6.5 Require MFA for Administrative Access
Implementation Groups: IG1, IG2, IG3

Asset Type: Users
Security Function: Protect

Description

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify systems requiring multi-factor authentication
7. Select and deploy MFA solution
8. Enroll users and distribute authentication factors
9. Test MFA across all identified systems
10. Inventory all third-party service providers
11. Classify third parties by risk level
12. Conduct security assessments of critical vendors
13. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Admin Credential Compromise Leading to Full Domain Takeover

Confidentiality

An attacker obtains administrator credentials through phishing, keylogging, or hash theft and gains unrestricted administrative access because no second factor protects privileged accounts.

Privilege Escalation via Stolen Admin Password

Integrity

An attacker escalates from a standard compromise to full administrative control by using a stolen admin password, since MFA is not required for administrative access to any enterprise systems.

Vulnerabilities (When Safeguard Absent)

No MFA on Administrative Accounts

Administrative accounts protected by passwords alone represent the highest-value, lowest-resistance targets; a single compromised password yields complete system control.

Third-Party Admin Portals Without MFA

Administrative access to cloud services, SaaS platforms, and managed service provider portals lacks MFA, allowing remote administrative takeover with stolen credentials.

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Technical | MFA enrollment status and enforcement configuration                      | Reviewed monthly
Record    | Third-party risk assessment reports and scorecards                       | Annually per vendor
Document  | Vendor contracts with security requirements                              | Per contract cycle
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually
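An added example (not part of the CIS safeguard text) of the monthly "MFA enrollment status and enforcement configuration" evidence check: it audits a constructed account export for administrative accounts that lack an enrolled and enforced second factor, and separates systems where MFA is unsupported (the description's "where supported" clause) so they surface as tracked exceptions rather than silent passes. The column names, provider labels and sample rows are assumptions, not a real tool's export format.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export (column names and values are assumptions for this
# example), shaped like what an IdP, PAM tool or vendor portal might export.
SAMPLE_EXPORT = """\
account,privileged,provider,mfa_supported,mfa_enrolled,mfa_enforced
da-jsmith,true,on-prem AD,true,true,true
da-backup,true,on-prem AD,true,true,false
root-saas-admin,true,SaaS vendor portal,true,false,false
msp-admin01,true,managed service provider,true,true,true
legacy-plc-admin,true,OT controller,false,false,false
jsmith,false,on-prem AD,true,false,false
"""

def _flag(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}

@dataclass
class AuditResult:
    compliant: list = field(default_factory=list)      # MFA enrolled and enforced
    non_compliant: list = field(default_factory=list)  # MFA possible but missing or not enforced
    exceptions: list = field(default_factory=list)     # MFA unsupported: needs documented compensating controls

    def coverage(self) -> float:
        """Share of admin accounts that can use MFA and actually have it enforced."""
        assessable = len(self.compliant) + len(self.non_compliant)
        return len(self.compliant) / assessable if assessable else 1.0

def audit_admin_mfa(export_text: str) -> AuditResult:
    """Classify every administrative account in the export against Safeguard 6.5."""
    result = AuditResult()
    for row in csv.DictReader(io.StringIO(export_text)):
        if not _flag(row["privileged"]):
            continue  # 6.5 scopes to administrative access; standard users are out of scope here
        if not _flag(row["mfa_supported"]):
            result.exceptions.append(row["account"])
        elif _flag(row["mfa_enrolled"]) and _flag(row["mfa_enforced"]):
            result.compliant.append(row["account"])
        else:
            # Enrolled but not enforced is still a gap: the password alone still signs in
            result.non_compliant.append(row["account"])
    return result

if __name__ == "__main__":
    r = audit_admin_mfa(SAMPLE_EXPORT)
    print(f"coverage {r.coverage():.0%}; gaps: {r.non_compliant}; exceptions: {r.exceptions}")
```

Run monthly against each provider's export and retain the output alongside the exceptions list as the evidence artifact; an empty exceptions list and 100% coverage is the state the safeguard describes.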