>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IA-2(2)Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Implement multi-factor authentication for access to non-privileged accounts.

>DoD Impact Level Requirements

Additional Requirements and Guidance

IA-2 (2) Requirement: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL). IA-2 (2) Requirement: Multi-factor authentication must be phishing-resistant. IA-2 (2) Guidance: Multi-factor authentication to subsequent components in the same user domain is not required.

>Discussion

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S.

Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk.

Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

>Programmatic Queries

Beta

Related Services

IAM
Cognito
AWS SSO

CLI Commands

Enable MFA for all users in account
aws iam get-account-summary --query 'SummaryMap.{Users:Users,MFADevices:MFADevices}'
List users without MFA
aws iam get-credential-report && grep -v ',true' account_credential_report.csv
Require MFA for console access
aws iam put-user-policy --user-name USERNAME --policy-name MFA-Required --policy-document file://mfa-policy.json
Open AWS ConsoleDocumentation

>Related Controls

AC-5

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-2(2) (Multi-Factor Authentication To Non-Privileged Accounts)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-2(2)?
  • How frequently is the IA-2(2) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-2(2) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-2(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-2(2)?
  • How is IA-2(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-2(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-2(2)?
  • What audit logs, records, reports, or monitoring data validate IA-2(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-2(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-2(2) compliance?

Ask AI

Configure your API key to use AI features.