This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements multi-factor authentication for network access to privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
Related control: AC-6.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. Related Controls: AC-5, AC-6.
38North Guidance:
Meets Minimum Requirement:
Implements multi-factor authentication for network access to privileged accounts.
Uses FedRAMP-authorized MFA solutions that rely on FIPS-validated encryption mechanisms/modules/libraries.
If FIPS mode is available on the solution, ensure that it is enabled.
Best Practice:
Require the use of MFA for all privileged network account access. This includes the following types of accounts:
Administrative accounts
Network (remote) accounts
Security application accounts
All VPN access needs to have an MFA solution in place that is FIPS 140-2 or FIPS 140-3 validated, such as hardware tokens (YubiKey, RSA, Gemalto, etc.) or software tokens (Google Authenticator, RSA, DUO, Okta, etc.).
Unofficial FedRAMP Guidance:
Okta push notification currently does not meet NIST SP 800-63B (Section 5.1.3.2) requirements for out-of-band verifiers. CSPs should use Okta one-time password or passcode (OTP) instead.
Assessment Evidence:
Demonstration of multi-factor authentication when logging in to devices or the FedRAMP environment, specifically privileged access to the environment and to components such as edge routers or network devices, from both CLI and GUI interfaces (if applicable).
Screenshots of MFA configurations for accessing components in the environment.
CSP Implementation Tips: TBD