CMMCDocs.comIA.L2-3.5.3
Also known as: MFA local privileged access · MFA for privileged accounts
The NIST SP 800-171 requirement that mandates multifactor authentication for local and network access to privileged accounts.
IA.L2-3.5.3 requires the contractor to 'use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.' It is the companion requirement to AC.L2-3.1.13 and together they form the core MFA mandate of CMMC Level 2.
The key distinction is 'local' versus 'network' access. AC.L2-3.1.13 covers network access; IA.L2-3.5.3 extends MFA to local privileged sessions — for example, an administrator logging into a server from a local console must also provide a second factor.
Like AC.L2-3.1.13, this requirement is weighted at 5 points, generally not eligible for POA&M, and assessors will verify it live in the contractor's environment.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account