The network device must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network device being accessed.


Overview

Finding ID: SRG-NET-000145-NDM-NA
Version: SRG-NET-000145-NDM-NA
Rule ID: SRG-NET-000145-NDM-NA_rule
IA Controls: (none listed)
Severity: Low
Description
Single-factor authentication poses unnecessary risk to the information system since most single-factor authentication methods use only a userid and password. Passwords are, in most cases, easily hacked with the right tools. Multifactor authentication uses multiple levels of identification and authorization criteria and provides a much stronger level of security than single-factor. As users have access to many of the files on the platform, using a single-factor authentication approach provides an easy avenue of attack for a malicious user, to include escalation of privileges. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). In the case of network device communications, when one of the authentication factors is provided by a device that is separate from the system gaining access, this is referred to as out-of-band two-factor authentication. Out-of-band two-factor authentication employs separate communication channels, at least one of which is independently maintained and trusted to authenticate an end user. Non-privileged accounts are not authorized on the network device, regardless of configuration.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000145-NDM-NA_chk)
This requirement is NA for network device management.
Fix Text (F-SRG-NET-000145-NDM-NA_fix)
This requirement is NA for network device management.