IA-2(2): Identification and Authentication (Organizational Users) – Multifactor Authentication to Non-Privileged Accounts
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/10/2024
- As specified in Control IA-2, Identification and Authentication (Organizational Users), multifactor authentication (MFA) should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.
- MFA is required for any information resource that stores or processes confidential data (as required by Texas A&M University System [TAMUS] Regulation 29.01.03, Information Security) or critical data.