800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logonUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installedUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - escUnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11UnixCIS Amazon Linux 2 STIG v1.0.0 L3
4.4.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 8 Server L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat EL8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat EL8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 8 Workstation L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 8 Server L1 v3.0.0
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authenticationUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication.UnixDISA STIG AIX 7.x v2r9
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.UnixDISA STIG Apple Mac OSX 10.14 v2r6
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 Low
OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.UnixDISA Oracle Linux 7 STIG v2r13
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed.UnixDISA Oracle Linux 7 STIG v2r13
OL07-00-041002 - The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM) - PAM.UnixDISA Oracle Linux 7 STIG v2r13
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication.UnixDISA Oracle Linux 7 STIG v2r13
OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed.UnixDISA Oracle Linux 8 STIG v1r8
OL08-00-010400 - OL 8 must implement certificate status checking for multifactor authentication.UnixDISA Oracle Linux 8 STIG v1r8
RHEL-07-010061 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.UnixDISA Red Hat Enterprise Linux 7 STIG v3r14
RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.UnixDISA Red Hat Enterprise Linux 7 STIG v3r14
RHEL-07-041002 - The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).UnixDISA Red Hat Enterprise Linux 7 STIG v3r14
RHEL-07-041003 - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.UnixDISA Red Hat Enterprise Linux 7 STIG v3r14
RHEL-08-010390 - RHEL 8 must have the packages required for multifactor authentication installed.UnixDISA Red Hat Enterprise Linux 8 STIG v1r13
RHEL-08-010400 - RHEL 8 must implement certificate status checking for multifactor authentication.UnixDISA Red Hat Enterprise Linux 8 STIG v1r13
RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
RHEL-09-611165 - RHEL 9 must enable certificate based smart card authentication.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
RHEL-09-611170 - RHEL 9 must implement certificate status checking for multifactor authentication.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
RHEL-09-611175 - RHEL 9 must have the pcsc-lite package installed.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
RHEL-09-611180 - The pcscd service on RHEL 9 must be active.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
RHEL-09-611185 - RHEL 9 must have the opensc package installed.UnixDISA Red Hat Enterprise Linux 9 STIG v1r1
SLES-12-030500 - The SUSE operating system must have the packages required for multifactor authentication to be installed.UnixDISA SLES 12 STIG v2r12
SLES-12-030510 - The SUSE operating system must implement certificate status checking for multifactor authentication.UnixDISA SLES 12 STIG v2r12
SLES-12-030520 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).UnixDISA SLES 12 STIG v2r12
SLES-15-010460 - The SUSE operating system must have the packages required for multifactor authentication to be installed.UnixDISA SLES 15 STIG v1r11
SLES-15-010470 - The SUSE operating system must implement certificate status checking for multifactor authentication - which includes status information to an accepted trust anchor.UnixDISA SLES 15 STIG v1r11
SLES-15-020030 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).UnixDISA SLES 15 STIG v1r11
UBTU-16-030800 - The Ubuntu operating system must have the packages required for multifactor authentication to be installed.UnixDISA STIG Ubuntu 16.04 LTS v2r3