NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.

AC-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Control Family: Identification and Authentication

Control Type: Derived

SPRS Value: 3/5

SPRS Supplemental Guidance:

Subtract 5 points if MFA not implemented. Subtract 3 points if implemented for remote and privileged users, but not the general user.

CMMC Level(s):

IA.L2-3.5.3

Top Ten Failed Requirement:

#2

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

IA-2(1)
IA-2(2)
IA-2(3)

NIST Supplemental Guidance:

[SP 800-63-3]

Discussion:

Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.

Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization-controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.

[SP 800-63-3] provides guidance on digital identities.

Upon assessment, assessors must determine if:

3.5.3[a] privileged accounts are identified.
3.5.3[b] multifactor authentication is implemented for local access to privileged accounts.
3.5.3[c] multifactor authentication is implemented for network access to privileged accounts.
3.5.3[d] multifactor authentication is implemented for network access to non-privileged accounts.

Assessors are instructed to:

Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms supporting or implementing multifactor authentication capability].

Control Families

3.1: Access Control

3.2: Awareness and Training

3.3: Audit and Accountability

3.4: Configuration Management

3.5: Identification and Authentication

3.6: Incident Response

3.7: Maintenance

3.8: Media Protection

3.9: Personnel Security

3.10: Physical Protection

3.11: Risk Assessment

3.12: Security Assessment

3.13: System and Communications Protection

3.14: System and Information Integrity