6.3 Require MFA for Externally-Exposed Applications

Implementation Groups: IG1, IG2, IG3

Asset Type: Users
Security Function: Protect

Description

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify systems requiring multi-factor authentication
7. Select and deploy MFA solution
8. Enroll users and distribute authentication factors
9. Test MFA across all identified systems
10. Inventory all third-party service providers
11. Classify third parties by risk level
12. Conduct security assessments of critical vendors
13. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Credential Stuffing Against External Applications

Confidentiality

Attackers use leaked credential databases to perform automated login attempts against externally-exposed applications that rely solely on passwords without MFA.

Phished Credentials Used to Access External Portals

Confidentiality

An employee's credentials stolen through a phishing campaign provide immediate access to externally-exposed applications because no second factor is required for authentication.

Brute-Force Attack on Internet-Facing Login Portal

Availability

Attackers perform sustained brute-force attacks against internet-facing login pages where single-factor authentication allows unlimited credential guessing at scale.

Vulnerabilities (When Safeguard Absent)

Single-Factor Authentication on External Applications

Externally-exposed applications protected only by passwords are vulnerable to credential theft, stuffing, spraying, and brute-force attacks from anywhere on the internet.

No MFA Enforcement for Third-Party SaaS Applications

Third-party applications used by the enterprise lack MFA requirements, meaning a compromised password grants full access to potentially sensitive cloud-hosted data.

Evidence Requirements

| Type      | Evidence Item                                                                  | Collection Frequency |
|-----------|--------------------------------------------------------------------------------|----------------------|
| Technical | Configuration screenshots or exports showing protection controls enabled       | Captured quarterly   |
| Document  | Procedure documentation for protection measures                                | Reviewed annually    |
| Technical | MFA enrollment status and enforcement configuration                            | Reviewed monthly     |
| Record    | Third-party risk assessment reports and scorecards                             | Annually per vendor  |
| Document  | Vendor contracts with security requirements                                    | Per contract cycle   |
| Document  | Governing policy document (current, approved, communicated)                    | Reviewed annually    |
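The Description's rule (MFA on every externally-exposed application, with MFA delegated to a directory service or SSO provider counting as satisfied, and "where supported" carving out applications that cannot do MFA) can be turned into a monthly check over the enforcement-configuration exports listed in the evidence table. The script below is an added example, not CIS material; the inventory fields, the `IDP_MFA_ENFORCED` export and the application names are constructed assumptions about what an enterprise's asset and SSO exports might contain.

```python
# Added example (not from the CIS page): audit an application inventory for
# Safeguard 6.3. The inventory fields and the IdP export are assumptions about
# what an enterprise's asset and SSO-provider exports might contain.

# Hypothetical SSO/directory export: does each provider require MFA for every sign-in?
IDP_MFA_ENFORCED = {"okta-prod": True, "legacy-adfs": False}

# Constructed inventory of enterprise and third-party applications.
INVENTORY = [
    {"name": "intranet-wiki", "externally_exposed": False, "auth": "local",
     "mfa_supported": True, "mfa_enforced": False},
    {"name": "vpn-portal", "externally_exposed": True, "auth": "local",
     "mfa_supported": True, "mfa_enforced": True},
    {"name": "crm-saas", "externally_exposed": True, "auth": "sso", "idp": "okta-prod"},
    {"name": "partner-sftp", "externally_exposed": True, "auth": "sso", "idp": "legacy-adfs"},
    {"name": "ticketing", "externally_exposed": True, "auth": "local",
     "mfa_supported": True, "mfa_enforced": True, "mfa_exceptions": 3},
    {"name": "old-appliance", "externally_exposed": True, "auth": "local",
     "mfa_supported": False, "mfa_enforced": False},
]

def evaluate(app: dict, idp_mfa: dict) -> str:
    """Classify one application as n/a, compliant, exception, or non-compliant."""
    if not app["externally_exposed"]:
        return "n/a"                      # the Safeguard covers external exposure only
    if app["auth"] == "sso":
        # MFA enforced by the SSO/directory provider satisfies the Safeguard,
        # but only if that provider actually requires it for this app's sign-ins.
        enforced = idp_mfa.get(app.get("idp"), False)
    elif not app["mfa_supported"]:
        # "Where supported": the app itself cannot do MFA, so it needs a documented
        # exception and a compensating control (for instance, MFA-enforcing SSO in front).
        return "exception"
    else:
        enforced = app["mfa_enforced"]
    if enforced and app.get("mfa_exceptions", 0) == 0:
        return "compliant"
    return "non-compliant"                # not enforced, or some accounts bypass it

def audit(inventory: list, idp_mfa: dict) -> dict:
    """Map each application name to its Safeguard 6.3 status."""
    return {app["name"]: evaluate(app, idp_mfa) for app in inventory}

def findings(inventory: list, idp_mfa: dict) -> list:
    """Names of applications that need remediation or an approved, documented exception."""
    return sorted(name for name, status in audit(inventory, idp_mfa).items()
                  if status in ("non-compliant", "exception"))

if __name__ == "__main__":
    for name, status in audit(INVENTORY, IDP_MFA_ENFORCED).items():
        print(f"{name:15} {status}")
```

Per-account MFA exclusions are treated as non-compliant on purpose: a single excluded account on an internet-facing portal is exactly the foothold the credential-stuffing and phishing scenarios above describe.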