Satisfying CMMC IA.L2-3.5.3 MFA requirement with Windows Hello for Business
The Cybersecurity Maturity Model Certification (CMMC) is a set of certification standards produced by the United States Department of Defense and intended to serve as a verification mechanism to ensure that companies bidding on defense contracts have appropriate levels of cybersecurity practices and processes in place. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). The CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.
Of particular interest is the following requirement:
CMMC IA.L2-3.5.3 (NIST 800-171r2 3.5.3) - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Broken down, the requirement means the following:
Why Windows Hello for Business is a viable MFA authenticator
Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and are easily compromised. The Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM) and combines it with additional information to authenticate users. The additional information the user supplies is the activation factor for Windows Hello for Business and can be a PIN value (“something you know”) or, if the system has the necessary hardware, biometric information such as fingerprint or facial recognition (“something you are”). The TPM constitutes the “something you have” factor for the purpose of MFA. Learn more about how Windows Hello for Business uses the TPM.
The idea of the TPM as a valid “something you have” factor is not new; NIST SP 800-63B Section 5.1.9.1 addressed it back in December 2017 (as captured in the errata), recognizing a TPM as a hardware cryptographic authenticator. In NIST's terms, multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys unique to the authenticator and accessible only through the input of an additional factor, either a memorized secret or a biometric. The authenticator operates by using a private key that was unlocked by the additional factor to sign a challenge nonce presented through a direct computer interface (e.g., a USB port). Alternatively, the authenticator could be a suitably secure processor integrated with the user endpoint itself (e.g., a hardware TPM).
Configuring Windows Hello in a way that adheres to NIST guidance
Now that we have unveiled the mystery behind the CMMC IA.L2-3.5.3 requirement and explained why Windows Hello for Business is a viable MFA authenticator, let us make sure it is configured in a way that adheres to NIST guidance and provides the required strength:
For those who still do not accept the TPM as a “something you have” factor for local access (sign-in to the endpoint), or for those seeking additional risk mitigation, an alternative option is using FIDO2 security keys or smart cards.
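As an added example that is not part of the original post, the following PowerShell script checks an endpoint for the properties that make Windows Hello for Business a TPM-bound MFA authenticator: a ready TPM, a policy that forbids falling back to a software-protected key, and a minimum PIN length. The registry policy path and value names (PassportForWork, Enabled, RequireSecurityDevice, PINComplexity\MinimumPINLength) are assumed from the Windows Hello for Business Group Policy settings and are not listed on this page; the PIN length of 6 is an assumed organizational baseline.

```powershell
# Added compliance check (not from the original post). Run in an elevated
# PowerShell session on the endpoint being assessed.
# Policy value names below are assumed from the PassportForWork GPO/CSP.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$findings  = @()

# 1. TPM present and ready: the "something you have" factor must exist.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += 'TPM is absent or not ready; Hello keys would not be hardware-bound.'
}

# 2. Report the TPM specification version; 2.0 is the expected baseline.
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if ($tpmInfo -and $tpmInfo.SpecVersion -notmatch '^2\.0') {
    $findings += "TPM spec version is '$($tpmInfo.SpecVersion)', not 2.0."
}

# 3. Windows Hello for Business enabled by policy, not left to user choice.
$enabled = (Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($enabled -ne 1) {
    $findings += 'Policy "Use Windows Hello for Business" (Enabled) is not set to 1.'
}

# 4. Hardware security device required: without this, provisioning may
#    create a software key, which does not satisfy "something you have".
$requireHw = (Get-ItemProperty -Path $policyKey -Name RequireSecurityDevice -ErrorAction SilentlyContinue).RequireSecurityDevice
if ($requireHw -ne 1) {
    $findings += 'Policy "Use a hardware security device" (RequireSecurityDevice) is not set to 1.'
}

# 5. Minimum PIN length governs the strength of the "something you know" factor.
#    6 is an assumed baseline; substitute your organization's requirement.
$minPin = (Get-ItemProperty -Path "$policyKey\PINComplexity" -Name MinimumPINLength -ErrorAction SilentlyContinue).MinimumPINLength
if (-not $minPin -or $minPin -lt 6) {
    $findings += "MinimumPINLength is '$minPin'; expected at least 6."
}

# Summarize the result for the assessor.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: TPM-backed Windows Hello for Business checks satisfied.'
} else {
    Write-Output 'FAIL:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Policy applied through Intune rather than Group Policy may land under a different registry location, so treat a missing policy value as a prompt to verify the MDM configuration rather than as proof of non-compliance.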
Disclaimer
Please note that the information cutoff date for this post is February 12, 2021, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body (CMMC AB) has not formalized guidance for Cloud Service Providers. As a result, the information herein, including our CMMC-related offerings, is provisional and may be enhanced to align with future guidance from the DoD and the CMMC AB. Microsoft is closely tracking developments related to the CMMC.
Additional resources
About the author
@Ehud_Itshaki is a Principal Program Manager in the Azure Active Directory Customer Success Team. Currently he is focused on regulatory issues for highly regulated industries and government. Areas of focus include, but are not limited to, NIST, FedRAMP, DoD SRG, CMMC, CJIS, IRS 1075 and EPCS.