Multi-Factor Authentication (MFA) for NIST 800-171 Compliance - Requirement #3.5.3


One of the most common technical questions we receive is about implementing Multi-Factor Authentication (MFA) as part of NIST 800-171 compliance (requirement #3.5.3: "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts").

When you cut through the hype for MFA products, there are generally two ways to incorporate MFA:

- Out-of-Band (OOB) (e.g., accept an alert in an app on your phone, or receive a call or text message with a One-Time Password (OTP))

- Cryptographic Token (e.g., digital certificate, keyfob, USB)

When it comes down to it, a company may have to incorporate more than one type of MFA to comply with NIST 800-171, since many businesses operate in a hybrid environment where some of their data is stored locally and some is hosted in the cloud. 

For companies with everything on-site and an Active Directory (AD) domain, using digital certificates (e.g., smart-card logon) is most likely the most painless and seamless way to incorporate MFA. However, that is generally not an option with most cloud providers, so OOB MFA solutions have to be considered for those environments. With hybrid models, it is likely going to be a mix of MFA solutions. Regardless, choosing an MFA technology comes down to two things:

#1 - Know what your Controlled Unclassified Information (CUI) is!

#2 - Once you know what your CUI is, know where it is stored, transmitted and processed so you can segment it off from non-CUI data to minimize compliance scope!

If you don't know how to do those steps, we have some great references available here.

If you are looking for a good, vendor-neutral place to start learning about MFA, a good reference is the PCI Security Standards Council information supplement on MFA from February 2017. Since there are many similarities between protecting the Cardholder Data Environment (CDE) for PCI DSS compliance and protecting CUI under DFARS/NIST 800-171, it is worth taking a look at what the PCI Security Standards Council recommends as possible compliance solutions. After all, why reinvent the wheel?
