3.5.3 has a weight of -3 to 5 points

1. System Security Plan (SSP) – Example

   I. Introduction

   This System Security Plan (SSP) details the measures implemented by our organization to comply with the requirements of NIST SP800-171, focusing on Control 3.5.3 concerning multifactor authentication (MFA). The following sections explain how we have deployed MFA and related security measures to ensure secure access to our systems.

   II. MFA Implementation for Privileged and Non-Privileged Accounts

   1. Privileged Accounts:

      • Implementation: Implemented MFA for local and network access to privileged accounts, requiring at least two different factors to authenticate users.
      • Authentication Factors: Utilized various factors such as passwords, cryptographic devices, tokens, or biometrics to establish robust authentication.
      • MFA Solutions: Deployed MFA solutions involving hardware tokens, smart cards, or commercial MFA solutions with replay resistance.

   2. Non-Privileged Accounts:

      • Extension of MFA: Extended MFA to network access for non-privileged accounts, requiring multiple authentication factors for users or processes accessing the systems through network connections.
      • Network Access: Implemented MFA across various networks including LANs, WANs, and the Internet.
      • Remote Access: Identified and implemented MFA for remote access connections, using additional security measures like encrypted VPNs.

   3. Tokens and Credentials:

      • Hard and Soft Tokens: Utilized both hard (e.g., smart cards) and soft tokens to securely store user credentials.

   4. Integration at System and Application Levels:

      • Integration Points: Integrated MFA mechanisms at both system (e.g., at logon) and application levels when necessary to enhance information security and prevent unauthorized access.

   5. Compliance and Best Practices:

      • Guidance and Standards: Followed guidance provided in SP 800-63-3 for digital identity best practices, including MFA.
      • Regular Review: Regularly reviewed and updated MFA mechanisms and processes to align with evolving threats, industry best practices, and organizational needs. 

Milestone 1: Implementation of Multifactor Authentication (MFA) for Privileged Accounts
Task 1: Implement MFA for local access to privileged accounts, requiring users to authenticate using two or more different factors by [Target Date].
Task 2: Utilize different authentication factors, such as passwords, cryptographic identification devices, or biometrics, to establish strong authentication for privileged account access by [Target Date].
Task 3: Deploy MFA solutions, including physical authenticators like hardware tokens or smart cards, with replay resistance for enhanced security by [Target Date].

Milestone 2: Extension of Multifactor Authentication to Network Access
Task 1: Implement MFA for network access, requiring users or processes to authenticate using multiple factors for non-privileged accounts by [Target Date].
Task 2: Identify remote access as a type of network access and implement MFA for remote connections, utilizing additional security measures like encrypted VPNs by [Target Date].

Milestone 3: Utilization of Multifactor Authentication Mechanisms
Task 1: Utilize hard tokens or soft tokens to securely store user credentials as part of the MFA process by [Target Date].
Task 2: Integrate MFA mechanisms at the system level (e.g., at logon) and, when necessary, at the application level for increased information security by [Target Date].

Milestone 4: Compliance with Standards and Best Practices
Task 1: Follow the guidance provided in SP 800-63-3 for best practices and standards regarding digital identities and multifactor authentication by [Target Date].

Milestone 5: Regular Reviews and Updates
Task 1: Regularly review and update multifactor authentication mechanisms and processes to adapt to evolving threats, industry best practices, and organizational needs by [Target Date].

Implementing multifactor authentication (MFA) requires a combination of hardware, software, and cloud-based tools. Depending on your organization’s specific needs and the scale of implementation, various solutions might be suitable. Here are some common tools you might consider:

1. Hardware Tokens:

• Yubico’s YubiKey: A physical hardware token that supports multiple authentication protocols.
• RSA SecurID: A well-known hardware token used for two-factor authentication.

2. Software and Mobile Authentication:

• Google Authenticator: A mobile app that generates time-based one-time passwords (TOTP) for two-factor authentication.
• Microsoft Authenticator: Similar to Google’s offering, Microsoft’s app allows for secure MFA.

3. Enterprise Solutions:

• Duo Security: Offers various MFA options including push notifications, TOTP, phone callbacks, and hardware tokens.
• Okta: A comprehensive identity management solution that provides strong MFA options.
• Symantec VIP: Offers strong authentication with various authenticator options like mobile apps, SMS, and voice.

4. Biometric Solutions:

• Windows Hello: Utilizes facial recognition, fingerprints, or PINs to enable strong authentication.
• Apple’s Face ID and Touch ID: Biometric solutions used in Apple devices.

5. Smart Cards and USB Security Keys:

• Smart Card Readers: Hardware devices that read smart cards used for authentication.
• Feitian ePass: USB security keys that can be used for secure authentication.

6. Virtual Private Networks (VPN) with MFA:

• Cisco AnyConnect: Can be configured with MFA for secure remote access.
• Fortinet FortiGate: Offers integrated MFA in its VPN solutions.

7. Identity and Access Management (IAM) Platforms:

• Azure Active Directory: Offers MFA as part of its identity services.
• AWS Identity and Access Management (IAM): Includes MFA options for added security.