Tags: MFA · NIST 800-171 · Access Control

CMMC and MFA: The 5-Point Control You Can't Fake (IA.L2-3.5.3)

By Glenn Ballard·CMMC Registered Practitioner·June 19, 2026·8 min read

If there is a single control that decides more CMMC assessments than any other, it's multi-factor authentication. It carries one of the heaviest score weights, it's among the first things many assessors test, and, unlike a policy you can write, it either challenges a login or it doesn't. There's nowhere to hide. Here is exactly what NIST SP 800-171 requirement 3.5.3 demands, how it's scored, and the gaps that quietly sink companies.

What the Requirement Actually Says

Requirement 3.5.3 (CMMC practice IA.L2-3.5.3) is precise about where MFA is mandatory:

  • Local and network access to privileged accounts — every administrator login, whether at the console or remote.
  • Network access to non-privileged accounts — every standard user logging in remotely.

The one case it does not require: local (at-the-machine) access to a non-privileged account. Everything else, meaning all privileged access and all network access, must be protected with more than a password.

MFA means two or more factors of different types: something you know (a password or PIN), something you have (a security key or authenticator), or something you are (a biometric). Two passwords aren't MFA. A password plus a security question isn't either; both are things you know.

Why It's Worth 5 Points — and Why Partial Counts

In the DoD Assessment Methodology, most requirements are worth 1 or 3 points. MFA is one of the heaviest at 5 points. It's also one of only two requirements that allow partial credit:

  • Fully implemented (all required cases) → no deduction.
  • Partially implemented (some required cases, not all) → 3-point deduction instead of 5.
  • Not implemented → the full 5-point deduction.
Don't plan to “POA&M the MFA gap.” High-value 5-point requirements are not eligible for a POA&M to reach conditional status — that path is reserved for certain low-weight items. Practically, MFA has to be genuinely, fully in place. (More on POA&M limits in our SSP & POA&M guide.)

The Gaps That Quietly Fail You

Almost every company “has MFA.” The failures are in the coverage:

  • Email but not everything else. MFA on Microsoft 365 or email, but not on the VPN, RDP, servers, network devices, or admin consoles.
  • Local admin accounts. Domain admins protected, but built-in local administrator logins on servers and workstations left with a password only.
  • Service and break-glass accounts. Privileged automation or emergency accounts excluded “temporarily” and never revisited.
  • Infrastructure and OT. Hypervisors, switches, firewalls, and management interfaces accessed with single-factor credentials.

Doing It Right

  • Prefer phishing-resistant MFA. FIDO2 security keys or PIV/CAC smart cards beat SMS one-time codes, which are vulnerable to interception and SIM-swap attacks.
  • Mind FIPS. In a CUI environment, the cryptography behind your authenticators may need to be FIPS-validated — which ties into the separate FIPS encryption requirement (SC.L2-3.13.11).
  • Inventory every access path. List all privileged and all network access points, then confirm each one challenges for a second factor. The assessor will.
  • Document it in the SSP. State exactly which systems enforce MFA and how — this is what gets examined and tested.

Find Out If Your MFA Actually Covers You

MFA coverage is one of the five high-risk areas the free Pulse Check looks at — and a full assessment maps it across every access path, scores it correctly under the partial-credit rule, and documents it in your draft SSP. The Dragonfli Group CMMC Accelerator shows you, control by control, whether the controls you think you have actually hold up.

CHECK YOUR HIGH-RISK CONTROLS

Is your MFA assessment-ready?

The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.

Start Free Pulse Check →