NIST 800-171 - Multi-factor Authentication (3.5.3)


Overview:
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.


Action Items:
3.5.3[a]
Determine if: privileged accounts are identified.


3.5.3[b]
Determine if: multifactor authentication is implemented for local access to privileged accounts.


3.5.3[c]
Determine if: multifactor authentication is implemented for network access to privileged accounts.


3.5.3[d]
Determine if: multifactor authentication is implemented for network access to non-privileged accounts.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records.


2) Interview: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers.


3) Test: Mechanisms supporting or implementing multifactor authentication capability.


Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) procedures addressing user identification and authentication
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) system audit logs and records
7) list of system accounts
8) other relevant documents or records


Additional Guidance:
Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor solutions that feature physical authenticators include, for example, hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.


Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connection without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal access). Remote access is a type of network access that involves communication through external networks. Network connections that use encrypted virtual private networks between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information traversing the network. NIST Special Publication 800-63 provides guidance on digital identities.



Article ID: 151
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-multi-factor-authentication-3-5-3-151.html