MFA for all admins everywhere, and for all users over the network.
What it actually means
One of the highest-value controls. You need MFA for local and network access to privileged accounts, and for network access to non-privileged accounts. Use phishing-resistant factors where you can: a FIDO2 hardware key, or at least an authenticator app, not SMS. (See our guide on whether a Microsoft PIN counts.)
Pass or fail — an assessor needs a "yes" to each
- MFA enforced for privileged accounts on both local and network access.
- MFA enforced for all users' network access.
- Factors are reasonably strong (authenticator app / FIDO2 preferred over SMS).
What to have ready
- Identity-provider MFA / conditional-access policies
- Enrollment reports showing coverage
- Authenticator/FIDO2 configuration
Where teams trip up
- MFA only for remote/privileged users but not general users on the network
- Single-factor PIN treated as 'MFA'
- SMS as the only second factor
Partial credit: the DoD methodology deducts 5 points if MFA isn't implemented at all, but only 3 if it covers remote and privileged accounts but not general users on the local network — so partial coverage still helps your score while you finish.
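As an added example (not from this page or any vendor tool), here is a small check that runs the three pass/fail questions and the common trip-ups above over an MFA enrollment report, and maps the result to the 0 / 3 / 5 point deduction described. The report fields (privileged, remote, local_mfa, factors) and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass

STRONG = {"authenticator_app", "fido2"}   # acceptable second factors
NOT_A_SECOND_FACTOR = {"pin"}             # a single-factor PIN is not MFA

@dataclass
class Account:              # assumed report fields, not a real product schema
    name: str
    privileged: bool
    remote: bool            # logs on over the network from outside
    local_mfa: bool         # MFA also enforced on local/console logon
    factors: frozenset      # second factors enrolled for network logon

def has_mfa(acct):
    # True only if a real second factor (not just a PIN) is enrolled
    return bool(acct.factors - NOT_A_SECOND_FACTOR)

def findings(accounts):
    """One finding per account per problem, matching the trip-ups above."""
    out = []
    for a in accounts:
        if not has_mfa(a):
            why = "PIN treated as MFA" if "pin" in a.factors else "no MFA"
            out.append((a.name, f"{why} on network access"))
        elif not (a.factors & STRONG):
            out.append((a.name, "SMS is the only second factor"))
        if a.privileged and not a.local_mfa:
            out.append((a.name, "privileged account lacks MFA on local access"))
    return out

def deduction(accounts):
    # Points lost for this control: 0 full, 3 partial, 5 not implemented
    priv_ok = all(has_mfa(a) and a.local_mfa for a in accounts if a.privileged)
    remote_ok = all(has_mfa(a) for a in accounts if a.remote)
    everyone_ok = all(has_mfa(a) for a in accounts)
    if priv_ok and everyone_ok:
        return 0
    if priv_ok and remote_ok:
        return 3          # remote + privileged covered, general local users not
    return 5

# Constructed sample enrollment report (not real data).
REPORT = [
    Account("admin-alice",  True,  True,  True,  frozenset({"fido2"})),
    Account("vpn-bob",      False, True,  False, frozenset({"authenticator_app"})),
    Account("office-carol", False, False, False, frozenset({"sms"})),
    Account("office-dave",  False, False, False, frozenset({"pin"})),
]

if __name__ == "__main__":
    for name, issue in findings(REPORT):
        print(f"{name}: {issue}")
    print("deduction:", deduction(REPORT), "points")
```

On the sample report the privileged and remote accounts are covered but two office users are not, so the script reports the two findings and a 3-point deduction.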
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →