IA-2(1) / IA-2(2) / AC-17(2) / A.9.4.2 / CIS-6.3 NIST SP 800-53 Rev 5

MFA enforced on third-party / contractor access


Description

What this control does

This control mandates that all third-party vendors, contractors, and external personnel authenticate using multi-factor authentication (MFA) when accessing organizational systems, applications, or data. MFA requires at least two independent factors from different categories (something you know, something you have, or something you are) before access is granted, so a stolen or phished password alone is not sufficient to log in. This matters most for external entities, who often operate outside the organization's direct security oversight and may have weaker endpoint controls or security hygiene. Not all factors resist phishing equally: one-time codes and push approvals can be relayed through a real-time phishing proxy, so phishing-resistant methods (FIDO2/WebAuthn or certificate-based authentication) should be preferred where the contractor population can support them.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is consistently enforced for all third-party and contractor accounts accessing organizational resources, with no unauthorized exceptions or bypass mechanisms.

Associated risks

Risks this control addresses

  • Compromised third-party credentials used to gain unauthorized access to sensitive systems or data without detection
  • Phishing attacks targeting contractors successfully bypass single-factor authentication and establish persistent access
  • Stolen or shared contractor passwords enable lateral movement from external entities into internal network segments
  • Credential stuffing attacks leverage contractor accounts with reused passwords from unrelated breaches
  • Unmonitored contractor endpoints with malware harvest authentication credentials and access organizational assets
  • Terminated contractor accounts remain active without MFA protection, creating orphaned access paths exploitable by former personnel
  • Supply chain attacks leverage weakly-authenticated third-party access as initial compromise vector for broader organizational breach

Testing procedure

How an auditor verifies this control

  1. Obtain a comprehensive inventory of all active third-party and contractor accounts across identity providers, VPN systems, SaaS applications, and privileged access management platforms
  2. Review identity and access management policies and third-party access standards to confirm documented MFA requirements for external users
  3. Export authentication configuration settings from each system hosting third-party accounts to verify MFA enforcement at the technical control level
  4. Select a representative sample of 15-25 third-party accounts spanning different access levels, vendors, and system types for detailed testing
  5. Query authentication logs for the sampled accounts over the past 90 days to verify that every successful authentication event (not just interactive browser logins, but VPN, API, and mail-client sessions as well) shows a validated second factor
  6. Identify any accounts with MFA bypass flags, conditional access exceptions, trusted-location or trusted-device exclusions, or legacy authentication protocols enabled (for example basic-auth IMAP, POP, or SMTP clients, which cannot present a second factor and therefore circumvent MFA)
  7. Attempt to authenticate to a non-production test system using a contractor test account that is in the third-party group but has no enrolled factor, to confirm that access is denied or that enrollment is forced before any session is granted
  8. Interview identity management personnel to understand the provisioning workflow and confirm MFA enrollment occurs before third-party accounts are activated
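Steps 3, 5 and 6 above are usually done by pulling a configuration export and a sign-in log export and cross-checking them against the sampled accounts. The following is an added example of that cross-check, not code from the control page or from any identity provider; the configuration fields, event fields, protocol labels, account names and log entries are all constructed assumptions, so map them onto the real export format before use. It applies the page's own pass criteria: the account's policy must require MFA, 100% of successful logins in the 90-day window must carry a validated second factor, and no legacy-protocol or unapproved exception may exist. It also handles two edge cases an auditor must not miss: a sampled account with no successful logins in the window yields no log evidence (it is not a pass), and failed logins do not count toward coverage.

```python
"""Cross-check MFA enforcement for sampled third-party accounts.

Added example for the testing procedure above; not the page's or any
vendor's code. All field names, labels and sample data are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed configuration export: account -> MFA policy state.
# "mfa_policy" values are assumed labels, not a real IdP schema.
SAMPLE_CONFIG = {
    "vendor.alice@partner.example": {"mfa_policy": "required"},
    "vendor.bob@partner.example": {"mfa_policy": "required"},
    "vendor.carol@partner.example": {"mfa_policy": "exempt"},  # conditional access exception
    "svc.vendor-backup@partner.example": {"mfa_policy": "required"},
    "vendor.dave@partner.example": {"mfa_policy": "required"},
}

# Constructed sign-in events (UTC). "mfa" = a second factor was validated;
# "protocol" = client auth protocol as labelled in the (assumed) export.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:00Z", "user": "vendor.alice@partner.example", "result": "success", "mfa": True, "protocol": "browser"},
    {"ts": "2024-05-14T11:40:00Z", "user": "Vendor.Alice@partner.example", "result": "success", "mfa": True, "protocol": "vpn"},
    {"ts": "2024-05-02T08:00:00Z", "user": "vendor.bob@partner.example", "result": "success", "mfa": True, "protocol": "browser"},
    {"ts": "2024-05-20T23:55:00Z", "user": "vendor.bob@partner.example", "result": "success", "mfa": False, "protocol": "browser"},
    {"ts": "2024-05-21T00:05:00Z", "user": "vendor.bob@partner.example", "result": "failure", "mfa": False, "protocol": "browser"},
    {"ts": "2024-06-01T07:30:00Z", "user": "vendor.carol@partner.example", "result": "success", "mfa": False, "protocol": "browser"},
    {"ts": "2024-06-03T02:10:00Z", "user": "svc.vendor-backup@partner.example", "result": "success", "mfa": False, "protocol": "imap"},
    {"ts": "2024-01-15T10:00:00Z", "user": "vendor.dave@partner.example", "result": "success", "mfa": False, "protocol": "browser"},  # outside window
]

# Assumed labels for protocols that cannot present a second factor.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp", "activesync"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


AS_OF = parse_ts("2024-06-30T00:00:00Z")  # end of the review period


def audit_mfa(events, config, sampled_accounts, as_of, window_days=90,
              approved_exceptions=frozenset()):
    """Return (per-account findings, overall pass flag) per the pass criteria."""
    start = as_of - timedelta(days=window_days)
    findings = {}
    for acct in sampled_accounts:
        acct = acct.lower()
        policy = config.get(acct, {}).get("mfa_policy", "missing")
        findings[acct] = {"policy": policy, "successes": 0, "mfa_successes": 0,
                          "gaps": [], "legacy": [], "verdict": None}
    for ev in events:
        f = findings.get(ev["user"].lower())  # usernames compared case-insensitively
        if f is None:
            continue
        ts = parse_ts(ev["ts"])
        if not (start <= ts <= as_of):
            continue  # outside the review period
        if ev["protocol"].lower() in LEGACY_PROTOCOLS:
            f["legacy"].append(ev["ts"])  # flagged even on failure: the path exists
        if ev["result"] != "success":
            continue  # only successful authentications count toward coverage
        f["successes"] += 1
        if ev["mfa"]:
            f["mfa_successes"] += 1
        else:
            f["gaps"].append(ev["ts"])
    for acct, f in findings.items():
        if f["policy"] == "missing":
            f["verdict"] = "no evidence"  # account absent from the config export
        elif f["policy"] != "required":
            f["verdict"] = ("approved exception" if acct in approved_exceptions
                            else "unauthorized exception")
        elif f["successes"] == 0:
            f["verdict"] = "no evidence"  # no logins in window: expand the sample
        elif f["gaps"] or f["legacy"]:
            f["verdict"] = "fail"
        else:
            f["verdict"] = "pass"
    overall = all(f["verdict"] in ("pass", "approved exception") for f in findings.values())
    return findings, overall


def mfa_coverage(finding):
    """Percentage of successful logins that carried a validated second factor."""
    if not finding["successes"]:
        return 0.0
    return round(100.0 * finding["mfa_successes"] / finding["successes"], 1)


def run_sample():
    """Audit the constructed sample with no approved exceptions."""
    return audit_mfa(SAMPLE_EVENTS, SAMPLE_CONFIG, list(SAMPLE_CONFIG), AS_OF)


if __name__ == "__main__":
    findings, overall = run_sample()
    for acct, f in findings.items():
        print(f"{acct:40} policy={f['policy']:9} coverage={mfa_coverage(f):5.1f}% "
              f"gaps={len(f['gaps'])} legacy={len(f['legacy'])} -> {f['verdict']}")
    print("CONTROL PASS" if overall else "CONTROL FAIL")
```

Any verdict other than "pass" or "approved exception" is a finding to chase: a gap means a successful login without a second factor, a legacy entry means an authentication path that cannot enforce one, and "no evidence" means the log export cannot support a conclusion for that account and the sample should be extended rather than scored as compliant.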

Evidence required

  • Configuration exports from identity providers showing MFA enforcement policies applied to third-party user groups or organizational units
  • Authentication logs demonstrating MFA validation events for sampled contractor accounts, with timestamps, authentication methods, and success outcomes
  • Policy documentation or contractor access standards explicitly requiring MFA, with defined exceptions and approval workflows
  • Screenshots of conditional access rules or access control lists demonstrating the MFA requirement for external user populations

Pass criteria

All sampled third-party and contractor accounts show MFA enforcement in system configurations; authentication logs confirm MFA challenges for 100% of successful logins in the review period; no unauthorized exceptions or bypass mechanisms exist; and documented policy requires MFA for external access. A sampled account with no successful logins in the review period provides no log evidence and should be replaced in the sample rather than counted as passing.