IA.L2-3.5.3[d] – MFA Question

old.reddit.com / @/u/K_SV, https://old.reddit.com/user/K_SV

Hi All,

Seeking some guidance from those who have successfully implemented this requirement.

[d] multifactor authentication is implemented for network access to non-privileged accounts.

I'm at a company that uses MFA for VPN and privileged accounts, no problems there. But what exactly is this requiring for non-privileged? Is there an expectation that MFA should be implemented for endpoints, such as a CAC reader on each system?

The example given in the CMMC assessment guide is implementing MFA for cloud-based email in addition to the VPN. Guess we could turn that on, but I'm not totally confident that's the coverage DCMA would look for.

Would appreciate any examples of controls implemented that satisfied this. Thank you!

submitted by /u/K_SV

published about 2 months ago



