NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.3 Multi-Factor Authentication

This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • multi-factor authentication for access to privileged accounts is implemented.
  • multi-factor authentication for access to non-privileged accounts is implemented.

Practitioner Notes

Multi-factor authentication (MFA) means you need two different types of proof to log in — typically your password (something you know) plus a code from your phone or a hardware key (something you have). A password alone is not enough anymore.

This applies to both privileged accounts (admins) and regular user accounts.

Example 1: In the M365 Admin Center, go to Users > Active Users > Multi-factor authentication (or use the Entra Admin Center under Protection > Authentication Methods). Enable MFA for all users via a Conditional Access policy that requires MFA for all cloud apps. For stronger assurance, configure the policy to require phishing-resistant methods (FIDO2 keys or Windows Hello) for admin accounts.
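The two policies from Example 1 expressed through Microsoft Graph PowerShell, as an added example that is not part of the original page: both Conditional Access policies are created in report-only state, and a closing query lists the evidence an assessor would want for the two assessment objectives. It assumes the Microsoft.Graph module, an account with consent for Policy.ReadWrite.ConditionalAccess and Application.Read.All, and a placeholder object ID for the emergency-access (break-glass) account that is excluded from both policies; the role template ID and authentication-strength ID are Microsoft's documented built-in values.

```powershell
# Added example (not from the original page). Assumes Microsoft.Graph module
# and consent for Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Policy 1: MFA for all users on all cloud apps (non-privileged objective).
# Exclude the emergency-access (break-glass) account so the tenant cannot be locked out.
$breakGlassId = "<break-glass-account-object-id>"   # placeholder, replace
$allUsersMfa = @{
    displayName   = "CA001 - Require MFA for all users (3.5.3)"
    state         = "enabledForReportingButNotEnforced"   # set "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersMfa

# Policy 2: phishing-resistant MFA (FIDO2, Windows Hello for Business, CBA) for
# privileged roles. 62e90394-... is the Global Administrator role template ID;
# 0000...0004 is the built-in "Phishing-resistant MFA" authentication strength.
$adminPolicy = @{
    displayName   = "CA002 - Phishing-resistant MFA for admins (3.5.3)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
                          excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Evidence for both assessment objectives: every non-disabled policy, who it
# targets, and which MFA control or strength it requires.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "disabled" } |
    Select-Object DisplayName, State,
        @{ n = "Users";    e = { $_.Conditions.Users.IncludeUsers -join "," } },
        @{ n = "Roles";    e = { $_.Conditions.Users.IncludeRoles -join "," } },
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } },
        @{ n = "Strength"; e = { $_.GrantControls.AuthenticationStrength.Id } }
```

Review the report-only sign-in logs for unexpected blocks before switching `state` to `enabled`; a policy that covers all users and all apps with no working exclusion can lock every administrator out.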

Example 2: For on-premises systems, deploy Duo Security or RSA SecurID as an MFA solution. Install the Duo Authentication Proxy and configure it to integrate with your Active Directory. Apply Duo to VPN logins and RDP sessions by configuring the Duo RDP application on each server under Applications > Protect an Application > Microsoft RDP.