16.3: Require Multi-Factor Authentication

CSF v1.1 References:

Threats Addressed:


Info icon.

The next version of the control set incorporates all or part of this control into: 6.3: Require MFA for Externally-Exposed Applications.

Control Statement

Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]