AC.L2-3.1.13

Also known as: MFA remote access requirement

The NIST SP 800-171 requirement that mandates multifactor authentication for remote access to the contractor's information system.

AC.L2-3.1.13 requires the contractor to 'employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.' In practice, this is the multifactor authentication requirement for remote access.

A C3PAO will not accept a screenshot of an MFA configuration page as evidence. They will ask to see MFA enforced live: a remote user attempting to log in, prompted for the second factor, and successfully authenticating. They will also verify that all privileged accounts and all network access paths to in-scope systems are covered, not just a sample.

Failure to fully implement AC.L2-3.1.13 is one of the most common reasons contractors lose points on the SPRS score. It is weighted at 5 points in the DoD Assessment Methodology and is generally not eligible to be on a POA&M.
