NIST SP 800-171 Rev 2 requirement 3.5.3 mandates the use of multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. MFA requires authentication using two or more different factor categories: something you know (e.g., password or PIN), something you have (e.g., hardware token, smart card, or authenticator app), or something you are (e.g., fingerprint or facial recognition). Privileged accounts — those with elevated permissions such as system administrators, domain admins, or security officers — must be protected with MFA regardless of whether access is local (console) or remote (network). Non-privileged accounts (standard user accounts) must also use MFA when accessing systems over a network connection. This practice directly addresses credential-based attacks by ensuring that a stolen password alone is insufficient to gain access.
Where it stops · what it isn't
- This practice does not define account creation or provisioning procedures — that is addressed by IA-L2-3.5.1 and IA-L2-3.5.2.
- This practice does not cover service accounts, machine-to-machine authentication, or non-interactive processes unless those processes use privileged credentials for human-initiated sessions.
- This practice does not govern the strength of individual authentication factors (e.g., password complexity requirements) — those are addressed by IA-L2-3.5.7 and IA-L2-3.5.8.
- Physical access controls (badge readers, locks) are not a substitute for logical MFA within information systems, even if the physical control involves a biometric.
- This practice does not address federated identity or single sign-on architecture design, though MFA must still be enforced within those architectures when applicable.
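The scope rule in the opening paragraph (privileged accounts on any access path, non-privileged accounts only over the network) and the exclusions listed above can be checked mechanically against authentication records. The following Python is an added example, not part of this page or of NIST SP 800-171; the authenticator names, the `AuthEvent` record layout and the sample logons are all constructed for illustration. It applies the page's two tests: is MFA required for this logon at all, and, if so, were at least two *distinct* factor categories presented in the logical session (a password plus a PIN is still one category, and a biometric at the door is not counted).

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories named in 3.5.3."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping from authenticator names (as they might appear in an
# authentication log) to the category the page lists them under.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "facial_recognition": Factor.ARE,
}

# Physical access controls are not logical MFA even when biometric, so they
# never contribute a factor category to the logon (constructed names).
PHYSICAL_CONTROLS = {"badge_reader", "door_biometric"}


@dataclass(frozen=True)
class AuthEvent:
    account: str
    privileged: bool
    access: str               # "local" (console) or "network"
    authenticators: tuple     # authenticator names presented in this logon
    interactive: bool = True  # False for service / machine-to-machine logons


@dataclass(frozen=True)
class Verdict:
    status: str   # "not_required", "compliant" or "non_compliant"
    reason: str


def mfa_required(event: AuthEvent) -> bool:
    """Scope rule of 3.5.3.

    Privileged accounts need MFA for local and network access; non-privileged
    accounts only for network access. Non-interactive processes are outside the
    practice; a human-initiated session that uses privileged credentials is
    recorded with interactive=True and therefore stays in scope.
    """
    if not event.interactive:
        return False
    if event.privileged:
        return True
    return event.access == "network"


def logical_factor_categories(authenticators) -> set:
    """Distinct factor categories presented in the logical session."""
    categories = set()
    for name in authenticators:
        if name in PHYSICAL_CONTROLS:
            continue  # badge readers and door biometrics do not count
        category = AUTHENTICATOR_CATEGORY.get(name)
        if category is not None:
            categories.add(category)
    return categories


def evaluate(event: AuthEvent) -> Verdict:
    if not mfa_required(event):
        return Verdict("not_required", "outside the scope of 3.5.3")
    categories = logical_factor_categories(event.authenticators)
    if len(categories) >= 2:
        return Verdict("compliant", f"{len(categories)} distinct factor categories")
    return Verdict("non_compliant", f"only {len(categories)} factor category presented")


def audit(events) -> list:
    """Accounts with at least one logon that violates the requirement."""
    return sorted({e.account for e in events if evaluate(e).status == "non_compliant"})


# Constructed sample logon records.
SAMPLE_EVENTS = [
    AuthEvent("domadmin", True, "local", ("password",)),
    AuthEvent("domadmin", True, "network", ("password", "smart_card")),
    AuthEvent("jdoe", False, "local", ("password",)),
    AuthEvent("jdoe", False, "network", ("password", "pin")),
    AuthEvent("asmith", False, "network", ("password", "door_biometric")),
    AuthEvent("svc_backup", True, "network", ("password",), interactive=False),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = evaluate(event)
        print(f"{event.account:11} {event.access:8} {verdict.status:14} {verdict.reason}")
    print("non-compliant accounts:", audit(SAMPLE_EVENTS))
```

Run as a script it prints one line per logon; `audit()` returns the accounts an assessor would follow up on. The two deliberate edge cases in the sample data are `jdoe` over the network with password plus PIN (two authenticators, one category) and `asmith` relying on a door biometric, both of which the check correctly rejects.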
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/identification-and-authentication