This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements multi-factor authentication for network access to non-privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
None
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.
38North Guidance:
Meets Minimum Requirement:
Implements multi-factor authentication for network access to non-privileged accounts.
Uses FedRAMP-authorized MFA solutions that rely on FIPS-validated cryptographic mechanisms, modules, or libraries.
If FIPS mode is available on the solution, ensure that it is enabled.
Best Practice:
Require the use of MFA for all non-privileged account access. This includes the following types of accounts:
Network (remote) accounts
Security application accounts
All VPN access must be protected by an MFA solution that is FIPS 140-2 or FIPS 140-3 validated, such as hardware tokens (YubiKey, RSA, Gemalto, etc.) or software tokens (Google Authenticator, RSA, Duo, Okta, etc.).
Unofficial FedRAMP Guidance:
Okta push notification currently does not meet the NIST SP 800-63B (Section 5.1.3.2) requirements for out-of-band verifiers. CSPs should use the Okta one-time password or passcode (OTP) authenticator instead.
Assessment Evidence:
Demonstration of multi-factor authentication for non-privileged account access into devices or the FedRAMP environment (if applicable), including components such as edge routers or other network devices, through both CLI and GUI interfaces (if applicable).
Screenshots of MFA configurations for accessing components in the environment.
CSP Implementation Tips: TBD