Why Multi-Factor Authentication (MFA) is Not Enough to Meet CMMC Requirements


As the Defense Industrial Base (DIB) looks to 2023, companies need to consider the impact that the Cybersecurity Maturity Model Certification (CMMC) will have on their contracts. The National Institute of Standards and Technology (NIST) has said that it plans to publish Special Publication (SP) 800-171 updates in “late spring 2023,” while the Department of Defense (DoD) has indicated that companies may see CMMC language in solicitations as early as May 2023.

With these challenges in mind, organizations should be proactive by considering where implementing only compliance bare minimums creates cybersecurity risks. As the landscape continues to evolve, organizations maintaining Controlled Unclassified Information (CUI) may find that multi-factor authentication (MFA) is not enough to meet CMMC requirements.

The Regulatory MFA Breadcrumbs

Nothing in the CMMC world is straightforward, which is why following the trail of breadcrumbs from CMMC across the different NIST publications matters.

Start with CMMC IA.L2-3.5.3 Multi-Factor Authentication

The Level 2 Assessment Guide states:

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

From here, the assessment guide forwards you to NIST SP 800-171 3.5.3.

NIST SP 800-171 Identification and Authentication (IA) Control Family

Within the IA control family, NIST outlines the steps required to ensure that users accessing networks are who they say they are.

The NIST requirement defines MFA as a combination of two or more of the following:

  • Something you know (a password)
  • Something you have (a token or mobile device)
  • Something you are (a biometric like fingerprint or face ID)

Organizations should also note that NIST 800-171 explains:

In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.

Why Isn’t MFA Enough?

MFA will always be an important security control. It acts as a secondary line of protection at the identity layer. However, malicious actors have recently found ways to bypass this control through sophisticated SMS-based attacks.

Supply Chain Attacks

In August 2022, threat actors deployed attacks against Cloudflare and Twilio. In these sophisticated SMS-based spear phishing attacks, malicious actors texted employees a password reset notification along with a well-disguised link. Additionally, the end-to-end encrypted messaging service Signal was one of the 125 customers impacted by the attack, ultimately causing a downstream impact to roughly 1900 of its customers.

CMMC exists precisely because the interconnected nature of the DIB means that one impacted contractor creates a flow-down supply chain data security risk.

MFA-Bombing Attacks

As organizations implement MFA, attackers seek ways around it. In an MFA bombing attack, also called MFA push spam or MFA fatigue, attackers overwhelm users by sending high volumes of text messages, waiting for the user to accept the authentication attempt just to stop the notifications. In September 2022, attackers used this tactic against Uber, infecting a third-party contractor’s personal device with malware that exposed and compromised credentials.
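As an added example (not from the original post or from Zimperium), here is a detection rule a defender could run over identity-provider logs to surface the pattern described above: a burst of denied or unanswered push challenges followed by an approval. The log format, field names, sample lines, and the threshold and window values are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IdP log (not real data). Fields: timestamp user event result source_ip
SAMPLE_LOG = """\
2022-09-15T02:01:05Z alice push_challenge denied 203.0.113.7
2022-09-15T02:01:31Z alice push_challenge denied 203.0.113.7
2022-09-15T02:02:02Z alice push_challenge timeout 203.0.113.7
2022-09-15T02:02:40Z alice push_challenge denied 203.0.113.7
2022-09-15T02:03:58Z alice push_challenge approved 203.0.113.7
2022-09-15T09:45:00Z bob push_challenge denied 198.51.100.12
2022-09-15T09:46:00Z bob push_challenge approved 198.51.100.12
"""

def parse_line(line):
    """Split one log line into a dict with the timestamp parsed to a datetime."""
    ts, user, event, result, src_ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return {"when": when, "user": user, "event": event, "result": result, "src_ip": src_ip}

def detect_push_bombing(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag a user who gets `threshold` or more denied/unanswered push challenges
    within `window` (a push burst), and flag an approval that arrives while such a
    burst is still inside the window, the outcome an MFA-fatigue attack is after.
    The threshold and window are illustrative tuning values, not vendor defaults."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timeout pushes
    alerted = set()               # users already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "push_challenge":
            continue
        q = recent[rec["user"]]
        while q and rec["when"] - q[0] > window:   # expire rejections outside the window
            q.popleft()
        in_burst = len(q) >= threshold
        if rec["result"] in ("denied", "timeout"):
            q.append(rec["when"])
            if len(q) >= threshold and rec["user"] not in alerted:
                alerted.add(rec["user"])
                alerts.append({"type": "push_burst", "user": rec["user"],
                               "count": len(q), "src_ip": rec["src_ip"], "at": rec["when"]})
        elif rec["result"] == "approved":
            if in_burst:
                alerts.append({"type": "approved_after_burst", "user": rec["user"],
                               "count": len(q), "src_ip": rec["src_ip"], "at": rec["when"]})
            q.clear()                 # an approval ends the current burst
            alerted.discard(rec["user"])
    return alerts
```

A single denial followed by an approval (bob) stays quiet, while alice's run of rejections and the approval that ends it both produce alerts carrying the source IP for triage.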

With the rise of these sophisticated attacks, DIB members need additional controls that reinforce their MFA protections.

Mobile Threat Defense: Augmenting MFA for Comprehensive CMMC Compliance

It is imperative that you take into account how threat actors can circumvent your controls as part of CMMC compliance. It is crucial to implement MFA, but you should also reinforce your security controls to mitigate these new risks.

Mobile threat defense (MTD) supplements your Mobile Device Management (MDM) and Mobile Application Management (MAM) tools for a comprehensive approach to mobile security.

MDM enables device:

  • Deployment
  • Configuration
  • Management

MAM enables you to:

  • Establish controls for different apps on a managed device
  • Enforce controls for different apps on a managed device

However, neither of these approaches actually responds to the unique problems that MFA-based attacks cause.

With MTD, DIB members augment their current mobile device security technologies with the following:

  • Real-time continuous monitoring
  • Assessing apps after deployment and during runtime
  • Detecting and protecting mobile devices, apps, and end users against attack via wireless network
  • Detecting attacks against an app or OS software, such as side-loaded apps
  • Detecting and alerting users to unexpected interactions among apps or the use of data on the device

Supplement Security Awareness Training

Sophisticated MFA-based SMS spear phishing attacks incorporate threat intel on the intended targets and send them to specially crafted, legitimate-looking, malicious landing pages. MTD supplements your security awareness training with behavioral and machine learning that detects device, network, phishing, and application mobile attacks, even when a device is not connected to the network.

Mitigate Mobile Operating System (OS) Risks

A mobile device’s OS often comes with vulnerabilities and can be open to misconfigurations. MDM and MAM lock down your devices and deploy security policies. MTD augments and completes your mobile device security program by overcoming threats arising from malicious links embedded in SMS-based phishing attacks. Distracted users with small smartphone screens may not be able to determine whether the link is malicious because they can’t just use the “hover” capability that they would with a mouse. MTD closes this security gap, enabling robust security and CMMC compliance.

Protect the Expanded Attack Surface

Many companies forget to secure the mobile component of their attack surface. Each mobile device is a potential attack vector that is part of a larger attack chain. In an SMS-based spear phishing attack, reconnaissance includes gathering information about employees and services, then communicating with these individuals. Leveraging malicious websites, attackers then compromise credentials, which can lead to enterprise system access. MTD closes the security gap that MDM and MAM leave by providing visibility into the threats targeting mobile endpoints. With MTD, you can reduce your mobile device attack surface.

Zimperium: Mobile Threat Defense for the DIB

As DIB contractors implement security controls aligned to CMMC practices, MTD is fundamental to securing CUI, especially for organizations with distributed workforces.

As a pioneer in mobile security, Zimperium’s zIPS provides advanced security for enterprises and government agencies in the DIB so that they can comply with CMMC practices. As the first MTD provider granted an Authority to Operate (ATO), Zimperium is used by many government organizations, including the DoD.

zIPS is the only patented, on-device MTD solution with the technical capabilities to protect CUI from known and zero-day advanced persistent threats across Android, iOS, and ChromeOS. Our purpose-built technology provides enterprises and government agencies with a privacy-focused experience. We keep mobile devices secure without relying on cloud-based lookups, content scanning, or other privacy-invasive techniques.

Our dynamically updatable Zimperium z9 engine powers zIPS with behavioral and machine learning techniques to detect device, network, phishing, and application mobile attacks without needing updates or an active network connection. Combined with our z3A Advanced App Analysis, zIPS performs in-depth mobile application scanning to detect privacy and security risks, with detailed privacy ratings, malware classifications, security ratings, and customizable app privacy settings.

For more information about how Zimperium can help you achieve your CMMC compliance goals, contact us today.

Author: Jim Kovach, Mobile Security Specialist, Public Sector.