Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?
Explanation
Multifactor authentication requires users to provide two or more verification factors to gain access to a resource, significantly reducing the risk of unauthorized access even if passwords are compromised. Common MFA implementations include combinations of something you know (password), something you have (security token or mobile app), and something you are (biometric verification).
Evidence of MFA implementation could include screenshots of MFA configuration settings in your identity management system, a documented MFA policy, user enrollment statistics showing the percentage of accounts with MFA enabled, or system logs demonstrating successful MFA challenges.
Implementation Example
Require multifactor authentication
ID: PR.AA-03.200
Context
- Function: PR: PROTECT
- Category: PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category: Users, services, and hardware are authenticated
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

