This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements multi-factor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [FedRAMP Assignment: (M)(H) FIPS 140-2, NIAP Certification, or NSA Approval].
IA-2(11) Additional Requirements and Guidance: PIV = separate device. Please refer to NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials.
NIST 800-53 (r4) Supplemental Guidance:
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-2(6).]
38North Guidance:
Meets Minimum Requirement:
IA-2(11).1 - Implements multi-factor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2(11).2 - Implements multi-factor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2(11).5 - Implements multi-factor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
IA-2(11).6 - Implements multi-factor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
Best Practice:
Ensure that the MFA mechanism is separate from the system that personnel are trying to access, and that a memorized secret is used in addition to a software or hardware token.
Define requirements that specify how strong the cryptography used by the MFA mechanism must be. FIPS 140-2 and FIPS 140-3 should be used to meet the encryption requirements for the environment. Note: PIV cards should meet the requirements in NIST SP 800-77.
Refer to the following to verify that the authenticator and verifier for the solution are FIPS validated: https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of the MFA authentication process using a software or hardware token when connecting to the FedRAMP environment.
Screenshot of a list of MFA devices showing a unique serial number for each hardware device, and verification that the hardware tokens are FIPS validated.
CSP Implementation Tips: TBD