NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(7) Network Access to Non-privileged Accounts — Separate Device

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement was incorporated into IA-2(6). It previously addressed MFA via a separate device specifically for non-privileged network access.

Example 1: Apply the same separate-device MFA requirement to non-privileged accounts: standard users must also use a phone or hardware token, not just software on the same computer.

Example 2: Configure Conditional Access to require phishing-resistant MFA (FIDO2 key or Windows Hello) for all users, regardless of privilege level.