CMMC Practice Requirement:

Use multi-factor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts.

CMMC Requirement Explanation:

The traditional authentication uses a single factor, typically a password. Multifactor authentication requires that a second factor also be used. Examples includes a PIN from a mobile or bio metric fingerprint. Multifactor authentication significantly reduces the likely hood of an attacker being able to gain access to your accounts. You need to protect accounts accessed over the network with Multifactor authentication. Network Access means access to a system by a user communicating through a network (e.g., local area network, wide area network, internet). You need to protect privileged local accounts with MFA. Local access means access to a system by a use communicating through a direct connection without the use of a network. An example is the local admin account on laptop.

Example CMMC Implementation:

Implement a multi-factor authentication in your environment. If you use active directory sync it with your Multi-factor authentication (MFA) solution. Any logons occurring over a network need to be protected with MFA. Below are a few common examples: If users are logging into their workstations using their active directory account then setup MFA on the workstation. If employees use a local non-privileged account to log into their laptop then MFA is not required to protect the account however using MFA is always advised. If you have local admin accounts on your systems protect them with MFA. Protect all accounts used to access cloud services (e.g., Office 365) with MFA. Require MFA for remote VPN connections. Setup MFA for SSH connections.


- Scenario 1:

You use active directory to manage user accounts for your systems. As a result, most access to your systems occurs over the network. To protect these accounts you use multifactor authentication.

- Scenario 2:

You have a small company with 10 employees. All employees log into their workstations using their local unprivileged user accounts. Because the accounts are accessed locally and are unprivileged you have not protected them with MFA. The employees workstations do have a local admin account used by your system administrator. Each of the local admin accounts is protected by MFA because they are privileged accounts.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance