Understanding IA.L2-3.5.3: Multifactor Authentication (MFA) RequirementTheIA.L2-3.5.3practice, derived fromNIST SP 800-171 (Requirement 3.5.3), requires thatmultifactor authentication (MFA) be implemented for both privileged and standard userswhen accessing:
✔Organizational endpoints(e.g., laptops, desktops, mobile devices).
✔Network resources(e.g., VPNs, internal systems).
✔Cloud services containing Controlled Unclassified Information (CUI).
Key Requirement for a "MET" RatingFor IA.L2-3.5.3 to beMet, the organization must:
Require MFA for all privileged users(e.g., system administrators).
Require MFA for standard users accessing endpoints and network resources.
Implement MFA across all relevant systems.
Sincestandard users do not require MFA in the OSC’s current implementation, the practiceis not fully implementedand must be ratedNOT MET.
A. The process is running correctly → Incorrect
MFA isonly applied to privileged users, but it isalso required for standard users. The process isnot fully implemented.
B. It is out of scope as this is a new acquisition → Incorrect
C. The new acquisition is considered Specialized Assets → Incorrect
Specialized assets (e.g., IoT, legacy systems) may have alternative security controls, but standard users and endpointsmust still comply with MFA.
D. Practice is NOT MET since the objective was not implemented → Correct
MFA must be enabled for both privileged and standard usersaccessing endpoints and network resources. Since standard users are excluded, the practice isNOT MET.
Why is the Correct Answer "D" (Practice is NOT MET since the objective was not implemented)?
CMMC 2.0 Level 2 (Advanced) Requirements
NIST SP 800-171 (Requirement 3.5.3 – MFA Implementation)
Requires MFA forall user types, including privileged and standard users.
CMMC Assessment Process (CAP) Document
States that a practicemust be fully implemented to be considered MET. Partial implementation meansNOT MET.
CMMC 2.0 References Supporting This Answer:
