Anyone who has ever used an online service such as email or social media is familiar with the term “multifactor authentication.” But is it required as part of the Cybersecurity Maturity Model Certification (CMMC)? In today’s post, we provide all the answers you need.
What Is Multifactor Authentication?
Multifactor authentication (or MFA for short) is an approach to data security where a system verifies a user’s identity by asking for two or more credentials.
Typically, a multifactor authentication login would require the user to present some combination of the following:
- Something the user knows: a password or Personal Identification Number (PIN)
- Something the user has: a smart card, mobile token, or hardware token
- Something the user is: a biometric factor such as a fingerprint, palm print, or voice recognition
By requiring multiple pieces of evidence before granting access, multifactor authentication helps ensure that only legitimate users can access accounts and applications.
This creates an additional layer of security beyond passwords alone: a stolen or guessed password is not enough on its own, which makes it more difficult for malicious actors to gain unauthorized access to user accounts and data.
Note that, in order to count as MFA, a login must require two different types of evidence. Asking users to provide two passwords or two biometric factors does not qualify as MFA, because both pieces of evidence come from the same category.
Multifactor Authentication and CMMC
The Cybersecurity Maturity Model Certification requires multifactor authentication in two specific instances, both of which are required if you aim to achieve CMMC Level 2 or higher.
Before we dive deeper into the subject, you need to understand how NIST SP 800-171 and CMMC categorize the different types of access to organizational systems:
- Local access: Access is obtained by direct connections without the use of networks.
- Network access: Access is obtained through network connections.
- Remote access: Network access that involves communication through external networks.
The practice Multifactor Authentication (IA.L2-3.5.3), within the domain Identification and Authentication (IA), requires defense contractors to “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” In other words, privileged accounts need MFA for every kind of access, while non-privileged accounts need it only when they come in over the network.
The practice Nonlocal Maintenance (MA.L2-3.7.5), within the domain Maintenance (MA), requires you to “Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.”
Here it’s useful to remember that CMMC Level 1 is geared towards protecting Federal Contract Information (FCI), while CMMC Levels 2 and 3 cover both FCI and Controlled Unclassified Information (CUI).
This means that if you are a defense contractor that handles CUI, you need to implement MFA as outlined in CMMC.
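To make the two practices concrete, here is a small audit check that applies the IA.L2-3.5.3 and MA.L2-3.7.5 rules, together with the “two different types of evidence” rule, to a batch of authentication events. This is an added example written for this post, not code from any CMMC assessment tool; the event fields, factor labels, and sample events are constructed assumptions.

```python
# Factor categories that count as distinct types of evidence:
# "knows" (password/PIN), "has" (smart card, token), "is" (biometric).
FACTOR_TYPES = {"knows", "has", "is"}

def is_mfa(factors):
    """True only if at least two *different* factor types were presented.
    Two passwords or two biometrics are the same type and do not qualify."""
    types = {f for f in factors if f in FACTOR_TYPES}
    return len(types) >= 2

def mfa_required(access, privileged=False, maintenance=False):
    """Return True if CMMC requires MFA for this session.
    access is 'local', 'network', or 'remote' (remote is network access
    over an external network, so every network rule applies to it too)."""
    if maintenance and access == "remote":
        return True  # MA.L2-3.7.5: nonlocal maintenance via external networks
    if privileged:
        return True  # IA.L2-3.5.3: privileged accounts, local and network access
    if access in ("network", "remote"):
        return True  # IA.L2-3.5.3: non-privileged accounts, network access only
    return False     # local access by a non-privileged account

def audit(events):
    """Return the users whose login needed MFA but did not present it."""
    findings = []
    for e in events:
        required = mfa_required(e["access"], e.get("privileged", False),
                                e.get("maintenance", False))
        if required and not is_mfa(e["factors"]):
            findings.append(e["user"])
    return findings

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"user": "admin1", "access": "local", "privileged": True,
     "factors": ["knows"]},                    # violation: privileged, password only
    {"user": "alice", "access": "local", "factors": ["knows"]},  # ok: local, non-privileged
    {"user": "bob", "access": "network",
     "factors": ["knows", "knows"]},           # violation: two passwords are one type
    {"user": "vendor", "access": "remote", "maintenance": True,
     "factors": ["knows", "has"]},             # ok: password + hardware token
    {"user": "carol", "access": "network", "factors": ["has", "is"]},  # ok
]

if __name__ == "__main__":
    print("MFA violations:", audit(SAMPLE_EVENTS))  # → ['admin1', 'bob']
```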
Wrapping It Up
Multifactor authentication is a security control that helps protect sensitive data from unauthorized access by requiring users to present two or more different types of evidence before they are granted access.
Starting from CMMC Level 2, the Cybersecurity Maturity Model Certification requires defense contractors to implement multifactor authentication for local and network access (CMMC practice IA.L2-3.5.3) as well as for nonlocal maintenance sessions (CMMC practice MA.L2-3.7.5).
If you need help implementing MFA or require assistance with CMMC compliance in general, don’t hesitate to contact our CMMC Registered Practitioners. We stand ready to answer all your questions and help you achieve your compliance goals.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063