CMMC Practice IA.L2-3.5.3

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Bold Coast Security Guidance

There is a lot going on here, so let's break it all down:

1) Multi-factor Authentication (MFA) is a combination of two of the three factors listed in the guidance: something you know, something you have, or something you are.

2) MFA is required for all administrative or privileged access. This is required whether you are connecting remotely, on the network, or even sitting at a console physically in front of the server, mainframe, or computer.

3) MFA is required for all remote access to your network or cloud resources, for all users. We don't recommend allowing administrators to have remote access to your network. They should connect as a normal user first, then switch to an administrative account.

4) MFA is required for all network connections for all users. This is where it gets interesting. Signing into your local workstation should not be considered network access, as you are physically in front of your computer; but if your computer authenticates to a network server, as most do, CMMC considers that network access, and you must implement MFA. This is a bit of a step backward, in our opinion, as it may drive organizations back to local accounts, which are less secure and more difficult to manage. However, the practice currently states this is the requirement, and it's further impressed upon us by the CMMC clarification, so prepare to implement MFA across the board, for all users.

Discussion From Source

DRAFT NIST SP 800-171 R2

Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.

Access to organizational systems is defined as local access or network access.

• Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks.
• Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses).
• Remote access is a type of network access that involves communication through external networks.

The use of encrypted virtual private networks for connections between organization-controlled and non-organization-controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.
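The two passages above (the Bold Coast breakdown and the NIST discussion) together give a decision rule: MFA means authenticators from two or more different factor categories, and whether MFA is required depends on the access type (local, network, remote) and whether the account is privileged. The following is an added example, not part of the CMMC practice text, the NIST draft or Bold Coast's guidance, that encodes that rule as a small policy checker a practitioner could run against login records. The authenticator names, function names and sample events are constructed for illustration; only the factor categories and the access/privilege matrix come from the text.

```python
"""Added example: IA.L2-3.5.3 as decision logic (not part of the original page).

Factor categories and the access/privilege rules follow the practice text and
the NIST discussion; authenticator names and sample events are constructed.
"""
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


class Access(Enum):
    LOCAL = "local"        # direct connection, no network involved
    NETWORK = "network"    # obtained through a network connection
    REMOTE = "remote"      # a type of network access over external networks


# Constructed mapping of authenticator types to factor categories.
# Note that password + PIN both fall under KNOW and therefore do not make MFA.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "totp_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


def is_multifactor(authenticators):
    """True when the authenticators span two or more distinct factor categories.

    Unknown authenticator types fail closed: they cannot be counted as a factor.
    """
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name!r}")
        categories.add(AUTHENTICATOR_CATEGORY[name])
    return len(categories) >= 2


def mfa_required(access, privileged):
    """Return True if the practice requires MFA for this access/privilege pair.

    Privileged accounts: MFA for local and network (including remote) access.
    Non-privileged accounts: MFA for network and remote access only.
    """
    if privileged:
        return True
    return access in (Access.NETWORK, Access.REMOTE)


def evaluate(event):
    """Return (compliant, reason) for one authentication event.

    event is a dict with keys: access (Access), privileged (bool),
    authenticators (list of authenticator type names).
    """
    required = mfa_required(event["access"], event["privileged"])
    mfa = is_multifactor(event["authenticators"])
    if required and not mfa:
        return False, "MFA required but authenticators cover a single factor category"
    if mfa:
        return True, "MFA satisfied"
    return True, "MFA not required for non-privileged local access"


# Constructed sample events covering the four cases discussed in the text.
SAMPLE_EVENTS = [
    {"access": Access.LOCAL, "privileged": False, "authenticators": ["password"]},
    {"access": Access.NETWORK, "privileged": False, "authenticators": ["password", "pin"]},
    {"access": Access.NETWORK, "privileged": True, "authenticators": ["password", "smart_card"]},
    {"access": Access.LOCAL, "privileged": True, "authenticators": ["password"]},
]


def audit(events=SAMPLE_EVENTS):
    """Return the list of (compliant, reason) results for the given events."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (ok, reason) in zip(SAMPLE_EVENTS, audit()):
        print(f"{event['access'].value:8} privileged={event['privileged']!s:5} "
              f"{'OK ' if ok else 'FAIL'} {reason}")
```

The second sample event is the one most often missed in practice: a password plus a PIN is two authenticators but one factor category, so `is_multifactor` rejects it. The fourth shows the console case from the guidance: a privileged login at the physical console is still local access to a privileged account and therefore still needs MFA.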
