MFA for CMMC: How to Actually Satisfy IA.L2-3.5.3
Multi-factor authentication sounds like a solved problem. You turn it on, and you are done. In a CMMC Level 2 assessment it is one of the most commonly misimplemented controls, because IA.L2-3.5.3 is more specific than most contractors realize. It does not just say "use MFA." It dictates where, for whom, and what counts as a factor.
What the Control Actually Requires
IA.L2-3.5.3 requires multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. Read that carefully. Privileged accounts need MFA for both local and network access. Regular user accounts need it for network access. The factors must come from at least two of three categories: something you know, something you have, and something you are.
Where Implementations Fall Short
The gaps an assessor finds are rarely the front door. They are the side doors:
- Admin and service accounts skipped: privileged accounts are exactly where MFA matters most, yet break-glass and service accounts are often exempted without compensating controls.
- Local privileged access ignored: teams enforce MFA on network logins but leave local administrator access single-factor.
- Weak second factors: SMS codes are widely considered weak. Phishing-resistant methods are the stronger answer.
- Two passwords are not MFA: a password plus a security question is two of the same category, not two factors.
- Coverage gaps in legacy systems: an old application that cannot do MFA still needs a documented compensating control, not silence.
How to Get It Right
Start by inventorying every account that can reach your CUI environment and labeling each as privileged or non-privileged. Then enforce MFA according to the control: both local and network access for privileged accounts, network access for the rest. Favor phishing-resistant factors such as hardware security keys or authenticator apps over SMS. For any system that genuinely cannot support MFA, write down the compensating control and the risk decision so the assessor sees a deliberate choice rather than an oversight. Finally, keep evidence: configuration screenshots, policy language, and a dated record showing enforcement is live.
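The inventory-and-enforcement procedure above, together with the side-door gaps listed earlier, can be turned into a repeatable readiness check. The script below is an added example written for this article, not CMMC Operator's tooling or any assessor's method; the factor-category table, the inventory format, the field names and the sample accounts are constructed assumptions. It labels each account, checks the access paths IA.L2-3.5.3 requires for that label, rejects two factors drawn from the same category, flags SMS as a weak factor, and demands a documented compensating control for any account that cannot do MFA.

```python
"""Readiness check for IA.L2-3.5.3 over a constructed account inventory.

Added illustration for this article; the factor table, inventory layout and
sample accounts are assumptions, not a real environment's data.
"""
from dataclasses import dataclass

# Map each factor type to its category from the control text: know / have / are.
# (Assumed naming for this example.)
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "sms_otp": "have",
    "totp_app": "have",
    "fido2_key": "have",
    "smart_card": "have",
    "fingerprint": "are",
}

# Factors the article calls weak; phishing-resistant methods are preferred.
WEAK_FACTORS = {"sms_otp"}


@dataclass
class Account:
    name: str
    privileged: bool
    # Access path -> factors enforced on that path, e.g. {"network": [...]}.
    factors: dict
    mfa_capable: bool = True
    compensating_control: str = ""


def required_paths(account):
    """Access paths on which IA.L2-3.5.3 requires MFA for this account."""
    return ("local", "network") if account.privileged else ("network",)


def is_mfa(factors):
    """True only when the factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY.get(f, "unknown") for f in factors}
    categories.discard("unknown")
    return len(categories) >= 2


def check_account(account):
    """Return a list of findings; an empty list means the account passes."""
    findings = []
    if not account.mfa_capable:
        # A system that cannot do MFA needs a written compensating control.
        if not account.compensating_control:
            findings.append("no MFA support and no documented compensating control")
        return findings
    for path in required_paths(account):
        factors = account.factors.get(path, [])
        if not is_mfa(factors):
            listed = ", ".join(factors) or "none"
            findings.append(f"{path} access is single-factor ({listed})")
        weak = WEAK_FACTORS & set(factors)
        if weak:
            findings.append(f"{path} access relies on weak factor {', '.join(sorted(weak))}")
    return findings


def check_inventory(accounts):
    """Evaluate every account and key the findings by account name."""
    return {a.name: check_account(a) for a in accounts}


# Constructed sample inventory covering each gap the article describes.
SAMPLE_INVENTORY = [
    Account("alice-admin", True, {"local": ["password", "fido2_key"],
                                  "network": ["password", "fido2_key"]}),
    # Local admin access left single-factor while network access has MFA.
    Account("bob-admin", True, {"local": ["password"],
                                "network": ["password", "totp_app"]}),
    # Password plus security question: two "know" factors, not MFA.
    Account("carol", False, {"network": ["password", "security_question"]}),
    # Real second factor, but SMS.
    Account("dave", False, {"network": ["password", "sms_otp"]}),
    # Legacy service account with no MFA support and no paperwork.
    Account("svc-legacy-erp", True, {}, mfa_capable=False),
    # Same situation, but the risk decision is written down.
    Account("svc-backup", True, {}, mfa_capable=False,
            compensating_control="isolated management VLAN, logged jump host (example text)"),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("    - " + finding)
```

Point it at an export of your real account inventory and keep the dated output alongside the configuration screenshots; the findings list is the gap list an assessor would otherwise produce for you.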
MFA Readiness Checklist
- Inventory all accounts touching CUI and tag each privileged or non-privileged.
- Enforce MFA for local and network access on privileged accounts.
- Enforce MFA for network access on non-privileged accounts.
- Replace SMS factors with phishing-resistant methods where possible.
- Document compensating controls for any system that cannot support MFA.
- Capture dated evidence that enforcement is configured and active.
CMMC Operator provides compliance readiness resources for informational and planning purposes only. This article is not legal advice, an assessment determination, or a substitute for a qualified C3PAO or GRC advisor. Validate your MFA implementation against the current NIST SP 800-171 and CMMC assessment guidance for IA.L2-3.5.3.