Workshop on Privileged Access Management requirements across NIST 800-171 (3.1.1, 3.1.5, 3.1.7), NIST 800-53 (AC-2, AC-6), and CMMC L2. Covers PAM tool selection (CyberArk, BeyondTrust, Delinea), session recording, just-in-time access, and the evidence assessors expect. Includes implementation patterns for cloud and on-premises environments.
Privileged accounts are among the highest-value targets in any federal contractor environment, and assessors know it. This four-hour workshop gives compliance practitioners a structured, control-by-control walkthrough of Privileged Access Management requirements and the implementation evidence that satisfies them — without the guesswork.
The session opens with the three 800-171 requirements that most directly govern privileged access: 3.1.1 (limit system access to authorized users, processes, and devices), 3.1.5 (least privilege, including for security functions and privileged accounts), and 3.1.7 (prevent non-privileged users from executing privileged functions, and capture the execution of such functions in audit logs). Participants examine each requirement at the practice level: what the requirement actually demands, where implementations commonly fall short, and how the same requirements map one-to-one to CMMC Level 2 practices in the Access Control domain. Because a CMMC Level 2 assessment is scored against the assessment objectives in NIST SP 800-171A, the relationship between those objectives and an organization's documented PAM procedures is addressed directly.
For organizations operating under NIST 800-53 — including those supporting federal agencies or pursuing FedRAMP-adjacent programs — the workshop covers AC-2 (Account Management) and AC-6 (Least Privilege) in depth. Attendees learn how to align a PAM program to satisfy both 800-171 and 800-53 simultaneously, reducing duplicated effort and documentation overhead.
The workshop takes an honest look at the three PAM platforms assessors most commonly encounter in defense contractor environments: CyberArk, BeyondTrust, and Delinea. Instructor Carl B. Johnson walks through the capability considerations relevant to compliance — including vault architecture, session brokering, credential rotation, and reporting — without advocating for a single vendor. The goal is to help practitioners ask the right questions when selecting or configuring a tool their organization already owns or is evaluating.
Two PAM capabilities generate the most assessor scrutiny: session recording and just-in-time (JIT) access provisioning. This block covers how to implement both in cloud and on-premises environments; what a reviewable session recording must capture to serve as evidence (the identity that checked out the credential, the target system, the start and end of the session, and the commands or actions taken, so that it also supports the audit-logging half of 3.1.7); and how JIT workflows, which grant elevated rights only for an approved task and a bounded time window, map to the least-privilege expectations of 3.1.5 and AC-6. Common configuration gaps that produce assessment findings, such as standing administrator membership that bypasses the vault or recordings that are enabled but not retained or reviewed, are identified and corrected.
The closing curriculum block focuses entirely on documentation: the system security plan language, account inventory records, access review artifacts, and configuration exports that a C3PAO or government assessor will ask for. Participants build a working understanding of how to organize and present PAM evidence so that nothing is left to interpretation on assessment day.
This workshop is built for the practitioners doing the work: IT compliance analysts, system security officers, identity and access management engineers, and GRC professionals at defense contractors, subcontractors, and federal-facing organizations who are responsible for implementing or documenting PAM controls. It is equally relevant to those preparing for a CMMC assessment, responding to a DFARS 252.204-7012 obligation, or maturing an existing 800-53-aligned access control program.
Managers evaluating this training for their teams should know that participants return with immediately applicable artifacts and a repeatable process, not just awareness-level knowledge. If your organization is working toward CMMC certification, CUI protection, and DFARS compliance, or has an upcoming risk assessment, this session directly supports both the implementation and the documentation workstreams. Organizations looking to build a broader access control and compliance foundation may also benefit from reviewing IT compliance services available through Cleared Systems.
This workshop delivers the technical depth and compliance precision that defense contractors need to implement Privileged Access Management correctly the first time. Seats are limited to preserve an interactive environment where specific questions get specific answers. Register through the event details above, or explore ongoing vCISO support if your organization needs sustained PAM and compliance guidance beyond a single session.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.