CMMC Ready — CMMC Level 2
80% NIST 800-171 coverage. 2 control gaps identified.
CMMC Status: CMMC Ready
Target Level: Level 2
NIST Coverage: 80%
Infor Government
by Infor
Overview
Infor Government by Infor is an ERP & finance solution with FedRAMP authorization targeting CMMC Level 2 compliance. It provides 80% coverage of NIST 800-171 controls for defense contractors handling CUI.
What This Means for Defense Contractors
Infor Government meets the architectural requirements for CMMC Level 2. However, CMMC compliance depends on your entire system boundary — not just individual tools. There are 2 NIST 800-171 control gaps that need remediation before assessment. Defense contractors using Infor Government should verify that their System Security Plan (SSP) documents how this tool fits within their authorization boundary.
NIST 800-171 Coverage
Control Gaps
Using Infor Government without addressing these NIST 800-171 controls may result in findings during a CMMC assessment:
- 3.1.1 - Authorized Access
- 3.1.2 - Transaction and Function Control
Strengths
Using Infor Government in a CMMC Environment
For defense contractors already using Infor Government, the path to CMMC compliance involves documenting the tool in your System Security Plan (SSP), ensuring proper access controls are configured, and validating that Infor Government's security controls align with your authorization boundary. With 80% NIST 800-171 coverage, Infor Government provides a strong compliance foundation, though the 2 remaining control gaps will need compensating controls or supplementary tools.
CMMC Compliance Analysis for Infor Government
Infor Government demonstrates strong CMMC Level 2 readiness with FedRAMP authorization and 80% NIST 800-171 control coverage, positioning it well for defense contractors handling CUI in financial and operational workflows. The platform excels in System and Information Integrity (3.14) and Configuration Management (3.4) families through automated compliance reporting and STIG-hardened configurations. Its SOC 2 Type II certification and continuous monitoring capabilities strongly support Audit and Accountability (3.3) and System and Communications Protection (3.13) requirements. However, critical gaps in Access Control (3.1.1 - Authorized Access and 3.1.2 - Transaction and Function Control) present significant challenges, as these controls are fundamental to CUI protection and will be scrutinized heavily during C3PAO assessment. A C3PAO assessor will evaluate Infor Government's role in the contractor's CUI processing workflows, examining data flow diagrams, access control matrices, and integration with the organization's identity management systems. The DoD SRG IL4/IL5 support is advantageous for higher-classification environments but doesn't directly address CMMC Level 2 gaps. This tool can exist within a CMMC authorization boundary but requires substantial compensating controls for the 3.1.x gaps. Compared to competitors like Deltek Costpoint or Unanet, Infor Government's FedRAMP authorization provides a compliance advantage, but the access control gaps are more significant than those typically found in purpose-built defense contractor ERP solutions.
Configuration Guide
Configure Infor Government's Role-Based Access Control (RBAC) to implement least privilege principles addressing 3.1.1 gaps - establish user roles aligned with job functions and implement quarterly access reviews. Deploy compensating controls including network segmentation to isolate ERP traffic and implement additional authentication layers through integration with enterprise identity providers supporting MFA. For 3.1.2 remediation, configure transaction logging and approval workflows for all CUI-related financial transactions, implementing segregation of duties controls within the ERP modules. Document compensating controls in the System Security Plan (SSP), specifically addressing how network controls and procedural safeguards mitigate access control limitations. Timeline estimate: 8-12 weeks for initial configuration and compensating control implementation, with 4-6 weeks for documentation updates. Maintain compliance through quarterly user access reviews, monthly vulnerability scans of the ERP environment, and continuous monitoring of system logs. Prepare evidence including access control matrices, transaction logs, network architecture diagrams, and proof of STIG compliance for C3PAO review. Establish automated reporting for control effectiveness metrics and maintain POA&M entries for any identified weaknesses during ongoing operations.
Configuration Checklist
1. ISSO: Configure Role-Based Access Control matrix mapping job functions to system privileges addressing NIST 3.1.1 requirements
2. Sysadmin: Implement network segmentation isolating Infor Government ERP traffic from general business networks
3. ISSO: Document compensating controls for 3.1.1 and 3.1.2 gaps in SSP Section 10 (System Environment)
4. Sysadmin: Enable comprehensive audit logging for all CUI-related transactions within ERP modules
5. ISSO: Establish quarterly user access review procedures with documented approval workflows
6. Sysadmin: Integrate Infor Government with enterprise identity provider supporting multi-factor authentication
7. ISSO: Create POA&M entries for identified access control gaps with remediation timelines
8. C3PAO: Validate compensating control effectiveness during assessment preparation phase
9. Contracts: Ensure Infor Government usage aligns with DFARS 252.204-7012 system security requirements
10. ISSO: Implement automated compliance reporting dashboards for continuous CMMC posture monitoring
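The RBAC matrix, the quarterly access review and the segregation-of-duties control from the guide above can be checked mechanically and the output kept as assessment evidence. The following is an added example, not code from Infor or from this page: the role names, privilege names, conflict pairs and data layout are hypothetical, and a real review would load them from an export of the ERP's role assignments.

```python
from datetime import date, timedelta

# Constructed sample data: role and privilege names are hypothetical,
# not Infor Government's actual role model or export format.
ROLE_PRIVS = {
    "ap_clerk": {"invoice.create", "vendor.view"},
    "ap_approver": {"invoice.approve", "vendor.view"},
    "vendor_admin": {"vendor.create", "vendor.edit"},
    "auditor": {"invoice.view", "vendor.view", "log.view"},
}
# Privilege pairs one person must not hold together (segregation of duties, 3.1.2).
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),
    ("vendor.create", "invoice.approve"),
]
# (user, role, date the assignment was last reviewed and approved)
ASSIGNMENTS = [
    ("alice", "ap_clerk", date(2024, 5, 20)),
    ("alice", "ap_approver", date(2024, 5, 20)),
    ("bob", "ap_approver", date(2024, 1, 10)),
    ("carol", "auditor", date(2024, 6, 1)),
    ("dave", "vendor_admin", date(2024, 4, 15)),
    ("dave", "legacy_superuser", date(2024, 4, 15)),  # role missing from the matrix
]
REVIEW_INTERVAL = timedelta(days=92)  # quarterly review cycle (3.1.1)


def review_access(assignments, role_privs, conflicts, today):
    """Return findings as sorted (user, kind, detail) tuples."""
    findings, effective = [], {}
    for user, role, reviewed in assignments:
        if role not in role_privs:
            # Fail closed: an undocumented role cannot be shown to be least privilege.
            findings.append((user, "unmapped_role", role))
        effective.setdefault(user, set()).update(role_privs.get(role, set()))
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((user, "review_overdue", f"{role} last reviewed {reviewed}"))
    # Conflicts are evaluated on the union of a user's roles, not per role.
    for user, privs in effective.items():
        for a, b in conflicts:
            if a in privs and b in privs:
                findings.append((user, "sod_conflict", f"{a} + {b}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(ASSIGNMENTS, ROLE_PRIVS, SOD_CONFLICTS, date(2024, 7, 1)):
        print(*finding, sep=" | ")
```

Each finding maps to a POA&M entry or an access-matrix correction; an empty result for a review date is the evidence that the quarterly review passed.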
Estimated Compliance Cost
Initial setup and remediation costs range from $75,000-$150,000, including professional services for RBAC configuration, compensating control implementation, and SSP documentation updates. Annual ongoing costs approximate $25,000-$40,000 for continuous monitoring, quarterly access reviews, and compliance reporting automation. Continuous monitoring costs include $8,000-$12,000 annually for security tooling integration and log management solutions required to address access control gaps. Timeline spans 3-4 months for full remediation and documentation, with ongoing quarterly review cycles. Additional costs may include identity provider integration ($15,000-$25,000) and network segmentation implementation ($20,000-$35,000) depending on existing infrastructure maturity.
Compliance Cross-References
Infor Government's FedRAMP authorization directly supports DFARS 252.204-7021 requirements for adequate security on covered contractor information systems, providing a strong foundation for CMMC compliance. The platform addresses DFARS 252.204-7012 safeguarding requirements through its STIG-hardened configurations and continuous monitoring capabilities, though access control gaps in 3.1.1 and 3.1.2 require additional attention. Within CMMC Level 2 assessment domains, Infor Government performs strongly in Configuration Management (CM), System and Information Integrity (SI), and Risk Assessment (RA) domains but requires compensating controls in Access Control (AC) domain. The DoD SRG IL4/IL5 support exceeds CMMC Level 2 requirements, providing headroom for future compliance needs. FedRAMP authorization ensures cloud security controls meet federal standards, automatically satisfying numerous NIST 800-171 controls related to system and communications protection. Integration with this compliant platform helps contractors meet the 'adequate security' standard required under DFARS, while the continuous monitoring capabilities support ongoing compliance demonstration required for CMMC maintenance.
Frequently Asked Questions
Is Infor Government CMMC compliant?
Infor Government meets CMMC Level 2 requirements with 80% NIST 800-171 control coverage.
What NIST 800-171 controls does Infor Government cover?
Infor Government covers 80% of the 110 NIST 800-171 controls, with 2 gaps, primarily in controls 3.1.1 and 3.1.2.
What are the CMMC compliance gaps for Infor Government?
The primary gaps are in controls 3.1.1 and 3.1.2. These require supplementary tools or process controls to achieve full CMMC Level 2 compliance.