Remote Access Separate Device IA-2(11)
Overview:
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
Supplemental Guidance:
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.
Related control: AC-6.
Action Items:
1) Ensure that, for remote access to both privileged and non-privileged accounts, at least one MFA factor is provided by a device separate from the system gaining access, and that the device meets the organization-defined strength of mechanism requirements (for FedRAMP Moderate: FIPS 140-2, NIAP Certification, or NSA approval).
Related Documents:
1) Identity and Access Management Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
IA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval]
Moderate Additional FedRAMP Requirements and Guidance
IA-2 (11) Guidance: A PIV card satisfies the separate-device requirement. Please refer to NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials.