Ping Identity
by Ping Identity
Covered: 11 controls
Partial: 2 controls
Gaps: 3 controls
Overview
Ping Identity by Ping Identity is an identity & access management solution that covers 11 NIST 800-171 controls (10% total coverage). It addresses key requirements in the identity & access management domain for defense contractors pursuing CMMC compliance.
Controls Covered (11)
Implementation Notes
Deploy Ping Identity with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Ping Identity
Configure Ping Identity to satisfy NIST 800-171 requirements through proper policy and access control setup.

For the Access Control (3.1.x) family, enable multi-factor authentication in PingFederate by configuring authentication policies with risk-based adaptive MFA, set session timeout policies to 30 minutes for CUI access, and implement role-based access control through PingDirectory's group membership features. Configure account lockout after 3 failed attempts and automatic account disabling after 35 days of inactivity.

For Identification and Authentication (3.5.x) controls, enable unique user identification through PingDirectory's person entries, implement password complexity requirements (minimum 14 characters, special characters, no dictionary words), and configure password history to prevent reuse of the last 24 passwords.

For System and Services Acquisition (3.12.x), document Ping Identity's security configurations in your developer security practices and maintain configuration baselines.

Generate assessment evidence through PingCentral's reporting dashboard, exporting user access reports, authentication logs, and policy compliance reports. Configure audit logging to capture all authentication events, access decisions, and administrative changes with timestamps and user attribution. Integrate with SIEM tools like Splunk through syslog forwarding for centralized monitoring. Connect to endpoint management tools via SCIM provisioning for automated account lifecycle management.

Common misconfigurations include: failing to enable comprehensive audit logging (causes AC-2 findings), using default session timeouts exceeding NIST requirements (IA-11 violations), not implementing proper password policies in PingDirectory (IA-5 gaps), and inadequate role separation in administrative access (AC-6 findings). Ensure all policy engines are configured with deny-by-default rules and regularly review access entitlements through PingCentral's access reviews feature.
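An added example (not Ping Identity code and not from this page's author): a Python check that reads an exported account list and authentication log and flags departures from the lockout, inactivity and audit-attribution settings above. The field names and sample records are constructed for illustration and are not a Ping Identity export schema; the log is assumed to be chronological and to span more than 35 days.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3              # lockout threshold stated on this page
MAX_INACTIVITY = timedelta(days=35)  # inactivity limit stated on this page

def review_export(accounts, events, now):
    """Return sorted (finding, subject) pairs for the exported data.

    Keys (user, ts, result, enabled, locked) are assumptions of this example.
    """
    findings = set()
    last_success, streak = {}, {}
    for i, ev in enumerate(events):
        user, ts = ev.get("user"), ev.get("ts")
        if not user or not ts:
            # Audit records need both a timestamp and user attribution.
            findings.add(("incomplete_audit_record", f"event#{i}"))
            continue
        if ev.get("result") == "success":
            last_success[user] = datetime.fromisoformat(ts)
            streak[user] = 0  # a successful login resets the failure streak
        else:
            streak[user] = streak.get(user, 0) + 1
    for acct in accounts:
        user = acct["user"]
        # Failure streak reached the threshold but the account is still usable.
        if streak.get(user, 0) >= MAX_FAILED_ATTEMPTS and not acct["locked"]:
            findings.add(("lockout_not_enforced", user))
        # Still enabled with no successful login inside the inactivity window.
        seen = last_success.get(user)
        if acct["enabled"] and (seen is None or now - seen > MAX_INACTIVITY):
            findings.add(("inactive_not_disabled", user))
    return sorted(findings)

# Constructed sample data, not real export output.
NOW = datetime(2024, 6, 1)
ACCOUNTS = [{"user": u, "enabled": e, "locked": False}
            for u, e in [("alice", True), ("bob", True),
                         ("carol", True), ("dave", False)]]
EVENTS = [
    {"ts": "2024-04-10T09:00:00", "user": "carol", "result": "success"},
    {"ts": "2024-05-30T08:00:00", "user": "alice", "result": "success"},
    {"ts": "2024-05-31T10:00:00", "user": "bob", "result": "success"},
    {"ts": "2024-05-31T10:05:00", "user": "bob", "result": "failure"},
    {"ts": "2024-05-31T10:05:10", "user": "bob", "result": "failure"},
    {"ts": "2024-05-31T10:05:20", "user": "bob", "result": "failure"},
    {"ts": "2024-05-31T11:00:00", "user": None, "result": "failure"},
]
```

Calling `review_export(ACCOUNTS, EVENTS, NOW)` returns the finding list, which can be attached to an assessment as evidence that the thresholds are enforced in practice and not only configured.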
Gap Analysis & Compensating Controls
The 3 uncovered NIST controls likely fall in System and Communications Protection (3.13.x) and System and Information Integrity (3.14.x) families, as Ping Identity focuses on identity/access rather than network security or malware protection. The biggest gap is typically 3.13.1 (boundary protection) and 3.13.8 (transmission confidentiality), which require network firewalls and encryption solutions beyond IAM scope. For boundary protection gaps, implement compensating controls through network segmentation tools like Palo Alto Networks firewalls or Cisco ASA, documenting the network architecture that isolates CUI systems. Address transmission security gaps with VPN solutions like Cisco AnyConnect or F5 BIG-IP APM for encrypted remote access. System integrity gaps (3.14.x) require endpoint protection tools like CrowdStrike Falcon or Microsoft Defender to provide malware protection, vulnerability scanning, and system monitoring capabilities.

Document these gaps in your System Security Plan under compensating controls sections, explaining how network and endpoint tools provide defense-in-depth alongside Ping Identity's access controls. In your Plan of Action and Milestones (POA&M), prioritize network boundary controls first (highest CMMC weight), followed by encryption requirements, then endpoint protection. The timeline should target network controls within 3 months, encryption within 6 months, and comprehensive endpoint protection within 9 months. Consider bundled solutions like Microsoft 365 E5 or integrated security platforms that can address multiple gap areas simultaneously while maintaining compatibility with Ping Identity's SAML/OIDC protocols for a seamless user experience.
Compliance Cost Estimate
Ping Identity licensing ranges from $3-15 per user per month depending on feature requirements, with PingOne cloud starting at $3/user/month and PingFederate enterprise licenses reaching $15+/user/month for advanced features. Initial implementation costs range $50,000-200,000 for medium defense contractors (500-2000 users), including professional services for SAML configuration, directory integration, and policy setup. Ongoing monitoring and maintenance costs approximately $30,000-60,000 annually for dedicated IAM administration, security monitoring, and compliance reporting. Compared to competitors like Okta ($2-16/user/month) or Microsoft Entra ID ($6-22/user/month), Ping Identity offers competitive pricing with superior government cloud compliance and FICAM certification. Total 3-year cost of ownership typically ranges $300,000-800,000 for mid-size defense contractors, making it cost-effective for NIST 800-171 compliance when leveraging cloud deployment models.
Compliance Cross-References
Ping Identity directly supports DFARS 252.204-7012 safeguarding requirements through access control (paragraph (b)(1)) and audit logging (paragraph (b)(2)) capabilities. For CMMC Level 2, Ping Identity satisfies Access Control domain objectives AC.1.001-AC.1.003 and AC.2.005-AC.2.008, plus Identification and Authentication objectives IA.1.076-IA.1.078 and IA.2.079-IA.2.081. The solution addresses approximately 35% of CMMC Level 2 assessment objectives in AC and IA domains. For FedRAMP alignment, Ping Identity's FedRAMP authorized cloud services map to AC-2 (Account Management), AC-3 (Access Enforcement), AC-7 (Unsuccessful Logon Attempts), IA-2 (User Identification and Authentication), and IA-5 (Authenticator Management) controls. However, additional tools are required for System and Communications Protection (SC family) and System and Information Integrity (SI family) CMMC objectives. Organizations need complementary solutions for network security (AC.3.020), malware protection (SI.1.211), and vulnerability management (SI.2.216) to achieve full CMMC Level 2 certification. Document Ping Identity's CMMC objective coverage in assessment scope worksheets and identify specific gaps requiring additional security tool integration.
Frequently Asked Questions
How many NIST 800-171 controls does Ping Identity cover?
Ping Identity covers 11 of 110 NIST 800-171 controls (10%), with 2 partially covered and 3 gaps.
Can Ping Identity alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Ping Identity covers 10% and should be part of a layered security stack addressing the remaining controls.
What controls does Ping Identity not cover?
Ping Identity does not cover controls mp-3-8-1, sc-3-13-1, si-3-14-6. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.