
CCC.C03: Implement Multi-factor Authentication (MFA) for Access

Control ID: CCC.C03
Title: Implement Multi-factor Authentication (MFA) for Access
Objective: Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. This may include something you know, something you have, or something you are. In the case of programmatically accessible services, such as API endpoints, this includes a combination of API keys or tokens and network restrictions.
Control Family:
Identity and Access Management
Threats:
ID: CCC.TH01
Title: Access Control is Misconfigured
Description: An attacker can exploit misconfigured access controls to grant excessive privileges or gain unauthorized access to sensitive resources.
NIST CSF:
PR.AC-7

Control Mappings

ISO_27001:
NIST_800_53:

Test Requirements

CCC.C03.TR01: When an entity attempts to modify the service, the service MUST attempt to verify the client's identity through an authentication process.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red
CCC.C03.TR02: When an entity attempts to view information presented by the service, the service MUST attempt to verify the client's identity through an authentication process.
TLP:
tlp_amber
tlp_red
CCC.C03.TR03: When an entity attempts to view information on the service through a user interface, the authentication process MUST require multiple identifying factors from the user.
TLP:
tlp_amber
tlp_red
CCC.C03.TR04: When an entity attempts to modify the service through an API endpoint, the authentication process MUST be limited to a specific allowed network.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red
CCC.C03.TR05: When an entity attempts to view information on the service through an API endpoint, the authentication process MUST be limited to a specific allowed network.
TLP:
tlp_amber
tlp_red
CCC.C03.TR06: When an entity attempts to modify the service through a user interface, the authentication process MUST require multiple identifying factors from the user.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red