The most consequential breaches in national security history all started with a login.

SolarWinds and OPM weren’t breached—they were accessed through credentials no one controlled. SolarWinds reached the NSA, Treasury, and State Department. The OPM breach exposed 22 million security clearance files. MyCena closes that credential control gap for cleared personnel, contractors, and the AI agents being deployed.
organisations breached via one SolarWinds vendor credential — including NSA, Treasury, State Department
security clearance records stolen in OPM breach — via a single contractor credential
SolarWinds dwell time — undetected because the credential was valid
personal certification requirement for named individuals responsible for CUI access governance
The pattern

Three breaches. All entered through the supply chain credential layer.

Every major national security credential breach in the last decade followed the same architectural failure: a credential held by a contractor or vendor — outside the government organisation’s control — used as the entry point to classified and sensitive networks.

SolarWinds — 2020
$90M+
State-sponsored attackers compromised SolarWinds’ build environment and inserted a backdoor into the Orion software update.
18,000 organisations installed the compromised update. The NSA, Treasury, State Department, and DoD were among those breached. Dwell time: 9 months. Detection: only when a cybersecurity firm discovered the malware in its own network.
Entry point — vendor build credential, software supply chain
OPM — 2014–2015
22.1M
State-sponsored attackers used a stolen contractor credential from KeyPoint Government Solutions to access OPM’s background investigation databases.
Security clearance files for 22.1 million current and former federal employees, contractors, and their families were exfiltrated. Biometric fingerprint data for 1.1 million individuals stolen. FBI Director Comey called it “a very big deal from a national security perspective.”
Entry point — stolen contractor credential, background investigation systems
US Courts / CISA — 2020–2021
Ongoing
Following SolarWinds, the Administrative Office of US Courts confirmed its case management system was compromised, endangering sealed court documents.
CISA issued guidance that all credentials exposed to SolarWinds software should be considered compromised. Former Homeland Security Advisor Thomas Bossert warned it could take years to evict attackers from US networks.
Entry point — compromised credentials, trusted vendor chain

In SolarWinds and OPM, the attacker authenticated as a legitimate user. The security perimeters — firewalls, intrusion detection, anomaly monitoring — saw valid credentials being used by systems and people they recognised. Nine months in SolarWinds. Nearly a year in OPM. One credential unlocked networks that held the most sensitive national security data in the world. And in both cases, it was in the hands of a contractor — not the government organisation that needed to protect it.

Risk landscape

Six credential risks specific to defense and government

Defense and government environments carry the standard enterprise credential gap — amplified by classified information, cleared contractor populations, complex supply chains, and AI deployment mandates that are creating non-human identity risk at pace.

01 — National security
Classified and CUI credential access
Credentials that access Controlled Unclassified Information (CUI) and classified networks are the highest-value targets in the threat landscape. State-sponsored actors specifically target contractor credentials as the entry point to government networks — because contractors are often less hardened than the government organisations they serve, and their credentials provide direct access to the systems those organisations depend on.
A credential breach in a defence environment does not cost money first. It compromises operational security, exposes intelligence sources, and can endanger personnel in the field.
02 — Supply chain
Cleared contractor and vendor credentials
Defense and government organisations depend on extensive contractor and vendor ecosystems — cleared personnel, managed service providers, software vendors, system integrators. Each holds credentials to government networks. SolarWinds reached 18,000 organisations through one vendor’s build credential. OPM was breached through one contractor’s stolen credential. The supply chain credential is the attack surface most difficult to see and fastest to exploit.
The OPM director confirmed in congressional testimony that the breach entered through a contractor credential. 22.1 million security clearance files were the consequence.
03 — AI deployment mandate
FY26 NDAA AI credential governance gap
The FY26 National Defense Authorization Act mandates demonstrable AI governance across defence networks. Every AI agent deployed on government networks holds credentials to the systems it accesses. Those credentials are created by development teams, stored in configuration environments, and typically ungoverned by any central authority. The mandate requires AI governance — credential governance for non-human identities is the unsolved layer of that requirement.
AI agents on defence networks without credential governance are the next SolarWinds-equivalent attack surface: ungoverned, trusted, and operating at machine speed.

“Attackers spent nine months inside the NSA, Treasury, and State Department because a credential was valid. The perimeter never triggered. The detection never fired.”

Where credential control applies

The defence credential entry points MyCena closes

MyCena governs the credential layer above classified and sensitive systems — the contractor VPN access, the development pipeline credentials, the cleared personnel authentication, and the AI agent identities being deployed across defence networks. It does not require modification of classified systems or changes to security architectures.

MyCena governs
Contractor and vendor remote access
Cleared contractor VPN, remote desktop, and system access credentials
Every cleared contractor authenticates through MyCena. The government organisation generates the credential — the contractor never holds it — and revokes all access in seconds when the contract ends, the clearance changes, or an incident is detected. The OPM entry point — a stolen contractor credential — is structurally closed when the contractor does not hold the credential in the first place.
✓ OPM and SolarWinds entry point pattern — closed structurally
MyCena governs
Software build and development pipeline credentials
Developer credentials, build system access, CI/CD pipeline authentication
SolarWinds entered the US government through a compromised build environment credential. MyCena governs the authentication layer for development and build pipelines — developers never see the credentials that access production and government systems. Central generation, invisible injection, instant revocation when a developer leaves or a contract terminates.
✓ SolarWinds supply chain vector — closed at the build credential layer
MyCena governs
Cleared personnel workstation access
Government employee and cleared personnel authentication to sensitive systems
Every cleared employee accesses sensitive systems through MyCena — no password is created, held, or known. Insider threat actors cannot share or sell a credential they do not hold. Foreign intelligence services cannot extract a credential through coercion. The access event is attributed, logged, and revocable. CMMC 2.0 access control requirements are satisfied architecturally.
✓ Insider threat credential mechanism — structurally removed
MyCena governs
AI agents on defence networks
Autonomous AI agents, automated processes, and machine identities deployed under the FY26 NDAA AI mandate
AI agents deployed on defence networks hold credentials to the systems they access. Under MyCena, those credentials are generated centrally, attributed to the specific agent, never embedded in config files or known to developers, and instantly revocable when the deployment changes. The FY26 NDAA AI governance mandate requires demonstrable control — this is the credential layer that mandate requires.
✓ FY26 NDAA AI credential governance — structural compliance from deployment
What MyCena delivers

Structural credential control for cleared and contractor environments

The entry points in every major national security breach were at the contractor and vendor credential layer. MyCena closes those entry points without modifying classified systems, altering security architectures, or changing the operational access patterns of cleared personnel.

Supply chain credentials — owned by the government, not the contractor
Every contractor, vendor, and supplier who accesses government networks does so through credentials the government organisation generated and controls. When a contract ends — or when an incident is detected — all access is revoked in seconds across every system the contractor touched. SolarWinds entered for nine months because there was no structural revocation capability. MyCena provides it.
Cleared personnel — nothing to coerce, nothing to sell
Cleared personnel never hold their credentials in visible form. A foreign intelligence service that coerces a cleared employee to hand over access credentials finds there is nothing to hand over — the employee has never seen them. The insider threat credential mechanism is removed, not monitored.
CMMC 2.0 — access control requirements satisfied architecturally
CMMC 2.0 Level 2 and Level 3 require demonstrable access control for CUI — individual attribution, access logging, and instant revocation. MyCena satisfies these requirements architecturally rather than through policy assertion. The continuous audit trail is generated automatically, available on demand for assessor review.
Zero Trust prerequisite — credential integrity before identity verification
Zero Trust Architecture verifies identity at every access request. That verification is only meaningful if the credential being presented is legitimate. MyCena ensures credential integrity — the credential cannot be stolen, shared, or persist after departure — so ZTA verifies what it claims to verify.
The SolarWinds question
Former Homeland Security Advisor Thomas Bossert warned after SolarWinds that evicting the attackers could take years — because a valid vendor credential gave them months to establish persistence across thousands of networks. If SolarWinds had deployed credential control, the build environment access credential would not have existed in human hands. The 18,000-organisation cascade would not have been possible from that entry point.
How it works

Credential control without modifying classified infrastructure

MyCena deploys as a software overlay above existing security architectures. No classified system is modified. No security clearance process is changed. No ZTA implementation is disrupted.

Step 01
Government-generated credentials — contractor never creates their own
Every credential for government network access — contractor, vendor, cleared personnel, AI agent — is generated centrally by the government organisation. The contractor does not create a password. The vendor does not bring credentials from their own environment. Credential ownership is governmental from the moment of creation.
Step 02
Invisible injection — nothing to steal, nothing to coerce
Contractors and cleared personnel click to connect. MyCena injects the credential at authentication — it is never visible, never typed, never held. A foreign intelligence service that targets a cleared employee finds there is no credential to extract. A state-sponsored actor that targets a contractor finds nothing in the endpoint to harvest.
Step 03
Complete access map — every contractor, every system, every event
Every credential event is logged — which contractor, which government system, which data accessed, timestamp to the second, from which device and location. The access map is complete and current. When an incident investigation begins, the forensic trail exists from the first day of deployment. No reconstruction. No uncertainty.
Step 04
Instant revocation — contract end, clearance change, or incident
A contract ends: one command, all contractor access revoked across every government system simultaneously in seconds. A clearance is suspended: same command, same speed. A suspected insider incident: immediate revocation before lateral movement completes. The nine-month SolarWinds dwell window, closed to seconds.
CMMC 2.0 mapping

Access control requirements — CMMC 2.0 Level 2 and Level 3

CMMC 2.0 requires defence contractors to demonstrate technical access controls — not policy assertions. Every CMMC access control requirement maps directly to what MyCena delivers architecturally.

| CMMC 2.0 Requirement | Domain | Current market approach | MyCena approach | Structural |
| --- | --- | --- | --- | --- |
| AC.1.001 — Limit system access to authorised users | Access Control | IAM policy, user provisioning, access review | Credentials centrally generated — only authorised users provisioned, no self-service access creation | |
| AC.1.002 — Limit system access to authorised transactions | Access Control | Role-based access control policy | Role-based credential issuance — access scope enforced at credential generation, not just policy | |
| AC.2.006 — Use non-privileged accounts for non-privileged activities | Access Control | Separate account policy, user training | Separate credentials generated per role — privileged and standard access governed independently | |
| AC.2.013 — Monitor and control remote access sessions | Access Control | VPN logging, session monitoring tools | Every remote access credential injection logged with user identity, timestamp, and session detail | |
| AC.3.012 — Employ cryptographic mechanisms for remote access | Access Control | TLS, VPN encryption | Credentials distributed and stored encrypted — never in plaintext at any point in the lifecycle | |
| AU.2.042 — Create and retain system audit logs | Audit & Accountability | SIEM, manual log collection | Continuous automated log — every credential event attributed, timestamped, and audit-ready on demand | |
| IA.1.076 — Identify and authenticate system users | Identification & Authentication | Username/password, MFA | Individual credentials per user, centrally generated — no shared accounts structurally possible | |
| IA.3.083 — Use multifactor authentication for local and network access | Identification & Authentication | MFA deployment, hardware tokens | MyCena authentication plus MFA — complementary, not replacing | |

CMMC 2.0 assessment methodology requires technical evidence, not policy documentation. MyCena generates the access control and audit evidence required for Level 2 and Level 3 certification automatically — available for assessor review on demand rather than compiled before assessment.

Regulatory framework

CMMC 2.0, EO 14028, JSP 440, and the FY26 NDAA — all structurally addressed

Defence and government credential governance requirements span US and UK frameworks. Every relevant framework requires demonstrable access control evidence — MyCena generates it automatically.

CMMC 2.0 — Level 2 & 3
Cybersecurity Maturity Model Certification requires technical access controls for CUI — individual user attribution, access logging, MFA, and instant revocation capability. Level 3 requires additional advanced controls. Named individual certification applies to those responsible for access governance. Policy assertion is insufficient — technical evidence is required.
✓ AC and IA domains — structurally satisfied, evidence auto-generated
Executive Order 14028
Federal agencies must implement Zero Trust Architecture across their networks. ZTA requires that every access request is verified against a valid, legitimate credential. MyCena provides the credential integrity layer that makes ZTA verification meaningful — ensuring the credential presented is genuine, not stolen or persisted after departure.
✓ ZTA credential prerequisite — structural credential integrity
FY26 NDAA — AI Governance
The FY26 NDAA requires demonstrable AI governance across defence networks, including accountability for AI agent access and actions. AI agents accessing defence systems through MyCena have individually attributed, centrally governed, instantly revocable credentials — the credential governance layer the mandate requires but does not specify.
✓ AI agent credential governance — NDAA mandate satisfied
UK JSP 440 & Cyber Essentials Plus
JSP 440 (Secure by Design) and Cyber Essentials Plus require individual user authentication, access control evidence, and password governance for systems handling government data. Cyber Essentials Plus requires technical verification that controls work — not self-attestation. MyCena satisfies both through its architectural credential control model.
✓ JSP 440 and CE Plus — architectural compliance, not policy compliance
NCSC CAF — Principle B2
For UK government departments and CNI operators, CAF Principle B2 requires identity and access control to be managed structurally — not procedurally. “Closely manage and maintain identity and access control for users, devices, and systems” is the requirement. MyCena is the architectural mechanism that satisfies B2 at the credential layer.
✓ CAF B2 — satisfied architecturally, not procedurally
NIS2 — Essential Services
Government and defence organisations classified as essential services under NIS2 face personal liability for named management where access control governance fails. Article 20 personal accountability applies. Supply chain access governance under Article 21 requires demonstrable control of contractor and vendor credentials — not contractual policy requirements.
✓ NIS2 personal liability — structurally mitigated
Defense & Government briefing
A technical briefing on credential governance for cleared and contractor environments — CMMC 2.0, ZTA, and the FY26 NDAA AI mandate.