This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements multi-factor authentication for local access to privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
Related control: AC-6.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-2(1).]
38North Guidance:
Meets Minimum Requirement:
Implements multi-factor authentication for local access to privileged accounts.
FedRAMP-authorized MFA solutions using FIPS-validated encryption mechanisms/modules/libraries.
If FIPS mode is available on the solution, ensure that it is enabled.
Best Practice:
Require the use of MFA for all privileged account access. This includes the following types of accounts:
Administrator accounts
Local accounts
Security application accounts
All access needs an MFA solution in place that is FIPS 140-2 or FIPS 140-3 validated, whether hardware tokens (YubiKey, RSA, Gemalto, etc.) or software tokens (Google Authenticator, RSA, Duo, Okta, etc.).
Unofficial FedRAMP Guidance:
Okta push notification currently does not meet NIST SP 800-63B (Section 5.1.3.2) requirements for out-of-band verifiers. CSPs should use Okta one-time password or passcode (OTP) instead.
Assessment Evidence:
Demonstration of multi-factor authentication to devices in the FedRAMP environment, specifically local privileged account access to components such as edge routers or other network devices, from both CLI and GUI interfaces (if applicable).
Screenshots of MFA configurations for accessing components in the environment.
CSP Implementation Tips: TBD