NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-2(3) — Local Access to Privileged Accounts
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This enhancement requires MFA for local (console) access to privileged accounts: not only for remote access, but also when the administrator is physically sitting at the machine.
Example 1: Configure Windows Hello for Business with PIN plus biometric to require multi-factor authentication even for local administrator logins at the console.
Example 2: For Linux servers, configure PAM (Pluggable Authentication Modules) to require a TOTP code from Google Authenticator in addition to the password for local root access.
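A check to go with Example 2, added here as an illustration and not part of NIST's text or the original notes: the script audits a PAM service file and reports whether the TOTP module is actually mandatory. It assumes the Google Authenticator PAM module is installed as `pam_google_authenticator.so` and that console logins use a service file such as `/etc/pam.d/login`; the function names and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PAM service file for an
# enforced TOTP factor. Assumes the Google Authenticator PAM module
# (pam_google_authenticator.so) and a service file such as /etc/pam.d/login.

# Print one verdict for the PAM file given as $1:
#   ENFORCED       module is required/requisite and has no nullok
#   NULLOK         users with no enrolled TOTP secret skip the second factor
#   NOT_MANDATORY  control is not required/requisite (includes bracketed
#                  [value=action] controls, which need manual review)
#   MISSING        no active auth line loads the module
pam_totp_verdict() {
    awk '
        /^[ \t]*#/ { next }                            # ignore comment lines
        $1 == "auth" && /pam_google_authenticator\.so/ {
            found = 1
            if ($2 != "required" && $2 != "requisite") weak = 1
            for (i = 3; i <= NF; i++) if ($i == "nullok") nullok = 1
        }
        END {
            if (!found)      print "MISSING"
            else if (weak)   print "NOT_MANDATORY"
            else if (nullok) print "NULLOK"
            else             print "ENFORCED"
        }' "$1"
}

# Write a constructed sample PAM file ($2 = the TOTP line) and print its verdict.
check_sample() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample, not a real system file' \
        'auth required pam_unix.so' "$2" > "$sample"
    printf '%-18s %s\n' "$1" "$(pam_totp_verdict "$sample")"
    rm -f "$sample"
}

check_sample "password + TOTP"  'auth required pam_google_authenticator.so'
check_sample "TOTP with nullok" 'auth required pam_google_authenticator.so nullok'
check_sample "TOTP optional"    'auth optional pam_google_authenticator.so'
check_sample "TOTP commented"   '#auth required pam_google_authenticator.so'
```

Only the first sample reports `ENFORCED`; run `pam_totp_verdict` against each service file that can grant a local privileged session, since which files those are varies by distribution.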