GRCWatch
Sign inStart free trial

CIS Control 6.4: Require MFA for Remote Network Access

Remote access is a critical security risk—especially as hybrid work becomes standard. CIS Control 6.4 mandates multi-factor authentication for anyone accessing your network remotely, blocking the majority of account compromise attacks. This control is foundational for SOC 2, ISO 27001, and most modern compliance frameworks.

What this means

This control requires that any user accessing your network from outside your physical perimeter must authenticate using at least two independent factors (something you know, something you have, something you are). MFA prevents unauthorized access even if passwords are compromised, stolen, or guessed. It applies to VPN connections, remote desktop protocols, cloud applications, and any other remote access method.

How to comply

  1. 1.Identify all remote access points: VPNs, RDP, SSH, web applications, cloud platforms, and API endpoints
  2. 2.Deploy MFA solutions across all identified access points—use native tools (Azure AD, Okta) or third-party providers
  3. 3.Configure MFA requirements for all user accounts; exclude only service accounts with documented justification
  4. 4.Test MFA across all access methods to ensure functionality and user adoption
  5. 5.Document MFA policies, acceptable authentication factors, and exceptions with business justification
  6. 6.Establish monitoring and logging of all MFA events for audit trails
  7. 7.Train users on MFA enrollment, usage, and backup codes or recovery procedures
  8. 8.Review and update MFA implementation quarterly as new access methods are added

Evidence auditors look for

  • MFA configuration screenshots from VPN, cloud identity provider, and RDP solutions
  • User access logs showing successful MFA authentication events
  • MFA deployment policy document with scope, approved methods, and enforcement dates
  • List of all remote access tools in use with MFA status for each
  • MFA enrollment reports showing percentage of users with active MFA
  • Test results demonstrating MFA blocks access without valid second factor
  • User training records and documentation on MFA procedures
  • Exception log for any accounts excluded from MFA with business justification

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates MFA monitoring and audit logging across your entire access stack, collecting evidence from VPNs, identity providers, and cloud apps—then maps it directly to CIS 6.4 for one-click compliance reporting.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 6.1 — Establish an Access Control PolicyCIS 6.3 — Disable Dormant AccountsNIST 800-171 3.5.3 — Use Multi-Factor AuthenticationISO 27001 A.9.2.1 — User Registration and De-registrationSOC 2 CC6.2 — Logical Access Controls