ADCS (Active Directory Certificate Services) is commonly assumed to satisfy CMMC Level 2 device authentication requirements, but it fundamentally cannot. CMMC Level 2 (NIST SP 800-171 control 3.5.2) demands verifiable evidence that device trust decisions were enforced at access time — not just that certificates were issued. Standard ADCS/SCEP deployments fail on four fronts: no proof of trust origin, no lifecycle evidence between issuance and expiration, credential portability risks from non-hardware-bound keys, and MDM compliance state that is decoupled from actual access events. Template hardening and TPM configuration improve hygiene but don't create the trust decision layer CMMC requires. A compliant architecture needs four layers: hardware attestation at issuance, hardware-bound identity, policy enforcement at access time, and auditable evidence generated as a byproduct of operation. A migration path is outlined moving from ADCS to a hardware-attested system (using ACME Device Attestation and mTLS), emphasizing that evidence history must be built before assessment — it cannot be retroactively created.
Table of contents
1. The Dangerous Default Assumption2. Where ADCS and SCEP Break Under CMMC3. Why ADCS Cannot Be Extended to Meet This Requirement4. The Real Requirement: Verifiable Device Identity5. Migration Path: ADCS to Smallstep6. Device Identity in Defense Environments7. The Real RiskSort: