bkaufman
Aug 25, 2020 (Copper Contributor)
CMMC - does it require MFA at network login?
"NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts" Some debate inside my company about whether ...
- Aug 25, 2020
bkaufman There is a strong argument that MFA is applied at the device in order to protect data on the device as well as the local area network. This is especially true for legacy authentication with applications that may not natively support MFA. We have been working with many working groups to gain clarity on the fit for Windows Hello for Business satisfying the device-based MFA, and transitive to remote networks as well.
Thomish
Sep 30, 2020 (Copper Contributor)
We have been working with a 3rd party to help with compliance and they have told us the following: If a client machine is connected to the network housing the CUI (as defined by your network boundary in your System Security Plan), then it must use MFA.
If you have a separate part of your network that is logically separated from the CUI network (e.g. you have placed a firewall in between), then that part of your network would fall outside of the CUI network boundary (again, as shown in your SSP) and thus the security controls would not apply (no MFA).
TLDR: if the PC is logging into the same network where CUI lives, or CUI resides on the device, you need MFA.