IA.3.083

Content

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

3

800-171 Control #

3.5.3

CMMC Description

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

CMMC Clarification

Implement a combination of two or more factors of authentication to verify privileged account holders’ identity regardless of how the user is accessing the account. Implement a combination of two or more factors for non-privileged users requiring network access. These factors include:

* something you know (e.g., password/PIN)
* something you have (e.g., token)
* something you are (e.g., biometrics)

Example

To improve the security of your network you determine that multifactor authentication (MFA) is necessary. Multifactor authentication provides confirmation that the person attempting access is who they claim to be, and is not someone using a stolen password. As part of your plan for the IT infrastructure you enable multifactor authentication on your remote access point. When users initiate remote access they are prompted for the additional authentication factor. Because your organization is also using a cloud-based application, you enable MFA when staff access the application from within the office, at home, or on travel. Finally, you work to enable MFA for users who log in to the network with their laptops and desktops. You configure your internal directory service to require MFA when a user authenticates to their system while on the network.

800-171 Description

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

800-171 Discussion

Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.

Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization-controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.

Footnote 24: Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.

Footnote 25: Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). [SP 800-63-3] provides guidance on digital identities.
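As an added example that is not part of the control text or of any NIST publication, the following Python scores a constructed set of access events against sub-criteria [a] to [d], treating two authenticators from the same category (for example a password plus a security question) as a single factor; the account names, event format and category labels are assumptions.

```python
# Added example (not from the CMMC/NIST text): an assessor-style check of
# IA.3.083 [a]-[d]. Assumed inputs (mine): the set of privileged account names
# and access events as (account, access_type, [(authenticator, category), ...])
# where category is "know", "have" or "are".
from typing import List, Set, Tuple

FACTOR_CATEGORIES = {"know", "have", "are"}
Event = Tuple[str, str, List[Tuple[str, str]]]  # (account, "local"|"network", authenticators)


def distinct_factors(authenticators: List[Tuple[str, str]]) -> int:
    """Count distinct factor categories. A password plus a security question
    is still one 'something you know' factor, so it is not MFA."""
    categories = {category for _, category in authenticators}
    unknown = categories - FACTOR_CATEGORIES
    if unknown:
        raise ValueError(f"unknown factor category: {sorted(unknown)}")
    return len(categories)


def mfa_required(privileged: bool, access_type: str) -> bool:
    """IA.3.083: privileged accounts need MFA for local and network access,
    non-privileged accounts for network access only (remote access is network)."""
    if access_type not in ("local", "network"):
        raise ValueError(f"unknown access type: {access_type}")
    return privileged or access_type == "network"


def assess(privileged_accounts: Set[str], events: List[Event]) -> List[str]:
    """One finding per event that needed MFA but used a single factor,
    labelled with the sub-criterion it fails ([b], [c] or [d])."""
    findings = []
    for account, access_type, authenticators in events:
        privileged = account in privileged_accounts
        if not mfa_required(privileged, access_type):
            continue
        if distinct_factors(authenticators) >= 2:
            continue
        criterion = "[d]" if not privileged else "[b]" if access_type == "local" else "[c]"
        used = ", ".join(name for name, _ in authenticators)
        findings.append(f"{criterion} {account}: {access_type} access with one factor ({used})")
    return findings


# Constructed sample data; the privileged set doubles as the [a] inventory.
PRIVILEGED = {"dom-admin"}
SAMPLE_EVENTS: List[Event] = [
    ("dom-admin", "local", [("password", "know"), ("smartcard", "have")]),
    ("dom-admin", "network", [("password", "know"), ("security-question", "know")]),
    ("jdoe", "network", [("password", "know")]),
    ("jdoe", "local", [("password", "know")]),  # non-privileged local: MFA not required
]
```

Running `assess(PRIVILEGED, SAMPLE_EVENTS)` reports the privileged network logon that relied on two "know" authenticators and the non-privileged network logon with a password alone, and nothing for the non-privileged local logon, which the control does not cover.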

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 4.5, 11.5, 12.11

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-2(1), IA-2(2), IA-2(3)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.3

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

CERT RMM Reference

CERT RMM v1.2 TM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

AU ACSC Essential Eight

Sub-Criteria

Assessment Sub-Criteria 1

IA.3.083.[a] privileged accounts are identified;

Assessment Sub-Criteria 2

IA.3.083.[b] multifactor authentication is implemented for local access to privileged accounts;

Assessment Sub-Criteria 3

IA.3.083.[c] multifactor authentication is implemented for network access to privileged accounts; and

Assessment Sub-Criteria 4

IA.3.083.[d] multifactor authentication is implemented for network access to non-privileged accounts.
