Meeting the DFARS MFA Requirements—What You Need to Know



As we noted in two previous blog posts, the deadline for complying with the Defense Federal Acquisition Regulation Supplement (DFARS) data security requirements is Dec 31, 2017.

In one post, we explained the basics of the DFARS data security rules, and in the other we explored the “14 families” of security measures outlined in National Institute for Standards and Technology Special Publication 800-171 (NIST SP 800-171). 

NIST SP 800-171 requires multi-factor authentication (MFA) on all local and remote privileged account access and for users who access controlled unclassified information (CUI).

If you remember from our previous posts, CUI is sensitive federal government information routinely processed, stored, or transmitted by a contractor in the course of its work. CUI covers a broad range of protected information, including credit card data, financial data, web and electronic email services, background investigative data, and healthcare data. If you’re a U.S. federal government contractor or any other organization that processes, stores, or transmits CUI, you are rapidly running out of time to prove your DFARS compliance.

With the deadline right around the corner, we wanted to take a closer look at the MFA requirements in NIST SP 800-171.

NIST MFA Requirements

NIST SP 800-171 defines MFA (p. 12) as follows:

“Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).”

You must use more than one of the factors listed above during the authentication process. For a more in-depth discussion of MFA, check out Multi factor Authentication Terms and Factor Types.Which Authentication Methods are Recommended for Different User Scenarios?  Download Guide»

The MFA requirements are contained in two of the 14 “families” of security measures laid out in NIST SP 800-171: identification and authentication (p. 12) and maintenance (p. 13). Under the derived security requirements for identification and authentication, NIST directs companies to use MFA “for local and network access to privileged accounts and for network access to non-privileged accounts.”

Additionally, under the derived security requirements for maintenance, NIST instructs companies to use MFA “to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.”

Why should you care about these requirements, you may ask? Well, besides complying with DFARS, these requirements make security sense. Passwords are a weak link in the security chain. According to the latest Verizon Data Breach Investigations Report, 80% of hacking-related breaches in 2017 resulted from either stolen or weak passwords. Passwords alone are simply not enough to secure your systems.

This is even more true for privileged accounts because they are the keys to unlock your company’s valuable assets. Privileged accounts can be used to access the most sensitive data, lock out legitimate users, and create ghost accounts and backdoors that are not easily seen.

How We Can Help

Does your organization need help implementing the right MFA solutions before the approaching DFARS deadline?

Identity Automation has the expertise and the industry's most comprehensive MFA platform to meet all of NIST 800-171’s MFA requirements and use cases.

RapidIdentity offers a broad range of authentication methods, including smart cards with public key infrastructure (PKI), encrypted radio-frequency identification (RFID), FIDO universal second-factor (U2F) tokens, fingerprint biometrics, push authentication, and one-time password (OTP).

All of these authentication methods work online, and the majority also work offline, provided the user has logged in online at least one time prior, with the exceptions of push authentication (RapidIdentity PingMe) and OTP.

The good news is that your existing security investments, such as smart cards or physical tokens, can be leveraged and then augmented with additional authentication options that give your users more flexibility in how they authenticate.

Due to the breadth of supported authentication methods and RapidIdentity’s ability to assign multiple authentication methods to the same individual, Identity Automation’s customers gain a sense of confidence and security that they’re able to address all DFARS authentication requirements in a single platform.  

Here are some examples of top-tier defense contractors we’ve helped comply with the authentication requirements contained in NIST SP 800-171:

  • One of the largest aerospace companies in the world deployed RapidIdentity MFA with encrypted RFID technology that leveraged the same badges used for building access.
  • One of the largest U.S. shipbuilders implemented our solution using contactless PKI combined with building access cards. We provided FIDO U2F, OTP, and push authentication to support various remote access and emergency access scenarios.
  • A mid-sized shipbuilder elected to use embedded Federal Information Processing Standard 201-certified fingerprint sensors in its laptops to achieve compliance.

Ready to get started? Let our NIST experts help you assess your compliance standing and technology needs—schedule a free consultation and demo of the RapidIdentity platform.

Schedule a free consultation with our NIST 800-171 experts to assess your DFARS  compliance standing and technology needs >>

How to Minimize the IAM Risks Associated with Third-Party Relationships

Key References or Links:


Subscribe Here!