is simple and scalable. In real DIB operations, it is only simple when the business is stable. Many contractors do not have that luxury. People move between programs, proposal teams surge, subcontractors come and go, and engineers need temporary access to systems outside their home project.
That is where weak RBAC programs start failing.
The four most common failure modes
Role sprawl. A new role gets created every time a manager asks for a slight variation. Soon you have overlapping roles nobody can explain clearly. Administration gets harder instead of easier.
Privilege creep. An employee changes contracts or helps another team for a month, but old permissions never come off. Over time, the account reflects career history instead of current responsibility.
Workflow mismatch. The role model assumes static departments, but actual business runs on projects, matrixed teams, and temporary assignments. Users start bypassing the model because it does not fit how work gets done.
Legacy system friction. Your identity platform may support clean role groups, but older ERP, PLM, or proprietary systems may still rely on local permissions, brittle integrations, or manual admin practices.
What good governance looks like
RBAC breaks down without continuous maintenance and governance. For the DIB, that guidance is practical rather than theoretical.
Use controls like these:
- Quarterly role review for every CUI-related role and assignment
- Monthly review of high-risk access such as privileged admin, remote admin, export-sensitive repositories, and emergency roles
- Time-bound exception access for surge staffing, proposal support, and temporary project assignments
- Role ownership assigned to a real business leader, not just IT
- Fast deprovisioning tied to HR termination and project removal events
If your program relies on memory, tribal knowledge, or “we’ll clean that up later,” it will drift out of compliance.
A defense contractor does not need the most advanced IAM architecture in the market. It needs a role model that survives operational churn without hiding stale access.
Auditing and maintaining your RBAC system
A compliant RBAC program is a living control set. Assessors will care about your design, but they will care even more about whether it still matches reality.
The fastest way to prove that is to maintain evidence continuously instead of scrambling for it before an assessment.
The maintenance checklist that matters
Use a recurring audit rhythm built around these checks:
- Validate role assignments. Confirm that each user still needs every assigned role, especially after project changes or internal transfers.
- Review privileged access. Check administrative, emergency, and remote access roles more often than standard business roles.
- Confirm deprovisioning. Make sure departed users, subcontractors, and reassigned staff lose access promptly across all in-scope systems.
- Test separation of duties. Look for toxic combinations in ERP, finance, logging, and administrative workflows.
- Preserve change evidence. Keep approvals, tickets, workflow records, and logs that show who changed access and why.
Prepare the evidence before the assessor asks
For Windows-centric environments, directory evidence matters. Group membership changes, privileged group assignments, disabled account handling, and admin activity should be reviewable from your identity layer. That is one reason many teams tighten their Active Directory audit process for CMMC and NIST 800-171 before formal assessment.
A strong evidence package typically includes:
| Evidence type | What it should show |
|---|---|
| Role matrix | Defined roles and intended permissions |
| Access review records | Periodic validation by role owners |
| Provisioning records | Approval path for new access |
| Deprovisioning records | Removal of access after termination or reassignment |
| Logs | Traceability for access changes and privileged activity |
RBAC works for CMMC when it reflects current business reality. If the matrix says one thing and the systems say another, the systems win. Keep the model current, review it on a schedule, and treat exceptions like controlled events rather than permanent shortcuts.
IRONKEEP helps defense contractors bring access control, encrypted collaboration, and CUI handling into one audit-ready environment. If you are trying to reduce permission sprawl across email, file storage, and project collaboration while preparing for CMMC Level 2, IRONKEEP is built for that exact problem. Lock in founding member pricing before we launch.
Related reading
- CMMC Level 2 access control policies
- Auditing Active Directory for CMMC and NIST 800-171
- Building a CMMC-ready user provisioning workflow
- What is NIST 800-171?
Get the CMMC Level 2 readiness checklist
30 items across 11 control families, with what a C3PAO expects to see for each one. Subscribers also get early access to founding member pricing.
Founding member pricing goes away at launch.