Multi-Factor Authentication Policy

PS-19-001 Multi-factor Authentication Policy

Issue Date: 7/1/2018

Effective Date: 7/1/2019

 

PURPOSE

The purpose of an Enterprise Multi-Factor Authentication (MFA) Policy is to enable a means of strong authentication for those users who have access to sensitive information and information systems resources, or who have a privileged level of system support access, while ensuring ease of use and adoption for the user(s). The adoption of an Enterprise Multi-Factor Authentication (MFA) Policy will reduce the likelihood of unauthorized access, provide demonstrated compliance with federal and industry mandates, and enable the solicitation, assessment, and selection of MFA solutions that will implement the requirements of this policy.

 

SCOPE and AUTHORITY

Information Technology Policies, Standards and Guidelines (PM-04-001)

Enterprise Information Security Charter (PS-08-005)

POLICY

Agencies shall use Multi-Factor Authentication (MFA) for all network access to privileged accounts, as outlined in NIST Special Publication 800-53 Revision 4 and as required by federal regulatory requirements.

 

RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES

Authorization and Access Management (SS-08-010)

 

TERMS and DEFINITIONS

 

Multi-Factor Authentication (sometimes referred to as two-factor authentication or 2FA) is a security enhancement that allows you to present two pieces of evidence when logging in to an account.

 

A Privileged User/Account is a user or account that, by virtue of function and/or seniority, has been allocated powers within the computer system that are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users.
