The Cybersecurity Maturity Model Certification (CMMC) 2.0 requires a multilayered approach to information security. Of the 171 practices listed in the CMMC 2.0 cybersecurity framework, 11 fall into the domain of identification and authentication (IA), which deals with user credentials such as usernames and passwords.
Most organizations will be aiming for a Level 2 CMMC assessment, at least to begin with, since this is required for handling controlled unclassified information (CUI) as a defense contractor. One of the most important practices introduced at CMMC Level 2 explicitly requires multifactor authentication for local and networked access to privileged accounts, as well as for networked access to non-privileged accounts.
Here’s what that means and why it matters in the age of cloud computing:
What is multifactor authentication?
The most basic authentication method, which has been around since the dawn of computing, is the username and password combination. Multifactor authentication (MFA) introduces one or more additional authentication measures to serve as extra layers of security. One common example everyone will be familiar with is using a payment card to withdraw cash from an ATM. The card itself is the first authentication measure (something you have), while the PIN code you enter is the second (something you know).
Authentication factors may include the following:
- Knowledge – something the user knows, such as a password
- Possession – something the user has, such as a one-time security token
- Inherence – something inherent to the user, such as a fingerprint scan
- Location – a specific location (or locations) from which users are permitted access
The goal of MFA is to create layered defenses so that a single compromised credential is no longer enough for an unauthorized user to reach a target system. MFA is now a vital component of account-based security, especially at a time when many business-critical systems are hosted in the cloud and routinely accessed from off-site locations.
#1. Protect against password theft
Overreliance on passwords leaves accounts highly vulnerable to social engineering scams, many of which specifically target username and password combinations. These scams normally take the form of phishing emails purporting to be from a trusted friend or colleague, or a malicious website masquerading as one belonging to a legitimate organization.
MFA is extremely effective in protecting accounts from these scams, simply because it is much harder for the attacker to obtain the additional authentication information as well. This is especially the case with single-use tokens, which expire quickly, and biometric data, which is inherent to the user.
#2. Follow the zero trust principles
The zero trust approach to security holds that no login should ever be assumed to be legitimate; every access request must be verified. It often works together with the principle of least privilege, under which user accounts and individual systems are granted access only to the data they actually require to perform their roles.
MFA enforces zero trust policies by always asking users to verify their identities, and in particular when they are logging on from an unfamiliar device, network, or geographical location. This also helps achieve compliance with CMMC Level 2.
#3. Implement with single sign-on
Having to remember dozens of different sets of login credentials is one of the main causes of poor password habits, such as reusing the same password for multiple accounts. Adding further authentication steps can make things even more cumbersome, but it doesn’t have to be this way.
In business environments, MFA is typically combined with single sign-on (SSO), which allows users to use a single set of login credentials and additional authentication measures to access all the apps and data they need to do their jobs.
#4. Safeguard mobile workforces
While few can deny the benefits of workforce mobility, remotely accessing business systems that store or transmit CUI and other sensitive data carries some unique risks. After all, greater accessibility also means potentially easier access for attackers. This is especially the case for remote workers connecting over unsecured wireless networks.
Implementing MFA helps secure the transition from working in the office to working from home and elsewhere by protecting and monitoring access to online accounts. This is another core requirement for passing a CMMC assessment, especially at the higher levels.
Charles IT provides multifactor authentication solutions to help protect your employees against social engineering scams and password-hacking attempts. Get in touch today to learn more!
This blog was updated in October 2024 for accuracy.