Control 3.5.3
Use Multifactor Authentication for Local and Network Access
Official Requirement
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
What This Means in Plain English
Admin (privileged) accounts must use MFA for both local and network access. Standard user accounts must use MFA for all network (remote) access. MFA means authenticating with two or more different factor types: something you know (a password or PIN), something you have (a security key, smart card or authenticator app), or something you are (a biometric). Two credentials of the same type, such as two passwords, do not count as MFA.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Microsoft Entra ID Conditional Access enforcing MFA for all users on all network access
- Windows Hello for Business providing MFA for local workstation logon for privileged users
- FIDO2 security keys available for high-security administrative access
- FortiGate VPN requiring MFA via FortiToken for all remote access connections
- Microsoft Authenticator app deployed to all users for push-based MFA
Assessment Guidance
Assessors will test MFA enforcement for privileged local access, verify MFA for all network access, check that MFA cannot be bypassed (for example by legacy authentication protocols or policies left in report-only mode), review Conditional Access policies and their exclusions, and test MFA on VPN and remote access portals.
Common Implementation Gaps
- MFA not enforced for privileged local access
- MFA not required for standard user network access
- MFA bypass available through legacy authentication protocols (basic authentication for SMTP, POP, IMAP and older Office clients); these clients cannot complete an MFA challenge, so they must be blocked outright rather than expected to prompt for MFA
- No MFA on VPN connections
- SMS-only MFA without stronger, phishing-resistant alternatives such as FIDO2 security keys or Windows Hello for Business
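The Conditional Access policies listed under "How Petronella Implements This Control" and the legacy-authentication and report-only gaps listed above can be checked from an export of the tenant's policies. The script below is an added example written for this page, not Petronella's tooling or Microsoft's. It assumes the input is a list of conditionalAccessPolicy objects in the Microsoft Graph schema (as returned by `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10`); the three SAMPLE_POLICIES, their names and GUIDs are constructed for the example. It checks only the Entra ID network-access half of 3.5.3; privileged local logon (Windows Hello for Business) and the FortiGate VPN are verified separately.

```python
"""Audit exported Entra ID Conditional Access policies for CMMC 3.5.3:
(1) an enabled policy requiring MFA for all users on all cloud apps, and
(2) an enabled policy blocking legacy-auth clients, which cannot satisfy
an MFA grant and would otherwise bypass check (1)."""
import json

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}

# Constructed sample export (hypothetical names and GUIDs, not a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-00000000be0f"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",   # report-only: enforces nothing
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: compliant device or MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["11111111-1111-1111-1111-111111111111"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "mfa"]}},
]


def _covers_all_users_and_apps(policy):
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _client_types(policy):
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return LEGACY_CLIENT_TYPES | MODERN_CLIENT_TYPES if "all" in types else types


def requires_mfa_for_all(policy):
    """True if this enabled policy makes every user satisfy MFA (or an
    authentication strength) on every app over modern clients, with no
    weaker control accepted instead (operator OR lets any control pass)."""
    if policy.get("state") != "enabled" or not _covers_all_users_and_apps(policy):
        return False
    if not MODERN_CLIENT_TYPES <= _client_types(policy):
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls and grant.get("authenticationStrength") is None:
        return False
    others = controls - {"mfa"}
    return not (others and grant.get("operator", "OR") == "OR")


def blocks_legacy_auth(policy):
    """True if this enabled policy blocks Exchange ActiveSync and 'other'
    (basic auth) clients for all users and all apps."""
    if policy.get("state") != "enabled" or not _covers_all_users_and_apps(policy):
        return False
    if not LEGACY_CLIENT_TYPES <= _client_types(policy):
        return False
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    return controls == {"block"}


def audit(policies):
    """Return which policies satisfy each check, the exclusions on the MFA
    policies (each must be justified, e.g. break-glass accounts), and gaps."""
    mfa = [p["displayName"] for p in policies if requires_mfa_for_all(p)]
    legacy = [p["displayName"] for p in policies if blocks_legacy_auth(p)]
    exclusions = {}
    for p in policies:
        if requires_mfa_for_all(p):
            u = p["conditions"]["users"]
            ex = u.get("excludeUsers", []) + u.get("excludeGroups", [])
            if ex:
                exclusions[p["displayName"]] = ex
    gaps = []
    if not mfa:
        gaps.append("no enabled policy requires MFA for all users on all apps")
    if not legacy:
        gaps.append("legacy authentication is not blocked; it bypasses MFA")
    return {"mfa_all_users_policies": mfa, "legacy_auth_block_policies": legacy,
            "mfa_exclusions": exclusions, "gaps": gaps}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

On the sample data the audit reports the report-only legacy-auth policy as a gap: a policy in "enabledForReportingButNotEnforced" state logs what it would have done and blocks nothing, which is exactly the bypass an assessor will test for. The admin-only policy is not counted as the all-users MFA policy both because it targets a role rather than All users and because "compliantDevice OR mfa" lets a compliant device sign in without MFA.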
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-2(1), IA-2(2), IA-2(3) (Rev 4 numbering; in Rev 5, IA-2(3) is withdrawn and local privileged access is covered by IA-2(1)) |
| HIPAA | 164.312(d) - Person or Entity Authentication |
| PCI DSS | Req 8.3 (v3.2.1) - Secure all individual non-console administrative access and all remote access to the CDE with MFA; Req 8.4 in v4.0 |
Need Help Implementing 3.5.3?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment