Forum Discussion
bkaufman
Aug 25, 2020 Copper Contributor
CMMC - does it require MFA at network login?
"NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts" Some debate inside my company about whether ...
- Aug 25, 2020
bkaufman There is a strong argument that MFA is applied at the device in order to protect data on the device as well as the local area network. This is especially true for legacy authentication with applications that may not natively support MFA. We have been working with many working groups to gain clarity on the fit for Windows Hello for Business satisfying the device-based MFA, and transitive to remote networks as well.
bduszkie1325
Feb 17, 2021 Copper Contributor
bkaufman We have taken this to mean that logging in to the network that houses CUI data, or the system that is on the CUI network, shall require MFA. We have taken the literal translation of the controls and applied them to our customers.
In your situation, if people are signing into systems and/or networks that are not in a CUI perimeter or boundary, then the MFA requirement and all other NIST and CMMC requirements would not apply.