SOLVED

CMMC - does it require MFA at network login?

Copper Contributor

"NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts" Some debate inside my company about whether MFA is required at network login vs MFA being required only when accessing CUI systems (not all systems on our network have CUI). So, can we place MFA at entry to CUI systems and not MFA all employees at time of network login? And does CMMC require anything different than NIST 800-171 3.5.2?

4 Replies

@bkaufman This depends on your organization's unique threat and risk profile, so we leave this up to our customers' interpretation.

best response confirmed by Sarah.Gilbert (Community Manager)
Solution

@bkaufman There is a strong argument that MFA is applied at the device in order to protect data on the device as well as the local area network. This is especially true for legacy authentication with applications that may not natively support MFA. We have been working with many working groups to gain clarity on the fit for Windows Hello for Business satisfying the device-based MFA, and transitive to remote networks as well.

@bkaufman 

We have been working with a 3rd party to help with compliance, and they have told us the following: If a client machine is connected to the network housing the CUI (as defined by your network boundary in your System Security Plan), then it must use MFA.

If you have a separate part of your network that is logically separated from the CUI network (e.g. you have placed a firewall in between), then that part of your network would fall outside of the CUI network boundary (again, as shown in your SSP) and thus the security controls would not apply (no MFA).

TLDR: if the PC is logging into the same network where CUI lives, or CUI resides on the device, you need MFA.

@bkaufman We have taken this to mean that when you log in to the network that houses CUI data, or to a system that is on the CUI network, it shall require MFA. We have taken the literal translation of the controls and applied them to our customers.

In your situation, if people are signing into systems and/or networks that are not in a CUI perimeter or boundary, then the MFA requirement and all other NIST and CMMC requirements would not apply.
