Requirement text: IA.3.083: Use multifactor authentication for local and network access to privileged
accounts and for network access to non-privileged accounts.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Multifactor authentication requires the use of two or more different factors to authenticate.
The factors are defined as something you know (e.g., password, personal identification
number [PIN]); something you have (e.g., cryptographic identification device, token); or
something you are (e.g., biometric). Multifactor authentication solutions that feature
physical authenticators include hardware authenticators providing time-based or challenge-
response authenticators and smart cards. In addition to authenticating users at the system
level (i.e., at logon), organizations may also employ authentication mechanisms at the
application level, when necessary, to provide increased information security. Access to
organizational systems is defined as local access or network access. Local access is any
access to organizational systems by users (or processes acting on behalf of users) where such
access is obtained by direct connections without the use of networks. Network access is
access to systems by users (or processes acting on behalf of users) where such access is
obtained through network connections (i.e., nonlocal accesses). Remote access is a type of
network access that involves communication through external networks. The use of
encrypted virtual private networks for connections between organization-controlled and
non-organization controlled endpoints may be treated as internal networks with regard to
protecting the confidentiality of information.
CMMC CLARIFICATION
Implement a combination of two or more factors of authentication to verify privileged
account holders’ identity regardless of how the user is accessing the account. Implement a
combination of two or more factors for non-privileged users requiring network access.
These factors include:
• something you know (e.g., password/PIN);
• something you have (e.g., token); and
• something you are (e.g., biometrics).
Example
To improve the security of your network, you determine that multifactor authentication
(MFA) is necessary. MFA provides added confidence that the person attempting access is
who they claim to be, because a stolen password alone is no longer enough to log in. As
part of your plan for the IT infrastructure you enable MFA on your remote access point:
when users initiate remote access they are prompted for the additional authentication
factor. Because your organization also uses a cloud-based application, you enable MFA
when staff access the application from within the office, at home, or while traveling.
Finally, you work to enable MFA for users who log in to the network with their laptops and
desktops: you configure your internal directory service to require MFA when a user
authenticates to their system while on the network.
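The rule stated in the CMMC clarification (privileged accounts always, non-privileged accounts for network access) and the scenario in the example above can be turned into a concrete audit. The following is an added example, not code from the CMMC or NIST documents: a Python script that evaluates logon events against the IA.3.083 rule and flags the ones that completed without MFA. The event format, the factor names, and the factor-to-category table are assumptions for illustration; the check that the factors must come from two different categories follows the "two or more different factors" wording in the discussion, so a password plus a PIN is not counted as MFA.

```python
"""Audit logon events against the IA.3.083 multifactor authentication rule.

Added example. The event layout below is assumed (constructed for this page):
one record per successful logon with the account name, whether the account is
privileged, whether the access was local or network, and the factors presented.
"""
from dataclasses import dataclass

# Assumed factor names, each mapped to one of the three categories from the
# requirement: something you know, something you have, something you are.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "hardware_token": "have",
    "smart_card": "have",
    "totp_app": "have",
    "push_app": "have",
    "fingerprint": "are",
    "face": "are",
}

# Per the NIST discussion, remote access is a type of network access.
NETWORK_ACCESS = ("network", "remote")


@dataclass(frozen=True)
class AuthEvent:
    user: str
    privileged: bool
    access: str          # "local", "network" or "remote"
    factors: tuple       # factor names presented, e.g. ("password", "smart_card")


def mfa_required(privileged: bool, access: str) -> bool:
    """IA.3.083: MFA for privileged accounts on any access, and for
    non-privileged accounts on network (including remote) access."""
    if access != "local" and access not in NETWORK_ACCESS:
        raise ValueError(f"unknown access type: {access}")
    return privileged or access in NETWORK_ACCESS


def is_multifactor(factors) -> bool:
    """True only if the factors span at least two different categories.
    Two 'something you know' factors (password + PIN) are not MFA."""
    categories = set()
    for name in factors:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor type: {name}")
        categories.add(FACTOR_CATEGORY[name])
    return len(categories) >= 2


def audit(events):
    """Return the events that required MFA but authenticated without it."""
    return [e for e in events
            if mfa_required(e.privileged, e.access) and not is_multifactor(e.factors)]


# Constructed sample events for this example, not real log data.
SAMPLE_EVENTS = [
    AuthEvent("alice", True,  "network", ("password", "smart_card")),  # compliant
    AuthEvent("bob",   False, "local",   ("password",)),                # compliant: local, non-privileged
    AuthEvent("carol", False, "remote",  ("password",)),                # violation: network access, one factor
    AuthEvent("dave",  True,  "local",   ("password",)),                # violation: privileged, local logon
    AuthEvent("erin",  False, "network", ("password", "pin")),          # violation: both factors are "know"
    AuthEvent("frank", False, "network", ("fingerprint", "totp_app")),  # compliant
]

if __name__ == "__main__":
    for e in audit(SAMPLE_EVENTS):
        kind = "privileged" if e.privileged else "non-privileged"
        print(f"VIOLATION: {e.user} ({kind}, {e.access}) logged on with {list(e.factors)}")
```

To run this against real data, map your identity provider's logon records onto AuthEvent (account, privilege flag, local/network/remote, factors used) and extend FACTOR_CATEGORY with the factor names your provider reports; the category check is the part most audits get wrong, since a second "something you know" factor satisfies neither the requirement nor the discussion's definition.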
References
• NIST SP 800-171 Rev 1 3.5.3
• CIS Controls v7.1 4.5, 11.5, 12.11
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• CERT RMM v1.2 TM:SG4.SP1
• NIST SP 800-53 Rev 4 IA-2(1), IA-2(2), IA-2(3)
• AU ACSC Essential Eight