Level 5 CMMC - CMMC Practices

IA.3.083  

Reference: CMMC 1.02

Family: IA

Level Introduced: 3

Practice:
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

CMMC Clarification:
Implement a combination of two or more factors of authentication to verify privileged account holders’ identity regardless of how the user is accessing the account. Implement a combination of two or more factors for non-privileged users requiring network access. These factors include:
• something you know (e.g., password/PIN);
• something you have (e.g., token); and
• something you are (e.g., biometrics).

Example
To improve security of your network you determine multifactor authentication (MFA) is necessary. Multifactor authentication will provide confirmation that the person attempting access is who they claim to be, and is not someone using a stolen password. As part of your plan for the IT infrastructure you enable multifactor authentication on your remote access point. When users initiate remote access they will be prompted for the additional authentication factor. Because your organization is also using a cloud-based application you enable MFA when staff access the application from within the office, at home, or on travel. Finally, you work to enable MFA for users who login into the network with their laptops and desktops. You configure your internal directory service to require MFA when a user authenticates to their system while on the network.

3.5.3

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Discussion:
Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.

Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.

[SP 800-63-3] provides guidance on digital identities.

*Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.

*Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Source: NIST Special Publication 800-171 Rev. 2

IA-2 (1)

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS

Description:
The information system implements multifactor authentication for network access to privileged accounts.

Supplemental Guidance:
Related control: AC-6.

IA-2 (2)

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

Description:
The information system implements multifactor authentication for network access to non-privileged accounts.

Supplemental Guidance:
None

IA-2 (3)

IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS

Description:
The information system implements multifactor authentication for local access to privileged accounts.

Supplemental Guidance:
Related control: AC-6.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02