AC.L2-3.5.3[d] — Identification & Authentication (Multifactor Authentication)

Domain: Identification & Authentication (IA)  |  Practice: IA.L2-3.5.3  |  Objective ID: 3.5.3[d]  |  Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2

Assessment Objective:

Multifactor authentication for network access to non-privileged accounts uses mechanisms that are FIPS-validated or NSA-approved.

Executive Summary (For Leadership and the Board)

CMMC objective AC.L2-3.5.3[d] sits inside the Identification & Authentication domain (IA.L2-3.5.3 — Multifactor Authentication) and reads: "Multifactor authentication for network access to non-privileged accounts uses mechanisms that are FIPS-validated or NSA-approved." The objective extends the FIPS-validated MFA requirement to non-privileged accounts accessing CUI systems over the network, ensuring consistent cryptographic assurance across all access. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.

Under DFARS 252.204-7012, AC.L2-3.5.3[d] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.