NIST CSF 2.0 - Protect

PR.AA-03: Multi-Factor Authentication

PR.AA-03 requires organizations to ensure that users, services and hardware are authenticated with multi-factor authentication or other strong methods. This NIST CSF 2.0 control falls under the Protect (PR) function and the Identity Management, Authentication and Access Control category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID
PR.AA-03
Title
Multi-Factor Authentication
Function
Protect (PR)
Category
Identity Management, Authentication and Access Control
Framework
NIST CSF 2.0

Users, services and hardware are authenticated with multi-factor authentication or other strong methods. Authentication mechanisms are commensurate with the risk level of the access being granted.

Why This Matters

Passwords alone are insufficient: credential stuffing and phishing attacks routinely bypass single-factor authentication. MFA blocks over 99% of automated credential-based attacks.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.AA-03.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.AA-03 during an audit.

  • MFA enrollment reports showing coverage percentages
  • MFA policy specifying required methods by access type
  • Configuration screenshots showing MFA enforcement for critical systems
  • Authentication logs showing MFA challenge events

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.AA-03.

  • MFA is enabled for VPN but not for cloud admin consoles
  • SMS-based MFA is used for privileged accounts despite known SIM-swap risks
  • Service accounts and API keys bypass MFA requirements entirely
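The evidence items above (enrollment coverage percentages, authentication logs showing MFA challenges) and the three common gaps can all be checked from the same sign-in data. The following script is an added example, not part of the original checklist or of any vendor tool: it parses a constructed, pipe-delimited sign-in export, computes MFA coverage per application, and flags sign-ins with no MFA, service accounts bypassing MFA, and privileged accounts relying on SMS. The record format, the role names and the set of methods treated as strong are assumptions for the example.

```python
"""Check MFA coverage and common PR.AA-03 gaps from a sign-in export.

Added example with a constructed log format; adapt the parser to the
fields your identity provider actually exports.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed classification: methods accepted as strong for privileged access.
# SMS is deliberately excluded because of SIM-swap and interception risk.
STRONG_METHODS = {"fido2", "passkey", "smartcard", "totp", "push"}
# Assumed role names that denote privileged access.
PRIVILEGED_ROLES = {"global_admin", "cloud_admin", "domain_admin"}

# Constructed sample records: principal|kind|role|application|mfa_method
SAMPLE_LOG = """
# principal|kind|role|application|mfa_method  (constructed records)
alice|user|cloud_admin|vpn|totp
alice|user|cloud_admin|cloud_console|none
bob|user|global_admin|cloud_console|sms
carol|user|standard|vpn|push
svc-backup|service|standard|cloud_console|none
dave|user|standard|vpn|none
"""


@dataclass
class SignIn:
    principal: str
    kind: str         # "user" or "service"
    role: str
    application: str
    mfa_method: str   # "none", "sms", "totp", "fido2", ...


def parse_log(lines):
    """Parse pipe-delimited records, skipping blanks and '#' comments."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) != 5:
            raise ValueError(f"malformed record: {raw!r}")
        events.append(SignIn(*fields))
    return events


def mfa_coverage(events):
    """Percentage of sign-ins per application that presented any MFA factor.

    This is the 'coverage percentage' an auditor asks for, broken out by
    access path so a VPN-only deployment is visible.
    """
    totals, with_mfa = defaultdict(int), defaultdict(int)
    for e in events:
        totals[e.application] += 1
        if e.mfa_method != "none":
            with_mfa[e.application] += 1
    return {app: round(100 * with_mfa[app] / totals[app], 1) for app in totals}


def find_gaps(events):
    """Return (gap_type, principal, application) tuples for the common gaps."""
    gaps = []
    for e in events:
        if e.mfa_method == "none":
            # Service accounts and API keys bypassing MFA are reported separately
            # because they usually need a different fix (workload identity, key rotation).
            kind = "service_no_mfa" if e.kind == "service" else "no_mfa"
            gaps.append((kind, e.principal, e.application))
        elif e.role in PRIVILEGED_ROLES and e.mfa_method not in STRONG_METHODS:
            gaps.append(("weak_mfa_privileged", e.principal, e.application))
    return sorted(gaps)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG.splitlines())
    for app, pct in sorted(mfa_coverage(evts).items()):
        print(f"{app}: {pct}% of sign-ins used MFA")
    for gap in find_gaps(evts):
        print("GAP", *gap)
```

Run against a real export, the coverage table is the artifact for the enrollment-report evidence item, and a non-empty gap list is a finding list for the remediation owner. Treat a weak-method sign-in for a privileged role as a gap even when the overall coverage percentage looks healthy.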

FAQ

What does PR.AA-03 require?
PR.AA-03 (Multi-Factor Authentication) requires that users, services and hardware are authenticated with multi-factor authentication or other strong methods. Authentication mechanisms are commensurate with the risk level of the access being granted. This control is part of the NIST CSF 2.0 Protect function under the Identity Management, Authentication and Access Control category.
How do I prove compliance with PR.AA-03?
To demonstrate compliance with PR.AA-03, prepare the following evidence: MFA enrollment reports showing coverage percentages; an MFA policy specifying required methods by access type; configuration screenshots showing MFA enforcement for critical systems. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.