Partially Ready — CMMC Level 2
72% NIST 800-171 coverage. 4 control gaps identified.
OneSpan Government
by OneSpan
Overview
OneSpan Government by OneSpan is an identity & access management solution that is pursuing FedRAMP authorization and targeting CMMC Level 2 compliance. It provides 72% coverage of NIST 800-171 controls for defense contractors handling CUI.
What This Means for Defense Contractors
OneSpan Government meets the architectural requirements for CMMC Level 2. However, CMMC compliance depends on your entire system boundary — not just individual tools. There are 4 NIST 800-171 control gaps that need remediation before assessment. Defense contractors using OneSpan Government should verify that their System Security Plan (SSP) documents how this tool fits within their authorization boundary.
NIST 800-171 Coverage
Control Gaps
Using OneSpan Government without addressing these NIST 800-171 controls may result in findings during a CMMC assessment:
Using OneSpan Government in a CMMC Environment
Defense contractors using OneSpan Government should be aware that its 72% NIST 800-171 coverage leaves 28% of controls unaddressed. While OneSpan Government can be part of your CMMC environment, you will need compensating controls and supplementary tools to close the 4 identified gaps before a C3PAO assessment. Document all compensating controls in your POA&M and ensure your SSP accurately reflects the shared responsibility model.
CMMC Compliance Analysis for OneSpan Government
OneSpan Government demonstrates strong capabilities in digital identity verification and continuous monitoring, positioning it as a viable identity management solution for defense contractors handling CUI. The platform excels in NIST 800-171 control families 3.5 (Identification and Authentication) and 3.3 (Audit and Accountability) through its robust digital identity verification and automated compliance reporting features. However, critical gaps in controls 3.4.6 (information flow enforcement), 3.5.1 (identification of information system users), 3.5.3 (disabling identifiers), and 3.5.7 (password complexity enforcement) significantly impact its CMMC Level 2 readiness. During a C3PAO assessment, evaluators will scrutinize OneSpan Government's ability to enforce granular access controls for CUI, particularly examining how the system handles user provisioning, deprovisioning, and password management across federated environments. The platform's pursuit of FedRAMP authorization indicates architectural compliance with federal security requirements, allowing it to operate within CMMC authorization boundaries when properly configured. However, the 28% NIST coverage gap requires substantial compensating controls. Compared to competitors like Okta Government Cloud or Microsoft Azure AD Government, OneSpan Government's specialized focus on digital identity verification provides advantages in authentication assurance levels but lacks comprehensive identity governance capabilities. The continuous monitoring features align well with CMMC's emphasis on ongoing compliance verification, but the platform requires additional tooling to address access control enforcement gaps. C3PAO assessors will likely flag the incomplete coverage of foundational identity controls, requiring documented compensating measures and integration with complementary security tools to achieve full CMMC Level 2 compliance in defense contractor environments.
Remediation Plan
To achieve CMMC compliance, begin with a 4-week configuration audit to address control gaps. For 3.4.6 (information flow enforcement), implement network segmentation policies within OneSpan Government's admin console and integrate with network access control solutions to enforce CUI data flow restrictions. Document compensating controls in the SSP section 10.2, specifying how network-level enforcement supplements identity-based controls. Address 3.5.1 (user identification) by configuring unique identifier requirements in the user provisioning workflows and establishing integration with Active Directory for centralized user management within 6 weeks. For 3.5.3 (identifier disabling), implement automated account lifecycle management through OneSpan Government's API, creating workflows that disable accounts within 24 hours of employment termination or role changes affecting CUI access. Configure 3.5.7 (password complexity) by enabling advanced password policies in the authentication settings, enforcing minimum 14-character passwords with complexity requirements and regular rotation schedules. Establish continuous monitoring procedures using OneSpan Government's reporting features to generate monthly compliance reports for ongoing C3PAO evidence. Create POA&M entries for each remediated control with target completion dates and assign responsibility to the ISSO for quarterly compliance verification. Implement weekly vulnerability scanning of the OneSpan Government environment and establish incident response procedures for identity-related security events. Prepare evidence packages including configuration screenshots, policy documentation, and audit logs demonstrating consistent enforcement of remediated controls. Timeline for full compliance: 8-12 weeks including testing and documentation phases.
Remediation Checklist
1. Configure network segmentation policies in OneSpan Government admin console to enforce CUI data flow restrictions (ISSO responsible, addresses 3.4.6)
2. Establish unique identifier requirements in user provisioning workflows and integrate with enterprise Active Directory (Sysadmin responsible, addresses 3.5.1)
3. Implement automated account lifecycle management through OneSpan Government API for 24-hour account disabling (Sysadmin responsible, addresses 3.5.3)
4. Enable advanced password policies requiring 14-character minimum complexity and rotation schedules (ISSO responsible, addresses 3.5.7)
5. Document compensating controls for information flow enforcement in SSP section 10.2 (ISSO responsible)
6. Create POA&M entries for each remediated control with target completion dates and verification procedures (ISSO responsible)
7. Configure automated compliance reporting using OneSpan Government's monitoring features for monthly C3PAO evidence (ISSO responsible)
8. Establish incident response procedures for identity-related security events and integrate with SIEM (ISSO responsible)
9. Conduct quarterly compliance verification reviews and maintain evidence packages with configuration screenshots and audit logs (ISSO responsible)
10. Schedule C3PAO pre-assessment review of OneSpan Government configuration and compensating controls documentation (Contracts responsible)
Estimated Compliance Cost
Initial remediation costs for OneSpan Government CMMC compliance range from $45,000-$75,000, including platform configuration, integration development, and compensating control implementation. This covers 4-6 weeks of specialized consulting to address control gaps, custom API development for automated provisioning, and initial policy configuration. Annual ongoing costs range from $25,000-$40,000 for licensing, maintenance, and quarterly compliance reviews. Continuous monitoring implementation adds $15,000-$25,000 annually for automated reporting tools, log aggregation, and monthly compliance verification activities. Additional costs include C3PAO assessment preparation ($10,000-$15,000) and potential integration with network access control solutions ($20,000-$35,000) to fully address information flow enforcement requirements. Organizations should budget for ongoing training and certification maintenance, estimated at $5,000-$8,000 annually. Total 3-year cost of ownership ranges from $155,000-$263,000, making OneSpan Government cost-competitive for mid-to-large defense contractors requiring robust identity verification capabilities while achieving CMMC Level 2 compliance within a 12-week implementation timeline.
Compliance Cross-References
OneSpan Government's partial compliance significantly impacts DFARS 252.204-7012 requirements for safeguarding covered defense information, particularly affecting adequate security controls for CUI systems. The control gaps directly violate DFARS 252.204-7021 mandating NIST 800-171 compliance, specifically impacting control families 3.4 (Access Control) and 3.5 (Identification and Authentication). Control 3.4.6 gaps create findings in CMMC Level 2 Access Control (AC) domain, requiring documented compensating measures for information flow enforcement. Controls 3.5.1, 3.5.3, and 3.5.7 gaps directly impact the Identification and Authentication (IA) assessment domain, potentially resulting in Level 1 findings if not properly remediated. OneSpan Government's FedRAMP authorization pursuit aligns with CMMC requirements for cloud service providers but doesn't automatically satisfy contractor obligations for comprehensive identity management. Non-compliance creates cascading effects across NIST 800-171 control families, particularly impacting System and Communications Protection (3.13) and System and Information Integrity (3.14) through inadequate access enforcement. Defense contractors using OneSpan Government must document how compensating controls address these gaps in their System Security Plan and maintain continuous evidence of effective implementation to avoid CMMC assessment findings that could impact DoD contract eligibility.
Frequently Asked Questions
Is OneSpan Government CMMC compliant?
OneSpan Government partially meets CMMC requirements with 72% coverage. 4 control gaps need remediation.
What NIST 800-171 controls does OneSpan Government cover?
OneSpan Government covers 72% of the 110 NIST 800-171 controls, with 4 gaps primarily in 3.4.6 and 3.5.1 control families.
What are the CMMC compliance gaps for OneSpan Government?
The primary gaps are in controls 3.4.6, 3.5.1, 3.5.3, 3.5.7. These require supplementary tools or process controls to achieve full CMMC Level 2 compliance.