
CCC.C03: Implement Multi-factor Authentication (MFA) for Access

Objective: Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. This may include something you know, something you have, or something you are. In the case of programmatically accessible services, such as API endpoints, this includes a combination of API keys or tokens and network restrictions.
Control Family:
Identity and Access Management
Threats:
ID: CCC.TH01
Title: Access Control is Misconfigured
Description: Misconfigured access controls may grant excessive privileges or fail to restrict unauthorized access to sensitive resources. This could result in unintended data exposure or unauthorized actions being performed within the system.
NIST CSF:
PR.AC-7

Control Mappings

CCM:
IAM-03
IAM-08
ISO_27001:
2013 A.9.4.2
NIST_800_53:
IA-2

Test Requirements

CCC.C03.TR01: When an entity attempts to modify the service, the service MUST attempt to verify the client's identity through an authentication process.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red
CCC.C03.TR02: When an entity attempts to view information presented by the service, the service MUST attempt to verify the client's identity through an authentication process.
TLP:
tlp_amber
tlp_red
CCC.C03.TR03: When an entity attempts to view information on the service through a user interface, the authentication process MUST require multiple identifying factors from the user.
TLP:
tlp_amber
tlp_red
CCC.C03.TR04: When an entity attempts to modify the service through an API endpoint, the authentication process MUST be limited to a specific allowed network.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red
CCC.C03.TR05: When an entity attempts to view information on the service through an API endpoint, the authentication process MUST be limited to a specific allowed network.
TLP:
tlp_amber
tlp_red
CCC.C03.TR06: When an entity attempts to modify the service through a user interface, the authentication process MUST require multiple identifying factors from the user.
TLP:
tlp_clear
tlp_green
tlp_amber
tlp_red