SecureAuth AirGap | Defense & Government Contractors

The Controls Your Assessor Requires Can’t Be Produced by the Architecture You Have.

Defense contractors and federal agencies rely on cloud identity platforms to secure CUI enclaves and classified networks. Those platforms require an internet connection to function. Inside your air gap, they don’t work. The access logs don’t exist. The MFA evidence cannot be produced. The audit is approaching anyway.

Defense Contractors · Federal Agencies · Classified Enclaves · DoD Programs

1 in 4

Industrial security tests find shared or default credentials in isolated OT and enclave networks

5 Years

Nation-state actors maintained undetected access to critical networks using only valid credentials

$0

Contract revenue available to a defense contractor who fails CMMC certification

Sources: Claroty State of CPS Security 2024 · CISA Advisory AA24-038A (Volt Typhoon), February 2024

Part 1: The Problem

Three Gaps. One Assessment. One Deadline.

CMMC, NIST 800-171, and classified enclave requirements all depend on identity controls working inside the boundary. Here is where most defense contractors and federal agencies are exposed.

Authentication Fails Inside the Enclave

Cloud-hosted IdPs require an outbound connection. Inside a CMMC-scoped enclave or a SCIF, that connection doesn’t exist. MFA fails. RADIUS times out. Operators fall back to shared local credentials to maintain operations, creating exactly the shared account conditions that fail assessments.

RADIUS Has a Transport-Layer Blind Spot

OMB M-21-07 mandates IPv6 transition across federal and DoD networks. New infrastructure, including switches, routers, and firewalls, is being deployed on IPv6 transport. Most IAM vendors’ RADIUS implementations only support IPv4. If your RADIUS server cannot operate over IPv6, every network device on IPv6 segments has no authentication path through your identity platform.
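As an added example (not SecureAuth code and not part of the original page), a Python probe for the check this passage implies: it sends a RADIUS Status-Server request (RFC 5997) over a chosen address family and verifies the server’s Access-Accept, so calling probe() once with socket.AF_INET and once with socket.AF_INET6 against the same server shows whether an IPv6 authentication path actually exists. The shared secret, addresses and the port 1812 default are assumptions.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER = 12          # RADIUS code for Status-Server (RFC 5997)
ACCESS_ACCEPT = 2           # reply a healthy auth-port server sends back
MESSAGE_AUTHENTICATOR = 80  # attribute type 80: 16-byte HMAC-MD5 (RFC 2869)


def build_status_server(secret: bytes, request_auth: bytes, ident: int = 1) -> bytes:
    """Header (code, id, length, 16-byte Request Authenticator) plus one
    Message-Authenticator: HMAC-MD5 over the packet with its value zeroed."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + request_auth
    attr_hdr = bytes([MESSAGE_AUTHENTICATOR, 18])
    mac = hmac.new(secret, header + attr_hdr + b"\x00" * 16, hashlib.md5).digest()
    return header + attr_hdr + mac


def build_accept_reply(secret: bytes, request_auth: bytes, ident: int = 1) -> bytes:
    """What a conforming server answers: an Access-Accept whose authenticator
    binds the reply to our Request Authenticator and the shared secret."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_reply(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """Response Authenticator check (RFC 2865 s.3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or code != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(host: str, secret: bytes, family: int, port: int = 1812, timeout: float = 2.0) -> bool:
    """Send one Status-Server over AF_INET or AF_INET6; True only on an
    authenticated Access-Accept. Timeouts and missing routes count as no path."""
    request_auth = os.urandom(16)          # fresh per request, never reused
    packet = build_status_server(secret, request_auth)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, no route, or address family unsupported
            return False
    return verify_reply(secret, request_auth, reply)
```

A server that answers over AF_INET but not AF_INET6 is the blind spot described above; a reply that fails verify_reply indicates a wrong shared secret or a spoofed response, not a working path.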

The Compliance Evidence Doesn’t Exist

CMMC Level 2 requires MFA on all CUI access and full access logging from within the enclave boundary. If the identity system that generates that evidence was never deployed inside the boundary, the evidence structurally cannot exist. Assessment findings from a missing control don’t go away. They disqualify contract performance.

Why It’s Unsolved

No Major Vendor Built for Networks Designed to Be Offline

The Assumption

Modern IAM was designed around one architectural assumption: the device authenticating and the service validating can both reach the internet. Every component (cloud FIDO2 servers, SaaS policy engines, mobile push, centralized audit) was built on that model.

Classified enclaves, CMMC-scoped networks, SIPR, JWICS, and SCIFs violate that assumption by design.

The regulatory requirements mandating these boundaries (CMMC, NIST 800-171, DISA STIGs) assumed identity would function inside them. The identity industry built for a different world.

The Consequence

The result is a category gap. Organizations search for “offline MFA” or “air-gapped FIDO2” and find workaround documentation, not a product.
There was no vendor category for purpose-built air-gapped IAM. Until now.

A compounding problem exists at the network layer. RADIUS is the standard protocol for authenticating to switches, routers, and firewalls in classified environments. Federal and DoD networks are mandating IPv6 per OMB M-21-07, but most vendors’ RADIUS implementations are IPv4-only.

The controls the assessor requires cannot be produced by the architecture you have. That is not a finding you can remediate with a policy change.

Closing the Gap Doesn’t Mean Ripping Out Your Existing Infrastructure

It means extending identity controls into the environments your current tools cannot reach. Here is what complete identity coverage inside a CMMC enclave or classified network requires.

Network devices authenticate individually, over IPv4 and IPv6.

Switches, routers, and firewalls validate credentials via RADIUS against a local identity store with MFA enforced. Full IPv6 transport support for networks completing OMB M-21-07 transition. No shared account. No timeout. No fallback.

MFA works with no internet path.

Authentication runs on local infrastructure inside the boundary: FIDO2, TOTP, YubiKey, CAC, PIV. No outbound call. No timeout. No fallback to a static password during an isolation event.

Contractor access expires automatically.

Accounts created for a program phase or maintenance period are time-bounded by design. When the work ends, the access ends. No orphaned accounts, no persistent privilege, no manual deprovisioning required.

Audit evidence is generated automatically.

Per-user access logs are produced continuously inside the boundary. No manual log reconstruction before assessments. Evidence that exists continuously is evidence that holds up.

Nothing calls home.

License validation, telemetry, threat intelligence updates: none of these require an outbound connection. In air-gapped environments, on-premises products that carry hidden cloud dependencies fail silently after a grace period expires. AirGap was built without them.

Part 2: The Solution

The Complete Identity Stack. Inside the Boundary.

SecureAuth AirGap deploys every identity control your CMMC enclave, classified network, or federal air gap requires, as a single package. No cloud dependencies. No components that call home. Deploy it inside the boundary, and it works.

01

The Gap

RADIUS times out inside the enclave. Cloud IdP is unreachable.

What AirGap Delivers

RADIUS validates against an on-premises IdP via local LDAP. Full IPv4 and IPv6 transport. MFA enforced at the network layer. OMB M-21-07 compliant.

02

The Gap

Cloud IAM doesn’t function inside the air gap.

What AirGap Delivers

Workforce IdP runs on Windows Server virtual appliances inside the boundary. No outbound call at any point in the authentication chain.

03

The Gap

FIDO2 requires a cloud server, making it unusable inside a SCIF or classified enclave.

What AirGap Delivers

FIDO Service deploys on-premises. YubiKeys and passkeys register and authenticate entirely inside the boundary, with no external server.

04

The Gap

MFA evidence for CMMC doesn’t exist because the IdP was never deployed inside scope.

What AirGap Delivers

Every authentication event logged locally. Continuous per-user access records. CMMC 2.0 and NIST 800-171 control coverage generated by the authentication flow itself.

05

The Gap

IPv6 network devices have no RADIUS authentication path.

What AirGap Delivers

Full RADIUS support over IPv4 and IPv6 transport. Every network device authenticates through the identity platform, regardless of transport layer.

Nothing Calls Home.

The complete stack ships as a single ISO.

In classified and enclave environments, multi-phase deployments are operationally painful. AirGap ships as a single deployable package. That is what secure environments require.

Workforce IdP

Windows Server virtual appliances. Runs the full identity and policy engine locally. No external calls for licensing, telemetry, or policy updates.

FIDO Service

On-premises FIDO2 WebAuthn server. Hardware token registration and authentication inside the boundary. Compatible with YubiKeys, passkeys, and PIV credentials.

Mobile Service

On-premises authentication app support. Push notifications route through local infrastructure. No SaaS relay required.

RADIUS (IPv4 + IPv6)

Local RADIUS server with full IPv4 and IPv6 transport. Validates against the on-premises IdP via LDAP. MFA enforced at the network layer for switches, routers, and firewalls. OMB M-21-07 compliant.

MFA & Config Data

Local database stores all FIDO, Mobile Service, and RADIUS configuration and enrollment data inside the boundary.

All services run locally. No cloud dependency.
FIDO2 + MFA fully on-premises.
RADIUS over IPv4 and IPv6. OMB M-21-07 compliant.
Single ISO deployment. No multi-phase provisioning.
CMMC 2.0 and NIST 800-171 control coverage.

The Frameworks Require It. The Architecture Has to Support It.

CMMC Level 2+

MFA on all CUI access. Per-user access logging. Time-bounded privilege. All generated inside the enclave boundary.

NIST 800-171

Access control, audit logging, identification and authentication controls: produced by every authentication event inside the boundary.

OMB M-21-07 (IPv6)

Full RADIUS support over IPv6 transport. Identity controls that keep pace with federal network infrastructure mandates.

Classified Enclave Requirements

SIPR, JWICS, SCIFs, and classified program networks. Per-user access attribution. No cloud dependency. No license calls that fail silently.

Built for the Environments That Cannot Compromise on Identity

Defense Contractors

CMMC-scoped CUI enclaves. Program networks. Cleared facilities and classified program environments where assessment findings are contract risk.

Federal Agencies

Networks mandating IPv6 transition per OMB M-21-07. Air-gapped systems with no internet path. Federal networks that require identity controls aligned with NIST and FISMA frameworks.

Classified Enclave Operators

SIPR, JWICS, and SCIF environments. Networks requiring per-user authentication and audit trails without any component that reaches outside the boundary.

DoD Program Offices

Networks actively migrating to IPv6. Environments where RADIUS over IPv6 is a technical requirement, not a roadmap item.

Trusted by CISOs, IAM Architects, Network Security Leads, and CMMC Compliance Managers responsible for identity in defense and federal environments.

Full Identity Control. Inside the Boundary.

How security and operations leaders in defense contracting and federal agencies are closing the identity gap in their most sensitive networks, without replacing existing infrastructure.

The SecureAuth AirGap Playbook is a practical guide for security and operations leaders. It maps the structural gap in air-gapped identity, explains why the category has gone unsolved, and shows what a complete on-premises identity stack looks like in CMMC-scoped enclaves, classified networks, and federal environments, including RADIUS over IPv6, offline FIDO2 MFA, and automatically generated audit evidence inside the boundary.
