>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IA.L2-3.5.3Multifactor Authentication

Level 2
800-171: 3.5.3

>Control Description

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

>Cross-Framework Mappings

NIST SP 800-171

3.5.3
Compare

SCF

IAC-06
Compare
IAC-06.1
Compare
IAC-06.2
Compare
IAC-06.3
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your multifactor authentication (MFA) policy?
  • How do you determine which accounts and access scenarios require MFA?
  • What MFA technologies and methods are approved for use?
  • What is your process for handling MFA enrollment and token management?
  • How do you handle exceptions when MFA is temporarily unavailable?

Technical Implementation:

  • What MFA technologies are implemented (TOTP, hardware tokens, biometrics)?
  • How is MFA integrated with authentication systems?
  • What MFA solutions protect privileged accounts?
  • How do you enforce MFA for remote access?
  • What fallback authentication exists if MFA is unavailable?
  • What logging captures MFA authentication events?

Evidence & Documentation:

  • What authentication policy documentation can you provide?
  • What password policy settings and configurations can you show?
  • What MFA enrollment and usage reports demonstrate compliance?
  • What account management documentation shows account lifecycle?
  • What authentication logs demonstrate enforcement?
  • What screenshots show authentication configurations?

Ask AI

Configure your API key to use AI features.