Control 3.5.3 Information – Multifactor Local Logins

We wanted to follow up with you about the concerns noted last month about control 3.5.3. The major concerns with it we heard from you were the following:

  • Saving passwords in a vault does not satisfy the control to the level that you would prefer it to be satisfied.
    • More specifically, you would prefer to see that a true 2nd factor solution be in place and functional for managing local login.
  • The password vault solution considered by CSR population being difficult to enforce.
  • Backing up an assertion that a solution is in place when an auditor requests information.

We wanted to address your concerns as a follow-up with a confirmation of the following:

  • The password vault solution is a stopgap for the eventual plan of implementing local 2FA, and was approved by CISO as a viable solution for the control.
    • It allows for attestation that administrative passwords are at least protected behind 2nd factor authentication, even though they could be memorized.
    • 3.5.3 is designed only to ensure that a solution is in place to manage administrative accounts with local login access to an in-scope system via a 2nd factor.
      • Current NIST guideline is that password changes need only be completed when necessary. Therefore, in the case of your admin accounts, they would only need to be changed based on established events (compromise, malicious activity avoidance after termination, etc.)
      • We do recommend that passwords be changed regularly if possible, but this is not a requirement.
  • Enforcement of the vault should be more on the users that are utilizing it, and not always on the CSRs. For example:
    • Users using a 2FA password vault to manage their service account password could be managed by them, and not by CSRs.
      • PIs are also the users attesting that this solution is in play on the SSP, and therefore are attesting that a solution is in use.
    • CSRs using their own vaults would of course, be managed by themselves.
  • Part of our process of running an assessment is the assessor seeing that the controls are in place and in use at the time of assessment.
    • In this regard, a PI could show that they can log into their vault, utilize a second factor, and then finally have an entry for their managed account. This will satisfy the control and we can mark it compliant in our Report.
      • CSRs could show us their vault once for multiple projects if they have common admin accounts across multiple systems.
    • We in Cyber Security sign off on the Report on Compliance as whether we have seen or experienced each of the controls in place for a project. Our signature on the document is our attestation whether the controls are compliant.


That all said, if you would still prefer to wait on the local 2FA solution (like DUO), or implement one of your own, we have a Plan of Action and Milestone (PoA&M) template below for your review:

Control Number Control Description Remediation plan Due Date
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Local multifactor authentication via a software solution (such as DUO) is how this control is planned to be achieved. However, this is a larger project that will involve testing and implementation that may fall outside of the timeline of this project. Administrative local logins on the machines will remain single factor until the solution is in place. Multifactor authentication is in use for network access for local and privileged accounts. ##/##/####


If possible, we’d like to work with you on the Barriers to Compliance as well, which will help to attest to the resources needed to bring a control covered by a PoA&M to full compliance. This will include the barriers that are making it difficult to implement this control as well as the cost estimate of what it would take to work through the PoA&M.

Control Number Control Description Barriers to Compliance Cost Estimate
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.