The Cybersecurity Maturity Model Certification (CMMC) is a set of certification standards produced by the United States Department of Defense and intended to serve as a verification mechanism to ensure that companies bidding on defense contracts have appropriate levels of cybersecurity practices and processes in place. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). The CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.
Of particular interest is the following requirement:
CMMC IA.L2-3.5.3 (NIST 800-171r2 3.5.3) - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Local Access - Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
Network Access - Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
Privileged User - A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Breaking down the above requirement means the following:
All users are required MFA for network/remote access.
Only privileged users are required MFA for local access (if regular user accounts have administrative rights only on their computers, they are not considered a “privileged account” and as such do not require MFA authentication for local access).
Why Windows Hello for Business is a viable MFA authenticator
Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. The Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM)and combines it with additional information to authenticate users. The additional information the user supplies is the activation factor for Windows Hello for Business and can be a PIN value (“something you know”) or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition (“something you are”).The TPM constitutes the “something you have” factor for the purpose of MFA. Learn more about How Windows Hello for Business uses the TPM.
The idea of TPM as a valid “something you have” factor is not new, and addressedby NIST 800-63B Section 220.127.116.11 back in December 2017 (as captured in the errata) where a TPM is recognized as a hardware cryptographic authenticator.Multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys unique to the authenticator and accessible only through the input of an additional factor, either a memorized secret or a biometric. The authenticator operates by using a private key that was unlocked by the additional factor to sign a challenge nonce presented through a direct computer interface (e.g., a USB port). Alternatively, the authenticator could be a suitably secure processor integrated with the user endpoint itself (e.g., a hardware TPM).
Configuring Windows Hello in a way that adheres to NIST guidance
Now that weunveiled the mystery behind CMMC IA.L2-3.5.3 requirement and explained why Windows Hello for Business is a viable MFA authenticator, let usmake sure it is configured in a way that adheres to NIST guidance and provides the required strength:
To adhere to NIST 800-63B Section 18.104.22.168requirements of activation factor (PIN) at least 8 characters long, configure minimum PIN lengthsetting for PIN Complexity to be at least 8 characters (no complexity rules are required, PIN can be digits only).
Make sure Windows Hello for Business cryptographic key are protected using a tamper-resistant hardware by enablinguse a hardware security devicesetting for Windows Hello for Business.
Configure privileged user accounts to disallow password authentication (also known as SCRIL).
For those who still do not accept TPM as “something you have” factor for local accesses (sign-in to the endpoint) or for those seeking additional risk mitigation, an alternative option is using FIDO2 keys or smart cards.
Please note that the information cutoff date for this post is February 12, 2021 and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body (CMMC AB) has not formalized guidance for Cloud Service Providers. As a result, the information herein, including our CMMC related offerings, is provisional and may be enhanced to align with future guidance from the DoD and CMMC AB. Microsoft is closely tracking developments related to the CMMC.
@Ehud_Itshaki is a Principal Program Manager in the Azure Active Directory Customer Success Team. Currently he is focused on regulatory issues for highly regulated industries and Government. Areas of focus include but are not limited to NIST, FedRAMP, DoD SRG, CMMC, CJIS, IRS 1075, EPCS, etc.