NIST 800-171 R-3.5.3
Use Multifactor Authentication
Official citation: 3.5.3
Class: core · Severity: critical
Statement of the obligation — verify against source
3.5.3
What it means
Require multifactor authentication — two or more different factors (something you know, something you have, something you are) — for local and network access to privileged accounts and for network access to non-privileged accounts. Solutions can use hardware or soft tokens, smart cards, or biometrics; this does not require PIV or CAC cards specifically. Authentication can be applied at logon and, where needed, at the application level.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.