If you’ve been involved in the DFARS 252.204-7012 (Implementing NIST 800-171) process, you’ve seen the wording in the regulation requiring a second layer of defense for your systems: 2-Factor Authentication or Multi-Factor Authentication (you will see it presented either way, but they are the same thing). Multi-Factor Authentication (MFA) is one of the requirements imposed by DFARS 252.204-7012 via NIST SP 800-171. This requirement is familiar to government network computer users but is new for contractors. Implementing MFA is not a cheap process, and as a small business, we were dumbfounded by the supposed lack of solutions, so we did some research. We found a multitude of solutions that satisfy the MFA requirement without breaking the bank (see the Partner Page of our website for more information). MFA is an extra level of security that has been needed for a long time, but as with many other security best practices, unless there is a business driver forcing it, it is an overhead cost and function that is never implemented.
Well, DFARS 252.204-7012 (Implementing NIST 800-171) is your business driver.
Soon, if they haven’t already, prime contractors and even direct contracting officers will be questioning your DFARS compliance status, which is why DFARS is your business driver. If you have a DFARS compliance requirement and you are not working toward the goal, the next contractor on the bidding list may be (or they may already be compliant!). If they can provide artifacts or a Plan of Action and Milestones (POA&M) to prove their compliance, they may be selected over you for the next contract.
So, that was a bit “cart before the horse,” but back to what MFA is. It is a log-in process to your computer or computer network that requires two factors of authentication. Instead of just a username and password, you need one more “factor” to authenticate you to your computer or network. The most common implementations of this are smart cards or tokens, with PINs or changing values, respectively. While a hassle, it does provide another layer of defense, such that an attacker must have a physical object of yours in order to compromise your system.