CMMC Practice IA.L2-3.5.3

Multifactor Authentication: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Monarch ISC Guidance

There is a lot going on here so lets break it all down: 1) Multi-factor Authentication (MFA) is a combination of two of the three factors listed in the guidance: something you know, something you have, or something you are. 2) MFA is required for all administrative or privileged access. This is required if you are connecting remotely, on the network, or even sitting at a console physically in front of the server, mainframe, or computer. 3) MFA is required for all remote access to your network or cloud resources, for all users. We don't recommend allowing administrators to have remote access to your network. They should connect as a normal user first,, then switch to an administrative account. 4) MFA is required for all network connections for all users. This is where it gets interesting. Signing into your local workstation should not be considered network access as you are physically in front of your computer, but if your computer authenticates to a network server, as most do, CMMC is considering that network access, and you must implement MFA. This is a bit of a step backward, in our opinion, as it may drive organization back to local accounts, which are less secure and more difficult to manage. However, the practice currently states this is the requirement, and its further impressed upon us by the CMMC clarification, so prepare to implement MFA across the board, to all users.

Discussion From Source

NIST SP 800-171 R2 Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. NIST SP 800-63-3 provides guidance on digital identities.

References