1.3.5 Ensure the organization is requiring members to use Multi-Factor Authentication (MFA)

ID

cis_sscs/organization_mfa

Severity

critical

Category

source_code/contribution_access

Levels

Optional

false

Tags

mfa, security, slsa-3, slsa-4, supply-chain

Description

Require members of the organization to use Multi-Factor Authentication (MFA) in addition to a standard username and password when authenticating to the source code management platform.

Rationale

By default, users authenticate to the platform with a password only. If a user's password is compromised, that account and every repository it can access are exposed to data loss, malicious code commits, and data theft.

It is therefore recommended that every user has Multi-Factor Authentication enabled. This adds another layer of protection so that the account remains secure even if the user's password is compromised.

Members without MFA enabled should not be able to contribute to the organization's projects; they must enable MFA before they can contribute any code.

Verification

For every organization that exists in your source code management platform, verify that Multi-Factor Authentication is enforced for all members and that password-only authentication is not possible.
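One way to automate this verification, as an added example that is not part of the CIS benchmark text. It assumes the GitHub REST API, where GET /orgs/{org} reports the `two_factor_requirement_enabled` flag to organization owners and GET /orgs/{org}/members?filter=2fa_disabled lists members who have not enabled MFA; the organization names, the `GITHUB_TOKEN` and `ORGS` environment variables, and the sample payloads are assumptions for illustration. Other platforms expose the same control under different names.

```python
"""Audit MFA enforcement for every organization on the SCM platform.

Added example, not part of the CIS benchmark. Assumes the GitHub REST API
(hypothetical usage; adapt the paths for other platforms).
"""
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.github.com"
PAGE_SIZE = 100


def fetch_json(path: str, token: str):
    """Minimal authenticated GET against the API; returns decoded JSON."""
    req = urllib.request.Request(
        API_BASE + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_members_without_mfa(org_name: str, token: str) -> list:
    """Page through members who have not enabled MFA (owner token required)."""
    quoted = urllib.parse.quote(org_name)
    members, page = [], 1
    while True:
        batch = fetch_json(
            f"/orgs/{quoted}/members?filter=2fa_disabled"
            f"&per_page={PAGE_SIZE}&page={page}",
            token,
        )
        members.extend(batch)
        if len(batch) < PAGE_SIZE:
            return members
        page += 1


def evaluate_org(org: dict, members_without_mfa: list) -> dict:
    """Pure check over already-fetched data, so it can be tested offline.

    Status values:
      PASS    - enforcement flag is on and no member lacks MFA
      FAIL    - enforcement flag is off, or members without MFA remain
      UNKNOWN - the flag is absent: the token is not an org owner, so the
                API did not return it. Never treat UNKNOWN as compliant.
    """
    enforced = org.get("two_factor_requirement_enabled")
    offenders = sorted(m["login"] for m in members_without_mfa)
    if enforced is None:
        status = "UNKNOWN"
    elif enforced and not offenders:
        status = "PASS"
    else:
        status = "FAIL"
    return {
        "org": org.get("login"),
        "status": status,
        "mfa_enforced": enforced,
        "members_without_mfa": offenders,
    }


def audit_org(org_name: str, token: str) -> dict:
    """Live check for one organization."""
    org = fetch_json(f"/orgs/{urllib.parse.quote(org_name)}", token)
    return evaluate_org(org, fetch_members_without_mfa(org_name, token))


# Constructed sample payloads: the shape of the API responses, invented values.
SAMPLE_ORG_COMPLIANT = {"login": "example-org", "two_factor_requirement_enabled": True}
SAMPLE_ORG_NOT_ENFORCED = {"login": "legacy-org", "two_factor_requirement_enabled": False}
SAMPLE_MEMBERS_WITHOUT_MFA = [{"login": "contractor-1"}, {"login": "old-bot-account"}]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    org_names = [n.strip() for n in os.environ.get("ORGS", "").split(",") if n.strip()]
    if token and org_names:
        for name in org_names:
            print(json.dumps(audit_org(name, token)))
    else:
        # Offline demonstration on the constructed payloads.
        print(json.dumps(evaluate_org(SAMPLE_ORG_COMPLIANT, [])))
        print(json.dumps(evaluate_org(SAMPLE_ORG_NOT_ENFORCED, SAMPLE_MEMBERS_WITHOUT_MFA)))
```

Run it with `GITHUB_TOKEN` and a comma-separated `ORGS` list to audit live organizations; without them it evaluates the constructed payloads. The UNKNOWN status matters: a token without owner rights does not see the enforcement flag, and a script that silently reported that as a pass would hide exactly the gap this control exists to catch.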

Remediation

Use the platform's built-in organization setting to enforce Multi-Factor Authentication for every member of the organization.