3.5.3 — MFA Everywhere
What It Says
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
What It Actually Means
MFA is required in three specific scenarios. Miss any one and the entire requirement is NOT MET:
- Local access to privileged accounts — an admin logging into a server console or workstation with an admin account must use MFA. Not just a password.
- Network access to privileged accounts — an admin connecting remotely to any system with elevated privileges must use MFA.
- Network access to non-privileged accounts — any user connecting to CUI systems over the network (VPN, cloud apps, remote desktop, web applications) must use MFA.
The word “network” is critical. A user sitting at their desk logging into their local workstation with a standard account is the only scenario where MFA isn’t explicitly required by this control — and even then, best practice says use it.
This requirement cannot be placed on a POA&M. You must have MFA fully implemented before the assessment. There is no conditional certification path for this one.
MFA strength matters too. SMS-based MFA is technically MFA but it’s vulnerable to SIM swapping. The assessor may question SMS-only implementations. FIDO2 keys, authenticator apps, and Windows Hello for Business are stronger choices.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are privileged accounts identified? | A documented list of every admin/privileged account |
| 2 | Is MFA implemented for local access to privileged accounts? | Admin logging into a server console uses MFA — demonstrate it |
| 3 | Is MFA implemented for network access to privileged accounts? | Admin connecting remotely uses MFA — demonstrate it |
| 4 | Is MFA implemented for network access to non-privileged accounts? | Standard user connecting over the network uses MFA — demonstrate it |
What to Have Ready on Assessment Day
Documents they’ll review: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts
People they’ll talk to: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers
Live demos they’ll ask for: Mechanisms supporting or implementing multifactor authentication capability
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me your list of privileged accounts. How many are there and what systems do they administer?”
- “Log in to a server with an admin account — show me the MFA prompt.”
- “Connect to VPN with a standard user account — show me the MFA step.”
- “Access a CUI cloud application — show me MFA is enforced.”
- “What MFA method do you use? Is it phishing-resistant?”
- “Are there any accounts or access paths that don’t require MFA? Why?”
- “Show me your Conditional Access policies enforcing MFA.”
Where Companies Trip Up
MFA on some systems but not all. Cloud apps have MFA but VPN doesn’t. Or VPN has MFA but local admin logins don’t. Cover all three scenarios explicitly.
SMS-only MFA. SMS is vulnerable to SIM swapping. The assessor may question it. Authenticator apps, FIDO2 keys, or Windows Hello are stronger and demonstrate security maturity.
Service accounts without MFA or equivalent. A service account with domain admin privileges that authenticates with just a password. Use managed identities, certificate-based auth, or other compensating controls.
Break-glass accounts without MFA. Emergency access accounts that bypass MFA ‘just in case.’ These still need MFA or an equivalent control — document the compensating control if MFA truly isn’t possible.
Trying to POA&M this requirement. This is one of a small number of requirements that cannot be deferred. It must be MET before the assessment. No conditional certification without MFA.
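The three-scenario breakdown above and the trip-ups just listed (partial coverage, SMS-only factors, service accounts, undocumented break-glass exceptions) reduce to a small decision table. The script below encodes that table as a self-check over an access-path inventory. It is an added example, not code from this guide or from any vendor; the inventory records, the factor categories and the compensating-control names are constructed for illustration, and the row numbers refer to the Pass or Fail table on this page.

```python
"""Self-check of an access-path inventory against NIST SP 800-171 3.5.3.

Added example (not part of the guide). Every access path is described by
the account it uses, whether that account is privileged, whether the
access is local (console) or over the network, and which MFA method or
documented compensating control is enforced on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Factor categories used by this example; these names are this script's
# own labels, not a standard taxonomy.
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate", "smartcard"}
ACCEPTABLE = PHISHING_RESISTANT | {"authenticator_app", "totp", "push"}
WEAK = {"sms", "voice"}  # real MFA, but exposed to SIM swapping
# Non-interactive identities cannot complete an MFA prompt; these count
# only when the control is written into the system security plan.
COMPENSATING = {"managed_identity", "workload_certificate", "gmsa"}


@dataclass
class AccessPath:
    name: str
    account: str
    privileged: bool
    network: bool                       # False = local/console access
    mfa_method: Optional[str]           # None = password only
    compensating_control: Optional[str] = None
    documented: bool = False            # compensating control is in the SSP


@dataclass
class Finding:
    path: str
    row: Optional[int]   # Pass/Fail table row 2, 3 or 4; None = not in scope
    status: str          # MET | MET (compensating) | WEAK | NOT MET | N/A
    note: str


def required_row(p: AccessPath) -> Optional[int]:
    """Map an access path to the Pass/Fail row that covers it."""
    if p.privileged and not p.network:
        return 2          # local access, privileged account
    if p.privileged and p.network:
        return 3          # network access, privileged account
    if p.network:
        return 4          # network access, non-privileged account
    return None           # local, non-privileged: the one uncovered scenario


def assess(p: AccessPath) -> Finding:
    row = required_row(p)
    if row is None:
        return Finding(p.name, None, "N/A",
                       "local non-privileged access; not required by 3.5.3")
    method = (p.mfa_method or "").lower()
    if method in ACCEPTABLE:
        tag = "phishing-resistant" if method in PHISHING_RESISTANT else "acceptable"
        return Finding(p.name, row, "MET", f"{method} ({tag})")
    if method in WEAK:
        return Finding(p.name, row, "WEAK",
                       f"{method} is MFA but vulnerable to SIM swapping")
    if p.compensating_control:
        if p.compensating_control in COMPENSATING and p.documented:
            return Finding(p.name, row, "MET (compensating)",
                           f"{p.compensating_control}, documented in SSP")
        return Finding(p.name, row, "NOT MET",
                       f"compensating control '{p.compensating_control}' "
                       "is undocumented or not recognised")
    return Finding(p.name, row, "NOT MET", "password only")


def rows_covered(findings: List[Finding]) -> Dict[int, bool]:
    """Per table row: True only when no in-scope path on that row is NOT MET."""
    covered = {2: True, 3: True, 4: True}
    for f in findings:
        if f.row is not None and f.status == "NOT MET":
            covered[f.row] = False
    return covered


def overall(findings: List[Finding]) -> str:
    # A single NOT MET fails the requirement; 3.5.3 cannot go on a POA&M.
    return "NOT MET" if any(f.status == "NOT MET" for f in findings) else "MET"


# Constructed sample inventory (hypothetical hosts and accounts).
SAMPLE_INVENTORY = [
    AccessPath("srv01 console", "da-jsmith", True, False, "windows_hello"),
    AccessPath("RDP to srv01", "da-jsmith", True, True, "authenticator_app"),
    AccessPath("VPN", "jdoe", False, True, None),
    AccessPath("M365 web", "jdoe", False, True, "sms"),
    AccessPath("svc-backup job", "svc-backup", True, True, None, "gmsa", True),
    AccessPath("break-glass portal", "bg-01", True, True, None,
               "vaulted password + alerting", False),
    AccessPath("desk workstation", "jdoe", False, False, None),
]

if __name__ == "__main__":
    results = [assess(p) for p in SAMPLE_INVENTORY]
    for f in results:
        print(f"row {f.row!s:>4}  {f.status:<18} {f.path:<20} {f.note}")
    print("rows covered:", rows_covered(results))
    print("3.5.3 overall:", overall(results))
```

Run as-is, the sample fails rows 3 and 4: the password-only VPN path and the undocumented break-glass exception each produce a NOT MET, while the SMS path is reported as WEAK so it can be raised before the assessor does. Swap in your own inventory; anything still marked NOT MET has to be fixed, not deferred.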
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.5.4 — Replay-Resistant Auth | MFA methods like TOTP and FIDO2 provide the replay resistance required here |
| 3.1.12 — Eyes on Remote Access | MFA is required for the remote access sessions monitored here |
| 3.7.5 — MFA for Remote Maintenance | MFA specifically for remote maintenance sessions |
| 3.1.15 — Admin Commands Over the Wire | Remote admin access that requires MFA from this control |
| 3.5.2 — Verify Before Entry | MFA is the strongest form of the authentication required here |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: IA.L2-3.5.3 | SPRS Weight: 5 points | POA&M Eligible: No