CMMC Practices

IA.L2-3.5.3  

Reference: CMMC 2.11

Family: IA

Level Introduced: 2

Title: Multifactor Authentication

Practice:
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

CMMC Clarification:
Implement a combination of two or more factors of authentication to verify privileged account holders' identity regardless of how the user is accessing the account. Implement a combination of two or more factors for non-privileged users requiring network access. These factors include:
• something you know (e.g., password/PIN);
• something you have (e.g., token); and
• something you are (e.g., biometrics).

Example
To improve the security of your network, you determine that multifactor authentication (MFA) is necessary. Multifactor authentication provides confirmation that the person attempting access is who they claim to be, and not someone using a stolen password. As part of your plan for the IT infrastructure, you enable multifactor authentication on your remote access point. When users initiate remote access, they are prompted for the additional authentication factor. Because your organization is also using a cloud-based application, you enable MFA when staff access the application from within the office, at home, or on travel. Finally, you work to enable MFA for users who log in to the network with their laptops and desktops. You configure your internal directory service to require MFA when a user authenticates to their system while on the network.
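The following is an added illustration, not part of the CMMC text: a small policy check that encodes the scope of this practice (privileged accounts for local and network access, non-privileged accounts for network access only) and the rule that the factors must come from two or more distinct categories, so a password plus a PIN does not count as MFA. The authenticator names in the mapping are constructed for the example.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the CMMC clarification."""
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # hardware token, authenticator app
    ARE = "something you are"     # biometric


# Constructed mapping from authenticator type to factor category.
# These authenticator names are illustrative, not taken from the practice text.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


def mfa_required(privileged: bool, network_access: bool) -> bool:
    """IA.L2-3.5.3 scope: privileged accounts always (local and network);
    non-privileged accounts only when the access is over the network."""
    return privileged or network_access


def distinct_factors(authenticators):
    """Return the set of factor categories actually represented.
    Two authenticators of the same category (password + PIN) count once.
    An authenticator not in the mapping raises KeyError on purpose: an
    unclassified method must not silently count as a factor."""
    return {AUTHENTICATOR_CATEGORY[a] for a in authenticators}


def access_compliant(privileged, network_access, authenticators):
    """True when the login meets the practice: either MFA is out of scope
    for this access type (any single authenticator suffices), or at least
    two distinct factor categories were presented."""
    if not mfa_required(privileged, network_access):
        return len(authenticators) >= 1
    return len(distinct_factors(authenticators)) >= 2


if __name__ == "__main__":
    # Scenarios from the example above: remote access, cloud app, directory logon.
    print(access_compliant(False, True, ["password", "authenticator_app"]))  # True
    print(access_compliant(True, False, ["password", "pin"]))                # False
    print(access_compliant(False, False, ["password"]))                      # True
```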


Source: CMMC v2.0