6.5: Require MFA for Administrative Access

CSF v1.1 References:


Previous Version:

Control Statement

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]