16.3: Require Multi-Factor Authentication
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Asset Type | Security Function | Implementation Groups
---|---|---
Users | Protect | 2, 3
Dependencies
Sub-control 16.6: Maintain an Inventory of Accounts
Inputs
1. Account inventory organized by authentication system (from Sub-Control 16.6)
2. Approved configuration(s) to require multi-factor authentication (MFA). This will likely be a configuration for each type of authentication system in use.
Operations
1. For each account in the account inventory (Input 1), check whether that account is configured to require MFA in accordance with the appropriate approved configuration(s) from Input 2.
2. Create a list of accounts that are properly configured to require MFA (M1).
3. Create a list of accounts that are not properly configured to require MFA (M2), noting the deviations from the approved configuration.
Measures
M1 = List of accounts that are properly configured to require MFA (compliant list)
M2 = List of accounts that are not properly configured to require MFA (non-compliant list)
M3 = Count of accounts properly configured to require MFA (count of M1)
M4 = Total number of accounts (count of Input 1)
Metrics
Metric | Calculation
---|---
The ratio of accounts that are properly configured to require MFA to the total number of accounts. | M3 / M4
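The operations and measures above, carried out in code as an added example (not part of the CIS document): the account inventory, the per-system approved MFA configurations, and the field names (`system`, `mfa_required`, `factors`, `allowed_factors`) are all constructed assumptions; the functions produce M1 through M4 and the M3 / M4 metric, recording each non-compliant account's deviations as Operation 3 requires.

```python
# Added example: compute CIS Sub-Control 16.3 measures M1-M4 and the metric.
# All data and field names below are constructed assumptions, not CIS content.

APPROVED_MFA_CONFIG = {  # Input 2: one approved configuration per authentication system
    "idp-saml": {"mfa_required": True, "allowed_factors": {"totp", "fido2"}},
    "vpn":      {"mfa_required": True, "allowed_factors": {"totp", "push"}},
    "saas-hr":  {"mfa_required": True, "allowed_factors": {"fido2"}},
}

ACCOUNT_INVENTORY = [  # Input 1: accounts organized by authentication system
    {"system": "idp-saml", "user": "alice", "mfa_required": True,  "factors": {"fido2"}},
    {"system": "idp-saml", "user": "bob",   "mfa_required": False, "factors": set()},
    {"system": "vpn",      "user": "carol", "mfa_required": True,  "factors": {"sms"}},
    {"system": "vpn",      "user": "dave",  "mfa_required": True,  "factors": {"totp"}},
    {"system": "saas-hr",  "user": "erin",  "mfa_required": True,  "factors": {"fido2"}},
    {"system": "legacy",   "user": "svc1",  "mfa_required": False, "factors": set()},
]


def deviations(account, approved_configs):
    """Return the ways an account deviates from its system's approved MFA configuration."""
    approved = approved_configs.get(account["system"])
    if approved is None:
        # A system with no approved configuration cannot be shown compliant.
        return ["no approved MFA configuration for system %s" % account["system"]]
    found = []
    if approved["mfa_required"] and not account["mfa_required"]:
        found.append("MFA not required")
    disallowed = account["factors"] - approved["allowed_factors"]
    if disallowed:
        found.append("disallowed factors: " + ", ".join(sorted(disallowed)))
    return found


def assess_mfa(inventory, approved_configs):
    """Produce M1 (compliant), M2 (non-compliant with deviations), M3, M4 and the metric."""
    m1, m2 = [], []
    for account in inventory:
        devs = deviations(account, approved_configs)
        if devs:
            m2.append({"account": account, "deviations": devs})
        else:
            m1.append(account)
    m3, m4 = len(m1), len(inventory)
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4,
            "metric": m3 / m4 if m4 else 0.0}  # ratio of compliant accounts to all accounts


if __name__ == "__main__":
    print(assess_mfa(ACCOUNT_INVENTORY, APPROVED_MFA_CONFIG)["metric"])  # 0.5
```

Accounts on a system that has no approved configuration (`svc1` on `legacy` above) land in M2 rather than M1, so a gap in Input 2 lowers the metric instead of silently inflating it.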