Implement multifactor authentication techniques.


CONTROL ID
00561
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Control all methods of remote access and teleworking., CC ID: 00559

This Control has the following implementation support Control(s):
  • Implement phishing-resistant multifactor authentication techniques., CC ID: 16541
  • Document and approve requests to bypass multifactor authentication., CC ID: 15464


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For Internet banking, AIs should require 2FA to re-authenticate customers' identity before performing each high-risk transaction. High-risk transactions should cover, at least, high-risk funds transfers, which include: (§ 4.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should implement 2FA to re-authenticate the customer's identity before effecting a high-risk funds transfer transaction (see subsection 4.2.2). Nevertheless, AIs also have the flexibility to offer a service where small-value funds transfer transactions to unregistered payees' accounts or unregis… (§ 6.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should select reliable and effective authentication techniques to validate the identity and authority of their e-banking customers. In general, two-factor authentication (2FA) of customers should be implemented for e-banking channels (e.g. self-service terminals, Internet banking, phone banking … (§ 4.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • A licensed or registered person should implement two-factor authentication for login to clients' internet trading accounts. (1.1. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • A licensed or registered person should assess and implement a two-factor authentication solution which is commensurate with its business model. (1.1. ¶ 2, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • For Internet banking services for individual customers, it is necessary to introduce an authentication method that does not solely rely on fixed ID and password for use at the time of login and/or when starting a significant transaction. (P8.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To be ready for cases of passwords leakage, other measures such as multifactor authentication or multilevel authentication may be used together with passwords, in accordance with the content of services used and the properties of related risks. [P8] (P26.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Implementing two-factor authentication for privileged users (Critical components of information security 5) (xiii) a), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • FIs should implement two-factor authentication at login for all types of online financial systems and transaction-signing for authorising transactions. The primary objectives of two-factor authentication and transaction-signing are to secure the customer authentication process and to protect the int… (§ 12.1.7, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Implement strong authentication mechanisms such as two-factor authentication for privileged users; (§ 11.2.3.a, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should deploy secure chips to store sensitive payment card data. The FI should also implement strong card authentication methods such as dynamic data authentication (“DDA”) or combined data authentication (“CDA”) methods for online and offline card transactions. As magnetic stripe car… (§ 13.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Multi-factor authentication should be implemented for users with access to sensitive system functions to safeguard the systems and data from unauthorised access. (§ 9.1.5, Technology Risk Management Guidelines, January 2021)
  • Multi-factor authentication should be deployed at login for online financial services to secure the customer authentication process. Multi-factor authentication can be based on two or more of the following factors, i.e. what you know (e.g. personal identification number or password), what you have (… (§ 14.2.1, Technology Risk Management Guidelines, January 2021)
  • A soft token is a software-based two-factor authentication mechanism installed on a general-purpose device. Appropriate measures, such as verifying the identity of the customer, detecting and blocking rooted or jailbroken devices, and performing device binding, should be implemented during soft toke… (§ 14.2.8, Technology Risk Management Guidelines, January 2021)
  • Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories. (P12:, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication is used for access to gateways. (Security Control: 1039; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards. (Security Control: 1401; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication is used to authenticate standard users. (Security Control: 0974; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication is used to authenticate all privileged users and any other positions of trust. (Security Control: 1173; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication is used to authenticate all users when accessing important data repositories. (Security Control: 1505; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Multi-factor authentication is used to authenticate unprivileged users of systems. (Control: ISM-0974; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is used by an organisation's users if they authenticate to their organisation's internet-facing services. (Control: ISM-1504; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data. (Control: ISM-1679; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are. (Control: ISM-1401; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication (where available) is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data. (Control: ISM-1680; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is used to authenticate users accessing important data repositories. (Control: ISM-1505; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is phishing-resistant. (Control: ISM-1682; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is enabled by default for an organisation's non-organisational users (but users can choose to opt out) if they authenticate to the organisation's internet-facing services. (Control: ISM-1681; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is used to authenticate unprivileged users of systems. (Control: ISM-0974; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are. (Control: ISM-1401; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication is used to authenticate users to their organisation's online services. (Control: ISM-1504; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication is used to authenticate users of important data repositories. (Control: ISM-1505; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data. (Control: ISM-1679; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation's non-sensitive data. (Control: ISM-1680; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication is used by default to authenticate users to online customer services that process, store or communicate sensitive data, however, users may choose to opt out. (Control: ISM-1681; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Database administrators must be authenticated with multifactor authentication. (Control: 1265, Australian Government Information Security Manual: Controls)
  • The organization must not use a Personal Identification Number or numerical password as the only method for authenticating a user. (Control: 0417, Australian Government Information Security Manual: Controls)
  • The organization must use multifactor authentication for remote access, privileged access, and positions of trust. (Control: 1173, Australian Government Information Security Manual: Controls)
  • The organization should use multifactor authentication for all users. (Control: 0974, Australian Government Information Security Manual: Controls)
  • A non-replayable and encrypted two-way authentication scheme should be used for call authentication and authorization. (Control: 0554, Australian Government Information Security Manual: Controls)
  • The organization should use multifactor authentication for accessing the gateways. (Control: 1039, Australian Government Information Security Manual: Controls)
  • The organization should implement multifactor authentication procedures for remote access, privileged access, and other high-risk activities. (¶ 44(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • multi-factor authentication for privileged access, remote access and other high-risk activities; (Attachment C 7(j)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • multi-factor authentication for privileged access, remote access and other high-risk activities; (¶ 44(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The organization should implement multi-factor authentication, especially for accessing sensitive data or performing a privileged action. (Mitigation Strategy Effectiveness Ranking 16, Strategies to Mitigate Targeted Cyber Intrusions)
  • Have you enabled Multi-Factor Authentication (MFA) on all of your cloud services? (A7.14., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Has MFA been applied to all users of your cloud services? (A7.17., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Multi-factor authentication, with a minimum password length of 8 characters and no max length. (A4.3. (A), Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Multi-factor authentication, with a minimum password length of 8 characters and no maximum length. (A5.5. (A), Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • If yes, is the access to the settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication settings? Please explain which option is used. (A4.10., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Authentication methods: financial institutions should enforce authentication methods that are sufficiently robust to adequately and effectively ensure that access control policies and procedures are complied with. Authentication methods should be commensurate with the criticality of ICT systems, inf… (3.4.2 31(g), Final Report EBA Guidelines on ICT and security risk management)
  • Member States shall ensure that a payment service provider applies strong customer authentication where the payer: (Art 97(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • accesses its payment account online; (Art 97(1)(a), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. (Article 21 2(j), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The physical site access controls require two-factor authentication. (Section 5.5 PS-02 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The access and management of the logging and monitoring functionalities requires multi-factor authentication. (Section 5.6 RB-15 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The use of service programs and management consoles (e. g. for the management of the hypervisor or virtual machines), which allow extensive access to the data of the cloud customers, is restricted to authorised persons. Granting and changes to corresponding data access authorisations comply with the… (Section 5.7 IDM-12 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • There are separate networks for the administrative management of the infrastructure and for the operation of management consoles, which are separated logically or physically by the network of the cloud customers and are protected against unauthorised access by means of multi-factor authentication (s… (Section 5.9 KOS-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Before gaining access to data of very high protection needs, users are authenticated by means of strong authentication (e.g. two-factor authentication) according to the state of the art. (C, I) (4.1.2 Additional requirements for very high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • A two-factor authentication system should be required for remote access. (§ II.28, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization use at least a two-factor authentication system? (Table Row II.28, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is two-factor authentication used for large value payments and System Administrators? (Table Row IV.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has two-factor authentication been employed? (Table Row XIII.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be pr… (1.10, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1)
  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be pr… (1.10, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • Management ports on network devices should be disabled when not in use. If ports can not be disabled, then ports must be password protected with strong two factor authentication. (§ 2.3.1 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The control system shall provide the capability to employ multifactor authentication for all human user access to the control system. (5.3.3.3 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to employ multifactor authentication for all human user access to the component. (5.3.3 (2) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Is two-factor authentication required for client access? (Appendix D, Implement Strong Access Control Measures Bullet 10, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Observe an employee logging on to the system remotely and ensure he/she uses both a password and an additional form of authentication (such as smart cards or tokens). (§ 8.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the system configurations for remote access servers and remote access systems to verify two-factor authentication is required for all third-party or vendor remote access, including support or maintenance, and all personnel access. (Testing Procedures § 8.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Observe a sample of personnel who remotely connect to the network and verify that they use at least 2 of the 3 authentication methods. (Testing Procedures § 8.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure all remote access uses two-factor authentication. (§ 8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Observe an employee logging on to the system remotely and ensure he/she uses both a password and an additional form of authentication (such as smart cards or tokens). (§ 8.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Two-factor authentication must be implemented for remote network access by personnel and third parties. (PCI DSS Requirements § 8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). (8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. (8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. (8.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication as follows: (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows: (8.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Two-factor authentication should be used if the payment application can be accessed remotely. The application should not interfere with the two-factor authentication mechanism and should allow technologies, such as RADIUS or TACACS with tokens or VPN with individual certificates. (§ 11.1, § 11.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • The secure operator interface is so designed that entry of more than one password (or some equivalent mechanism for dual or multiple control) is required in order to enter this sensitive state and that it is highly unlikely that the device can inadvertently be left in the sensitive state. (E2 ¶ 2, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • MFA is implemented for all access into the CDE. (8.4.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • MFA systems are implemented as follows: (8.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. (8.5.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • At least two different types of authentication factors are used. (8.5.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine network and/or system configurations to verify MFA is implemented for all access into the CDE. (8.4.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe personnel logging in to the CDE and examine evidence to verify that MFA is required. (8.4.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configurations for the MFA implementation to verify it is configured in accordance with all elements specified in this requirement. (8.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (PCI DSS Question 8.3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (PCI DSS Question 8.3, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (PCI DSS Question 8.3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (PCI DSS Question 8.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? (PCI DSS Question 8.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • MFA is implemented for all access into the CDE. (8.4.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems are implemented as follows: (8.5.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. (8.5.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least two different types of authentication factors are used. (8.5.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all access into the CDE. (8.4.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems are implemented as follows: (8.5.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. (8.5.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least two different types of authentication factors are used. (8.5.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all access into the CDE. (8.4.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems are implemented as follows: (8.5.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. (8.5.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least two different types of authentication factors are used. (8.5.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems are implemented as follows: (8.5.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least two different types of authentication factors are used. (8.5.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all access into the CDE. (8.4.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. (8.5.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • E-commerce providers should verify the legitimacy of the cardholder and the card. This can be accomplished by using Address Verification Service (AVS), Card Verification Value 2 (CVV2), Verified by Visa, and/or CyberSource Advanced Fraud Screen enhanced by Visa. The CVV2 method asks the customer for… (Pg 10, Pg 40 thru Pg 42, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Access controls for critical business applications or sensitive business applications should be made stronger by requiring multi-factor authentication (i.e., a combination of password, token, and/or biometric). (CF.05.03.04a, The Standard of Good Practice for Information Security)
  • Computing devices used by staff working in remote environments should be supplied with access control mechanisms to restrict access to the remote computer (e.g., using external party products). (CF.14.01.04c, The Standard of Good Practice for Information Security)
  • Access controls for critical business applications or sensitive business applications should be made stronger by requiring multi-factor authentication (i.e., a combination of password, token, and/or biometric). (CF.05.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud. (4.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Manage network devices using two-factor authentication and encrypted sessions. (Control 11.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Use multifactor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods. (Control 5.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication. (Control 12.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. (Control 14.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics. (Control 16.11, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use two-factor authentication and encrypted sessions to manage the network devices. (Critical Control 10.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Two-factor authentication should be used for all administrative access, including domain administrative access. (Critical Control 12.12, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Two-factor authentication is required to be used for all remote login access. (Critical Control 13.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned … (IAM-02, Cloud Controls Matrix, v3.0)
  • Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equi… (IAM-14, Cloud Controls Matrix, v4.0)
  • Prevent that a compromise of a single authentication factor allows access into SWIFT systems, by implementing multi-factor authentication. (4.2 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, 7.1)
  • Manage all network devices using multi-factor authentication and encrypted sessions. (CIS Control 11: Sub-Control 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions, CIS Controls, 7.1)
  • Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. (CIS Control 12: Sub-Control 12.11 Require All Remote Logins to Use Multi-Factor Authentication, CIS Controls, 7.1)
  • Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. (CIS Control 14: Sub-Control 14.8 Encrypt Sensitive Information at Rest, CIS Controls, 7.1)
  • Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider. (CIS Control 16: Sub-Control 16.3 Require Multi-Factor Authentication, CIS Controls, 7.1)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, V7)
  • Manage all network devices using multi-factor authentication and encrypted sessions. (CIS Control 11: Sub-Control 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions, CIS Controls, V7)
  • Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. (CIS Control 12: Sub-Control 12.11 Require All Remote Logins to Use Multi-Factor Authentication, CIS Controls, V7)
  • Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider. (CIS Control 16: Sub-Control 16.3 Require Multi-Factor Authentication, CIS Controls, V7)
  • Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. (CIS Control 14: Sub-Control 14.8 Encrypt Sensitive Information at Rest, CIS Controls, V7)
  • Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. (CIS Control 6: Safeguard 6.3 Require MFA for Externally-Exposed Applications, CIS Controls, V8)
  • Authentication Enhancements. The use of user id/password pairs is a simple way to authenticate users, but they can be compromised or guessed. There are other more secure ways to authenticate users, particularly for remote users. Authentication enhancements are needed when there exists a high possibi… (¶ 13.3.3, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. (§ 9.4.1 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The entity identifies and authenticates persons, infrastructure, and software prior to accessing information assets, whether locally or remotely. The entity uses more complex or advanced user authentication techniques such as multifactor authentication when such protections are deemed appropriate ba… (CC6.1 ¶ 3 Bullet 4 Identifies and Authenticates Users, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Components shall provide the capability to employ multifactor authentication for all human user access to the component. (5.3.3 (2) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. (M1032 Multi-factor Authentication, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information; (Section 4.D ¶ 1(2)(g), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Multi-factor authentication; or (Attachment 1 Section 1. 1.5. Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Unauthorized Use Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of unauthorized use of Transient Cyber Asset(s): - Restrict physical access; - Full-disk encryption with authentication; - Multi-factor authentication; or - Other method(s) … (Section 1. 1.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Multi-factor authentication; or (Attachment 1 Section 1. 1.5. Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Are wireless connections authenticated using multifactor authentication? (§ G.12.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, does remote su access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, does remote root access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that transmit scoped data, does remote su access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that transmit scoped data, does remote root access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, does remote su access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, does remote root access require multifactor authentication? (§ G.16.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is multifactor authentication deployed for "high-risk" environments? (§ H.2.14, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • When remote access is permitted, is multifactor authentication required for remote access? (§ H.5.7, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the two-factor authentication Requirement include admin access (shell or ui) internally from inside the cloud provider network? (§ V.1.42.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the two-factor authentication Requirement include non-admin access (shell or ui) internally from inside the cloud provider network? (§ V.1.42.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the two-factor authentication Requirement to access production cloud environments that include scoped data include remote admin access (shell or ui)? (§ V.1.42.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the two-factor authentication Requirement for access to production cloud environments that contain scoped data include remote non-admin access (shell or ui)? (§ V.1.42.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is two-factor authentication required for access to the administrative interfaces? (§ V.1.72.29, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the staff required to use two factors to access a production cloud computing environment containing scoped data? (§ V.1.42, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Remote access users must use a two-factor authentication method to access network resources, including dial-up connections and VPNs. (§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 3.1 NAC systems require authentication and authorization for both the endpoint and the user. Successful authentication using multi-factor authentication is required before the network access point forwards traffic. Authorization of the OS security posture is also determined. Endpoints or users th… (§ 3.1, § 4.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • Use encrypted sessions for the management of network devices. (SC.2.179, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA.2.113, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA.2.113, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Use encrypted sessions for the management of network devices. (SC.2.179, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (IA.3.083, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA.2.113, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (IA.3.083, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Use encrypted sessions for the management of network devices. (SC.2.179, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (IA.3.083, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA.2.113, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Use encrypted sessions for the management of network devices. (SC.2.179, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (IA.L2-3.5.3 Multifactor Authentication, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA.L2-3.7.5 Nonlocal Maintenance, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Impact Level 5: IAW the separation requirements for Level 5 described in Section 5.2.2.3, Impact Level 5 Location and Separation Requirements and DoD policy, the CSP must implement a strong two-factor I&A capability for CSP privileged user access to administer and maintain dedicated CSP infrastructu… (Section 5.4.1.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Check strong (2 factor) authentication for management and administrator traffic consistent with documented security designs. (DCBP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Remote access authenticators must offer strong protection against spoofing. (EBRU-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • No—the Health IT Module does not support authentication, through multiple elements, of the user's identity with the use of industry-recognized standards. When attesting "no," the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of… (§ 170.315 (d) (13) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Yes—the Health IT Module supports the authentication, through multiple elements, of the user's identity with the use of industry-recognized standards. When attesting "yes," the health IT developer must describe the use cases supported. (§ 170.315 (d) (13) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • No—the Health IT Module does not support authentication, through multiple elements, of the user's identity with the use of industry-recognized standards. When attesting "no," the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of… (§ 170.315 (d) (13) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Yes—the Health IT Module supports the authentication, through multiple elements, of the user's identity with the use of industry-recognized standards. When attesting "yes," the health IT developer must describe the use cases supported. (§ 170.315 (d) (13) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Federal agencies should consider installing systems that continuously check for unauthorized connections to networks. Agency policy and procedures should reflect careful consideration of additional risk reduction methods such as bi-directional authentication, shielding standards and other technical … (Pg 47, The National Strategy to Secure Cyberspace, February 2003)
  • The agency shall enable user authentication and encryption mechanisms for the access points' management interface. (§ 5.5.7.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The intent of AA is to meet the standards of two-factor authentication. Two-factor authentication employs the use of two of the following three factors of authentication: something you know (e.g. password), something you have (e.g. hard token), something you are (e.g. biometric). The two authenticat… (§ 5.6.2.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The intent of AA is to meet the standards of two-factor authentication. Two-factor authentication employs the use of two of the following three factors of authentication: something you know (e.g. password), something you have (e.g. hard token), something you are (e.g. biometric). The two authenticat… (§ 5.6.2.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Attacks against systems and users protected with single-factor authentication often lead to unauthorized access resulting in data theft or destruction, adverse impacts from ransomware, customer account fraud, and identity theft. Accordingly, use of single-factor authentication as the only control me… (Section 5 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
  • The organization should implement multifactor authentication methods if the risk assessment finds that single-factor authentication is inadequate. (Pg 2, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Layered security and supplemental authentication techniques for changes to account maintenance activities and for high-risk transactions. (App A Objective 16:3f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Multifactor or other strong authentication. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should consider using multifactor authentication techniques for sensitive applications to discourage fraudulent transactions. (Pg 34, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The identity and the authority of the sender should be authenticated prior to transferring funds. (Pg 32, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its custom… (Business/Commercial Banking ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • the use of dual customer authorization through different access devices; (Layered Security Programs ¶ 2 Bullet 2, Supplement to Authentication in an Internet Banking Environment)
  • Simple device identification as described above can be distinguished from a more sophisticated form of this technique which uses "one‐time" cookies and creates a more complex digital "fingerprint" by looking at a number of characteristics including PC configuration, Internet protocol address, geo… (Device Identification ¶ 2, Supplement to Authentication in an Internet Banking Environment)
  • Many institutions use challenge questions as a backup in the event that the primary logon authentication technique becomes inoperable or presents an unexpected characteristic. The provision of correct responses to challenge questions can also be used to re‐authenticate the customer or verify a spe… (Challenge Questions ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls; (§ 314.4 ¶ 1(c)(5), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • One of the factors is provided by a device separate from the system gaining access; and (IA-2(6) ¶ 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Implement multi-factor authentication for [FedRAMP Assignment: local, network and remote] access to [FedRAMP Assignment: privileged accounts; non-privileged accounts] such that: (IA-2(6) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Implement multi-factor authentication for [FedRAMP Assignment: local, network and remote] access to [FedRAMP Assignment: privileged accounts; non-privileged accounts] such that: (IA-2(6) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • One of the factors is provided by a device separate from the system gaining access; and (IA-2(6) ¶ 1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement multi-factor authentication for [FedRAMP Assignment: local, network and remote] access to [FedRAMP Assignment: privileged accounts; non-privileged accounts] such that: (IA-2(6) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • When Federal Tax Information is being accessed from a remote location, use of two-factor authentication mechanisms is recommended. (§ 5.6.17.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union use single-factor authentication? (IT - Authentication Q 33, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there implemented authentication procedures for remote access? (IT - Remote Access Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • At IAL1, it is possible that attributes are collected and made available by the digital identity service. Any PII or other personal information — whether self-asserted or validated — requires multi-factor authentication. Therefore, agencies SHALL select a minimum of AAL2 when self-asserted PII or… (4 ¶ 5, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • At AAL2, authentication SHALL occur by the use of either a multi-factor authenticator or a combination of two single-factor authenticators. A multi-factor authenticator requires two factors to execute a single authentication event, such as a cryptographically-secure device with an integrated biometr… (4.2.1 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL3, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity, as described in Section 7.2. Reauthentication of the … (4.3.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • When a multi-factor OTP authenticator is being associated with a subscriber account, the verifier or associated CSP SHALL use approved cryptography to either generate and exchange or to obtain the secrets required to duplicate the authenticator output. The verifier or CSP SHALL also establish, via t… (5.1.5.2 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • While all identifying information is self-asserted at IAL1, preservation of online material or an online reputation makes it undesirable to lose control of an account due to the loss of an authenticator. The second authenticator makes it possible to securely recover from an authenticator loss. For t… (6.1.1 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Each authentication operation using the authenticator SHALL require the input of both factors. (5.1.8.1 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Each authentication operation using the authenticator SHOULD require the input of the additional factor. Input of the additional factor MAY be accomplished via either direct input on the device or via a hardware connection (e.g., USB, smartcard). (5.1.9.1 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • When any new authenticator is bound to a subscriber account, the CSP SHALL ensure that the binding protocol and the protocol for provisioning the associated key(s) are done at a level of security commensurate with the AAL at which the authenticator will be used. For example, protocols for key provis… (6.1 ¶ 6, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that p… (4.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Employ dual authorization to execute critical or sensitive system and organizational operations. (3.1.1e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • WLAN connectivity should require a two-factor authentication method. (Table 8-1 Item 9, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Organizational records and documentation and the system configuration settings should be examined to ensure a combination of passwords, tokens, and/or biometrics is used for the authentication process. Test the system to ensure a combination of passwords, tokens, and/or biometrics is being used. (IA-2(1), IA-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Mutual authentication should be used in order to verify the legitimacy of all devices on the network. Vulnerabilities should be minimized by implementing strong authentication mechanisms. (Table 4-2 Item 16, Table 4-2 Item 21, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Multi-factor authentication is an accepted good practice for access to ICS applications from outside the ICS firewall. (§ 6.2.7.3 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must authenticate all remote access. (SG.AC-15 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use multifactor authentication for remotely accessing non-privileged accounts. (SG.IA-4 Additional Considerations A1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use multifactor authentication for locally accessing privileged accounts. (SG.IA-4 Additional Considerations A1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use multifactor authentication for remotely accessing privileged accounts. (SG.IA-4 Additional Considerations A1.c, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (3.5.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (3.7.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (3.5.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (3.7.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (3.5.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (3.7.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The Information System should enforce dual authorization for privileged access commands. (App F § AC-3(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for network access to privileged accounts. (App F § IA-2(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for network access to non-privileged accounts. (App F § IA-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for local access to privileged accounts. (App F § IA-2(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for local access to non-privileged accounts. (App F § IA-2(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for network access to privileged accounts when one factor is provided by a separate device from the system being accessed. (App F § IA-2(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use multifactor authentication for network access to non-privileged accounts when one factor is provided by a separate device from the system being accessed. (App F § IA-2(7), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support multifactor authentication. (App I § IA-2 Control Enhancements: (1)(2)(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system enforces dual authorization for {organizationally documented privileged commands}. (AC-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces dual authorization for {organizationally documented actions}. (AC-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to privileged accounts. (IA-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for local access to privileged accounts. (IA-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {organizationally documented strength of mechanism requirements}. (IA-2(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {organizationally documented strength of mechanism requirements}. (IA-2(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to privileged accounts. (IA-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for local access to privileged accounts. (IA-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to privileged accounts. (IA-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to privileged accounts. (IA-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for local access to privileged accounts. (IA-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements multifactor authentication for local access to non-privileged accounts. (IA-2(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. (AC-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. (AC-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (IA-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • One of the factors is provided by a device separate from the system gaining access; and (IA-2(6) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement multi-factor authentication for access to non-privileged accounts. (IA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. (AC-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (IA-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • One of the factors is provided by a device separate from the system gaining access; and (IA-2(6) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information. (Section 27-62-4(d)(2) g., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • multifactor authentication that includes a reasonably secure method of assigning and selecting a password or the use of unique identifier technologies such as biometrics or security tokens, (§ 38a-999b(b)(2)(A)(ii), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Utilization of effective controls, which may include multifactor authentication procedures for any individual accessing nonpublic information; (Part VI(c)(4)(B)(vii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees or authorized individuals accessing nonpublic information (§ 8604.(d)(2) g., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Use effective controls, which may include multi-factor authentication procedures for any individual accessing nonpublic information; (§431:3B-203(2)(G), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Using effective controls, which may include multi-factor authentication procedures for any employees accessing nonpublic information. (Sec. 18.(2)(G), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information. (507F.4 4.b.(7), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Use effective controls, which may include multifactor authentication procedures for any individual accessing nonpublic information. (§2504.D.(2)(g), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Use effective controls, which may include multifactor authentication procedures, for individuals accessing nonpublic information; (§2264 4.B.(7), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Using effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information. (Sec. 555.(4)(b)(viii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • utilize effective controls, which may include multifactor authentication procedures for any authorized individual accessing nonpublic information; (§ 60A.9851 Subdivision 4(2)(vii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information; (§ 83-5-807 (4)(b)(vii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Utilize effective controls, which may include multi-factor authentication procedures for any individual accessing nonpublic information. (§ 420-P:4 IV.(b)(7), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for: (§ 500.12 Multi-Factor Authentication (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information; (26.1-02.2-03. 4.b.(7), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information; (Section 3965.02 (D)(2)(g), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • utilizing effective controls, which may include multifactor authentication procedures for an individual accessing nonpublic information; (SECTION 38-99-20. (D)(2)(g), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Utilize effective controls that may include multi-factor authentication procedures for authorized individuals accessing nonpublic information; (§ 56-2-1004 (4)(B)(vii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The information system implements multifactor authentication for network access to non-privileged accounts. (IA-2(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Utilize effective controls, which may include multifactor authentication procedures for employees accessing nonpublic information. (§ 601.952(3)(b)7., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)