6.5: Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Users |
Protect |
1, 2, 3 |
Dependencies
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Safeguard 5.1: Establish and Maintain an Inventory of Accounts
Inputs
GV22: Inventory of accountsGV3: Configuration Standard
Operations
Using
GV22identify and enumerate all administrative accounts (M1)- For each administrative account identified in Operation 1 check configurations in
GV3 Identify and enumerate administrative accounts properly configured to require MFA (M2)
Identify and enumerate administrative accounts not properly configure to require MFA (M3)
- For each administrative account identified in Operation 1 check configurations in
Measures
M1 = Count of administrative accounts
M2 = Count of administrative accounts properly configured to require MFA
M3 = Count of administrative accounts not properly configured to require MFA