NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(6)Access to Accounts —separate Device

Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that: One of the factors is provided by a device separate from the system gaining access; and The device meets {{ insert: param, ia-02.06_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.

Practitioner Notes

This enhancement requires MFA using a separate physical device — the authentication factor must come from a device that is different from the system being accessed.

Example 1: Require users accessing their laptop to authenticate with a YubiKey hardware token or a code from their mobile phone authenticator app — a separate device.

Example 2: For VPN access from a laptop, require an approval push notification on the user's enrolled Microsoft Authenticator smartphone — ensuring a second device is involved.

More Identification and Authentication Controls

IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts