CIS Control 6.3: Require MFA for Externally-Exposed Applications
External-facing applications are prime targets for credential attacks. CIS Control 6.3 mandates multi-factor authentication across all externally-exposed enterprise and third-party apps to eliminate single-factor compromise risks. This control is foundational for SMBs protecting customer-facing systems and remote access points.
What this means
You must enforce MFA on any application accessible from the internet—whether built in-house or provided by vendors. MFA can be implemented directly within the application or delegated to a centralized directory service (Active Directory, Okta) or SSO provider (Azure AD, Google Workspace). The goal is to make stolen passwords useless by requiring a second verification factor.
How to comply
- 1.Inventory all externally-exposed applications, including web apps, APIs, customer portals, and admin dashboards.
- 2.Evaluate MFA support in each application—most modern platforms natively support or integrate with SSO/directory services.
- 3.Deploy MFA through your SSO provider (recommended for centralized control) or enable native MFA within each application.
- 4.Configure MFA methods: authenticator apps, SMS, hardware keys, or push notifications—choose based on user experience and security requirements.
- 5.Exclude service accounts and automation from MFA only where technically necessary; use IP whitelisting or certificate-based auth instead.
- 6.Test MFA flows with real users to ensure adoption and identify support needs before full rollout.
- 7.Monitor and enforce MFA adoption; block non-compliant sessions until MFA is enabled.
- 8.Document your MFA implementation, supported methods, and exemptions for audit purposes.
Evidence auditors look for
- Screenshots of SSO provider MFA configuration (e.g., Azure AD Conditional Access policies)
- Application authentication logs showing MFA challenges and completions
- Directory service (Active Directory, Okta) MFA enforcement rules and policies
- User access logs proving secondary factor verification for all external logins
- Network access control rules blocking non-MFA traffic to external applications
- Inventory spreadsheet mapping applications to MFA implementation method
- User training records confirming MFA setup and supported authentication factors
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates MFA verification across your applications and directory services, logs all authentication events for audit evidence, and flags non-compliant external logins in real-time—eliminating manual log reviews and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial