Effective Date 7/1/2021

PURPOSE

The purpose of an Enterprise Multi-Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information system resources while ensuring ease of use and adoption for the user(s). The adoption of an Enterprise Multi-Factor Authentication (MFA) Policy will reduce the likelihood of unauthorized access, provide demonstrated compliance with federal and industry mandates, and enable the solicitation, assessment, and selection of MFA solutions that implement the requirements of this policy.


SCOPE and AUTHORITY

Information Technology Policies, Standards and Guidelines (PM-04-001)

Enterprise Information Security Charter (PS-08-005)


POLICY

All agencies shall ensure that their employees and contracted staff use Multi-Factor Authentication (MFA) for local and network access for all user accounts on state-managed systems, as outlined in NIST Special Publication 800-53 Revision 5, NIST Special Publication 800-63B, and in some federal regulatory requirements.


RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES

Authorization and Access Management (SS-08-010)

Multifactor Authentication (PS-19-001) - *Retired*


TERMS and DEFINITIONS

Multi-Factor Authentication (sometimes referred to as two-factor authentication or 2FA) is a security enhancement that requires a user to present two pieces of evidence when logging in to an account.


Local Access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks.


Network Access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal access).


Remote Access is a type of network access that involves communication through external networks (e.g., the Internet).