Reference: CMMC 2.0
Level Introduced: 2
Title: Multifactor Authentication
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Implement a combination of two or more factors of authentication to verify privileged account holders' identity regardless of how the user is accessing the account. Implement a combination of two or more factors for non-privileged users requiring network access. These factors include:
• something you know (e.g., password/PIN);
• something you have (e.g., token); and
• something you are (e.g., biometrics).
To improve security of your network you determine multifactor authentication (MFA) is necessary. Multifactor authentication will provide confirmation that the person attempting access is who they claim to be, and is not someone using a stolen password. As part of your plan for the IT infrastructure you enable multifactor authentication on your remote access point. When users initiate remote access they will be prompted for the additional authentication factor. Because your organization is also using a cloud-based application you enable MFA when staff access the application from within the office, at home, or on travel. Finally, you work to enable MFA for users who login into the network with their laptops and desktops. You configure your internal directory service to require MFA when a user authenticates to their system while on the network.