IA.L2-3.5.2[a]: Identify All Accounts That Require Multifactor Authentication

Mapped to NIST 800-171 Requirement: 3.5.2
CMMC Assessment Objective: IA.L2-3.5.2[a]

What This Objective Means
This control is the starting point for implementing MFA. You must first determine which accounts require it and document those requirements clearly.
This typically includes:
• All accounts with privileged access
• Remote access users (e.g., VPN, remote desktop)
• Administrative or root accounts
• Users accessing CUI from outside the enclave
• Cloud platform and SaaS admin accounts
This inventory informs the enforcement policies you’ll implement in the next steps.

Why It Matters
Without identifying which accounts require MFA:
• You risk inconsistent enforcement
• High-privilege accounts may be left vulnerable
• Auditors cannot verify MFA policies are aligned with access types
• Attackers may target underprotected access points
Security begins with visibility—especially when it comes to authentication.

How to Implement It
1. Inventory All Accounts
• Perform a full user and service account audit
• Categorize by access level, location (internal/external), and role
2. Identify MFA Requirements by Role
• Flag accounts that meet one or more of the following:
◦ Remote access
◦ Admin or elevated privileges
◦ Access to CUI or sensitive systems
◦ Cloud service management
3. Document MFA Applicability
• Maintain a list or table showing:
◦ Account name/type
◦ Reason for MFA
◦ MFA method required
4. Align with Policy
• Ensure your policies reflect which accounts are subject to MFA requirements
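
Steps 1 through 3 can be scripted against an account export. The sketch below is an added example, not Cuick Trac tooling: it flags accounts against the four criteria above and produces the applicability table plus a list of MFA-required accounts that are not yet enrolled. The CSV column names, the sample accounts and the method labels in `METHOD_BY_TYPE` are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions, not a real export format.
SAMPLE_INVENTORY = """account,type,privileged,remote_access,cui_access,cloud_admin,mfa_enrolled
jsmith,user,no,yes,yes,no,yes
svc-backup,service,yes,no,yes,no,no
root@fs01,admin,yes,no,no,no,no
mlee,user,no,no,no,no,no
aws-orgadmin,admin,yes,yes,no,yes,yes
"""

# The four flagging criteria from step 2, keyed by the (assumed) inventory column.
CRITERIA = {
    "remote_access": "Remote access",
    "privileged": "Admin or elevated privileges",
    "cui_access": "Access to CUI or sensitive systems",
    "cloud_admin": "Cloud service management",
}

# Assumed placeholder policy: replace with the methods your own policy names.
METHOD_BY_TYPE = {"admin": "hardware security key", "user": "authenticator app"}

def build_applicability(inventory_csv):
    """Return one row per account that meets at least one criterion."""
    table = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = [label for col, label in CRITERIA.items()
                   if row[col].strip().lower() == "yes"]
        if not reasons:
            continue  # no criterion met, so the account is not on the MFA-required list
        table.append({
            "account": row["account"],
            "type": row["type"],
            "reasons": reasons,
            "method": METHOD_BY_TYPE.get(row["type"], "defined in policy"),
            "enrolled": row["mfa_enrolled"].strip().lower() == "yes",
        })
    return table

def enrollment_gaps(table):
    """MFA-required accounts that are not enrolled (see Common Gaps)."""
    return [r["account"] for r in table if not r["enrolled"]]

if __name__ == "__main__":
    rows = build_applicability(SAMPLE_INVENTORY)
    for r in rows:
        print(f'{r["account"]:<14}{r["type"]:<9}{"; ".join(r["reasons"]):<64}{r["method"]}')
    print("Required but not enrolled:", ", ".join(enrollment_gaps(rows)))
```

The printed table maps directly to the columns in step 3, and the gap list is the set of accounts to remediate before an assessment.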

Evidence the Assessor Will Look For
• Account inventories indicating MFA-required users
• Documentation showing risk-based or role-based MFA application
• Access control policy or SSP references
• Audit logs identifying MFA-enabled accounts

Common Gaps
• MFA applied inconsistently or only to user accounts (excluding service/admin)
• Lack of documentation showing why MFA is required for specific users
• Remote access users not enrolled in MFA
• MFA tool deployed but not mapped to appropriate accounts

How Cuick Trac Helps
Cuick Trac supports this control by:
• Maintaining a secure environment where MFA is required by default for all remote and privileged access
• Helping organizations identify and map user accounts to MFA requirements
• Providing templates and inventory support to document MFA enforcement criteria
• Integrating MFA at both system and application levels within the enclave
Cuick Trac ensures that accounts requiring MFA are clearly identified—and clearly protected.

You can’t enforce MFA if you don’t know who needs it.
Schedule a Cuick Trac demo and start with a clear inventory of every account that requires strong authentication.
