IA.L2-3.5.3 — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
What this control requires
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Source: CMMC L2 v2.13 IA.L2-3.5.3 / NIST SP 800-171 R2 3.5.3 (official control text).
Why this matters
Passwords alone are vulnerable to phishing, credential stuffing, and brute-force attacks. Multifactor authentication (MFA) forces an attacker to compromise two separate factors (typically a password plus a time-based code or biometric), which makes unauthorized access far harder. This control mandates MFA for all privileged accounts (administrators, domain admins, service desk) whether they access systems locally or remotely, and for standard user accounts connecting over networks. Without MFA, a single compromised password grants full access to CUI systems, exposing the organization to data theft, ransomware, and regulatory penalties.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, PDF, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.