According to CMMC practice AC.L2-3.1.5, what is required for privileged accounts?

The requirement for privileged accounts under CMMC practice AC.L2-3.1.5 emphasizes the importance of security measures to protect sensitive access. Multi-factor authentication (MFA) is a critical component in safeguarding privileged accounts because it adds an additional layer of verification beyond just a password. This means that even if a password is compromised, unauthorized users would still need a second form of identification, such as a text message code or a biometric scan, to gain access to privileged functions.

Privileged accounts typically have access to sensitive systems or data, making them prime targets for cyberattacks. By enforcing multi-factor authentication, organizations significantly reduce the risk of unauthorized access, thus enhancing overall cybersecurity posture. This practice aligns with broader security frameworks that advocate for stringent authentication measures, particularly for accounts with elevated privileges.

In contrast to the other options provided, multi-factor authentication is the only choice that directly addresses the protection of these high-risk accounts in a meaningful way. It is essential for safeguarding sensitive operations and data from potential breaches, which is paramount in the context of compliance and security best practices.