GRCWatch
Sign inStart free trial

CIS Control 6.5: Require MFA for Administrative Access

Administrative accounts are prime targets for attackers seeking unauthorized access to your systems. CIS Control 6.5 mandates multi-factor authentication for all admin accounts to prevent credential-based breaches. Implementing MFA is one of the highest-impact security controls available to SMBs.

What this means

This control requires that all users with administrative privileges authenticate using at least two distinct factors before gaining access to enterprise assets. This applies whether systems are hosted on-premises or managed by third-party providers. MFA combines something you know (password), something you have (hardware token, authenticator app), or something you are (biometric), making unauthorized access significantly harder even if credentials are compromised.

How to comply

  1. 1.Inventory all administrative accounts across on-premises systems, cloud platforms, and third-party services
  2. 2.Select an MFA solution compatible with your infrastructure (authenticator apps, hardware tokens, or SMS-based verification)
  3. 3.Deploy MFA enforcement policies to all administrative access points, including VPNs, remote desktop gateways, and cloud consoles
  4. 4.Configure MFA as mandatory, not optional, with no admin bypass exceptions
  5. 5.Test MFA functionality across different devices, networks, and user scenarios before full rollout
  6. 6.Document the MFA solution deployed, supported methods, and any technical constraints or exclusions with business justification
  7. 7.Monitor and audit MFA usage logs to confirm all admin logins are protected

Evidence auditors look for

  • Screenshots of MFA configuration within identity management systems or cloud platforms
  • Policy documentation requiring MFA for all administrative accounts
  • Audit logs showing successful MFA challenges for administrative login attempts
  • Hardware token inventory or authenticator app deployment records
  • Test results demonstrating MFA blocks unauthorized login attempts
  • Third-party provider documentation confirming MFA is enabled for your admin accounts
  • User training records on MFA setup and usage

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers all administrative accounts across your infrastructure, verifies MFA is enabled, and generates audit-ready evidence dashboards—eliminating manual account inventories and reducing compliance verification time from weeks to days.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 5.2 — Account Changes and ProvisioningCIS Control 6.1 — Establish an Access Control ProcessCIS Control 6.3 — Configure Data Access Control ListsNIST SP 800-63B — Authentication and Lifecycle ManagementISO 27001 A.9.4.3 — Password Management