3.5.3

Requirement

Implement multi-factor authentication for access to privileged and non-privileged accounts.

Discussion

This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: identification and authentication policy and procedures; system design documentation; list of system accounts; system configuration settings; system audit records; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for supporting or implementing a multi-factor authentication capability]
Test

[SELECT FROM: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system developers; system administrators]

ID	Assessment Objectives
A.03.05.03[01]	multi-factor authentication for access to privileged accounts is implemented.
A.03.05.03[02]	multi-factor authentication for access to non-privileged accounts is implemented.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!