Security Frameworks with 2-factor Authentication
Keeping up with Two-Factor Authentication Day (2/2/23), we decided to showcase some cybersecurity and compliance frameworks that recommend 2-factor authentication controls. The frameworks we reviewed include:
- FFIEC CAT (The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool)
- CMMC (Cybersecurity Maturity Model Certification)
- PCI DSS (Payment Card Industry Data Security Standard) v3.2.1
- PCI DSS (Payment Card Industry Data Security Standard) v4.0
- CIS v8 (Center for Internet Security), NYDFS (New York State Department of Financial Services)
- CISA (Cybersecurity & Infrastructure Security Agency) Shields Up 2022
- ACET (Automated Cybersecurity Examination Tool) from the NCUA (National Credit Union Association)
- NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) 1.1
- 405(d) HICP (Health Industry Cybersecurity Practices).
Cybersecurity Framework References
The multi-factor authentication controls within these frameworks are listed in the chart below.
| Framework | Reference | Control |
| FFIEC CAT | D3.PC.Am.B.9 | Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. |
| FFIEC CAT | D3.PC.Am.B.15 | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. |
| FFIEC CAT | D3.PC.Am.Int.5 | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution’s network and/or systems and applications. |
| FFIEC CAT | D3.PC.Am.Int.6 | Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). (*N/A if no high risk systems.) |
| CMMC | IA.L2-3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. |
| CMMC | MA.L2-3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
| PCI DSS v3.2.1 | 8.3 | Secure all individual non-console administrative access and all remote access to the CDE (Card Data Environment) using multi-factor authentication. Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. |
| PCI DSS v3.2.1 | 8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE (Card Data Environment) for personnel with administrative access. |
| PCI DSS v3.2.1 | 8.3.2 | Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network. |
| PCI DSS v4.0 | 8.4 | Multi-factor authentication (MFA) is implemented to secure access into the CDE (Card Data Environment) |
| PCI DSS v4.0 | 8.4.1 | MFA is implemented for all non-console access into the CDE for personnel with administrative access. |
| PCI DSS v4.0 | 8.4.2 | MFA is implemented for all access into the CDE. |
| PCI DSS v4.0 | 8.4.3 | MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE |
| PCI DSS v4.0 | 8.5 | Multi-factor authentication (MFA) systems are configured to prevent misuse. |
| PCI DSS v4.0 | 8.5.1 | MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. |
| PCI DSS v4.0 | 8.6 | Use of application and system accounts and associated authentication factors is strictly managed. |
| CIS v8 | 6.3 | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. |
| CIS v8 | 6.4 | Require MFA for Remote Network Access |
| CIS v8 | 6.5 | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. |
| NYDFS | 12a | Multi-factor authentication. Based on its risk assessment, each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems. |
| NYDFS | 12b | Multi-factor authentication shall be utilized for any individual accessing the covered entity’s internal networks from an external network, unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls. |
| CISA Shields Up 2022 | 1.1 | Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication. |
| ACET | 232 | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. |
| ACET | 245 | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution’s network and/or systems and applications. |
| ACET | 246 | Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). |
| NIST CSF 1.1 | PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi- factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| 405(d) HICP | 2.S.A.6 | For devices that are accessed off site, leverage technologies that use multi-factor authentication before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. |
| 405(d) HICP | 3.M.D.1 | Virtual Private Networks (VPNs) should be configured to limit user access based on role-based access control (RBAC) or ABAC rules and to enable MFA. |
| 405(d) HICP | 3.M.D.2 | These [Virtual Desktop Environments] are environments where virtual terminal sessions can be exposed to remote access, allowing your employees to work remotely. Although highly useful for workforce flexibility, virtual desktop environments systems can be compromised easily if they lack MFA. |
| 405(d) HICP | 9.M.C.3 | If remote access is required to manage medical devices, MFA capabilities should be deployed, with HDO acceptance of the system access mode to be used. Depending on the deployment scenario, the device manufacturer may be required to support remote access capabilities. Otherwise, such capabilities should be deployed on a separate component of your existing MFA system to limit exposure if the MFA system is compromised. |
If you want to learn more about 2-factor authentication, please check out our article at Stern Security. To ensure that you’re adhering to all of your cybersecurity controls including 2-factor authentication, use Velocity. You can measure your baseline security for free with Velocity today. Secure the Planet!
