IA.L2-3.5.3 — Use multifactor authentication for system access
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Verbatim NIST SP 800-171 Rev 2 requirement text (3.5.3).
How it's scored
5 points deducted from your SPRS score if unmet.
Special scoring rule (DoD Assessment Methodology v1.2.1):
Subtract 5 points if MFA is not implemented for any users; subtract 3 points if MFA is implemented for remote and privileged users but not for the general user.
Source: DoD Assessment Methodology v1.2.1 Annex A; 32 CFR 170.24(c)(2)(i)(B)(4)(i)
An open gap here is not POA&M-eligible (only 1-point requirements qualify under 32 CFR 170.21, with one narrow exception at SC.L2-3.13.11): it must be fully implemented before a Level 2 assessment can certify.
What an assessor checks: the 4 assessment objectives
NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks IA.L2-3.5.3 MET only when every applicable objective is satisfied — and examines evidence, not assertions.
| Objective | Determination statement |
|---|---|
| 3.5.3[a] | privileged accounts are identified. |
| 3.5.3[b] | multifactor authentication is implemented for local access to privileged accounts. |
| 3.5.3[c] | multifactor authentication is implemented for network access to privileged accounts. |
| 3.5.3[d] | multifactor authentication is implemented for network access to non-privileged accounts. |
Where do you stand on IA.L2-3.5.3?
The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.
Get your free Muster Score →Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.