Multi-Factor Authentication Policy (RETIRED) (PS-19-001)
PS-19-001 Multi-factor Authentication Policy
Issue Date: 7/1/2018
Effective Date: 7/1/2019
The purpose of an Enterprise Multi‐Factor Authentication (MFA) Policy is to enable a means of strong authentication for those users with access to sensitive information and information systems resources, or have a privileged level of system support access, while ensuring ease of use and adoption for the user(s). The adoption of an Enterprise Multi‐Factor Authentication (MFA) Policy will reduce the likelihood of unauthorized access, provide demonstrated compliance to federal and industry mandates, as well as enable the solicitation, assessment, and selection of MFA solutions that will implement the requirements of this policy.
SCOPE and AUTHORITY
Information Technology Policies, Standards and Guidelines (PM-04-001) Enterprise Information Security Charter (PS-08-005)
Agencies shall use Multi-Factor authentication (MFA) for all network access to privileged accounts as outlined in NIST Special Publication 800-53 Revision 4 and required in federal regulatory requirements.
RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES
Authorization and Access Management (SS-08-010)
TERMS and DEFINITIONS
Multi-Factor Authentication (sometimes referred to as two-factor authentication or 2FA) is a security enhancement that allows you to present two pieces of evidence when logging in to an account.
Privileged User/Accounts is a User/Account that by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and Network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users.