CMMC L3-IA.3.083
CMMC – Level 3 - IA.3.083 - “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”
Windows Hello for Business is a viable MFA authenticator for local Windows 10 logon as of Feb 12th 2021*.
The Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM) and combines it with additional information to authenticate users. The additional information the user supplies is the activation factor for Windows Hello for Business and can be a PIN value (“something you know”) or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition (“something you are”). The TPM constitutes the “something you have” factor for the purpose of MFA.
According to NIST 800-63B Section 5.1.9.1, a TPM is recognized as a hardware cryptographic authenticator; “Multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys unique to the authenticator and accessible only through the input of an additional factor, either a memorized secret or a biometric. The authenticator operates by using a private key that was unlocked by the additional factor to sign a challenge nonce presented through a direct computer interface (e.g., a USB port). Alternatively, the authenticator could be a suitably secure processor integrated with the user endpoint itself (e.g., a hardware TPM).”
To configure Windows Hello in a way that adheres to NIST guidance:
Configure the minimum PIN length Group Policy or MDM policy setting for PIN complexity to at least 8 characters (no complexity rules are required; the PIN can be digits only). Reference: NIST 800-63B Section 5.1.1.2.
Confirm that Windows Hello for Business cryptographic keys are protected by tamper-resistant hardware by enabling the “Use a hardware security device” Group Policy or MDM policy setting for Windows Hello for Business.
For securing privileged access, restrict privileged users to signing in only from secure workstations and require MFA for sign-in:
Enable the “Interactive logon: Require Windows Hello for Business or smart card” security policy setting.
Configure privileged user accounts to disallow password authentication (the “Smart card is required for interactive logon” account option, also known as SCRIL).
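The following PowerShell audit script is an added example, not part of the original page or of any Microsoft tooling. It checks a Windows 10 host against the four settings listed above and reports a pass/fail row for each. It assumes that the Group Policy or MDM settings for Windows Hello for Business are stored under the PassportForWork registry key (PINComplexity\MinimumPINLength and RequireSecurityDevice), that the “Interactive logon: Require Windows Hello for Business or smart card” option is backed by the ScForceOption value under the System policies key, and that SCRIL is the SmartcardLogonRequired flag on Active Directory user objects (the last check needs the ActiveDirectory module and a domain-joined session). The function name Test-WhfbPolicy and the parameter names are the example's own.

```powershell
# Added example (not from the original page): audit Windows Hello for Business
# policy on the local host against the CMMC IA.3.083 / NIST 800-63B settings.
# Assumptions: policy values live under the PassportForWork registry key,
# ScForceOption backs the "Require Windows Hello for Business or smart card"
# security option, and SCRIL is the SmartcardLogonRequired AD attribute.
# Run from an elevated PowerShell session.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WhfbPolicy {
    [CmdletBinding()]
    param(
        [int]$MinimumPinLength = 8,          # NIST 800-63B 5.1.1.2 floor
        [string[]]$PrivilegedUser = @()      # sAMAccountNames to check for SCRIL
    )

    $whfb = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'   # assumed policy key
    $pin  = Join-Path $whfb 'PINComplexity'
    $sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings = @()

    # Step 1: minimum PIN length of at least 8 characters.
    $minPin = Get-PolicyValue -Path $pin -Name 'MinimumPINLength'
    $findings += [pscustomobject]@{
        Check    = 'Minimum PIN length'
        Expected = ">= $MinimumPinLength"
        Actual   = if ($null -eq $minPin) { 'not configured' } else { $minPin }
        Pass     = ($null -ne $minPin) -and ($minPin -ge $MinimumPinLength)
    }

    # Step 2: keys must be protected by a hardware security device (TPM).
    $reqTpm = Get-PolicyValue -Path $whfb -Name 'RequireSecurityDevice'
    $findings += [pscustomobject]@{
        Check    = 'Use a hardware security device'
        Expected = 1
        Actual   = if ($null -eq $reqTpm) { 'not configured' } else { $reqTpm }
        Pass     = ($reqTpm -eq 1)
    }

    # Step 3: interactive logon must require Windows Hello for Business or smart card.
    $scForce = Get-PolicyValue -Path $sys -Name 'ScForceOption'
    $findings += [pscustomobject]@{
        Check    = 'Interactive logon: Require WHfB or smart card'
        Expected = 1
        Actual   = if ($null -eq $scForce) { 'not configured' } else { $scForce }
        Pass     = ($scForce -eq 1)
    }

    # Step 4: privileged accounts must have SCRIL set (no password authentication).
    foreach ($user in $PrivilegedUser) {
        try {
            $adUser = Get-ADUser -Identity $user -Properties SmartcardLogonRequired -ErrorAction Stop
            $actual = [bool]$adUser.SmartcardLogonRequired
        } catch {
            # Module missing, not domain-joined, or account not found: report, do not abort.
            $actual = "lookup failed: $($_.Exception.Message)"
        }
        $findings += [pscustomobject]@{
            Check    = "SCRIL on privileged account '$user'"
            Expected = $true
            Actual   = $actual
            Pass     = ($actual -eq $true)
        }
    }

    return $findings
}

# Usage: list each check, then summarise failures for follow-up.
$results = Test-WhfbPolicy -PrivilegedUser @('adm-example')   # constructed account name
$results | Format-Table Check, Expected, Actual, Pass -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks failed" -f $failed.Count, $results.Count)
```

Each row maps to one of the steps above, so a failing row points straight at the Group Policy, MDM, or account setting that still needs to be changed. Because the script only reads policy values, it can be run repeatedly as evidence collection during an assessment without altering the host.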
*This may change as the CMMC-AB and DoD release additional guidance.