Mailgent
Defense & CMMC Agent

CMMC-ready identity for defense industrial base agents.

NIST 800-171 requires unique identification for all processes handling CUI — including AI agents. Shared service accounts are direct examination findings. Failure to achieve CMMC certification means losing the ability to bid on DoD contracts. Mailgent provides per-agent identity that satisfies NIST 800-171 3.5.1 and 3.5.2 requirements.

mail.send, mail.reply, vault.store, vault.totp

API Primitives used

mail.send

Identified CUI communication

Send Controlled Unclassified Information via email from an identified agent within the CMMC boundary. DKIM-signed with unique agent identity headers.

vault.store

Secure credential management

Store ITAR-controlled system credentials, program office access tokens, and subcontractor portal keys. AES-256-GCM encrypted, scoped per agent identity.

vault.totp

Multi-factor authentication

Authenticate with DoD program portals, DCSA systems, and classified network access points that mandate 2FA. Generate TOTP codes without physical devices.

NIST 800-171 mandates unique agent identification.

Defense contractors deploying AI agents face a binary compliance requirement: NIST SP 800-171 Rev. 2 controls 3.5.1 and 3.5.2 require unique identification and authentication for all users and processes acting on behalf of users — including AI agents. CMMC 2.0 assessors specifically test for shared account usage. A finding against 3.5.1/3.5.2 blocks CMMC certification.

Without CMMC certification, defense contractors cannot bid on DoD contracts. For most companies in the defense industrial base, this is existential. False Claims Act liability (31 USC 3729) for self-certifying NIST 800-171 compliance while using shared credentials for AI agents exposes contractors to treble damages.

Mailgent provides each AI agent with a unique identity that satisfies NIST 800-171 3.5.1 and 3.5.2. Every agent action — email sent, credential accessed, TOTP code generated — is logged against the agent's unique identity. The delegation chain traces every action back to the authorized program manager. CMMC assessors get exactly the evidence they need.

How to build it.

01

Provision a CMMC-ready agent identity

Create a unique agent identity within your CMMC boundary. Each identity satisfies NIST 800-171 3.5.1 (identification) and 3.5.2 (authentication). Delegation chain: Program Manager > Contractor Org > Agent.

02 vault.store

Store program credentials securely

Store ITAR-controlled system credentials, subcontractor portal tokens, and program office access keys. AES-256-GCM encrypted with per-agent isolation. No shared credential stores.

03 mail.send

Communicate with identified attribution

Send CUI-containing communications from an identified agent address. DKIM-signed with agent identity headers. Every email is logged for NIST 800-171 audit requirements.

Example prompt

Send the updated technical data package to subcontractor team leads. Authenticate with the DCSA portal to verify their clearance status. Log every action for CMMC audit.

What defense contractors build.

CUI email distribution

Agent sends ITAR-controlled specifications, technical data packages, and program updates to authorized subcontractors. Each email is from an identified agent within the CMMC boundary with full NIST 800-171 compliant audit logging.

Subcontractor coordination

Agent coordinates with subcontractor program offices — sending RFIs, receiving deliverables, tracking milestones. Each communication carries the prime contractor's delegation chain. All interactions audit-logged for DCMA review.

DCSA portal authentication

Agent authenticates with DCSA, DIBNET, and program-specific portals using stored credentials and TOTP codes. Checks clearance status, submits required reports, and downloads compliance artifacts. Every login is logged with agent identity.

Incident reporting and response

Agent sends cyber incident reports to DCSA within the 72-hour DFARS 252.204-7012 requirement. Each report is from an identified agent with delegation chain proving authorization. Delivery proof satisfies reporting timeline evidence.

FedRAMP boundary communications

For cloud service providers in FedRAMP environments, agents send system status reports, POA&M updates, and incident notifications. Each communication satisfies NIST 800-53 IA-2 unique identification requirements.

Supply chain risk management

Agent monitors supplier compliance status, sends verification requests, and collects attestations. Every interaction is attributable to the supply chain risk management officer via delegation chain — satisfying NIST 800-171 3.4 requirements.

Why not shared service accounts?

Shared service accounts are a direct NIST 800-171 3.5.1 finding. CMMC assessors specifically test for unique identification of automated processes — including AI agents. A finding blocks certification, and without certification, you lose the ability to bid on DoD contracts. For most DIB companies, this is an existential business risk.

Beyond the immediate CMMC risk, False Claims Act liability (31 USC 3729) applies to contractors who self-certify NIST 800-171 compliance in DFARS 252.204-7019 while using shared credentials for AI agents. Treble damages apply. Mailgent's per-agent identity eliminates this exposure — each agent has its own unique identity, audit trail, and delegation chain that CMMC assessors can verify.

NIST 800-171 3.5.1/3.5.2

Each agent has a unique identity satisfying identification and authentication requirements. No shared service accounts.

CMMC audit evidence

Every action logged with agent identity, timestamp, and delegation chain. Assessors get the evidence they need for Level 2+ certification.

CUI-grade encryption

AES-256-GCM envelope encryption for all stored credentials. Per-agent isolation ensures CUI handling meets NIST 800-171 media protection controls.

Build CMMC-compliant agents.

Per-agent identity that satisfies NIST 800-171 — so you can keep bidding on DoD contracts.