Beat the Toughest CMMC Level 3 Requirements: Multifactor Authentication

SMB suppliers across the US Defense Industrial Base (DIB) are beginning to assess the effort required to pass a Cybersecurity Maturity Model Certification (CMMC) compliance audit. CMMC Level 3 involves about 130 interconnected controls, and not every company has sufficient information security expertise in-house to interpret the DoD’s guidance, conduct a “gap assessment” and prioritize remediation steps.

To help SMB defense suppliers find their path to CMMC Level 3 audit readiness, Pivot Point Security CISO and Managing Partner John Verry recorded a special episode of The Virtual CISO Podcast detailing the six most common and critical issues we are seeing with our SMB clients seeking CMMC certification, along with tips on how best to address them.

This post focuses on multifactor authentication (MFA). Don’t miss the blog posts covering the other five top challenges.

  1. Mobile Device Management
  2. Multifactor Authentication
  3. End-to-End Encryption
  4. Email Spam Protection and Sandboxing
  5. Logging and Alerting

How to Beat CMMC Level 3’s Multifactor Authentication Requirements

Within the Identification and Authentication (IA) practice, CMMC Level 3 states: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” Sounds pretty all-encompassing! But what does that mean for cloud-based systems, for instance? And what accounts are considered privileged?

“MFA is actually one of the more confusing areas of CMMC,” shares John. “The simplest way to look at this is that MFA for all users is really what your target should be. I say that for two reasons. One is that we don’t know exactly how this will be adjudicated by the CMMC AB C3PAO auditors. So, we don’t want [a nonconformity] to occur.”

“The second thing is that, honestly, MFA is one of the single most important mechanisms to reduce the likelihood that your organization has a breach or is hacked. And at the end of the day, we want to be certified — but we also want to be secure, right? This is national defense. This is our national economy. And with the minimal amount of additional overhead associated with MFA for all user accounts, it’s a no-brainer to do that,” John adds.

Affordable, easy-to-use tools are available to help SMBs implement MFA, like the free authenticators offered with Microsoft 365 or Google G Suite. For those that need a more powerful MFA solution to integrate with legacy applications or meet other specific needs, John recommends leading MFA products like Centrify and Okta.

“We see credential thefts, credential stuffing attacks, things of that nature… Once somebody has your password, they are you, right? They have access to the CUI [Controlled Unclassified Information],” adds John. By adding a second factor, even if you have my password, you still can’t get to the CUI.”

“Everybody should be using MFA on any information that’s important to them, is my opinion at this point in time,” John stresses.

If your business faces a CMMC Level 3 audit, you need to hear this special episode of The Virtual CISO Podcast with John Verry.

To listen to this show end-to-end, and along with all our other episodes, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

We are a trusted source of simple, practical, and actionable information security guidance.