8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access.
Defined Approach Requirements
8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access.
Customized Approach Objective
Administrative access to the CDE cannot be obtained by the use of a single authentication factor.
Applicability Notes
The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection—that is, via logical access occurring over a network interface rather than via a direct, physical connection.
Defined Approach Testing Procedures
8.4.1.a Examine network and/or system configurations to verify MFA is required for all non-console access into the CDE for personnel with administrative access.
8.4.1.b Observe administrator personnel logging into the CDE and verify that MFA is required.
Purpose
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Good Practice
Implementing MFA for non-console administrative access to in-scope system components that are not part of the CDE will help prevent unauthorized users from using a single factor to gain access and compromise in-scope system components.
Definitions
Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Purpose
Ensure authentication factors are protected from unauthorized disclosure and replay.
Compliance Strategies
- Encrypt authentication factors
- One-time use codes
Typical Policies
- Authentication Factor Security Policy
Common Pitfalls
- Plaintext credentials
- Reuse of authentication codes
Type
Technical Control
Difficulty
High
Key Risks
- Credential theft
Recommendations
- Use secure authentication factor storage and transmission
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER