Compliance Brief
Pulse CA: Zero Trust and CMMC L3
How Continuous Authentication & Identity Assurance Satisfies the Mandate That MFA Alone Cannot
A practitioner-level mapping of Pulse CA capabilities to NIST SP 800-207 Zero Trust Architecture principles and CMMC Level 3 practice requirements.
AffirmedID | affirmedid.com | May 2026
Executive Summary
Zero Trust Architecture and CMMC Level 3 share a foundational premise: no session, credential, or access token should be trusted beyond the moment it was verified. Yet almost every enterprise security stack, including those that have deployed MFA, endpoint detection, and identity governance, still honors session trust implicitly for minutes or hours after the authentication ceremony ends.
Pulse CA was built to close this gap. By delivering continuous authentication throughout the full session lifecycle, combined with FIDO2-based phishing-resistant MFA and real-time AuthZEN authorization evaluation, Pulse CA provides the technical architecture that ZTA and CMMC L3 describe, not merely a compliance-aligned product, but a genuine implementation of the principles those frameworks demand.
This brief maps Pulse CA capabilities directly to NIST SP 800-207 Zero Trust tenets and CMMC Level 3 practice domains, and explains how the platform's dual-assertion authentication model addresses MFA requirements at an assurance level most organizations have not previously achieved.
The Gap MFA Alone Leaves Open
Multi-factor authentication is required by both ZTA and CMMC, and for good reason: it significantly raises the cost of credential-based attacks at login. But MFA, as universally implemented, is a point-in-time ceremony. It verifies identity once, at the start of a session, and then steps aside. From that moment on, the session token carries the full weight of access authority, and the system has no mechanism to detect whether anything has changed.
This is not a theoretical concern. Reputable 2026 reports confirm that 87% of successful identity-based attacks in 2025 involved session hijacking after a valid MFA login ceremony. Attackers have adapted: rather than defeating MFA, they wait for it to succeed, then steal the session token that MFA produced. The authentication succeeded. The attacker inherited the result.
The compliance implication: An organization that relies on MFA alone satisfies the authentication requirement of ZTA and CMMC, but not the underlying intent. Both frameworks call for continuous verification of identity and trust throughout a session, not a single ceremony followed by hours of implicit trust. Pulse CA is the mechanism that bridges the gap between what MFA provides and what the frameworks actually require.
Dual-Assertion Authentication: Exceptional MFA
Pulse CA's authentication architecture is built on two simultaneous, independent identity assertions, a model that goes substantially beyond conventional MFA and satisfies the highest assurance levels defined by NIST SP 800-63B.
Assertion 1: FIDO2 / Passkey Device Assertion
At login, Pulse CA performs a phishing-resistant FIDO2 authentication ceremony using a Passkey or the AffirmedID Auth device as the authenticator. This provides cryptographic proof of device possession, confirming the right authenticator was physically present and that the ceremony was not intercepted, proxied, or replayed. FIDO2 satisfies NIST Authenticator Assurance Level 2 (AAL2) on its own, meeting the phishing-resistant MFA requirement across CMMC L2 and L3 and NIST SP 800-207.
Assertion 2: Auth Behavioral Identity Assertion
Simultaneously, the AffirmedID Auth app, running on the user's bonded mobile device, produces a continuous behavioral identity assertion derived from four live trust signals:
- Identity Trust Score: behavioral biometrics, including interaction patterns learned during the bonding ceremony, continuously confirming that the authenticated person remains in control of the session.
- Proximity Trust Score: Bluetooth-based verification that the user's bonded phone remains physically near the device in active use. If the phone leaves proximity, the score degrades immediately.
- 3D Location Trust Score: GPS combined with barometric altitude, providing floor-level precision. A user authorized to access from the twelfth floor of a facility who moves to a different floor registers a location anomaly that 2D geofencing cannot detect.
- Device Health Trust Score: real-time integrity monitoring of the Auth device, covering jailbreak detection, hijack indicators, and anomalous state changes as they occur.
Unlike the FIDO2 assertion, which is produced once at login, the Auth behavioral identity assertion is live and continuous throughout the session. It does not age. It does not expire. It reflects the actual state of the user's identity at every moment from login to logout.
The Combined Effect: NIST AAL3 in a Single Ceremony
The combination of FIDO2 device assertion and Auth behavioral identity assertion satisfies NIST AAL3, the highest authenticator assurance level, within a single login ceremony. Most organizations require two separate authentication ceremonies to reach AAL3. Pulse CA achieves it by design, because both factors are gathered simultaneously at login and both remain active throughout the session. Step-up authentication using Auth delivers on-demand AAL3 re-verification for high-privilege actions without a separate session or re-enrollment.
In short: Pulse CA's dual-assertion model is not merely compliant MFA, it is phishing-resistant MFA (FIDO2) combined with continuous behavioral identity verification (Auth), producing a live, composite trust signal that persists for the full session. This is what ZTA and CMMC mean when they call for verification that does not stop at login.
Zero Trust Architecture, NIST SP 800-207 Mapping
NIST SP 800-207 defines seven core tenets of Zero Trust Architecture. Pulse CA addresses each of them, and directly implements the four that relate to identity, session monitoring, and authorization.
| NIST SP 800-207 Tenet | Pulse CA Implementation |
|---|---|
| T1: All data sources and computing services are resources | Pulse CA's AuthZEN evaluator applies consistent trust-based access control to any OIDC- or SAML-connected resource, on-premises, cloud, or hybrid, without creating a privileged internal zone. |
| T2: All communication is secured regardless of network location | Trust evaluation is identity-based, not network-based. Pulse CA does not grant access because a device is on a trusted network; it grants access because the current trust score justifies it. Network location is irrelevant to the access decision. |
| T3: Access to individual resources is granted on a per-session basis | AuthZEN evaluates every access request against the current trust context at the time of the request, not at login. Each protected resource access is an independent authorization evaluation. Session tokens do not carry blanket authority beyond what current trust supports. |
| T4: Access is determined by dynamic policy including behavioral and environmental attributes | The Pulse PDP incorporates behavioral biometrics (Identity Trust Score), physical context (Proximity and 3D Location), and device state (Device Health) into every authorization decision. This is precisely the dynamic, multi-signal policy evaluation T4 describes. |
| T5: The enterprise monitors and measures the integrity and security posture of all assets | Device Health Trust Score provides continuous integrity monitoring of the Auth device throughout the session. Anomalies are detected in real time, not on the next login. |
| T6: All resource authentication and authorization is dynamic and strictly enforced before access is allowed | Authorization is re-evaluated at every access request via AuthZEN. Enforcement is automatic: permit, deny, step-up, or termination, delivered via push notification to all registered endpoints within milliseconds of a trust state change. |
| T7: The enterprise collects information about the current state of assets, network infrastructure, and communications | Every trust metric, AuthZEN evaluation, and enforcement decision is logged with a session-scoped correlation ID, creating a complete, tamper-evident audit trail from login through every access decision and enforcement action. |
ZTA Summary: Pulse CA is one of the few commercially available platforms that implements all seven NIST SP 800-207 tenets in a single integrated framework, not through assembling separate point solutions, but through a purpose-built continuous authentication and authorization pipeline.
CMMC Level 3, Practice Domain Mapping
CMMC Level 3 encompasses all 110 practices from NIST SP 800-171 plus a subset of practices drawn from NIST SP 800-172. The practices most directly addressed by Pulse CA span four domains: Access Control (AC), Identification and Authentication (IA), Audit and Accountability (AU), and Configuration Management (CM). The table below maps specific CMMC L3 practices to Pulse CA capabilities.
| Practice | Requirement Summary | Pulse CA Implementation |
|---|---|---|
| AC.L3-3.1.3 | Control the flow of CUI based on privacy and other security requirements | AuthZEN evaluates CUI access requests against the live composite trust score at the time of each request. Access to sensitive resources can be restricted to sessions meeting a minimum trust threshold, automatically, without policy updates. |
| AC.L3-3.1.20 | Verify and control all connections to external systems | Pulse CA applies the same continuous trust evaluation to connections originating from any external access point. There is no implicit trust granted to any connection regardless of origin. |
| IA.L2-3.5.3 | Use multi-factor authentication for local and network access | Dual-assertion authentication (FIDO2 + Auth behavioral assertion) satisfies this requirement at NIST AAL2, with the combination reaching AAL3. Both factors are phishing-resistant: FIDO2 by cryptographic design; Auth behavioral assertion by virtue of being derived from the user's bonded personal device and behavioral patterns that cannot be replicated remotely. |
| IA.L2-3.5.4 | Employ replay-resistant authentication mechanisms | FIDO2 is replay-resistant by design (challenge-response with cryptographic nonce). The Auth behavioral assertion is inherently replay-resistant: it is derived from live behavioral and physical signals that cannot be captured and replayed from a different device or person. |
| IA.L3-3.5.10 | Employ identity-based access control | Every AuthZEN access decision is made against the real-time trust state of the authenticated identity, not a static role or group membership assigned at login. Access control is continuously identity-driven. |
| AU.L2-3.3.1 | Create, protect, and retain system audit logs to enable monitoring, analysis, investigation, and reporting | Pulse CA logs every trust metric update, AuthZEN evaluation, and enforcement decision, linked by session correlation ID. Logs are structured, timestamped, and retained for audit and forensic analysis. |
| AU.L2-3.3.2 | Ensure the actions of individual system users can be traced to those users | The session correlation ID links every action, including AI agent actions, to the authenticated human user. Traceability is complete and unbroken from login through logout. |
| AU.L3-3.3.9 | Protect audit information and tools from unauthorized access, modification, and deletion | Pulse CA audit logs are generated and stored in the cloud PDP, separated from the relying party systems they audit. Logs cannot be modified or deleted by the systems or users they record. |
| CM.L2-3.4.2 | Establish and enforce security configuration settings for information technology products | Device Health Trust Score continuously monitors the Auth device for configuration drift, jailbreaks, and anomalous state changes. A device that falls out of a compliant configuration immediately affects the composite trust score and can trigger access restriction or session termination. |
| SI.L3-3.14.7 (NIST 800-172) | Conduct targeted penetration testing to identify vulnerabilities in organizational systems | Pulse CA's continuous session monitoring and device health tracking provide the real-time visibility surface that supports effective penetration testing outcomes: anomalous access patterns detected during testing are captured in the audit trail automatically. |
Continuous Monitoring: The CMMC Requirement Most Organizations Fall Short On
CMMC Level 3 requires continuous monitoring of organizational systems, not periodic audits, not login-time snapshots. Pulse CA provides continuous monitoring at the session level: four trust metrics streaming in real time for every active session, with every deviation logged and every threshold breach triggering an automated enforcement response.
This is not a secondary benefit. For organizations seeking CMMC L3 certification, the ability to demonstrate continuous, automated monitoring with a complete and correlated audit trail is one of the hardest requirements to satisfy with conventional tooling. Pulse CA provides this capability out of the box, as a structural property of the platform, not as an add-on report or periodic scan.
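The following Python is an added illustration, not Pulse CA code and not the Pulse PDP's actual policy or log format. It models the pipeline this brief describes across the dual-assertion section, tenets T3/T4/T6/T7, the AU practices and the continuous-monitoring paragraph above: four live trust signals per session, a composite trust score, per-request authorization that yields permit, step-up, deny or terminate, and an audit trail keyed by a session-scoped correlation ID. The weights, thresholds, hard floors, resource name and the hash-chained log are assumptions chosen for illustration; the decision object only loosely follows the AuthZEN evaluation response shape (a boolean `decision` plus `context`).

```python
"""Illustrative continuous-authorization PDP (added example, not Pulse CA code).
Weights, thresholds, floors and the hash-chained log format are assumptions."""
import hashlib
import json
import uuid
from dataclasses import dataclass

# Assumed weights for the four trust signals named in the brief.
WEIGHTS = {"identity": 0.40, "proximity": 0.20, "location": 0.15, "device_health": 0.25}
# Assumed per-resource policy: minimum composite trust to permit, and a band
# below it where the PDP requests step-up re-verification instead of denying.
POLICY = {"cui-repo": {"min_trust": 0.80, "step_up_band": 0.15}}
# Assumed hard floors: breaching one terminates the session on the trust
# update itself, without waiting for the next access request (tenet T6).
HARD_FLOORS = {"device_health": 0.30, "proximity": 0.20}


@dataclass
class TrustSignals:
    identity: float       # behavioral biometrics match, 0..1
    proximity: float      # bonded phone near the endpoint (Bluetooth), 0..1
    location: float       # 3D location within the authorized zone, 0..1
    device_health: float  # Auth device integrity (no jailbreak etc.), 0..1


def composite_trust(s: TrustSignals) -> float:
    """Weighted mean of the live signals, rounded for stable logging."""
    return round(sum(WEIGHTS[k] * v for k, v in vars(s).items()), 3)


def _digest(entry: dict) -> str:
    """Hash of a log record with its own 'hash' field excluded."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Session:
    """One authenticated session; every event is appended to a chained log."""

    def __init__(self, user: str, signals: TrustSignals) -> None:
        self.user = user
        self.correlation_id = str(uuid.uuid4())  # session-scoped ID (tenet T7)
        self.signals = signals
        self.terminated = False
        self.log: list[dict] = []
        self._prev_hash = "0" * 64
        self.audit("login", {"user": user, "signals": dict(vars(signals))})

    def audit(self, event: str, data: dict) -> dict:
        """Append a record that commits to the previous record's hash, so an
        edited or deleted entry is detectable by verify_chain()."""
        entry = {"correlation_id": self.correlation_id, "seq": len(self.log),
                 "event": event, "data": data, "prev": self._prev_hash}
        entry["hash"] = _digest(entry)
        self._prev_hash = entry["hash"]
        self.log.append(entry)
        return entry

    def update_signals(self, **changes: float) -> None:
        """Apply a live trust update and enforce hard floors immediately."""
        for name, value in changes.items():
            setattr(self.signals, name, value)
        self.audit("trust_update", {"changes": changes,
                                    "composite": composite_trust(self.signals)})
        breached = [n for n, floor in HARD_FLOORS.items()
                    if getattr(self.signals, n) < floor]
        if breached and not self.terminated:
            self.terminated = True
            self.audit("enforce", {"effect": "terminate", "breached": breached})


def evaluate(session: Session, resource: str, action: str) -> dict:
    """Per-request decision against the current trust state, not the login-time
    state (tenets T3/T4). Shape loosely follows an AuthZEN response."""
    trust = composite_trust(session.signals)
    pol = POLICY[resource]
    if session.terminated:
        effect, reason = "deny", "session terminated"
    elif trust >= pol["min_trust"]:
        effect, reason = "permit", "trust at or above threshold"
    elif trust >= pol["min_trust"] - pol["step_up_band"]:
        effect, reason = "step_up", "trust within step-up band"
    else:
        effect, reason = "deny", "trust below threshold"
    context = {"effect": effect, "reason": reason, "trust": trust}
    session.audit("authz", {"resource": resource, "action": action, **context})
    return {"decision": effect == "permit", "context": context}


def verify_chain(log: list[dict]) -> bool:
    """Recompute the hash chain; False if any record was altered or removed."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def hijack_scenario() -> list[str]:
    """Constructed walk-through: clean login, behavioral drift, then the bonded
    phone leaves proximity while the session token is still perfectly valid."""
    s = Session("alice", TrustSignals(identity=0.95, proximity=0.90,
                                      location=0.90, device_health=1.00))
    effects = [evaluate(s, "cui-repo", "read")["context"]["effect"]]
    s.update_signals(identity=0.55)   # interaction pattern drifts
    effects.append(evaluate(s, "cui-repo", "read")["context"]["effect"])
    s.update_signals(proximity=0.05)  # phone gone: hard floor breached
    effects.append(evaluate(s, "cui-repo", "read")["context"]["effect"])
    return effects  # ['permit', 'step_up', 'deny']


if __name__ == "__main__":
    print(hijack_scenario())
```

The walk-through in `hijack_scenario` mirrors the post-MFA session-theft pattern described under "The Gap MFA Alone Leaves Open": nothing about the login token changes between the three requests, yet the second request is downgraded to step-up and the third is denied because the trust state moved. Every step is recoverable afterwards from the log entries that share the one correlation ID, and `verify_chain` shows how a log can be made tamper-evident by having each record commit to the previous one.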
Operational Impact for MSPs and MSSPs
For managed service providers supporting Defense Industrial Base (DIB) clients or other regulated industries, Pulse CA's ZTA and CMMC alignment translates directly into competitive and commercial advantages.
- Accelerate client CMMC assessments. The practices Pulse CA addresses (IA, AC, AU, CM) are among the most commonly cited gaps in CMMC readiness assessments. Deploying Pulse CA closes multiple high-priority gaps in a single engagement.
- Strengthen your ZTA posture statement. Pulse CA is one of the few platforms that maps credibly to all seven NIST SP 800-207 tenets. For clients building or certifying a ZTA architecture, Pulse CA is the identity and authentication layer of that architecture, not an add-on.
- Differentiate your managed security offering. Continuous authentication is not a commodity. An MSP that can provide clients with live session trust monitoring, behavioral anomaly detection, and automatic enforcement, at a per-user subscription price, is offering a meaningfully different service than competitors relying on login-time MFA and EDR.
- Simplify audit evidence collection. Pulse CA's correlated audit trail eliminates the manual evidence-gathering burden that typically accompanies CMMC assessments. Log export provides a structured, correlation-ID-linked record of every authentication, authorization evaluation, and enforcement action across all managed tenants.
Conclusion
Zero Trust Architecture and CMMC Level 3 both describe an identity security model that most organizations have not yet built: one where trust is continuously verified, never implicitly extended, and immediately revoked when conditions change. Conventional MFA satisfies the letter of the authentication requirement but not its intent: authentication that ends at login cannot satisfy a framework that demands continuous verification.
Pulse CA implements the full model. Its dual-assertion authentication, FIDO2 phishing-resistant device assertion combined with continuous Auth behavioral identity assertion, provides exceptional MFA that reaches NIST AAL3 and remains active throughout the session. Its AuthZEN authorization engine evaluates every access decision against a live trust picture. Its structured audit trail satisfies CMMC continuous monitoring and traceability requirements. And its seven-tenet NIST SP 800-207 alignment makes it a genuine ZTA implementation, not a ZTA-adjacent product.
To discuss Pulse CA's fit for your organization's ZTA or CMMC program, or to evaluate how Pulse CA maps to a specific set of practices relevant to your environment, contact the AffirmedID team or request a technical walkthrough.
US Patents Apply • Copyright © 2026 Affirmed Identity LLC