CMMC 2.0 • LEVEL 2 • IDENTIFICATION & AUTHENTICATION
IA.L2-3.5.3 — Multi-Factor Authentication
This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.
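The following is an added example, not part of the CMMC control text or of NIST SP 800-171: a minimal server-side verifier that combines a "something you know" factor (a PIN stored as a salted PBKDF2 hash) with a "something you have" factor (a time-based one-time password per RFC 6238, the kind produced by time-based hardware or app authenticators). The user record, the 200,000-iteration PBKDF2 setting, the one-step clock-skew window and the sample secret and salt are all constructed for illustration. It also shows the replay guard RFC 6238 recommends: a time step that has already produced an accepted code is never accepted again.

```python
"""Two-factor verification: knowledge factor (PIN) + possession factor (TOTP).
Added illustration for IA.L2-3.5.3; not code from CMMC, NIST, or any vendor."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed value; tune to your hardware budget


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class UserRecord:
    """Hypothetical per-user state a verifier would persist."""
    pin_salt: bytes
    pin_hash: bytes
    totp_secret: bytes
    last_accepted_step: int = -1  # replay guard: a step is accepted at most once


def enroll(pin: str, totp_secret: bytes, salt: bytes) -> UserRecord:
    """Store the knowledge factor as a salted PBKDF2 hash, never in the clear."""
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return UserRecord(pin_salt=salt, pin_hash=pin_hash, totp_secret=totp_secret)


def check_pin(user: UserRecord, pin: str) -> bool:
    """Constant-time comparison of the submitted PIN's hash against the record."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user.pin_salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, user.pin_hash)


def match_totp(user: UserRecord, code: str, unix_time: int,
               step: int = 30, digits: int = 6, skew: int = 1) -> Optional[int]:
    """Return the time step whose code matches, or None.

    Accepts the current step plus `skew` steps either side to tolerate clock
    drift, but never a step at or before the last accepted one (replay).
    Does not mutate the record; the caller commits only on full success."""
    current = unix_time // step
    for delta in range(-skew, skew + 1):
        candidate_step = current + delta
        if candidate_step <= user.last_accepted_step:
            continue
        expected = hotp(user.totp_secret, candidate_step, digits)
        if hmac.compare_digest(expected, code):
            return candidate_step
    return None


def authenticate(user: UserRecord, pin: str, code: str, unix_time: int) -> bool:
    """Both factors are evaluated every time; the TOTP step is consumed only
    when the whole login succeeds, so a failed attempt burns nothing."""
    pin_ok = check_pin(user, pin)
    matched_step = match_totp(user, code, unix_time)
    if pin_ok and matched_step is not None:
        user.last_accepted_step = matched_step
        return True
    return False


if __name__ == "__main__":
    # Constructed enrollment: RFC 6238 test secret and a fixed salt for the demo.
    user = enroll("1234", b"12345678901234567890", b"constructed-demo-salt")
    now = 1111111109
    code = totp(user.totp_secret, now)
    print("first login :", authenticate(user, "1234", code, now))   # True
    print("replayed    :", authenticate(user, "1234", code, now))   # False
    print("wrong PIN   :", authenticate(user, "0000", totp(user.totp_secret, now + 30), now + 30))
```

The one-step skew window is a deliberate trade-off: wider windows tolerate more drift but enlarge the set of codes an observer could reuse, and the `last_accepted_step` guard is what keeps a captured code from working twice. In a real deployment the record would also carry a failed-attempt counter and lockout to blunt online guessing of the six-digit code.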
Assessment Objectives
- multi-factor authentication for access to privileged accounts is implemented.
- multi-factor authentication for access to non-privileged accounts is implemented.
Practitioner Notes
Practitioner commentary coming soon.